Shared security patch analysis results
AI Used: DEEPSEEK deepseek-chat--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/naga/src/back/glsl/features.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/naga/src/back/glsl/features.rs@@ -1,7 +1,7 @@ use super::{BackendResult, Error, Version, Writer}; use crate::{- Binding, Bytes, Handle, ImageClass, ImageDimension, Interpolation, Sampling, ScalarKind,- ShaderStage, StorageClass, StorageFormat, Type, TypeInner,+ Binding, Bytes, Expression, Handle, ImageClass, ImageDimension, Interpolation, MathFunction,+ Sampling, ScalarKind, ShaderStage, StorageClass, StorageFormat, Type, TypeInner, }; use std::fmt::Write;@@ -33,6 +33,8 @@ /// Arrays with a dynamic length const DYNAMIC_ARRAY_SIZE = 1 << 16; const MULTI_VIEW = 1 << 17;+ /// Adds support for fused multiply-add+ const FMA = 1 << 18; } }@@ -98,6 +100,7 @@ check_feature!(SAMPLE_VARIABLES, 400, 300); check_feature!(DYNAMIC_ARRAY_SIZE, 430, 310); check_feature!(MULTI_VIEW, 140, 310);+ check_feature!(FMA, 400, 310); // Return an error if there are missing features if missing.is_empty() {@@ -199,6 +202,11 @@ if self.0.contains(Features::MULTI_VIEW) { // https://github.com/KhronosGroup/GLSL/blob/master/extensions/ext/GL_EXT_multiview.txt writeln!(out, "#extension GL_EXT_multiview : require")?;+ }++ if self.0.contains(Features::FMA) && version.is_es() {+ // https://www.khronos.org/registry/OpenGL/extensions/EXT/EXT_gpu_shader5.txt+ writeln!(out, "#extension GL_EXT_gpu_shader5 : require")?; } Ok(())@@ -347,6 +355,27 @@ } }+ if self.options.version.supports_fma_function() {+ let has_fma = self+ .module+ .functions+ .iter()+ .flat_map(|(_, f)| f.expressions.iter())+ .chain(+ self.module+ .entry_points+ .iter()+ .flat_map(|e| e.function.expressions.iter()),+ )+ .any(|(_, e)| match *e {+ Expression::Math { fun, .. 
} if fun == MathFunction::Fma => true,+ _ => false,+ });+ if has_fma {+ self.features.request(Features::FMA);+ }+ }+ self.features.check_availability(self.options.version) }
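Review bot: in the `#extension` hunk, the guard `if self.0.contains(Features::FMA) && version.is_es()` emits `#extension GL_EXT_gpu_shader5 : require` for every ES version once the feature is requested, while `check_feature!(FMA, 400, 310)` only establishes ES 310 as the minimum; on an ES target where `fma()` is already core, `: require` still makes the shader fail to compile on a driver that does not advertise the extension string. Consider narrowing the condition to the ES versions that actually depend on the extension (or using `: enable` with a fallback) and documenting which versions rely on it.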
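Review bot: in the expression-scan hunk, `.any(|(_, e)| match *e { Expression::Math { fun, .. } if fun == MathFunction::Fma => true, _ => false })` is a verbose spelling of `.any(|(_, e)| matches!(*e, Expression::Math { fun: MathFunction::Fma, .. }))`, and the pattern form drops the `PartialEq` requirement on `MathFunction`. The scan also runs only when `self.options.version.supports_fma_function()` is true, so an `Fma` expression on a version without the function must be handled on another path; a one-line comment saying where would make that invariant visible to the next reader.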
I'll analyze the code diff for security fixes following the specified format.

1. Vulnerability Existed: no
No specific security vulnerability was fixed in this diff. The changes appear to be feature additions and improvements rather than security fixes.

2. Vulnerability Existed: not sure
[Potential Feature Implementation Issue] [third_party/rust/naga/src/back/glsl/features.rs] [Lines 1-7, 33-35, 98-100, 199-206, 347-369]
[Old Code]
use crate::{
    Binding, Bytes, Handle, ImageClass, ImageDimension, Interpolation, Sampling, ScalarKind,
    ShaderStage, StorageClass, StorageFormat, Type, TypeInner,
};
...
// No FMA feature flag
...
// No FMA feature check
...
// No FMA extension handling
...
// No FMA expression scanning
[Fixed Code]
use crate::{
    Binding, Bytes, Expression, Handle, ImageClass, ImageDimension, Interpolation, MathFunction,
    Sampling, ScalarKind, ShaderStage, StorageClass, StorageFormat, Type, TypeInner,
};
...
const FMA = 1 << 18;
...
check_feature!(FMA, 400, 310);
...
if self.0.contains(Features::FMA) && version.is_es() {
    writeln!(out, "#extension GL_EXT_gpu_shader5 : require")?;
}
...
if self.options.version.supports_fma_function() {
    // FMA expression scanning logic
}
Additional Details: The changes introduce support for fused multiply-add (FMA) operations in GLSL shaders. While not directly a security fix, proper implementation of FMA operations is important for numerical precision and correctness in shaders. The changes include:
1. Adding MathFunction to imports
2. Adding FMA feature flag
3. Adding version checks for FMA support
4. Adding extension requirement for GL_EXT_gpu_shader5 in ES shaders
5. Adding scanning logic for FMA expressions in shaders
The changes appear to be a feature addition rather than a security fix, but proper FMA implementation could prevent potential precision-related issues in shader calculations.
If an attacker could control the contents of an iframe sandboxed with allow-popups but not allow-scripts, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/streams/readable-streams/count-queuing-strategy-integration.any.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/streams/readable-streams/count-queuing-strategy-integration.any.js@@ -1,4 +1,4 @@-// META: global=window,worker,jsshell+// META: global=window,worker 'use strict'; test(() => {
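Review bot: the hunk drops `jsshell` from the `// META: global=` list with no accompanying comment, so a reader of the test cannot tell whether the global was removed because the test no longer runs there, because the harness stopped supporting it, or for another reason; a short comment on the META line, or a reference in the commit message, would document the intent.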
Let me analyze the provided code diff for security fixes.

Vulnerability Existed: not sure
[Potential Removal of jsshell Environment] [testing/web-platform/tests/streams/readable-streams/count-queuing-strategy-integration.any.js] [Lines 1]
[Old Code]
// META: global=window,worker,jsshell
[Fixed Code]
// META: global=window,worker
Additional Details:
- The change removes 'jsshell' from the list of global environments where this test should run
- This could be a security-related change if jsshell had specific vulnerabilities in handling streams
- Without more context about why jsshell was removed, I can't be certain if this was a security fix
- It might also be a test environment simplification unrelated to security
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/js/src/frontend/Stencil.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/js/src/frontend/Stencil.cpp@@ -47,7 +47,7 @@ #include "vm/JSScript.h" // BaseScript, JSScript #include "vm/Printer.h" // js::Fprinter #include "vm/RegExpObject.h" // js::RegExpObject-#include "vm/Scope.h" // Scope, *Scope, ScopeKind::*, ScopeKindString, ScopeIter, ScopeKindIsCatch, BindingIter, GetScopeDataTrailingNames+#include "vm/Scope.h" // Scope, *Scope, ScopeKind::*, ScopeKindString, ScopeIter, ScopeKindIsCatch, BindingIter, GetScopeDataTrailingNames, SizeOfParserScopeData #include "vm/ScopeKind.h" // ScopeKind #include "vm/SelfHosting.h" // SetClonedSelfHostedFunctionName #include "vm/StaticStrings.h"@@ -1972,8 +1972,7 @@ // FunctionKey is used when caching to map a delazification stencil to a // specific lazy script. It is not used by instantiation, but we should // ensure it is correctly defined.- MOZ_ASSERT(stencil.functionKey ==- CompilationStencil::toFunctionKey(input.extent()));+ MOZ_ASSERT(stencil.functionKey == input.extent().toFunctionKey()); FunctionsFromExistingLazy(input, gcOutput); MOZ_ASSERT(gcOutput.functions.length() == stencil.scriptData.size());@@ -2288,6 +2287,14 @@ source(input.source), parserAtoms(cx->runtime(), alloc) {}+ExtensibleCompilationStencil::ExtensibleCompilationStencil(+ JSContext* cx, const JS::ReadOnlyCompileOptions& options,+ RefPtr<ScriptSource> source)+ : canLazilyParse(CanLazilyParse(options)),+ alloc(CompilationStencil::LifoAllocChunkSize),+ source(std::move(source)),+ parserAtoms(cx->runtime(), alloc) {}+ CompilationState::CompilationState(JSContext* cx, LifoAllocScope& parserAllocScope, CompilationInput& input)@@ -2383,6 +2390,44 @@ return true; }+bool SharedDataContainer::cloneFrom(JSContext* cx,+ const SharedDataContainer& other) {+ MOZ_ASSERT(isEmpty());++ if (other.isBorrow()) 
{+ return cloneFrom(cx, *other.asBorrow());+ }++ if (other.isSingle()) {+ // As we clone, we add an extra reference.+ RefPtr<SharedImmutableScriptData> ref(other.asSingle());+ setSingle(ref.forget());+ } else if (other.isVector()) {+ if (!initVector(cx)) {+ return false;+ }+ if (!asVector()->appendAll(*other.asVector())) {+ ReportOutOfMemory(cx);+ return false;+ }+ } else if (other.isMap()) {+ if (!initMap(cx)) {+ return false;+ }+ auto& otherMap = *other.asMap();+ if (!asMap()->reserve(otherMap.count())) {+ ReportOutOfMemory(cx);+ return false;+ }+ auto& map = *asMap();+ for (auto iter = otherMap.iter(); !iter.done(); iter.next()) {+ auto& entry = iter.get();+ map.putNewInfallible(entry.key(), entry.value());+ }+ }+ return true;+}+ js::SharedImmutableScriptData* SharedDataContainer::get( ScriptIndex index) const { if (isSingle()) {@@ -2561,6 +2606,24 @@ return true; }+template <typename T, typename IntoSpanT, size_t Inline, typename AllocPolicy>+[[nodiscard]] bool CopyToVector(JSContext* cx,+ mozilla::Vector<T, Inline, AllocPolicy>& vec,+ const IntoSpanT& source) {+ mozilla::Span<const T> span = source;+ return CopySpanToVector(cx, vec, span);+}++// Span and Vector do not share the same method names.+template <typename T, size_t Inline, typename AllocPolicy>+size_t GetLength(const mozilla::Vector<T, Inline, AllocPolicy>& vec) {+ return vec.length();+}+template <typename T>+size_t GetLength(const mozilla::Span<T>& span) {+ return span.Length();+}+ // Copy scope names from `src` into `alloc`, and returns the allocated data. 
BaseParserScopeData* CopyScopeData(JSContext* cx, LifoAlloc& alloc, ScopeKind kind,@@ -2577,6 +2640,125 @@ memcpy(dest, src, dataSize); return dest;+}++template <typename Stencil>+bool ExtensibleCompilationStencil::cloneFromImpl(JSContext* cx,+ const Stencil& other) {+ MOZ_ASSERT(alloc.isEmpty());++ canLazilyParse = other.canLazilyParse;+ functionKey = other.functionKey;++ if (!CopyToVector(cx, scriptData, other.scriptData)) {+ return false;+ }++ if (!CopyToVector(cx, scriptExtra, other.scriptExtra)) {+ return false;+ }++ if (!CopyToVector(cx, gcThingData, other.gcThingData)) {+ return false;+ }++ size_t scopeSize = GetLength(other.scopeData);+ if (!CopyToVector(cx, scopeData, other.scopeData)) {+ return false;+ }+ if (!scopeNames.reserve(scopeSize)) {+ js::ReportOutOfMemory(cx);+ return false;+ }+ for (size_t i = 0; i < scopeSize; i++) {+ if (other.scopeNames[i]) {+ BaseParserScopeData* data = CopyScopeData(+ cx, alloc, other.scopeData[i].kind(), other.scopeNames[i]);+ if (!data) {+ return false;+ }+ scopeNames.infallibleEmplaceBack(data);+ } else {+ scopeNames.infallibleEmplaceBack(nullptr);+ }+ }++ if (!CopyToVector(cx, regExpData, other.regExpData)) {+ return false;+ }++ // If CompilationStencil has external dependency, peform deep copy.++ size_t bigIntSize = GetLength(other.bigIntData);+ if (!bigIntData.resize(bigIntSize)) {+ js::ReportOutOfMemory(cx);+ return false;+ }+ for (size_t i = 0; i < bigIntSize; i++) {+ if (!bigIntData[i].init(cx, alloc, other.bigIntData[i].source())) {+ return false;+ }+ }++ size_t objLiteralSize = GetLength(other.objLiteralData);+ if (!objLiteralData.reserve(objLiteralSize)) {+ js::ReportOutOfMemory(cx);+ return false;+ }+ for (const auto& data : other.objLiteralData) {+ size_t length = data.code().size();+ auto* code = alloc.newArrayUninitialized<uint8_t>(length);+ if (!code) {+ js::ReportOutOfMemory(cx);+ return false;+ }+ memcpy(code, data.code().data(), length);+ objLiteralData.infallibleEmplaceBack(code, length, data.kind(),+ 
data.flags(), data.propertyCount());+ }++ // Regardless of whether CompilationStencil has external dependency or not,+ // ParserAtoms should be interned, to populate internal HashMap.+ for (const auto* entry : other.parserAtomsSpan()) {+ if (!entry) {+ if (!parserAtoms.addPlaceholder(cx)) {+ return false;+ }+ continue;+ }++ auto index = parserAtoms.internExternalParserAtom(cx, entry);+ if (!index) {+ return false;+ }+ }++ // We copy the stencil and increment the reference count of each+ // SharedImmutableScriptData.+ if (!sharedData.cloneFrom(cx, other.sharedData)) {+ return false;+ }++ // Note: moduleMetadata and asmJS are known after the first parse, and are+ // not mutated by any delazifications later on. Thus we can safely increment+ // the reference counter and keep these as-is.+ moduleMetadata = other.moduleMetadata;+ asmJS = other.asmJS;++#ifdef DEBUG+ assertNoExternalDependency();+#endif++ return true;+}++bool ExtensibleCompilationStencil::cloneFrom(JSContext* cx,+ const CompilationStencil& other) {+ return cloneFromImpl(cx, other);+}+bool ExtensibleCompilationStencil::cloneFrom(+ JSContext* cx, const ExtensibleCompilationStencil& other) {+ return cloneFromImpl(cx, other); } bool ExtensibleCompilationStencil::steal(JSContext* cx,@@ -2621,19 +2803,23 @@ return true; }+ if (storageType == StorageType::Borrowed) {+ return cloneFrom(cx, *other);+ }++ MOZ_ASSERT(storageType == StorageType::Owned);+ canLazilyParse = other->canLazilyParse; functionKey = other->functionKey;- if (storageType == StorageType::Owned) { #ifdef DEBUG- other->assertNoExternalDependency();- MOZ_ASSERT(other->refCount == 1);+ other->assertNoExternalDependency();+ MOZ_ASSERT(other->refCount == 1); #endif- // If CompilationStencil has no external dependency,- // steal LifoAlloc and perform shallow copy.- alloc.steal(&other->alloc);- }+ // If CompilationStencil has no external dependency,+ // steal LifoAlloc and perform shallow copy.+ alloc.steal(&other->alloc); if (!CopySpanToVector(cx, 
scriptData, other->scriptData)) { return false;@@ -2647,81 +2833,23 @@ return false; }- if (storageType == StorageType::Borrowed) {- size_t scopeSize = other->scopeData.size();-- if (!CopySpanToVector(cx, scopeData, other->scopeData)) {- return false;- }- if (!scopeNames.reserve(scopeSize)) {- js::ReportOutOfMemory(cx);- return false;- }- for (size_t i = 0; i < scopeSize; i++) {- if (other->scopeNames[i]) {- BaseParserScopeData* data = CopyScopeData(- cx, alloc, other->scopeData[i].kind(), other->scopeNames[i]);- if (!data) {- return false;- }- scopeNames.infallibleEmplaceBack(data);- } else {- scopeNames.infallibleEmplaceBack(nullptr);- }- }- } else {- if (!CopySpanToVector(cx, scopeData, other->scopeData)) {- return false;- }- if (!CopySpanToVector(cx, scopeNames, other->scopeNames)) {- return false;- }+ if (!CopySpanToVector(cx, scopeData, other->scopeData)) {+ return false;+ }+ if (!CopySpanToVector(cx, scopeNames, other->scopeNames)) {+ return false; } if (!CopySpanToVector(cx, regExpData, other->regExpData)) { return false; }- if (storageType == StorageType::Borrowed) {- // If CompilationStencil has external dependency, peform deep copy.-- size_t bigIntSize = other->bigIntData.size();- if (!bigIntData.resize(bigIntSize)) {- js::ReportOutOfMemory(cx);- return false;- }- for (size_t i = 0; i < bigIntSize; i++) {- if (!bigIntData[i].init(cx, alloc, other->bigIntData[i].source())) {- return false;- }- }- } else {- if (!CopySpanToVector(cx, bigIntData, other->bigIntData)) {- return false;- }- }-- if (storageType == StorageType::Borrowed) {- size_t objLiteralSize = other->objLiteralData.size();- if (!objLiteralData.reserve(objLiteralSize)) {- js::ReportOutOfMemory(cx);- return false;- }- for (const auto& data : other->objLiteralData) {- size_t length = data.code().size();- auto* code = alloc.newArrayUninitialized<uint8_t>(length);- if (!code) {- js::ReportOutOfMemory(cx);- return false;- }- memcpy(code, data.code().data(), length);- 
objLiteralData.infallibleEmplaceBack(code, length, data.kind(),- data.flags(), data.propertyCount());- }- } else {- if (!CopySpanToVector(cx, objLiteralData, other->objLiteralData)) {- return false;- }+ if (!CopySpanToVector(cx, bigIntData, other->bigIntData)) {+ return false;+ }++ if (!CopySpanToVector(cx, objLiteralData, other->objLiteralData)) {+ return false; } // Regardless of whether CompilationStencil has external dependency or not,@@ -2871,6 +2999,15 @@ return; }+ if (taggedIndex.isLength3StaticParserString()) {+ json.property("tag", "Length3Static");+ auto index = taggedIndex.toLength3StaticParserString();+ GenericPrinter& out = json.beginStringProperty("atom");+ ParserAtomsTable::dumpCharsNoQuote(out, index);+ json.endString();+ return;+ }+ MOZ_ASSERT(taggedIndex.isNull()); json.property("tag", "null"); }@@ -2928,6 +3065,12 @@ if (taggedIndex.isLength2StaticParserString()) { auto index = taggedIndex.toLength2StaticParserString();+ ParserAtomsTable::dumpCharsNoQuote(out, index);+ return;+ }++ if (taggedIndex.isLength3StaticParserString()) {+ auto index = taggedIndex.toLength3StaticParserString(); ParserAtomsTable::dumpCharsNoQuote(out, index); return; }@@ -3744,9 +3887,14 @@ return cx->staticStrings().getUnit(char16_t(index)); }- MOZ_ASSERT(taggedIndex.isLength2StaticParserString());- auto index = taggedIndex.toLength2StaticParserString();- return cx->staticStrings().getLength2FromIndex(size_t(index));+ if (taggedIndex.isLength2StaticParserString()) {+ auto index = taggedIndex.toLength2StaticParserString();+ return cx->staticStrings().getLength2FromIndex(size_t(index));+ }++ MOZ_ASSERT(taggedIndex.isLength3StaticParserString());+ auto index = taggedIndex.toLength3StaticParserString();+ return cx->staticStrings().getUint(uint32_t(index)); } JSString* CompilationAtomCache::getStringAt(ParserAtomIndex index) const {@@ -3938,7 +4086,7 @@ for (size_t i = 1; i < initial_->scriptExtra.length(); i++) { const auto& extra = initial_->scriptExtra[i];- auto key = 
CompilationStencil::toFunctionKey(extra.extent);+ auto key = extra.extent.toFunctionKey(); // There can be multiple ScriptStencilExtra with same extent if // the function is parsed multiple times because of rewind for@@ -4313,6 +4461,10 @@ i == CompilationStencil::TopLevelIndex); }+ // WARNING: moduleMetadata and asmJS fields are known at script/module+ // top-level parsing, any mutation made in this function should be reflected+ // to ExtensibleCompilationStencil::steal and CompilationStencil::clone.+ // Function shouldn't be a module. MOZ_ASSERT(!delazification.moduleMetadata);@@ -4327,8 +4479,7 @@ void JS::StencilAddRef(JS::Stencil* stencil) { stencil->refCount++; } void JS::StencilRelease(JS::Stencil* stencil) { MOZ_RELEASE_ASSERT(stencil->refCount > 0);- stencil->refCount--;- if (stencil->refCount == 0) {+ if (--stencil->refCount == 0) { js_delete(stencil); } }
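Review bot: in `SharedDataContainer::cloneFrom`, the `isSingle()` branch documents that the clone takes a reference (`RefPtr<SharedImmutableScriptData> ref(other.asSingle()); setSingle(ref.forget());`), but the `isVector()` and `isMap()` branches copy entries through `appendAll` and `putNewInfallible` with no such comment; whether those copies own their own references depends on the element type, so a comment stating that the vector and map elements are reference-counted would make the ownership contract explicit. The function also returns `true` when `other` matches none of the three cases; if that can only mean `other` is empty, an `else { MOZ_ASSERT(other.isEmpty()); }` would pin that down.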
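Review bot: in `ExtensibleCompilationStencil::cloneFromImpl`, the scope-name loop indexes `other.scopeNames[i]` for `i < scopeSize` where `scopeSize = GetLength(other.scopeData)`, so it relies on `scopeNames` and `scopeData` having equal length without asserting it; add `MOZ_ASSERT(GetLength(other.scopeNames) == scopeSize);` before the loop. Minor: the comment `// If CompilationStencil has external dependency, peform deep copy.` carries the `peform` typo over from the old `steal` body.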
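Review bot: in the `steal` hunk, the early `if (storageType == StorageType::Borrowed) { return cloneFrom(cx, *other); }` moves the deep-copy path out of this function, and the rest of the body now assumes `Owned` only via `MOZ_ASSERT(storageType == StorageType::Owned);`; in a release build an unexpected storage type would fall through to `alloc.steal(&other->alloc)` on a stencil that may still be shared. If `StorageType` has only these two values this is fine, otherwise a `MOZ_RELEASE_ASSERT` or an explicit switch would be safer.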
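Review bot: the three `isLength3StaticParserString()` hunks mirror the existing Length2 handling in the JSON dumper, the plain dumper and the `CompilationAtomCache` lookup, but the lookup maps the new index through `cx->staticStrings().getUint(uint32_t(index))` while Length2 goes through `getLength2FromIndex(size_t(index))`; a comment at the `getUint` call explaining why length-3 static parser strings resolve to the unsigned-integer static strings would save the next reader a trip into StaticStrings.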
After analyzing the provided code diff, I don't identify any clear security vulnerabilities. The changes appear to be primarily refactoring, bug fixes, and feature additions rather than security fixes. Here's my analysis:

1. First change is just an include addition:
Vulnerability Existed: no
[No vulnerability] [js/src/frontend/Stencil.cpp] [Lines 47]
[Old Code]
#include "vm/Scope.h" // Scope, *Scope, ScopeKind::*, ScopeKindString, ScopeIter, ScopeKindIsCatch, BindingIter, GetScopeDataTrailingNames
[Fixed Code]
#include "vm/Scope.h" // Scope, *Scope, ScopeKind::*, ScopeKindString, ScopeIter, ScopeKindIsCatch, BindingIter, GetScopeDataTrailingNames, SizeOfParserScopeData

2. Second change is a refactoring of function key assertion:
Vulnerability Existed: no
[No vulnerability] [js/src/frontend/Stencil.cpp] [Lines 1972-1973]
[Old Code]
MOZ_ASSERT(stencil.functionKey == CompilationStencil::toFunctionKey(input.extent()));
[Fixed Code]
MOZ_ASSERT(stencil.functionKey == input.extent().toFunctionKey());

3. The remaining changes are primarily:
- Addition of new constructors and methods (ExtensibleCompilationStencil, SharedDataContainer::cloneFrom)
- Refactoring of cloning and stealing logic
- Addition of Length3StaticParserString support
- Memory management improvements
- Bug fixes in reference counting

None of these changes appear to address specific security vulnerabilities, but rather improve code quality, add features, and fix potential bugs. The changes include better memory management (like the refCount decrement before check in StencilRelease) and more robust cloning operations, but these don't appear to be fixing known vulnerabilities. If there were any security fixes in this diff, they would likely be more explicitly marked or referenced in commit messages/bug reports. The changes here seem focused on functionality improvements and code maintenance.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.invalid.css-color-4-hsl-3.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.invalid.css-color-4-hsl-3.html@@ -17,14 +17,14 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#0f0'; try { ctx.fillStyle = 'hsl(0, 100% 50%)'; } catch (e) { } // this shouldn't throw, but it shouldn't matter here if it does ctx.fillRect(0, 0, 100, 50);-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); t.done(); });
Based on the provided diff, I'll analyze it for potential security vulnerabilities:

1. Vulnerability Existed: no
No specific vulnerability found
[File] testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.invalid.css-color-4-hsl-3.html
[Lines] 17-25
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
[...]
_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
[...]
_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");

The changes appear to be purely cosmetic/refactoring, renaming a variable from `offscreenCanvas` to `canvas`. There's no indication of any security vulnerability being fixed in this change. The functionality remains exactly the same, just with a different variable name. The test case continues to verify the same behavior regarding CSS color parsing in canvas contexts.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.gradient.radial.touch1.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.gradient.radial.touch1.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#0f0'; ctx.fillRect(0, 0, 100, 50);@@ -27,15 +27,15 @@ g.addColorStop(1, '#f00'); ctx.fillStyle = g; ctx.fillRect(0, 0, 100, 50);-_assertPixel(offscreenCanvas, 1,1, 0,255,0,255, "1,1", "0,255,0,255");-_assertPixel(offscreenCanvas, 50,1, 0,255,0,255, "50,1", "0,255,0,255");-_assertPixel(offscreenCanvas, 98,1, 0,255,0,255, "98,1", "0,255,0,255");-_assertPixel(offscreenCanvas, 1,25, 0,255,0,255, "1,25", "0,255,0,255");-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");-_assertPixel(offscreenCanvas, 98,25, 0,255,0,255, "98,25", "0,255,0,255");-_assertPixel(offscreenCanvas, 1,48, 0,255,0,255, "1,48", "0,255,0,255");-_assertPixel(offscreenCanvas, 50,48, 0,255,0,255, "50,48", "0,255,0,255");-_assertPixel(offscreenCanvas, 98,48, 0,255,0,255, "98,48", "0,255,0,255");+_assertPixel(canvas, 1,1, 0,255,0,255, "1,1", "0,255,0,255");+_assertPixel(canvas, 50,1, 0,255,0,255, "50,1", "0,255,0,255");+_assertPixel(canvas, 98,1, 0,255,0,255, "98,1", "0,255,0,255");+_assertPixel(canvas, 1,25, 0,255,0,255, "1,25", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 98,25, 0,255,0,255, "98,25", "0,255,0,255");+_assertPixel(canvas, 1,48, 0,255,0,255, "1,48", "0,255,0,255");+_assertPixel(canvas, 50,48, 0,255,0,255, "50,48", "0,255,0,255");+_assertPixel(canvas, 98,48, 
0,255,0,255, "98,48", "0,255,0,255"); t.done(); });
After analyzing the provided code diff, I don't see any security-related changes. The changes appear to be purely cosmetic, renaming a variable for consistency or clarity. Here's the analysis:

1. Vulnerability Existed: no
Variable Renaming
[File: testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.gradient.radial.touch1.html]
[Lines: 17-18, 27-35]
Old Code:
```javascript
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
// ...
_assertPixel(offscreenCanvas, 1,1, 0,255,0,255, "1,1", "0,255,0,255");
// ... (other _assertPixel calls with offscreenCanvas)
```
Fixed Code:
```javascript
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
// ...
_assertPixel(canvas, 1,1, 0,255,0,255, "1,1", "0,255,0,255");
// ... (other _assertPixel calls with canvas)
```
The changes simply rename the variable `offscreenCanvas` to `canvas` throughout the file, which doesn't affect security in any way. No security vulnerabilities were identified in this diff.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/layout/reftests/css-grid/grid-fragmentation-018-ref.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/layout/reftests/css-grid/grid-fragmentation-018-ref.html@@ -21,7 +21,7 @@ -ms-column-fill: auto; -webkit-column-fill: auto; column-fill: auto;- border: 2px dashed;+ border: 2px solid salmon; margin-bottom: 5px; }
After analyzing the provided code diff, here's the security assessment:

Vulnerability Existed: no
[No security vulnerability found] [layout/reftests/css-grid/grid-fragmentation-018-ref.html] [Lines 21]
[Old Code: border: 2px dashed;]
[Fixed Code: border: 2px solid salmon;]
Additional Details: The change appears to be purely cosmetic, modifying the border style from dashed to solid and changing the color to salmon. This is a visual/style change in a test reference file and doesn't appear to have any security implications. The modification is likely related to improving test visibility or accuracy rather than addressing any security concerns.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/wgpu-hal/src/vulkan/adapter.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/wgpu-hal/src/vulkan/adapter.rs@@ -332,7 +332,7 @@ | F::TIMESTAMP_QUERY | F::PIPELINE_STATISTICS_QUERY | F::TEXTURE_ADAPTER_SPECIFIC_FORMAT_FEATURES- | F::CLEAR_COMMANDS;+ | F::CLEAR_TEXTURE; let mut dl_flags = Df::all(); dl_flags.set(Df::CUBE_ARRAY_TEXTURES, self.core.image_cube_array != 0);@@ -708,8 +708,12 @@ max_storage_buffers_per_shader_stage: max_storage_buffers, max_storage_textures_per_shader_stage: max_storage_textures, max_uniform_buffers_per_shader_stage: max_uniform_buffers,- max_uniform_buffer_binding_size: limits.max_uniform_buffer_range,- max_storage_buffer_binding_size: limits.max_storage_buffer_range,+ max_uniform_buffer_binding_size: limits+ .max_uniform_buffer_range+ .min(crate::auxil::MAX_I32_BINDING_SIZE),+ max_storage_buffer_binding_size: limits+ .max_storage_buffer_range+ .min(crate::auxil::MAX_I32_BINDING_SIZE), max_vertex_buffers: limits .max_vertex_input_bindings .min(crate::MAX_VERTEX_BUFFERS as u32),@@ -1116,8 +1120,8 @@ let timeline_semaphore_fn = if enabled_extensions.contains(&khr::TimelineSemaphore::name()) { Some(super::ExtensionFn::Extension(khr::TimelineSemaphore::new(- &self.instance.entry, &self.instance.raw,+ &raw_device, ))) } else if self.phd_capabilities.properties.api_version >= vk::API_VERSION_1_2 { Some(super::ExtensionFn::Promoted)@@ -1328,6 +1332,7 @@ format: wgt::TextureFormat, ) -> crate::TextureFormatCapabilities { use crate::TextureFormatCapabilities as Tfc;+ let vk_format = self.private_caps.map_texture_format(format); let properties = self .phd_capabilities@@ -1380,6 +1385,11 @@ features.intersects( vk::FormatFeatureFlags::TRANSFER_DST | vk::FormatFeatureFlags::BLIT_DST, ),+ );+ // Vulkan is very permissive about MSAA+ flags.set(+ 
Tfc::MULTISAMPLE | Tfc::MULTISAMPLE_RESOLVE,+ !format.describe().is_compressed(), ); flags }
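Review bot: the clamp of `max_uniform_buffer_binding_size` and `max_storage_buffer_binding_size` to `crate::auxil::MAX_I32_BINDING_SIZE` carries no comment explaining why a signed 32-bit ceiling applies to a Vulkan range; if the reason is that binding sizes later pass through an API that takes an `i32`, say so at the clamp site, otherwise a future reader may remove it as a spurious restriction.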
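Review bot: switching `khr::TimelineSemaphore::new` from `(&self.instance.entry, &self.instance.raw)` to `(&self.instance.raw, &raw_device)` moves the loader from instance-level to device-level function pointers, which is the right loader for a device extension, but the hunk gives no hint that this follows an `ash` API signature change rather than a behaviour change; a one-line comment, or the dependency bump in the same change, would help a future bisect.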
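Review bot: `let vk_format = self.private_caps.map_texture_format(format);` is introduced at the top of the texture-format capabilities function, but no use of `vk_format` appears in the hunk's context; if it is consumed further down that is fine, otherwise the binding is dead and will produce an unused-variable warning.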
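Review bot: the MSAA hunk sets `Tfc::MULTISAMPLE | Tfc::MULTISAMPLE_RESOLVE` purely from `!format.describe().is_compressed()`, justified only by `// Vulkan is very permissive about MSAA`; this advertises multisampling for any uncompressed format even where the device supports only a single sample. Querying the format's supported `sampleCounts` through `vkGetPhysicalDeviceImageFormatProperties` (or at least restricting the flag to formats with sampled-image support) would make the reported capability reflect the device instead of an assumption.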
I'll analyze the code diff following the specified format. There appear to be several changes that might relate to security fixes:

1. First potential vulnerability:
Vulnerability Existed: not sure
Buffer Size Limitation [File] [Lines 708-716]
[Old Code]
max_uniform_buffer_binding_size: limits.max_uniform_buffer_range,
max_storage_buffer_binding_size: limits.max_storage_buffer_range,
[Fixed Code]
max_uniform_buffer_binding_size: limits
    .max_uniform_buffer_range
    .min(crate::auxil::MAX_I32_BINDING_SIZE),
max_storage_buffer_binding_size: limits
    .max_storage_buffer_range
    .min(crate::auxil::MAX_I32_BINDING_SIZE),

2. Second potential vulnerability:
Vulnerability Existed: not sure
Timeline Semaphore Initialization [File] [Lines 1116-1122]
[Old Code]
Some(super::ExtensionFn::Extension(khr::TimelineSemaphore::new(
    &self.instance.entry,
    &self.instance.raw,
)))
[Fixed Code]
Some(super::ExtensionFn::Extension(khr::TimelineSemaphore::new(
    &self.instance.raw,
    &raw_device,
)))

3. Third potential change (less likely to be security-related):
Vulnerability Existed: no
Feature Flag Update [File] [Lines 332-334]
[Old Code]
| F::CLEAR_COMMANDS;
[Fixed Code]
| F::CLEAR_TEXTURE;

4. Fourth potential change (likely not security-related):
Vulnerability Existed: no
Multisample Format Check [File] [Lines 1380-1386]
[Old Code]
(No equivalent code in old version)
[Fixed Code]
flags.set(
    Tfc::MULTISAMPLE | Tfc::MULTISAMPLE_RESOLVE,
    !format.describe().is_compressed(),
);

The most likely security-related changes are the first two:
1. The buffer size limitation change appears to add bounds checking to prevent potential integer overflows or excessively large allocations.
2. The timeline semaphore initialization change modifies the parameters being passed, which might relate to proper device initialization security.

However, without more context about the specific vulnerabilities being addressed, I can't be certain about the exact vulnerability names. The changes appear to be defensive programming improvements that could prevent potential security issues.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/filters/2d.filter.canvasFilterObject.convolveMatrix.exceptions.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/filters/2d.filter.canvasFilterObject.convolveMatrix.exceptions.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); assert_throws_js(TypeError, function() { new CanvasFilter({filter: "convolveMatrix"}); }); assert_throws_js(TypeError, function() { new CanvasFilter({filter: "convolveMatrix", divisor: 2}); });
Based on the provided diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely variable renaming without any security implications. Here's the analysis following your requested format:

Vulnerability Existed: no
No security vulnerability found [testing/web-platform/tests/html/canvas/offscreen/filters/2d.filter.canvasFilterObject.convolveMatrix.exceptions.html] [Lines 17-18]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');

The changes are:
1. Renaming variable `offscreenCanvas` to `canvas`
2. The rest of the file remains unchanged in terms of functionality
3. The test assertions remain the same
4. No security-related fixes are apparent in this diff

This appears to be a code style/readability change rather than a security fix.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/toolkit/mozapps/extensions/test/xpcshell/test_shutdown.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/toolkit/mozapps/extensions/test/xpcshell/test_shutdown.js@@ -9,8 +9,6 @@ "escapeAddonURI", "shouldAutoUpdate", "getStartupChanges",- "addTypeListener",- "removeTypeListener", "addAddonListener", "removeAddonListener", "addInstallListener",@@ -26,14 +24,12 @@ "addUpgradeListener", "removeUpgradeListener", "getInstallSourceFromHost",- "getInstallSourceFromPrincipal", "stageLangpacksForAppUpdate", ]; const IGNORE_PRIVATE = [ "AddonAuthor", "AddonScreenshot",- "AddonType", "startup", "shutdown", "addonIsActive",
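Review bot: dropping "addTypeListener", "removeTypeListener", "getInstallSourceFromPrincipal" and "AddonType" from the expected-API arrays means test_shutdown.js no longer checks how those entries behave after shutdown; the hunk should be paired with the production change that actually removes them from the AddonManager surface (not visible here), otherwise the test silently loses coverage for APIs that still exist. Suggest citing that change in the commit message, or keeping the entries until the APIs are really gone.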
Based on the provided diff, I'll analyze the changes for potential security vulnerabilities:

1. Vulnerability Existed: not sure
[Potential Information Exposure] [toolkit/mozapps/extensions/test/xpcshell/test_shutdown.js] [Lines 9-11, 26]
[Old Code]
"addTypeListener",
"removeTypeListener",
...
"AddonType",
[Fixed Code]
(Removed these lines)
Additional Details: The removal of type-related listeners and AddonType could indicate these were exposing sensitive type information, but without more context this is uncertain.

2. Vulnerability Existed: not sure
[Potential Principal-based Security Check Removal] [toolkit/mozapps/extensions/test/xpcshell/test_shutdown.js] [Line 24]
[Old Code]
"getInstallSourceFromPrincipal",
[Fixed Code]
(Removed this line)
Additional Details: The removal of getInstallSourceFromPrincipal might relate to security checks based on content principals, but the test context makes the security impact unclear.

Note: Since this is test code, the security implications are less direct than in production code. The changes appear to be simplifying the test interface, possibly removing unnecessary or potentially sensitive information exposure points. However, without more context about how these interfaces were used, I can't definitively identify specific vulnerabilities.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/wgpu-hal/src/vulkan/mod.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/wgpu-hal/src/vulkan/mod.rs@@ -514,9 +514,7 @@ match *self { Self::TimelineSemaphore(raw) => unsafe { Ok(match *extension.unwrap() {- ExtensionFn::Extension(ref ext) => {- ext.get_semaphore_counter_value(device.handle(), raw)?- }+ ExtensionFn::Extension(ref ext) => ext.get_semaphore_counter_value(raw)?, ExtensionFn::Promoted => device.get_semaphore_counter_value(raw)?, }) },
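Review bot: the new call shape `ext.get_semaphore_counter_value(raw)?` (the extension wrapper now carries the device itself) is fine, but the unchanged context line `Ok(match *extension.unwrap() {` still panics if `extension` is `None`, and this sits inside an `unsafe` block on the fence-query path. Consider mapping a missing extension to the function's error type instead of unwrapping, so a driver without timeline semaphores degrades to an error rather than a process abort.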
Let me analyze the code diff for security vulnerabilities.

Vulnerability Existed: yes
Vulnerability Name: Unsafe Vulkan API usage
[File] third_party/rust/wgpu-hal/src/vulkan/mod.rs
[Lines] 514-519
[Old Code]
ExtensionFn::Extension(ref ext) => {
    ext.get_semaphore_counter_value(device.handle(), raw)?
}
[Fixed Code]
ExtensionFn::Extension(ref ext) => ext.get_semaphore_counter_value(raw)?,
Additional Details:
1. The vulnerability involves improper Vulkan API usage where the device handle was being passed unnecessarily to get_semaphore_counter_value.
2. The old code could potentially lead to synchronization issues or invalid device handle usage since the semaphore counter value should be queried directly from the semaphore object.
3. The fix removes the device handle parameter, making the API call safer and more correct according to Vulkan specifications.
4. While this isn't a classic memory safety vulnerability, incorrect Vulkan API usage can lead to GPU-related security issues like command buffer corruption or improper synchronization.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/taskcluster/ci/test/test-platforms.yml+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/taskcluster/ci/test/test-platforms.yml@@ -48,12 +48,9 @@ - awsy - desktop-screenshot-capture - linux1804-tests- - marionette-headless- - mochitest-headless - mochitest-webgpu - web-platform-tests - web-platform-tests-backlog- - web-platform-tests-wdspec-headless - linux-talos-flex - talos - browsertime@@ -64,12 +61,9 @@ - awsy - desktop-screenshot-capture - linux1804-tests- - marionette-headless- - mochitest-headless - mochitest-webgpu - web-platform-tests - web-platform-tests-backlog- - web-platform-tests-wdspec-headless - linux-talos-flex - talos - talos-profiling@@ -89,7 +83,6 @@ - linux1804-tests - mochitest-webgpu - web-platform-tests- - web-platform-tests-wdspec-headless linux1804-64-ccov-qr/opt: build-platform: linux64-ccov/opt@@ -112,6 +105,11 @@ test-sets: - awsy - browsertime++linux1804-64-domstreams-qr/debug:+ build-platform: linux64-domstreams/debug+ test-sets:+ - domstreams-tests ## # Windows platforms (matching /windows.*/)@@ -145,7 +143,6 @@ - awsy - desktop-screenshot-capture - web-platform-tests- - web-platform-tests-wdspec-headless - windows32-2004-tests@@ -155,7 +152,6 @@ - awsy - desktop-screenshot-capture - web-platform-tests- - web-platform-tests-wdspec-headless - windows32-2004-tests windows10-32-2004-qr/debug:@@ -164,7 +160,6 @@ - web-platform-tests - windows-7-tests - windows32-2004-tests- - windows10-32-2004-failure-tests windows10-32-2004-mingwclang-qr/debug: build-platform: win32-mingwclang/debug@@ -212,7 +207,6 @@ build-platform: win64/debug test-sets: - web-platform-tests- - web-platform-tests-wdspec-headless - windows10-2004-tests windows10-64-2004-qr/opt:@@ -222,9 +216,7 @@ - desktop-screenshot-capture - web-platform-tests - web-platform-tests-backlog- - 
web-platform-tests-wdspec-headless- - windows10-2004-tests- - windows10-64-2004-failure-tests+ - windows10-2004-tests - talos-xperf windows10-64-2004-shippable-qr/opt:@@ -234,11 +226,8 @@ - desktop-screenshot-capture - web-platform-tests - web-platform-tests-backlog- - web-platform-tests-wdspec-headless- - windows10-2004-tests- - windows10-64-2004-failure-tests+ - windows10-2004-tests - talos-xperf- - windows-talos windows10-64-2004-devedition-qr/opt: build-platform: win64-devedition/opt@@ -292,7 +281,6 @@ - talos-profiling - web-platform-tests - web-platform-tests-backlog- - web-platform-tests-wdspec-headless macosx1015-64-devedition-qr/opt: build-platform: macosx64-devedition/opt@@ -307,7 +295,6 @@ - macosx1015-64-qr-tests - web-platform-tests - web-platform-tests-backlog- - web-platform-tests-wdspec-headless macosx1015-64-qr/debug: build-platform: macosx64/debug@@ -319,12 +306,6 @@ build-platform: macosx64-ccov/opt test-sets: - macosx1015-64-qr-tests--macosx1014-64-shippable-qr/opt:- build-platform: macosx64-shippable/opt- test-sets:- - browsertime- - macosx64-talos ## # Android platforms (matching /android-em.*/)
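Review bot: this is a CI coverage change rather than a code fix, and its net effect is that marionette-headless, mochitest-headless and web-platform-tests-wdspec-headless no longer run on any of the listed Linux, Windows and macOS platforms, windows10-32-2004-failure-tests, windows10-64-2004-failure-tests and windows-talos are dropped, and the whole macosx1014-64-shippable-qr/opt platform is removed, while only linux1804-64-domstreams-qr/debug is added. The hunk doesn't show where the removed sets now run; the commit should state whether they were relocated or retired, because a wdspec or headless regression would otherwise go untested on these platforms.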
Based on the provided diff, I don't see any clear security vulnerabilities being fixed. The changes appear to be primarily test configuration updates where certain test sets are being removed or reorganized. Here's my analysis:

1. Vulnerability Existed: no
Test Configuration Cleanup
[File] taskcluster/ci/test/test-platforms.yml
[Lines] Various
[Old Code] Various test sets included (e.g., marionette-headless, mochitest-headless, web-platform-tests-wdspec-headless)
[Fixed Code] These test sets removed from multiple configurations

2. Vulnerability Existed: no
Test Platform Updates
[File] taskcluster/ci/test/test-platforms.yml
[Lines] Various
[Old Code] Various platform configurations with certain test sets
[Fixed Code] Updated platform configurations with test sets reorganized/removed

The changes appear to be focused on:
- Removing headless test configurations (marionette-headless, mochitest-headless, web-platform-tests-wdspec-headless)
- Removing some failure test sets (windows10-32-2004-failure-tests, windows10-64-2004-failure-tests)
- Adding new test configurations (linux1804-64-domstreams-qr/debug)
- General test suite reorganization

These changes don't appear to be security-related but rather maintenance and configuration updates to the testing infrastructure.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/media/gmp/GMPChild.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/media/gmp/GMPChild.cpp@@ -25,6 +25,8 @@ #include "GMPVideoEncoderChild.h" #include "GMPVideoHost.h" #include "mozilla/Algorithm.h"+#include "mozilla/FOGIPC.h"+#include "mozilla/glean/GleanMetrics.h" #include "mozilla/ipc/CrashReporterClient.h" #include "mozilla/ipc/Endpoint.h" #include "mozilla/ipc/ProcessChild.h"@@ -35,6 +37,7 @@ #include "nsReadableUtils.h" #include "nsThreadManager.h" #include "nsXULAppAPI.h"+#include "nsIXULRuntime.h" #include "prio.h" #ifdef XP_WIN # include <stdlib.h> // for _exit()@@ -209,6 +212,7 @@ u"ole32.dll", // required for OPM u"psapi.dll", // For GetMappedFileNameW, see bug 1383611 u"softokn3.dll", // NSS for clearkey CDM+ u"winmm.dll", // Dependency for widevine }; constexpr static bool (*IsASCII)(const char16_t*) = IsAsciiNullTerminated<char16_t>;@@ -584,6 +588,12 @@ ProcessChild::QuickExit(); }+#if !defined(XP_WIN) || !defined(_ARM64_)+ // Send the last bits of Glean data over to the main process.+ glean::FlushFOGData(+ [](ByteBuf&& aBuf) { glean::SendFOGData(std::move(aBuf)); });+#endif+ if (mProfilerController) { mProfilerController->Shutdown(); mProfilerController = nullptr;@@ -676,6 +686,22 @@ return IPC_OK(); }+mozilla::ipc::IPCResult GMPChild::RecvFlushFOGData(+ FlushFOGDataResolver&& aResolver) {+ GMP_CHILD_LOG_DEBUG("GMPChild RecvFlushFOGData");+ glean::FlushFOGData(std::move(aResolver));+ return IPC_OK();+}++mozilla::ipc::IPCResult GMPChild::RecvTestTriggerMetrics(+ TestTriggerMetricsResolver&& aResolve) {+ GMP_CHILD_LOG_DEBUG("GMPChild RecvTestTriggerMetrics");+ mozilla::glean::test_only_ipc::a_counter.Add(+ nsIXULRuntime::PROCESS_TYPE_GMPLUGIN);+ aResolve(true);+ return IPC_OK();+}+ void GMPChild::GMPContentChildActorDestroy(GMPContentChild* aGMPContentChild) { for (uint32_t i = 
mGMPContentChildren.Length(); i > 0; i--) { RefPtr<GMPContentChild>& destroyedActor = mGMPContentChildren[i - 1];
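Review bot: `RecvFlushFOGData` is not gated by the `#if !defined(XP_WIN) || !defined(_ARM64_)` guard that wraps the shutdown-time `glean::FlushFOGData` call, so on Windows ARM64 the IPC path still flushes while the shutdown path skips it; either the guard is unnecessary and should go, or the handler (and its IPDL message) needs the same guard. Separately, `RecvTestTriggerMetrics` only exists to bump `test_only_ipc::a_counter` but is compiled into the GMP child unconditionally; it should be restricted to test builds or to a sender already verified as test-only, since every extra message handler in a sandboxed child is attack surface reachable from the parent side.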
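Review bot: adding `u"winmm.dll", // Dependency for widevine` widens the set of libraries the GMP child loads by bare name; the hunk only shows file names, so the review should confirm the loader resolves this list from the system directory rather than the plugin or working directory, because a bare-name load from a writable path would be a DLL-planting risk in a process that hosts a DRM module.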
Based on the provided code diff, I'll analyze it for security vulnerabilities. Here's the analysis following the required format:

1. Vulnerability Existed: not sure
[Potential Missing DLL Validation] [dom/media/gmp/GMPChild.cpp] [Lines 209-215]
[Old Code]
u"ole32.dll",     // required for OPM
u"psapi.dll",     // For GetMappedFileNameW, see bug 1383611
u"softokn3.dll",  // NSS for clearkey CDM
[Fixed Code]
u"ole32.dll",     // required for OPM
u"psapi.dll",     // For GetMappedFileNameW, see bug 1383611
u"softokn3.dll",  // NSS for clearkey CDM
u"winmm.dll",     // Dependency for widevine
Additional Details: The change adds winmm.dll to the list of loaded DLLs. While this appears to be a legitimate dependency addition, DLL loading should always be carefully reviewed for potential DLL hijacking vulnerabilities.

2. Vulnerability Existed: not sure
[Potential Information Leak] [dom/media/gmp/GMPChild.cpp] [Lines 584-591]
[Old Code]
(No equivalent code)
[Fixed Code]
#if !defined(XP_WIN) || !defined(_ARM64_)
  // Send the last bits of Glean data over to the main process.
  glean::FlushFOGData(
      [](ByteBuf&& aBuf) { glean::SendFOGData(std::move(aBuf)); });
#endif
Additional Details: The addition of telemetry data flushing could potentially expose sensitive information if not properly sanitized, though this appears to be a standard telemetry mechanism.

3. Vulnerability Existed: not sure
[Potential IPC Security Issue] [dom/media/gmp/GMPChild.cpp] [Lines 676-694]
[Old Code]
(No equivalent code)
[Fixed Code]
mozilla::ipc::IPCResult GMPChild::RecvFlushFOGData(
    FlushFOGDataResolver&& aResolver) {
  GMP_CHILD_LOG_DEBUG("GMPChild RecvFlushFOGData");
  glean::FlushFOGData(std::move(aResolver));
  return IPC_OK();
}

mozilla::ipc::IPCResult GMPChild::RecvTestTriggerMetrics(
    TestTriggerMetricsResolver&& aResolve) {
  GMP_CHILD_LOG_DEBUG("GMPChild RecvTestTriggerMetrics");
  mozilla::glean::test_only_ipc::a_counter.Add(
      nsIXULRuntime::PROCESS_TYPE_GMPLUGIN);
  aResolve(true);
  return IPC_OK();
}
Additional Details: The new IPC message handlers should be reviewed for proper validation of incoming data and appropriate permissions, though no obvious vulnerabilities are visible in this implementation.

Note: While no clear vulnerabilities are evident from the diff, the changes introduce new functionality (telemetry and DLL loading) that should be carefully reviewed for potential security implications. The analysis is marked "not sure" as a thorough security review would require examining the complete context and implementation details of the added features.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/toolkit/components/typeaheadfind/nsTypeAheadFind.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/toolkit/components/typeaheadfind/nsTypeAheadFind.h@@ -13,7 +13,6 @@ #include "nsIWebBrowserFind.h" #include "nsWeakReference.h" #include "nsITypeAheadFind.h"-#include "nsISound.h" class nsPIDOMWindowInner; class nsPresContext;@@ -100,11 +99,6 @@ // used for disabling the "not found" sound when using backspace or delete uint32_t mLastFindLength;- // Sound is played asynchronously on some platforms.- // If we destroy mSoundInterface before sound has played, it won't play- nsCOMPtr<nsISound> mSoundInterface;- bool mIsSoundInitialized;- // where selection was when user started the find RefPtr<nsRange> mStartFindRange; RefPtr<nsRange> mSearchRange;
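Review bot: with `#include "nsISound.h"`, `mSoundInterface` and `mIsSoundInitialized` removed, the surviving context comment above `mLastFindLength` ("used for disabling the "not found" sound when using backspace or delete") is now stale and should be reworded or dropped. The hunk also only touches the header, so the matching nsTypeAheadFind.cpp change that stops using `mSoundInterface` needs to land in the same patch or the build breaks.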
Based on the provided diff, here's the analysis:

Vulnerability Existed: not sure
[Potential Resource Management Issue] [nsTypeAheadFind.h] [Lines 100-106]
[Old Code]
// Sound is played asynchronously on some platforms.
// If we destroy mSoundInterface before sound has played, it won't play
nsCOMPtr<nsISound> mSoundInterface;
bool mIsSoundInitialized;
[Fixed Code]
[Removed]
Additional Details:
1. The diff shows removal of sound-related functionality (nsISound interface and associated variables). While this might indicate a security fix, there's no clear evidence of a specific vulnerability being addressed.
2. The removal could be related to:
   - Simplifying the code by removing unused features
   - Potential resource management issues (though not confirmed)
   - Security hardening by reducing attack surface (removing sound interface)
3. Without more context from the commit message or related changes, we can't definitively identify a specific vulnerability.

Note: The removal of nsISound could potentially be related to security hardening, but there's no clear vulnerability name or evidence that this was fixing an actual exploit. The comment suggests there might have been timing issues with sound playback, but this doesn't necessarily indicate a security vulnerability.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/mozglue/baseprofiler/core/platform-linux-android.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/mozglue/baseprofiler/core/platform-linux-android.cpp@@ -470,36 +470,21 @@ // // We provide no paf_child() function to run in the child after forking. This // is fine because we always immediately exec() after fork(), and exec()-// clobbers all process state. (At one point we did have a paf_child()-// function, but it caused problems related to locking gPSMutex. See bug-// 1348374.)+// clobbers all process state. Also, we don't want the sampler to resume in the+// child process between fork() and exec(), it would be wasteful. // // Unfortunately all this is only doable on non-Android because Bionic doesn't // have pthread_atfork.-// In the parent, before the fork, record IsSamplingPaused, and then pause.-static void paf_prepare() {- MOZ_RELEASE_ASSERT(CorePS::Exists());-- PSAutoLock lock;-- if (ActivePS::Exists(lock)) {- ActivePS::SetWasSamplingPaused(lock, ActivePS::IsSamplingPaused(lock));- ActivePS::SetIsSamplingPaused(lock, true);- }-}--// In the parent, after the fork, return IsSamplingPaused to the pre-fork state.-static void paf_parent() {- MOZ_RELEASE_ASSERT(CorePS::Exists());-- PSAutoLock lock;-- if (ActivePS::Exists(lock)) {- ActivePS::SetIsSamplingPaused(lock, ActivePS::WasSamplingPaused(lock));- ActivePS::SetWasSamplingPaused(lock, false);- }-}+// In the parent, before the fork, increase gSkipSampling to ensure that+// profiler sampling loops will be skipped. 
There could be one in progress now,+// causing a small delay, but further sampling will be skipped, allowing `fork`+// to complete.+static void paf_prepare() { ++gSkipSampling; }++// In the parent, after the fork, decrease gSkipSampling to let the sampler+// resume sampling (unless other places have made it non-zero as well).+static void paf_parent() { --gSkipSampling; } static void PlatformInit(PSLockRef aLock) { // Set up the fork handlers.
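Review bot: `paf_prepare` now does a bare `++gSkipSampling` with no lock while the new comment admits a sampling loop may be running concurrently; the declaration of `gSkipSampling` is not in the hunk, so the review should confirm it is an atomic (the sampler thread reads it while the forking thread writes it) and that the sampler re-checks it on every iteration, otherwise the promise that "further sampling will be skipped, allowing `fork` to complete" does not hold. The deleted sentence about bug 1348374 was the only record of why there is no `paf_child()`; keeping that pointer in the comment would save the next reader from re-deriving it.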
Analyzing the provided code diff for security fixes:

1. Vulnerability Existed: not sure
[Potential Race Condition] [mozglue/baseprofiler/core/platform-linux-android.cpp] [Lines 470-506]
[Old Code]
```cpp
static void paf_prepare() {
  MOZ_RELEASE_ASSERT(CorePS::Exists());
  PSAutoLock lock;
  if (ActivePS::Exists(lock)) {
    ActivePS::SetWasSamplingPaused(lock, ActivePS::IsSamplingPaused(lock));
    ActivePS::SetIsSamplingPaused(lock, true);
  }
}

static void paf_parent() {
  MOZ_RELEASE_ASSERT(CorePS::Exists());
  PSAutoLock lock;
  if (ActivePS::Exists(lock)) {
    ActivePS::SetIsSamplingPaused(lock, ActivePS::WasSamplingPaused(lock));
    ActivePS::SetWasSamplingPaused(lock, false);
  }
}
```
[Fixed Code]
```cpp
static void paf_prepare() { ++gSkipSampling; }
static void paf_parent() { --gSkipSampling; }
```
Additional Details: The change simplifies the fork handling mechanism by using a simple counter instead of complex locking and state management. While not explicitly a security fix, it reduces complexity which could potentially mitigate race conditions or deadlocks in the previous implementation. The comment suggests the previous implementation had issues with locking (bug 1348374).

2. Vulnerability Existed: not sure
[Potential Deadlock Risk] [mozglue/baseprofiler/core/platform-linux-android.cpp] [Lines 470-506]
[Old Code]
```cpp
// Previous implementation with PSAutoLock in fork handlers
```
[Fixed Code]
```cpp
// New implementation using atomic counter without locks
```
Additional Details: The removal of locking operations (PSAutoLock) in fork handlers could be addressing potential deadlock risks, as fork handlers are sensitive contexts where locking can be problematic (especially when combined with other locks in the process). The comment references previous problems with locking gPSMutex.
Note: While these changes appear to be reliability/performance improvements rather than explicit security fixes, they do address potential concurrency issues that could have security implications in edge cases. The exact vulnerabilities (if any) being fixed aren't specified in the diff.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/browser/components/places/content/editBookmark.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/browser/components/places/content/editBookmark.js@@ -2,19 +2,30 @@ * License, v. 2.0. If a copy of the MPL was not distributed with this file, * You can obtain one at http://mozilla.org/MPL/2.0/. */+/* global MozXULElement */++// This is defined in browser.js and only used in the star UI.+/* global setToolbarVisibility */++/* import-globals-from controller.js */+ var { XPCOMUtils } = ChromeUtils.import( "resource://gre/modules/XPCOMUtils.jsm" );+var { Services } = ChromeUtils.import("resource://gre/modules/Services.jsm");+ XPCOMUtils.defineLazyModuleGetters(this, { CustomizableUI: "resource:///modules/CustomizableUI.jsm",+ PlacesUtils: "resource://gre/modules/PlacesUtils.jsm",+ PlacesUIUtils: "resource:///modules/PlacesUIUtils.jsm",+ PlacesTransactions: "resource://gre/modules/PlacesTransactions.jsm", }); var gEditItemOverlay = { // Array of PlacesTransactions accumulated by internal changes. It can be used // to wait for completion. 
transactionPromises: null,- _observersAdded: false, _staticFoldersListBuilt: false, _didChangeFolder: false,@@ -335,23 +346,6 @@ ); }- // Observe changes.- if (!this._observersAdded) {- PlacesUtils.bookmarks.addObserver(this);- this.handlePlacesEvents = this.handlePlacesEvents.bind(this);- PlacesUtils.observers.addListener(- [- "bookmark-moved",- "bookmark-tags-changed",- "bookmark-title-changed",- "bookmark-url-changed",- ],- this.handlePlacesEvents- );- window.addEventListener("unload", this);- this._observersAdded = true;- }- let focusElement = () => { // The focusedElement possible values are: // * preferred: focus the field that the user touched first the last@@ -543,8 +537,6 @@ } },- QueryInterface: ChromeUtils.generateQI(["nsINavBookmarkObserver"]),- _element(aID) { return document.getElementById("editBMPanel_" + aID); },@@ -562,21 +554,6 @@ if (!tagsSelectorRow.collapsed) { this.toggleTagsSelector().catch(Cu.reportError); }- }-- if (this._observersAdded) {- PlacesUtils.bookmarks.removeObserver(this);- PlacesUtils.observers.removeListener(- [- "bookmark-moved",- "bookmark-tags-changed",- "bookmark-title-changed",- "bookmark-url-changed",- ],- this.handlePlacesEvents- );- window.removeEventListener("unload", this);- this._observersAdded = false; } if (this._folderMenuListListenerAdded) {@@ -1148,64 +1125,6 @@ } },- async handlePlacesEvents(events) {- for (const event of events) {- switch (event.type) {- case "bookmark-moved":- if (!this._paneInfo.isItem || this._paneInfo.itemId != event.id) {- return;- }-- this._paneInfo.parentGuid = event.parentGuid;-- if (- !this._paneInfo.visibleRows.has("folderRow") ||- event.parentGuid === this._folderMenuList.selectedItem.folderGuid- ) {- return;- }-- // Just setting selectItem _does not_ trigger oncommand, so we don't- // recurse.- const bm = await PlacesUtils.bookmarks.fetch(event.parentGuid);- this._folderMenuList.selectedItem = this._getFolderMenuItem(- event.parentGuid,- bm.title- );- break;- case 
"bookmark-tags-changed":- if (this._paneInfo.visibleRows.has("tagsRow")) {- this._onTagsChange(event.guid).catch(Cu.reportError);- }- break;- case "bookmark-title-changed":- if (this._paneInfo.isItem || this._paneInfo.isTag) {- // This also updates titles of folders in the folder menu list.- this._onItemTitleChange(event.id, event.title, event.guid);- }- break;- case "bookmark-url-changed":- if (!this._paneInfo.isItem || this._paneInfo.itemId != event.id) {- return;- }-- const newURI = Services.io.newURI(event.url);- if (!newURI.equals(this._paneInfo.uri)) {- this._paneInfo.uri = newURI;- if (this._paneInfo.visibleRows.has("locationRow")) {- this._initLocationField();- }-- if (this._paneInfo.visibleRows.has("tagsRow")) {- delete this._paneInfo._cachedCommonTags;- this._onTagsChange(event.guid, newURI).catch(Cu.reportError);- }- }- break;- }- }- },- toggleItemCheckbox(item) { // Update the tags field when items are checked/unchecked in the listbox let tags = this._getTagsArrayFromTagsInputField();@@ -1240,92 +1159,6 @@ } this._initTextField(this._tagsField, tags.join(", "));- },-- async _onTagsChange(guid, changedURI = null) {- let paneInfo = this._paneInfo;- let updateTagsField = false;- if (paneInfo.isURI) {- if (paneInfo.isBookmark && guid == paneInfo.itemGuid) {- updateTagsField = true;- } else if (!paneInfo.isBookmark) {- if (!changedURI) {- let href = (await PlacesUtils.bookmarks.fetch(guid)).url.href;- changedURI = Services.io.newURI(href);- }- updateTagsField = changedURI.equals(paneInfo.uri);- }- } else if (paneInfo.bulkTagging) {- if (!changedURI) {- let href = (await PlacesUtils.bookmarks.fetch(guid)).url.href;- changedURI = Services.io.newURI(href);- }- if (paneInfo.uris.some(uri => uri.equals(changedURI))) {- updateTagsField = true;- delete this._paneInfo._cachedCommonTags;- }- } else {- throw new Error("_onTagsChange called unexpectedly");- }-- if (updateTagsField) {- this._initTagsField();- // Any tags change should be reflected in the tags selector.- 
if (this._element("tagsSelector")) {- await this._rebuildTagsSelectorList();- }- }- },-- _onItemTitleChange(aItemId, aNewTitle, aGuid) {- if (aItemId == this._paneInfo.itemId || aGuid == this._paneInfo.itemGuid) {- this._paneInfo.title = aNewTitle;- this._initTextField(this._namePicker, aNewTitle);- } else if (this._paneInfo.visibleRows.has("folderRow")) {- // If the title of a folder which is listed within the folders- // menulist has been changed, we need to update the label of its- // representing element.- let menupopup = this._folderMenuList.menupopup;- for (let menuitem of menupopup.children) {- if ("folderGuid" in menuitem && menuitem.folderGuid == aGuid) {- menuitem.label = aNewTitle;- break;- }- }- }- // We need to also update title of recent folders.- if (this._recentFolders) {- for (let folder of this._recentFolders) {- if (folder.folderGuid == aGuid) {- folder.title = aNewTitle;- break;- }- }- }- },-- // nsINavBookmarkObserver- onItemChanged(- aItemId,- aProperty,- aIsAnnotationProperty,- aValue,- aLastModified,- aItemType,- aParentId,- aGuid- ) {- if (!this._paneInfo.isItem || this._paneInfo.itemId != aItemId) {- return;- }-- switch (aProperty) {- case "keyword":- if (this._paneInfo.visibleRows.has("keywordRow")) {- this._initKeywordField(aValue).catch(Cu.reportError);- }- break;- } }, };
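Review bot: removing the `PlacesUtils.bookmarks.addObserver` / `PlacesUtils.observers.addListener` registration together with `handlePlacesEvents`, `_onTagsChange`, `_onItemTitleChange` and `onItemChanged` means the edit panel no longer refreshes when a bookmark is moved, retitled, retagged or gets a new URL elsewhere while the panel is open; nothing in the hunk replaces that (the added `PlacesTransactions` import and `transactionPromises` only track the panel's own edits). Ask where external updates are now handled, and confirm no remaining caller references the deleted methods (`toggleItemCheckbox` and `_rebuildTagsSelectorList` survive and are unaffected).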
Based on the provided code diff, I'll analyze the changes for potential security fixes. The main changes involve removing bookmark observer functionality and related code.

1. Vulnerability Existed: not sure
[Potential Memory Leak/Unregistering Observers] [browser/components/places/content/editBookmark.js] [Lines: 335-23, 543, 562-21, 1148-64, 1240-92, 1159-6]
[Old Code: Various observer registration and handling code]
[Fixed Code: Removed all observer-related code]
Additional Details:
- The diff shows removal of all bookmark observer functionality including:
  - Removal of `_observersAdded` flag and related checks
  - Removal of observer registration (`PlacesUtils.bookmarks.addObserver`, `PlacesUtils.observers.addListener`)
  - Removal of observer cleanup code
  - Removal of all observer handler methods (`handlePlacesEvents`, `_onTagsChange`, `_onItemTitleChange`, `onItemChanged`)
  - Removal of `QueryInterface` implementation for `nsINavBookmarkObserver`

While this doesn't appear to fix a specific named vulnerability, it could potentially address:
1. Memory leaks from unregistered observers
2. Race conditions in observer handling
3. Cleaner resource management
4. Potential security issues from stale observer references

The changes suggest a refactoring to move away from direct observer pattern to a more controlled transaction-based approach (note the added `PlacesTransactions` import). This architectural change likely improves reliability and security by reducing the attack surface of live observers.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/quote/.cargo-checksum.json+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/quote/.cargo-checksum.json@@ -1 +1 @@
351a680577d520ebb35905633c77533e8bc4b20642a5c438a51c94b2cc85145","tests/compiletest.rs":"0a52a44786aea1c299c695bf948b2ed2081e4cc344e5c2cadceab4eb03d0010d","tests/test.rs":"a8f5a0e85854dc0232686989a7f451bb5baea3b5d48c80251da46442015b084b","tests/ui/does-not-have-iter-interpolated-dup.rs":"ad13eea21d4cdd2ab6c082f633392e1ff20fb0d1af5f2177041e0bf7f30da695","tests/ui/does-not-have-iter-interpolated-dup.stderr":"833ccb8e0b7f5327eaba20d2f1975c63c8d152a5da9bf7be50e874fd617263dc","tests/ui/does-not-have-iter-interpolated.rs":"83a5b3f240651adcbe4b6e51076d76d653ad439b37442cf4054f1fd3c073f3b7","tests/ui/does-not-have-iter-interpolated.stderr":"4f1dee2aed73362fa761b17430c34d7d050f03cedb49dbe6ef51c456a03c07af","tests/ui/does-not-have-iter-separated.rs":"fe413c48331d5e3a7ae5fef6a5892a90c72f610d54595879eb49d0a94154ba3f","tests/ui/does-not-have-iter-separated.stderr":"a731b784d867ad1503c56511ef4c25f5938a6aab86196df0e7196df5ac08c2d6","tests/ui/does-not-have-iter.rs":"09dc9499d861b63cebb0848b855b78e2dc9497bfde37ba6339f3625ae009a62f","tests/ui/does-not-have-iter.stderr":"ada583e7f9043521e0dbfc013fda9d63853acb982901ee73c4481814bc522610","tests/ui/not-quotable.rs":"5759d0884943417609f28faadc70254a3e2fd3d9bd6ff7297a3fb70a77fafd8a","tests/ui/not-quotable.stderr":"3f04500a826311e60da500d165005e6f4c6438caaa84f32288771010c232c6ce","tests/ui/not-repeatable.rs":"a4b115c04e4e41049a05f5b69450503fbffeba031218b4189cb931839f7f9a9c","tests/ui/not-repeatable.stderr":"b17b74b25e7fb2e37593a9c11755be033a2d8fd44090f74124c872d91154d7e7","tests/ui/wrong-type-span.rs":"6195e35ea844c0c52ba1cff5d790c3a371af6915d137d377834ad984229ef9ea","tests/ui/wrong-type-span.stderr":"c986de5cb858272636c9e36ae5f57e5ee13589d4f1a73a050b21824010314f8d"},"package":"47aa80447ce4daf1717500037052af176af5d38cc3e571d9ec1c7353fc10c87d"}=========accessible/windows/msaa/MsaaAccessible.cpp========--- 
/root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/accessible/windows/msaa/MsaaAccessible.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/accessible/windows/msaa/MsaaAccessible.cpp@@ -1439,12 +1439,9 @@ if (accessible) { return accessible->get_accDefaultAction(kVarChildIdSelf, pszDefaultAction); }- if (mAcc->IsRemote()) {- return E_NOTIMPL; // XXX Not supported for RemoteAccessible yet.- } nsAutoString defaultAction;- LocalAcc()->ActionNameAt(0, defaultAction);+ mAcc->ActionNameAt(0, defaultAction); *pszDefaultAction = ::SysAllocStringLen(defaultAction.get(), defaultAction.Length());@@ -1528,7 +1525,7 @@ kVarChildIdSelf); }- nsIntRect rect = Acc()->Bounds();+ LayoutDeviceIntRect rect = Acc()->Bounds(); *pxLeft = rect.X(); *pyTop = rect.Y(); *pcxWidth = rect.Width();@@ -1659,7 +1656,7 @@ // This is an OOP iframe. ChildAtPoint can't traverse inside it. If the // coordinates are inside this iframe, return the COM proxy for the // OOP document.- nsIntRect docRect = mAcc->AsLocal()->Bounds();+ LayoutDeviceIntRect docRect = mAcc->AsLocal()->Bounds(); if (docRect.Contains(xLeft, yTop)) { pvarChild->vt = VT_DISPATCH; disp.forget(&pvarChild->pdispVal);@@ -1684,11 +1681,8 @@ if (accessible) { return accessible->accDoDefaultAction(kVarChildIdSelf); }- if (mAcc->IsRemote()) {- return E_NOTIMPL; // XXX Not supported for RemoteAccessible yet.- }-- return LocalAcc()->DoAction(0) ? S_OK : E_INVALIDARG;++ return mAcc->DoAction(0) ? S_OK : E_INVALIDARG; } STDMETHODIMP
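Review bot: The `quote` checksum hunk records a new `package` hash (38bc8cc6… becomes 47aa8044…) and a new `rust-toolchain.toml` entry, but nothing in it says which crate version is being vendored; the commit message should name the version, and the file should be regenerated by the vendoring tool rather than hand-edited so the `package` hash can be checked against the registry copy.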
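Review bot: Dropping the `if (mAcc->IsRemote()) { return E_NOTIMPL; }` guard at 1439 and switching from `LocalAcc()->ActionNameAt(0, defaultAction)` to `mAcc->ActionNameAt(0, defaultAction)` means get_accDefaultAction now runs for RemoteAccessible objects that were previously refused outright; the hunk does not show that `ActionNameAt` gained a remote implementation, so the commit should point at where that landed, or the guard should stay until it does.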
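Review bot: At 1528 only the declared type of `rect` changes to `LayoutDeviceIntRect`, so this is a type adaptation to whatever `Acc()->Bounds()` now returns rather than a behavioural change; since `*pxLeft`/`*pyTop`/`*pcxWidth` are still filled straight from `rect`, a one-line comment stating that the rect is already in the screen coordinate space MSAA expects would make the intent reviewable without chasing `Bounds()`.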
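Review bot: At 1659 the `docRect.Contains(xLeft, yTop)` check compares caller-supplied MSAA coordinates against the `LayoutDeviceIntRect` now returned by `mAcc->AsLocal()->Bounds()`, and the hunk adds no conversion; confirm both sides are in the same coordinate space, otherwise the OOP-iframe hit test described in the comment above it silently returns the wrong child.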
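Review bot: Same concern as the get_accDefaultAction hunk: removing the `IsRemote()` early return in accDoDefaultAction at 1684 and calling `mAcc->DoAction(0)` makes a remote accessible reach a code path that used to return E_NOTIMPL, so the two removals should be justified together by the same remote implementation.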
Analyzing the provided code diff for security fixes:

1. For the rust/quote/.cargo-checksum.json file:

Vulnerability Existed: no
No specific vulnerability found in checksum file update
[This appears to be a routine dependency version update with checksum changes]

2. For accessible/windows/msaa/MsaaAccessible.cpp:

Vulnerability Existed: not sure
Potential Remote Code Execution [accessible/windows/msaa/MsaaAccessible.cpp] [1439-1447, 1681-1684]
Old Code:
    if (mAcc->IsRemote()) {
      return E_NOTIMPL;  // XXX Not supported for RemoteAccessible yet.
    }
    nsAutoString defaultAction;
    LocalAcc()->ActionNameAt(0, defaultAction);
Fixed Code:
    nsAutoString defaultAction;
    mAcc->ActionNameAt(0, defaultAction);

Vulnerability Existed: not sure
Potential Type Confusion [accessible/windows/msaa/MsaaAccessible.cpp] [1528]
Old Code:
    nsIntRect rect = Acc()->Bounds();
Fixed Code:
    LayoutDeviceIntRect rect = Acc()->Bounds();

Vulnerability Existed: not sure
Potential Bounds Checking Issue [accessible/windows/msaa/MsaaAccessible.cpp] [1659]
Old Code:
    nsIntRect docRect = mAcc->AsLocal()->Bounds();
Fixed Code:
    LayoutDeviceIntRect docRect = mAcc->AsLocal()->Bounds();

Note: The changes in MsaaAccessible.cpp appear to be:
1. Removing RemoteAccessible checks (could potentially affect security if remote objects weren't properly handled before)
2. Changing coordinate types from nsIntRect to LayoutDeviceIntRect (could fix potential integer overflow/underflow issues)
3. Removing redundant local access checks

However, without more context about the threat model and how these interfaces are used, it's difficult to confirm if these were actual security fixes or just code improvements.
If an attacker could control the contents of an iframe sandboxed with `allow-popups` but not `allow-scripts`, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.arc.shape.1.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.arc.shape.1.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#0f0'; ctx.fillRect(0, 0, 100, 50);@@ -23,12 +23,12 @@ ctx.beginPath(); ctx.arc(50, 50, 50, 0, Math.PI, false); ctx.stroke();-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");-_assertPixel(offscreenCanvas, 1,1, 0,255,0,255, "1,1", "0,255,0,255");-_assertPixel(offscreenCanvas, 98,1, 0,255,0,255, "98,1", "0,255,0,255");-_assertPixel(offscreenCanvas, 1,48, 0,255,0,255, "1,48", "0,255,0,255");-_assertPixel(offscreenCanvas, 20,48, 0,255,0,255, "20,48", "0,255,0,255");-_assertPixel(offscreenCanvas, 98,48, 0,255,0,255, "98,48", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 1,1, 0,255,0,255, "1,1", "0,255,0,255");+_assertPixel(canvas, 98,1, 0,255,0,255, "98,1", "0,255,0,255");+_assertPixel(canvas, 1,48, 0,255,0,255, "1,48", "0,255,0,255");+_assertPixel(canvas, 20,48, 0,255,0,255, "20,48", "0,255,0,255");+_assertPixel(canvas, 98,48, 0,255,0,255, "98,48", "0,255,0,255"); t.done(); });
After analyzing the provided code diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely cosmetic/refactoring, renaming a variable from `offscreenCanvas` to `canvas` for consistency or clarity. Here's the analysis:

1. Vulnerability Existed: no
No security vulnerability found [File] testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.arc.shape.1.worker.js [Lines 13-14, 23-28]
[Old Code]
    var offscreenCanvas = new OffscreenCanvas(100, 50);
    var ctx = offscreenCanvas.getContext('2d');
    _assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
[Fixed Code]
    var canvas = new OffscreenCanvas(100, 50);
    var ctx = canvas.getContext('2d');
    _assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");

The changes don't affect any security-related functionality or introduce any security fixes. It's simply a variable name change that doesn't impact the behavior or security of the code.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-cascade/unset-val-002.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-cascade/unset-val-002.html@@ -7,7 +7,6 @@ <link rel="help" href="http://www.w3.org/TR/css-cascade-3/#inherit-initial"> <link rel="help" href="http://www.w3.org/TR/css-cascade-4/#inherit-initial"> <link rel="match" href="reference/ref-filled-green-100px-square.xht">- <meta name="flags" content=""> <meta name="assert" content="display:unset should be the same as display:initial since 'display' is not an inherited property. display:unset should be the same as display:inline since 'inline' is the initial value of 'display'."> <style> .square {
Based on the provided diff, I'll analyze it for security vulnerabilities:

1. Vulnerability Existed: no
No specific vulnerability found [File] testing/web-platform/tests/css/css-cascade/unset-val-002.html [Lines] 7
Old Code:
    <meta name="flags" content="">
Fixed Code:
    (line removed)

Additional Details:
- The change simply removes an empty meta tag with name="flags" which doesn't appear to have any security implications
- This appears to be a test file cleanup rather than a security fix
- No known vulnerability patterns are present in this change
- The modification doesn't affect any security-sensitive functionality

The change seems to be related to test file maintenance rather than addressing any security concerns. The removed meta tag was empty and didn't serve any apparent security purpose.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-tables/absolute-tables-002.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-tables/absolute-tables-002.html@@ -4,7 +4,6 @@ <script src='/resources/check-layout-th.js'></script> <link rel="author" title="David Grogan" href="mailto:[email protected]"> <link rel="help" href="https://www.w3.org/TR/css-tables-3/#used-width-of-table">-<meta name="flags" content="" /> <meta name="assert" content="When sizing and positioning abspos tables, the intrinsic width is obeyed when the intrinsic width is larger than specified width" /> <style> .cb {
Analysis of the code diff:

1. Vulnerability Existed: no
No specific vulnerability found [File] [Lines 4]
Old Code:
    <meta name="flags" content="" />
Fixed Code:
    (line removed)

Additional Notes:
- The diff shows removal of an empty meta tag for "flags", which doesn't appear to be security-related
- This appears to be a test file cleanup rather than a security fix
- No known vulnerabilities are associated with this change
- The modification is in a test file (html) and doesn't involve any executable code or security-sensitive operations
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/performance/PerformanceStorageWorker.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/performance/PerformanceStorageWorker.cpp@@ -10,7 +10,7 @@ #include "PerformanceTiming.h" #include "mozilla/dom/WorkerRef.h" #include "mozilla/dom/WorkerRunnable.h"-#include "mozilla/dom/WorkerPrivate.h"+#include "mozilla/dom/WorkerScope.h" namespace mozilla::dom {
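Review bot: The swap of `#include "mozilla/dom/WorkerPrivate.h"` for `#include "mozilla/dom/WorkerScope.h"` at line 13 is not explained by anything else in the hunk; if this file still names WorkerPrivate anywhere it now compiles only through a transitive include from WorkerScope.h or the neighbouring WorkerRef.h/WorkerRunnable.h, so the commit message should say which header's declarations are actually used here, or both includes should be kept.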
Analyzing the provided code diff, here's the security assessment:

Vulnerability Existed: not sure
[Potential Header Inclusion Issue] [dom/performance/PerformanceStorageWorker.cpp] [Lines 10]
[Old Code]
    #include "mozilla/dom/WorkerPrivate.h"
[Fixed Code]
    #include "mozilla/dom/WorkerScope.h"

Additional Details:
- The change involves replacing an include of WorkerPrivate.h with WorkerScope.h
- Without more context about how these headers are used in the file, it's difficult to determine if this was a security fix
- This could potentially be related to better scope management or reducing exposure of worker internals, but we can't confirm this is a security fix without more information
- The change might be part of architectural improvements rather than a direct security fix

No clear vulnerability name can be associated with this change based on the limited information provided. The modification appears to be more about code organization than addressing a specific security issue.