Shared security patch analysis results
AI Used: DEEPSEEK deepseek-chat
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-transforms/transform-origin-012.html
+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-transforms/transform-origin-012.html
@@ -5,7 +5,6 @@
 <link rel="author" title="Jieqiong Cui" href="mailto:[email protected]">
 <link rel="help" title="8. The 'transform-origin' Property" href="http://www.w3.org/TR/css-transforms-1/#transform-origin-property">
 <link rel="match" href="transform-origin-007-ref.html">
-<meta name="flags" content="">
 <meta name="assert" content="The 'transform-origin' property set 'top' computes to 0% for the vertical position.">
 <style>
 .div1 {
Based on the provided diff, I'll analyze it for security vulnerabilities: Vulnerability Existed: no No security vulnerability found [File] testing/web-platform/tests/css/css-transforms/transform-origin-012.html [Lines 5] [Old Code] <meta name="flags" content=""> [Fixed Code] (removed line) Additional Details: The change simply removes an empty meta tag that wasn't serving any apparent purpose. This appears to be a code cleanup rather than a security fix. There's no indication of any security vulnerability being addressed by this change. The "flags" meta tag was empty and doesn't appear to have been used for any security-sensitive functionality.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/widget/windows/nsNativeThemeWin.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/widget/windows/nsNativeThemeWin.cpp@@ -32,14 +32,12 @@ #include "nsLookAndFeel.h" #include "nsMenuFrame.h" #include "nsNameSpaceManager.h"-#include "nsNativeBasicTheme.h"+#include "Theme.h" #include "nsPresContext.h" #include "nsRect.h" #include "nsSize.h" #include "nsStyleConsts.h" #include "nsTransform2D.h"-#include "nsUXThemeData.h"-#include "nsUXThemeConstants.h" #include "nsWindow.h" #include "prinrval.h" #include "WinUtils.h"@@ -48,14 +46,12 @@ using namespace mozilla::gfx; using namespace mozilla::widget;-using ScrollbarDrawingWin = mozilla::widget::ScrollbarDrawingWin;- extern mozilla::LazyLogModule gWindowsLog;-NS_IMPL_ISUPPORTS_INHERITED(nsNativeThemeWin, nsNativeTheme, nsITheme)+namespace mozilla::widget { nsNativeThemeWin::nsNativeThemeWin()- : nsNativeBasicTheme(DefaultPlatformScrollbarStyle()),+ : Theme(ScrollbarStyle()), mProgressDeterminateTimeStamp(TimeStamp::Now()), mProgressIndeterminateTimeStamp(TimeStamp::Now()), mBorderCacheValid(),@@ -77,8 +73,7 @@ // We only know how to draw light widgets, so we defer to the non-native // theme when appropriate.- if (nsNativeBasicTheme::ThemeSupportsWidget(aFrame->PresContext(), aFrame,- aAppearance) &&+ if (Theme::ThemeSupportsWidget(aFrame->PresContext(), aFrame, aAppearance) && LookAndFeel::ColorSchemeForFrame(aFrame) == LookAndFeel::ColorScheme::Dark) { return NonNative::BecauseColorMismatch;@@ -728,16 +723,6 @@ case StyleAppearance::Tabpanel: case StyleAppearance::Tabpanels: return Some(eUXTab);- case StyleAppearance::ScrollbarVertical:- case StyleAppearance::ScrollbarHorizontal:- case StyleAppearance::ScrollbarbuttonUp:- case StyleAppearance::ScrollbarbuttonDown:- case StyleAppearance::ScrollbarbuttonLeft:- case StyleAppearance::ScrollbarbuttonRight:- case 
StyleAppearance::ScrollbarthumbVertical:- case StyleAppearance::ScrollbarthumbHorizontal:- case StyleAppearance::Scrollcorner:- return Some(eUXScrollbar); case StyleAppearance::Range: case StyleAppearance::RangeThumb: return Some(eUXTrackbar);@@ -1007,67 +992,6 @@ aState = TS_NORMAL; return NS_OK; }- case StyleAppearance::ScrollbarbuttonUp:- case StyleAppearance::ScrollbarbuttonDown:- case StyleAppearance::ScrollbarbuttonLeft:- case StyleAppearance::ScrollbarbuttonRight: {- aPart = SP_BUTTON;- aState = (int(aAppearance) - int(StyleAppearance::ScrollbarbuttonUp)) * 4;- EventStates eventState = GetContentState(aFrame, aAppearance);- if (!aFrame)- aState += TS_NORMAL;- else if (eventState.HasState(NS_EVENT_STATE_DISABLED))- aState += TS_DISABLED;- else {- nsIFrame* parent = aFrame->GetParent();- EventStates parentState = GetContentState(- parent, parent->StyleDisplay()->EffectiveAppearance());- if (eventState.HasAllStates(NS_EVENT_STATE_HOVER |- NS_EVENT_STATE_ACTIVE))- aState += TS_ACTIVE;- else if (eventState.HasState(NS_EVENT_STATE_HOVER))- aState += TS_HOVER;- else if (parentState.HasState(NS_EVENT_STATE_HOVER))- aState =- (int(aAppearance) - int(StyleAppearance::ScrollbarbuttonUp)) +- SP_BUTTON_IMPLICIT_HOVER_BASE;- else- aState += TS_NORMAL;- }- return NS_OK;- }- case StyleAppearance::ScrollbarHorizontal:- case StyleAppearance::ScrollbarVertical: {- aPart = (aAppearance == StyleAppearance::ScrollbarHorizontal)- ? SP_TRACKSTARTHOR- : SP_TRACKSTARTVERT;- aState = TS_NORMAL;- return NS_OK;- }- case StyleAppearance::ScrollbarthumbHorizontal:- case StyleAppearance::ScrollbarthumbVertical: {- aPart = (aAppearance == StyleAppearance::ScrollbarthumbHorizontal)- ? 
SP_THUMBHOR- : SP_THUMBVERT;- EventStates eventState = GetContentState(aFrame, aAppearance);- if (!aFrame)- aState = TS_NORMAL;- else if (eventState.HasState(NS_EVENT_STATE_DISABLED))- aState = TS_DISABLED;- else {- if (eventState.HasState(- NS_EVENT_STATE_ACTIVE)) // Hover is not also a requirement for- // the thumb, since the drag is not- // canceled when you move outside the- // thumb.- aState = TS_ACTIVE;- else if (eventState.HasState(NS_EVENT_STATE_HOVER))- aState = TS_HOVER;- else- aState = TS_NORMAL;- }- return NS_OK;- } case StyleAppearance::Range: { if (IsRangeHorizontal(aFrame)) { aPart = TKP_TRACK;@@ -1123,8 +1047,7 @@ case StyleAppearance::MozWinMediaToolbox: case StyleAppearance::MozWinCommunicationsToolbox: case StyleAppearance::MozWinBrowsertabbarToolbox:- case StyleAppearance::Statusbar:- case StyleAppearance::Scrollcorner: {+ case StyleAppearance::Statusbar: { aState = 0; aPart = RP_BACKGROUND; return NS_OK;@@ -1280,7 +1203,7 @@ if (isHTML) { nsComboboxControlFrame* ccf = do_QueryFrame(aFrame);- isOpen = (ccf && ccf->IsDroppedDownOrHasParentPopup());+ isOpen = (ccf && ccf->IsDroppedDown()); } else isOpen = IsOpenButton(aFrame);@@ -1501,15 +1424,8 @@ const nsRect& aDirtyRect, DrawOverflow aDrawOverflow) { if (IsWidgetNonNative(aFrame, aAppearance) != NonNative::No) {- return nsNativeBasicTheme::DrawWidgetBackground(- aContext, aFrame, aAppearance, aRect, aDirtyRect, aDrawOverflow);- }-- if (IsWidgetScrollbarPart(aAppearance)) {- if (MayDrawCustomScrollbarPart(aContext, aFrame, aAppearance, aRect,- aDirtyRect)) {- return NS_OK;- }+ return Theme::DrawWidgetBackground(aContext, aFrame, aAppearance, aRect,+ aDirtyRect, aDrawOverflow); } HANDLE theme = GetTheme(aAppearance);@@ -1865,26 +1781,6 @@ widgetRect.bottom = widgetRect.top + TB_SEPARATOR_HEIGHT; DrawThemeEdge(theme, hdc, RP_BAND, 0, &widgetRect, EDGE_ETCHED, BF_TOP, nullptr);- } else if (aAppearance == StyleAppearance::ScrollbarthumbHorizontal ||- aAppearance == 
StyleAppearance::ScrollbarthumbVertical) {- // Draw the decorative gripper for the scrollbar thumb button, if it fits-- SIZE gripSize;- MARGINS thumbMgns;- int gripPart = (aAppearance == StyleAppearance::ScrollbarthumbHorizontal)- ? SP_GRIPPERHOR- : SP_GRIPPERVERT;-- if (GetThemePartSize(theme, hdc, gripPart, state, nullptr, TS_TRUE,- &gripSize) == S_OK &&- GetThemeMargins(theme, hdc, part, state, TMT_CONTENTMARGINS, nullptr,- &thumbMgns) == S_OK &&- gripSize.cx + thumbMgns.cxLeftWidth + thumbMgns.cxRightWidth <=- widgetRect.right - widgetRect.left &&- gripSize.cy + thumbMgns.cyTopHeight + thumbMgns.cyBottomHeight <=- widgetRect.bottom - widgetRect.top) {- DrawThemeBackground(theme, hdc, gripPart, state, &widgetRect, &clipRect);- } } nativeDrawing.EndNativeDrawing();@@ -1902,7 +1798,7 @@ layers::RenderRootStateManager* aManager, nsIFrame* aFrame, StyleAppearance aAppearance, const nsRect& aRect) { if (IsWidgetNonNative(aFrame, aAppearance) != NonNative::No) {- return nsNativeBasicTheme::CreateWebRenderCommandsForWidget(+ return Theme::CreateWebRenderCommandsForWidget( aBuilder, aResources, aSc, aManager, aFrame, aAppearance, aRect); } return false;@@ -1948,9 +1844,6 @@ aAppearance == StyleAppearance::Statusbar || aAppearance == StyleAppearance::Resizer || aAppearance == StyleAppearance::Tabpanel ||- aAppearance == StyleAppearance::ScrollbarHorizontal ||- aAppearance == StyleAppearance::ScrollbarVertical ||- aAppearance == StyleAppearance::Scrollcorner || aAppearance == StyleAppearance::Menuitem || aAppearance == StyleAppearance::Checkmenuitem || aAppearance == StyleAppearance::Radiomenuitem ||@@ -2159,8 +2052,8 @@ StyleAppearance aAppearance, nsRect* aOverflowRect) { if (IsWidgetNonNative(aFrame, aAppearance) != NonNative::No) {- return nsNativeBasicTheme::GetWidgetOverflow(aContext, aFrame, aAppearance,- aOverflowRect);+ return Theme::GetWidgetOverflow(aContext, aFrame, aAppearance,+ aOverflowRect); } /* This is disabled for now, because it causes invalidation 
problems --@@ -2214,8 +2107,8 @@ LayoutDeviceIntSize* aResult, bool* aIsOverridable) { if (IsWidgetNonNative(aFrame, aAppearance) == NonNative::Always) {- return nsNativeBasicTheme::GetMinimumWidgetSize(- aPresContext, aFrame, aAppearance, aResult, aIsOverridable);+ return Theme::GetMinimumWidgetSize(aPresContext, aFrame, aAppearance,+ aResult, aIsOverridable); } aResult->width = aResult->height = 0;@@ -2266,14 +2159,6 @@ // Windows appears to always use metrics when drawing standard scrollbars) THEMESIZE sizeReq = TS_TRUE; // Best-fit size switch (aAppearance) {- case StyleAppearance::ScrollbarthumbVertical:- case StyleAppearance::ScrollbarthumbHorizontal:- case StyleAppearance::ScrollbarbuttonUp:- case StyleAppearance::ScrollbarbuttonDown:- case StyleAppearance::ScrollbarbuttonLeft:- case StyleAppearance::ScrollbarbuttonRight:- case StyleAppearance::ScrollbarHorizontal:- case StyleAppearance::ScrollbarVertical: case StyleAppearance::MozMenulistArrowButton: { rv = ClassicGetMinimumWidgetSize(aFrame, aAppearance, aResult, aIsOverridable);@@ -2328,17 +2213,6 @@ } ScaleForFrameDPI(aResult, aFrame); return rv;- }-- case StyleAppearance::Scrollcorner: {- if (nsLookAndFeel::GetInt(nsLookAndFeel::IntID::UseOverlayScrollbars) !=- 0) {- aResult->SizeTo(::GetSystemMetrics(SM_CXHSCROLL),- ::GetSystemMetrics(SM_CYVSCROLL));- ScaleForFrameDPI(aResult, aFrame);- return rv;- }- break; } case StyleAppearance::Separator:@@ -2535,8 +2409,7 @@ } if (IsWidgetNonNative(aFrame, aAppearance) == NonNative::Always) {- return nsNativeBasicTheme::ThemeSupportsWidget(aPresContext, aFrame,- aAppearance);+ return Theme::ThemeSupportsWidget(aPresContext, aFrame, aAppearance); } HANDLE theme = nullptr;@@ -2568,7 +2441,7 @@ bool nsNativeThemeWin::ThemeDrawsFocusForWidget(nsIFrame* aFrame, StyleAppearance aAppearance) { if (IsWidgetNonNative(aFrame, aAppearance) != NonNative::No) {- return nsNativeBasicTheme::ThemeDrawsFocusForWidget(aFrame, aAppearance);+ return 
Theme::ThemeDrawsFocusForWidget(aFrame, aAppearance); } switch (aAppearance) { case StyleAppearance::Menulist:@@ -2616,12 +2489,7 @@ nsITheme::Transparency nsNativeThemeWin::GetWidgetTransparency( nsIFrame* aFrame, StyleAppearance aAppearance) { if (IsWidgetNonNative(aFrame, aAppearance) != NonNative::No) {- return nsNativeBasicTheme::GetWidgetTransparency(aFrame, aAppearance);- }-- if (auto transparency = GetScrollbarDrawing().GetScrollbarPartTransparency(- aFrame, aAppearance)) {- return *transparency;+ return Theme::GetWidgetTransparency(aFrame, aAppearance); } switch (aAppearance) {@@ -2687,15 +2555,6 @@ case StyleAppearance::Range: case StyleAppearance::RangeThumb: case StyleAppearance::Groupbox:- case StyleAppearance::ScrollbarbuttonUp:- case StyleAppearance::ScrollbarbuttonDown:- case StyleAppearance::ScrollbarbuttonLeft:- case StyleAppearance::ScrollbarbuttonRight:- case StyleAppearance::ScrollbarthumbVertical:- case StyleAppearance::ScrollbarthumbHorizontal:- case StyleAppearance::ScrollbarVertical:- case StyleAppearance::ScrollbarHorizontal:- case StyleAppearance::Scrollcorner: case StyleAppearance::Menulist: case StyleAppearance::MenulistButton: case StyleAppearance::MozMenulistArrowButton:@@ -2848,31 +2707,6 @@ (*aResult).height = 8; // No good metrics available for this *aIsOverridable = false; break;- case StyleAppearance::ScrollbarbuttonUp:- case StyleAppearance::ScrollbarbuttonDown:- // For scrollbar-width:thin, we don't display the buttons.- if (!ScrollbarDrawing::IsScrollbarWidthThin(aFrame)) {- (*aResult).width = ::GetSystemMetrics(SM_CXVSCROLL);- (*aResult).height = ::GetSystemMetrics(SM_CYVSCROLL);- }- *aIsOverridable = false;- break;- case StyleAppearance::ScrollbarbuttonLeft:- case StyleAppearance::ScrollbarbuttonRight:- // For scrollbar-width:thin, we don't display the buttons.- if (!ScrollbarDrawing::IsScrollbarWidthThin(aFrame)) {- (*aResult).width = ::GetSystemMetrics(SM_CXHSCROLL);- (*aResult).height = ::GetSystemMetrics(SM_CYHSCROLL);- 
}- *aIsOverridable = false;- break;- case StyleAppearance::ScrollbarVertical:- // XXX HACK We should be able to have a minimum height for the scrollbar- // track. However, this causes problems when uncollapsing a scrollbar- // inside a tree. See bug 201379 for details.-- // (*aResult).height = ::GetSystemMetrics(SM_CYVTHUMB) << 1;- break; case StyleAppearance::RangeThumb: { if (IsRangeHorizontal(aFrame)) { (*aResult).width = 12;@@ -2918,39 +2752,6 @@ *aIsOverridable = false; break; }- case StyleAppearance::ScrollbarthumbVertical:- (*aResult).width = ::GetSystemMetrics(SM_CXVSCROLL);- (*aResult).height = ::GetSystemMetrics(SM_CYVTHUMB);- // Without theming, divide the thumb size by two in order to look more- // native- if (!GetTheme(aAppearance)) {- (*aResult).height >>= 1;- }- // If scrollbar-width is thin, divide the thickness by two to make- // it look more compact.- if (ScrollbarDrawing::IsScrollbarWidthThin(aFrame)) {- aResult->width >>= 1;- }- *aIsOverridable = false;- break;- case StyleAppearance::ScrollbarthumbHorizontal:- (*aResult).width = ::GetSystemMetrics(SM_CXHTHUMB);- (*aResult).height = ::GetSystemMetrics(SM_CYHSCROLL);- // Without theming, divide the thumb size by two in order to look more- // native- if (!GetTheme(aAppearance)) {- (*aResult).width >>= 1;- }- // If scrollbar-width is thin, divide the thickness by two to make- // it look more compact.- if (ScrollbarDrawing::IsScrollbarWidthThin(aFrame)) {- aResult->height >>= 1;- }- *aIsOverridable = false;- break;- case StyleAppearance::ScrollbarHorizontal:- (*aResult).width = ::GetSystemMetrics(SM_CXHTHUMB) << 1;- break; case StyleAppearance::Menuseparator: { aResult->width = 0; aResult->height = 10;@@ -3000,25 +2801,6 @@ return NS_OK; }-auto nsNativeThemeWin::GetScrollbarSizes(nsPresContext* aPresContext,- StyleScrollbarWidth aWidth, Overlay)- -> ScrollbarSizes {- ScrollbarSizes sizes{::GetSystemMetrics(SM_CXVSCROLL),- ::GetSystemMetrics(SM_CYHSCROLL)};- if (aWidth == StyleScrollbarWidth::Thin) {- 
sizes.mVertical = sizes.mVertical >> 1;- sizes.mHorizontal = sizes.mHorizontal >> 1;- }-- double themeScale = GetThemeDpiScaleFactor(aPresContext);- if (themeScale != 1.0) {- sizes.mVertical = NSToIntRound(sizes.mVertical * themeScale);- sizes.mHorizontal = NSToIntRound(sizes.mHorizontal * themeScale);- }-- return sizes;-}- nsresult nsNativeThemeWin::ClassicGetThemePartAndState( nsIFrame* aFrame, StyleAppearance aAppearance, int32_t& aPart, int32_t& aState, bool& aFocused) {@@ -3163,11 +2945,6 @@ case StyleAppearance::MenulistButton: case StyleAppearance::Range: case StyleAppearance::RangeThumb:- case StyleAppearance::ScrollbarthumbVertical:- case StyleAppearance::ScrollbarthumbHorizontal:- case StyleAppearance::ScrollbarVertical:- case StyleAppearance::ScrollbarHorizontal:- case StyleAppearance::Scrollcorner: case StyleAppearance::Statusbar: case StyleAppearance::Statusbarpanel: case StyleAppearance::Resizerpanel:@@ -3204,7 +2981,7 @@ if (isHTML) { nsComboboxControlFrame* ccf = do_QueryFrame(aFrame);- isOpen = (ccf && ccf->IsDroppedDownOrHasParentPopup());+ isOpen = (ccf && ccf->IsDroppedDown()); } else isOpen = IsOpenButton(aFrame);@@ -3215,39 +2992,6 @@ // Dropdown button active state doesn't need :hover. 
if (eventState.HasState(NS_EVENT_STATE_ACTIVE)) aState |= DFCS_PUSHED | DFCS_FLAT;-- return NS_OK;- }- case StyleAppearance::ScrollbarbuttonUp:- case StyleAppearance::ScrollbarbuttonDown:- case StyleAppearance::ScrollbarbuttonLeft:- case StyleAppearance::ScrollbarbuttonRight: {- EventStates contentState = GetContentState(aFrame, aAppearance);-- aPart = DFC_SCROLL;- switch (aAppearance) {- case StyleAppearance::ScrollbarbuttonUp:- aState = DFCS_SCROLLUP;- break;- case StyleAppearance::ScrollbarbuttonDown:- aState = DFCS_SCROLLDOWN;- break;- case StyleAppearance::ScrollbarbuttonLeft:- aState = DFCS_SCROLLLEFT;- break;- case StyleAppearance::ScrollbarbuttonRight:- aState = DFCS_SCROLLRIGHT;- break;- default:- break;- }-- if (contentState.HasState(NS_EVENT_STATE_DISABLED)) {- aState |= DFCS_INACTIVE;- } else if (contentState.HasAllStates(NS_EVENT_STATE_HOVER |- NS_EVENT_STATE_ACTIVE)) {- aState |= DFCS_PUSHED | DFCS_FLAT;- } return NS_OK; }@@ -3548,10 +3292,6 @@ // Draw controls supported by DrawFrameControl case StyleAppearance::Checkbox: case StyleAppearance::Radio:- case StyleAppearance::ScrollbarbuttonUp:- case StyleAppearance::ScrollbarbuttonDown:- case StyleAppearance::ScrollbarbuttonLeft:- case StyleAppearance::ScrollbarbuttonRight: case StyleAppearance::SpinnerUpbutton: case StyleAppearance::SpinnerDownbutton: case StyleAppearance::MozMenulistArrowButton:@@ -3627,12 +3367,6 @@ break; }- // Draw scrollbar thumb- case StyleAppearance::ScrollbarthumbVertical:- case StyleAppearance::ScrollbarthumbHorizontal:- ::DrawEdge(hdc, &widgetRect, EDGE_RAISED, BF_RECT | BF_MIDDLE);-- break; case StyleAppearance::RangeThumb: { EventStates eventState = GetContentState(aFrame, aAppearance);@@ -3644,32 +3378,6 @@ } break;- }- // Draw scrollbar track background- case StyleAppearance::ScrollbarVertical:- case StyleAppearance::ScrollbarHorizontal: {- // Windows fills in the scrollbar track differently- // depending on whether these are equal- DWORD color3D, colorScrollbar, 
colorWindow;-- color3D = ::GetSysColor(COLOR_3DFACE);- colorWindow = ::GetSysColor(COLOR_WINDOW);- colorScrollbar = ::GetSysColor(COLOR_SCROLLBAR);-- if ((color3D != colorScrollbar) && (colorWindow != colorScrollbar))- // Use solid brush- ::FillRect(hdc, &widgetRect, (HBRUSH)(COLOR_SCROLLBAR + 1));- else {- DrawCheckedRect(hdc, widgetRect, COLOR_3DHILIGHT, COLOR_3DFACE,- (HBRUSH)COLOR_SCROLLBAR + 1);- }- // XXX should invert the part of the track being clicked here- // but the track is never :active-- break;- }- case StyleAppearance::Scrollcorner: {- ::FillRect(hdc, &widgetRect, (HBRUSH)(COLOR_SCROLLBAR + 1)); } // Draw scale track background case StyleAppearance::Range: {@@ -3948,180 +3656,12 @@ } }-static nscolor GetScrollbarTrackColor(nsIFrame* aFrame) {- bool darkScrollbar = false;- ComputedStyle* style =- ScrollbarDrawingWin::GetCustomScrollbarStyle(aFrame, &darkScrollbar);- if (style) {- const nsStyleUI* ui = style->StyleUI();- auto* customColors = ui->mScrollbarColor.IsAuto()- ? nullptr- : &ui->mScrollbarColor.AsColors();- if (customColors) {- return customColors->track.CalcColor(*style);- }- }- return darkScrollbar ? NS_RGBA(20, 20, 25, 77) : NS_RGB(240, 240, 240);-}--static nscolor GetScrollbarThumbColor(nsIFrame* aFrame,- EventStates aEventStates) {- bool darkScrollbar = false;- ComputedStyle* style =- ScrollbarDrawingWin::GetCustomScrollbarStyle(aFrame, &darkScrollbar);- nscolor color =- darkScrollbar ? NS_RGBA(249, 249, 250, 102) : NS_RGB(205, 205, 205);- if (style) {- const nsStyleUI* ui = style->StyleUI();- auto* customColors = ui->mScrollbarColor.IsAuto()- ? 
nullptr- : &ui->mScrollbarColor.AsColors();- if (customColors) {- color = customColors->thumb.CalcColor(*style);- }- }- return ThemeColors::AdjustUnthemedScrollbarThumbColor(color, aEventStates);-}--// This tries to draw a Windows 10 style scrollbar with given colors.-bool nsNativeThemeWin::MayDrawCustomScrollbarPart(gfxContext* aContext,- nsIFrame* aFrame,- StyleAppearance aAppearance,- const nsRect& aRect,- const nsRect& aClipRect) {- ComputedStyle* style = ScrollbarDrawingWin::GetCustomScrollbarStyle(aFrame);- if (!style) {- return false;- }-- EventStates eventStates = GetContentState(aFrame, aAppearance);-- gfxContextAutoSaveRestore autoSave(aContext);- RefPtr<gfxContext> ctx = aContext;- DrawTarget* dt = ctx->GetDrawTarget();- gfxFloat p2a = gfxFloat(aFrame->PresContext()->AppUnitsPerDevPixel());- gfxRect rect = ThebesRect(NSRectToSnappedRect(aRect, p2a, *dt));- gfxRect clipRect = ThebesRect(NSRectToSnappedRect(aClipRect, p2a, *dt));- ctx->Clip(clipRect);-- nscolor trackColor = GetScrollbarTrackColor(aFrame);-- switch (aAppearance) {- case StyleAppearance::ScrollbarHorizontal:- case StyleAppearance::ScrollbarVertical:- case StyleAppearance::Scrollcorner: {- ctx->SetColor(sRGBColor::FromABGR(trackColor));- ctx->Rectangle(rect);- ctx->Fill();- return true;- }- default:- break;- }-- // Scrollbar thumb and button are two CSS pixels thinner than the track.- gfxRect bgRect = rect;- gfxFloat dev2css = round(AppUnitsPerCSSPixel() / p2a);- switch (aAppearance) {- case StyleAppearance::ScrollbarthumbVertical:- case StyleAppearance::ScrollbarbuttonUp:- case StyleAppearance::ScrollbarbuttonDown:- bgRect.Deflate(dev2css, 0);- break;- case StyleAppearance::ScrollbarthumbHorizontal:- case StyleAppearance::ScrollbarbuttonLeft:- case StyleAppearance::ScrollbarbuttonRight:- bgRect.Deflate(0, dev2css);- break;- default:- MOZ_ASSERT_UNREACHABLE("Unknown widget type");- }-- switch (aAppearance) {- case StyleAppearance::ScrollbarthumbVertical:- case 
StyleAppearance::ScrollbarthumbHorizontal: {- nscolor faceColor = GetScrollbarThumbColor(aFrame, eventStates);- ctx->SetColor(sRGBColor::FromABGR(faceColor));- ctx->Rectangle(bgRect);- ctx->Fill();- break;- }- case StyleAppearance::ScrollbarbuttonUp:- case StyleAppearance::ScrollbarbuttonDown:- case StyleAppearance::ScrollbarbuttonLeft:- case StyleAppearance::ScrollbarbuttonRight: {- nscolor buttonColor = GetScrollbarDrawing().GetScrollbarButtonColor(- trackColor, eventStates);- ctx->SetColor(sRGBColor::FromABGR(buttonColor));- ctx->Rectangle(bgRect);- ctx->Fill();-- // We use the path of scrollbar up arrow on Windows 10 which is- // in a 17x17 area.- const gfxFloat kSize = 17.0;- // Setup the transform matrix.- gfxFloat width = rect.Width();- gfxFloat height = rect.Height();- gfxFloat size = std::min(width, height);- gfxFloat left = (width - size) / 2.0 + rect.x;- gfxFloat top = (height - size) / 2.0 + rect.y;- gfxFloat scale = size / kSize;- gfxFloat rad = 0.0;- if (aAppearance == StyleAppearance::ScrollbarbuttonRight) {- rad = M_PI / 2;- } else if (aAppearance == StyleAppearance::ScrollbarbuttonDown) {- rad = M_PI;- } else if (aAppearance == StyleAppearance::ScrollbarbuttonLeft) {- rad = -M_PI / 2;- }- gfx::Matrix mat = ctx->CurrentMatrix();- mat.PreTranslate(left, top);- mat.PreScale(scale, scale);- if (rad != 0.0) {- const gfxFloat kOffset = kSize / 2.0;- mat.PreTranslate(kOffset, kOffset);- mat.PreRotate(rad);- mat.PreTranslate(-kOffset, -kOffset);- }- ctx->SetMatrix(mat);- // The arrow should not have antialias applied.- ctx->SetAntialiasMode(gfx::AntialiasMode::NONE);- // Set the arrow path.- ctx->NewPath();- ctx->MoveTo(gfxPoint(5.0, 9.0));- ctx->LineTo(gfxPoint(8.5, 6.0));- ctx->LineTo(gfxPoint(12.0, 9.0));- ctx->LineTo(gfxPoint(12.0, 12.0));- ctx->LineTo(gfxPoint(8.5, 9.0));- ctx->LineTo(gfxPoint(5.0, 12.0));- ctx->ClosePath();- // And paint the arrow.- nscolor arrowColor =- GetScrollbarDrawing()- .GetScrollbarArrowColor(buttonColor)- .valueOrFrom(- [&] 
{ return GetScrollbarThumbColor(aFrame, eventStates); });- ctx->SetColor(sRGBColor::FromABGR(arrowColor));- ctx->Fill();- break;- }- default:- MOZ_ASSERT_UNREACHABLE("Unknown widget type");- }- return true;-}+} // namespace mozilla::widget /////////////////////////////////////////// // Creation Routine ///////////////////////////////////////////-already_AddRefed<nsITheme> do_GetNativeThemeDoNotUseDirectly() {- static nsCOMPtr<nsITheme> inst;-- if (!inst) {- inst = new nsNativeThemeWin();- ClearOnShutdown(&inst);- }-- return do_AddRef(inst);-}+already_AddRefed<Theme> do_CreateNativeThemeDoNotUseDirectly() {+ return do_AddRef(new nsNativeThemeWin());+}
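Review bot: `do_CreateNativeThemeDoNotUseDirectly` hands out a new `nsNativeThemeWin` on every call, whereas the removed `do_GetNativeThemeDoNotUseDirectly` kept one instance in a static `nsCOMPtr` registered with `ClearOnShutdown`, so the single-instance and shutdown-release guarantees now rest entirely on the caller. The constructor hunk earlier in this diff initialises per-instance state (`mBorderCacheValid`, the two progress timestamps), so two callers reaching this function would end up with independent caches; presumably the caching moved behind `Theme.h`, which is outside this diff, but that is worth confirming. A short contract comment above the new function would make this explicit: `// Returns a fresh, unshared instance; the caller is expected to hold the single cached theme.`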
Based on the provided code diff, I'll analyze it for security fixes. The changes appear to be primarily architectural refactoring rather than security fixes, but I'll examine them carefully. 1. Vulnerability Existed: no Architectural Refactoring [File] nsNativeThemeWin.cpp [Lines] Throughout [Old Code] Multiple references to nsNativeBasicTheme, scrollbar-related code [Fixed Code] Replaced with Theme class and removed scrollbar implementation The main changes are: 1. Replacing nsNativeBasicTheme with Theme class 2. Removing all scrollbar-related implementation code 3. Changing inheritance from nsNativeBasicTheme to Theme 4. Removing scrollbar drawing functionality These changes appear to be part of a larger architectural refactoring rather than security fixes. The removal of scrollbar code suggests this functionality was moved elsewhere rather than being fixed for security reasons. No specific security vulnerabilities are being addressed in this diff. The changes are focused on code organization and architecture rather than patching security issues. The scrollbar removal might be related to performance or maintainability rather than security. Additional notes: - No CVEs or specific vulnerability patterns are being addressed - No memory safety issues or input validation problems are being fixed - The changes don't introduce any obvious new security concerns - The modifications are consistent with a planned architectural change rather than an emergency security patch
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/toolkit/components/printing/tests/browser_window_print.js
+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/toolkit/components/printing/tests/browser_window_print.js
@@ -274,3 +274,32 @@
 }
 );
 });
+
+add_task(async function test_base_uri_srcdoc() {
+ is(
+ document.querySelector(".printPreviewBrowser"),
+ null,
+ "There shouldn't be any print preview browser"
+ );
+
+ const PARENT_URI = `${TEST_PATH}file_window_print_srcdoc_base_uri.html`;
+ await BrowserTestUtils.withNewTab(PARENT_URI, async function(browser) {
+ info(
+ "Waiting for window.print() to run and ensure we're showing the preview..."
+ );
+
+ let helper = new PrintHelper(browser);
+ await helper.waitForDialog();
+
+ let previewBrowser = document.querySelector(".printPreviewBrowser");
+ isnot(previewBrowser, null, "Should open the print preview correctly");
+
+ let baseURI = await SpecialPowers.spawn(previewBrowser, [], () => {
+ return content.document.baseURI;
+ });
+
+ is(baseURI, PARENT_URI, "srcdoc print document base uri should be right");
+
+ gBrowser.getTabDialogBox(browser).abortAllDialogs();
+ });
+});
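Review bot: `test_base_uri_srcdoc` only checks that the previewed document's `baseURI` equals `PARENT_URI`; it never confirms that the document being previewed is the srcdoc frame rather than the parent page, and the parent page trivially has that base URI, so a regression that previewed the wrong document would still pass. Assuming `file_window_print_srcdoc_base_uri.html` (outside this diff) prints from a srcdoc iframe, as its name suggests, pinning the document's identity as well would make the assertion meaningful, e.g. `let docURI = await SpecialPowers.spawn(previewBrowser, [], () => content.document.documentURI);` followed by `is(docURI, "about:srcdoc", "preview should be the srcdoc document");`, provided the print clone preserves the srcdoc URL. A one-line comment above the `is(baseURI, ...)` call stating why the base URI must match the parent would also help future readers, since the test message alone does not say what is at stake.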
After analyzing the provided code diff, here's the security assessment: Vulnerability Existed: not sure [Potential Base URI Manipulation] [toolkit/components/printing/tests/browser_window_print.js] [Lines 274-306] [Old Code] (No test existed for base URI handling in srcdoc printing context) [Fixed Code] add_task(async function test_base_uri_srcdoc() { // ... test implementation ... let baseURI = await SpecialPowers.spawn(previewBrowser, [], () => { return content.document.baseURI; }); is(baseURI, PARENT_URI, "srcdoc print document base uri should be right"); }); Additional Details: 1. The diff adds a new test case for verifying base URI handling in srcdoc printing scenarios. 2. While this does not fix an explicit vulnerability, it tests security-sensitive behavior: the base URI determines how relative URLs in the printed document resolve, so an incorrectly inherited base URI would be a security-relevant bug. 3. The test ensures that when printing srcdoc content, the base URI is properly inherited from the parent document rather than being set to some default or attacker-controlled value. Note: This appears to be a proactive test addition rather than a fix for a known vulnerability, but it's testing security-relevant behavior.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/compositing/2d.composite.clip.copy.worker.js
+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/compositing/2d.composite.clip.copy.worker.js
@@ -13,8 +13,8 @@
 });
 t.step(function() {
-var offscreenCanvas = new OffscreenCanvas(100, 50);
-var ctx = offscreenCanvas.getContext('2d');
+var canvas = new OffscreenCanvas(100, 50);
+var ctx = canvas.getContext('2d');
 ctx.fillStyle = '#0f0';
@@ -24,8 +24,8 @@
 ctx.clip();
 ctx.fillStyle = '#f00';
 ctx.fillRect(0, 0, 50, 50);
-_assertPixel(offscreenCanvas, 25,25, 0,255,0,255, "25,25", "0,255,0,255");
-_assertPixel(offscreenCanvas, 75,25, 0,255,0,255, "75,25", "0,255,0,255");
+_assertPixel(canvas, 25,25, 0,255,0,255, "25,25", "0,255,0,255");
+_assertPixel(canvas, 75,25, 0,255,0,255, "75,25", "0,255,0,255");
 t.done();
 });
Based on the provided code diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely variable renaming for better code clarity. Here's the analysis: 1. Vulnerability Existed: no No Vulnerability Found [File] testing/web-platform/tests/html/canvas/offscreen/compositing/2d.composite.clip.copy.worker.js Old Code: var offscreenCanvas = new OffscreenCanvas(100, 50); var ctx = offscreenCanvas.getContext('2d'); Fixed Code: var canvas = new OffscreenCanvas(100, 50); var ctx = canvas.getContext('2d'); 2. Vulnerability Existed: no No Vulnerability Found [File] testing/web-platform/tests/html/canvas/offscreen/compositing/2d.composite.clip.copy.worker.js Old Code: _assertPixel(offscreenCanvas, 25,25, 0,255,0,255, "25,25", "0,255,0,255"); _assertPixel(offscreenCanvas, 75,25, 0,255,0,255, "75,25", "0,255,0,255"); Fixed Code: _assertPixel(canvas, 25,25, 0,255,0,255, "25,25", "0,255,0,255"); _assertPixel(canvas, 75,25, 0,255,0,255, "75,25", "0,255,0,255"); The changes simply rename the variable `offscreenCanvas` to `canvas` throughout the file, which doesn't appear to address any security issues but rather improves code consistency or readability. No security-related functionality was modified.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/ppv-lite86/src/x86_64/mod.rs
+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/ppv-lite86/src/x86_64/mod.rs
@@ -119,16 +119,16 @@
 p
 }
 }
-impl<'a> Into<&'a [u32; 4]> for &'a vec128_storage {
- #[inline(always)]
- fn into(self) -> &'a [u32; 4] {
- unsafe { &self.u32x4 }
- }
-}
-impl Into<vec128_storage> for [u32; 4] {
- #[inline(always)]
- fn into(self) -> vec128_storage {
- vec128_storage { u32x4: self }
+impl<'a> From<&'a vec128_storage> for &'a [u32; 4] {
+ #[inline(always)]
+ fn from(x: &'a vec128_storage) -> Self {
+ unsafe { &x.u32x4 }
+ }
+}
+impl From<[u32; 4]> for vec128_storage {
+ #[inline(always)]
+ fn from(u32x4: [u32; 4]) -> Self {
+ vec128_storage { u32x4 }
 }
 }
 impl Default for vec128_storage {
@@ -154,10 +154,10 @@
 sse2: [vec128_storage; 2],
 avx: __m256i,
 }
-impl Into<vec256_storage> for [u64; 4] {
- #[inline(always)]
- fn into(self) -> vec256_storage {
- vec256_storage { u64x4: self }
+impl From<[u64; 4]> for vec256_storage {
+ #[inline(always)]
+ fn from(u64x4: [u64; 4]) -> Self {
+ vec256_storage { u64x4 }
 }
 }
 impl Default for vec256_storage {
@@ -221,10 +221,10 @@ macro_rules! impl_into { ($storage:ident, $array:ty, $name:ident) => {
- impl Into<$array> for $storage {
+ impl From<$storage> for $array {
 #[inline(always)]
- fn into(self) -> $array {
- unsafe { self.$name }
+ fn from(vec: $storage) -> Self {
+ unsafe { vec.$name }
 } } };
I'll analyze the provided code diff for security fixes following the specified format. Vulnerability Existed: no [Code Style Improvement] [third_party/rust/ppv-lite86/src/x86_64/mod.rs] [119-131, 154-158, 221-226] [Old Code] impl<'a> Into<&'a [u32; 4]> for &'a vec128_storage { #[inline(always)] fn into(self) -> &'a [u32; 4] { unsafe { &self.u32x4 } } } impl Into<vec128_storage> for [u32; 4] { #[inline(always)] fn into(self) -> vec128_storage { vec128_storage { u32x4: self } } } [Fixed Code] impl<'a> From<&'a vec128_storage> for &'a [u32; 4] { #[inline(always)] fn from(x: &'a vec128_storage) -> Self { unsafe { &x.u32x4 } } } impl From<[u32; 4]> for vec128_storage { #[inline(always)] fn from(u32x4: [u32; 4]) -> Self { vec128_storage { u32x4 } } } Additional Details: This appears to be a code style improvement rather than a security fix. The changes convert `Into` trait implementations to `From` trait implementations, which is the preferred style in Rust since `From` implementations automatically provide `Into` implementations. The unsafe blocks remain unchanged, suggesting no security vulnerability was addressed. Similar changes were made for other type conversions in the file. 
Vulnerability Existed: no [Code Style Improvement] [third_party/rust/ppv-lite86/src/x86_64/mod.rs] [154-158] [Old Code] impl Into<vec256_storage> for [u64; 4] { #[inline(always)] fn into(self) -> vec256_storage { vec256_storage { u64x4: self } } } [Fixed Code] impl From<[u64; 4]> for vec256_storage { #[inline(always)] fn from(u64x4: [u64; 4]) -> Self { vec256_storage { u64x4 } } } Vulnerability Existed: no [Code Style Improvement] [third_party/rust/ppv-lite86/src/x86_64/mod.rs] [221-226] [Old Code] impl Into<$array> for $storage { #[inline(always)] fn into(self) -> $array { unsafe { self.$name } } } [Fixed Code] impl From<$storage> for $array { #[inline(always)] fn from(vec: $storage) -> Self { unsafe { vec.$name } } } The changes appear to be purely stylistic improvements following Rust best practices, with no indication of security vulnerabilities being addressed. The unsafe blocks remain in place, suggesting the security implications of those operations were not changed.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/webxr/resources/webxr_util.js
+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/webxr/resources/webxr_util.js
@@ -129,6 +129,7 @@
 xr_debug(name, 'session start');
 testSession = session;
 session.mode = sessionMode;
+ session.sessionInit = sessionInit;
 let glLayer = new XRWebGLLayer(session, sessionObjects.gl, gllayerProperties);
 glLayer.context = sessionObjects.gl;
 // Session must have a baseLayer or frame requests
Let me analyze the code diff for potential security fixes. Vulnerability Existed: not sure [Potential Session Initialization Issue] [testing/web-platform/tests/webxr/resources/webxr_util.js] [Lines 129-132] [Old Code] testSession = session; session.mode = sessionMode; let glLayer = new XRWebGLLayer(session, sessionObjects.gl, gllayerProperties); [Fixed Code] testSession = session; session.mode = sessionMode; session.sessionInit = sessionInit; let glLayer = new XRWebGLLayer(session, sessionObjects.gl, gllayerProperties); Additional Details: The diff shows the addition of `session.sessionInit = sessionInit;`, which stores the session's init options on the test session object. This does not correspond to any known named vulnerability, and the file is a test helper under testing/web-platform/tests, so the change affects test code rather than shipping browser code. Without more context about the sessionInit object and how it is used, it cannot be determined whether this fixes a security issue or only improves test correctness. Note: There are no other visible changes in this diff that would indicate additional security fixes.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/media/libwebp/src/utils/huffman_encode_utils.c+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/media/libwebp/src/utils/huffman_encode_utils.c@@ -161,7 +161,7 @@ // especially when population counts are longer than 2**tree_limit, but // we are not planning to use this with extremely long blocks. //-// See http://en.wikipedia.org/wiki/Huffman_coding+// See https://en.wikipedia.org/wiki/Huffman_coding static void GenerateOptimalTree(const uint32_t* const histogram, int histogram_size, HuffmanTree* tree, int tree_depth_limit,
Based on the provided code diff, here's the analysis: Vulnerability Existed: no [No vulnerability found] [media/libwebp/src/utils/huffman_encode_utils.c] [Lines 161] [Old Code: See http://en.wikipedia.org/wiki/Huffman_coding] [Fixed Code: See https://en.wikipedia.org/wiki/Huffman_coding] Additional Details: 1. The change only updates a URL in a comment from HTTP to HTTPS; it is a documentation hygiene improvement and doesn't fix any vulnerability in the code. 2. This is a documentation/comment change rather than a code logic change. 3. No functionality or security-relevant code was modified. 4. The HTTPS link only benefits a reader who follows the reference; because the text is a comment, it has no effect on the program's execution.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.css-color-4-hsl-4.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.css-color-4-hsl-4.worker.js@@ -13,14 +13,14 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillStyle = 'hsl(120.0, 100.0%, 50.0%, 20%)'; ctx.fillRect(0, 0, 100, 50);-_assertPixel(offscreenCanvas, 50,25, 0,255,0,51, "50,25", "0,255,0,51");+_assertPixel(canvas, 50,25, 0,255,0,51, "50,25", "0,255,0,51"); t.done(); });
Based on the provided diff, I'll analyze it for security vulnerabilities: 1. Vulnerability Existed: no No specific vulnerability found [File] [Lines 13-21] [Old Code] var offscreenCanvas = new OffscreenCanvas(100, 50); var ctx = offscreenCanvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillStyle = 'hsl(120.0, 100.0%, 50.0%, 20%)'; ctx.fillRect(0, 0, 100, 50); _assertPixel(offscreenCanvas, 50,25, 0,255,0,51, "50,25", "0,255,0,51"); [Fixed Code] var canvas = new OffscreenCanvas(100, 50); var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillStyle = 'hsl(120.0, 100.0%, 50.0%, 20%)'; ctx.fillRect(0, 0, 100, 50); _assertPixel(canvas, 50,25, 0,255,0,51, "50,25", "0,255,0,51"); The changes appear to be purely cosmetic/refactoring, renaming the variable `offscreenCanvas` to `canvas` and updating the references accordingly. There are no security-related changes or vulnerability fixes in this diff. The functionality remains exactly the same, only the variable name has changed.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.clip.unaffected.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.clip.unaffected.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillRect(0, 0, 100, 50);@@ -27,7 +27,7 @@ ctx.clip(); ctx.lineTo(0, 0); ctx.fill();-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); t.done(); });
Based on the provided diff, I'll analyze it for security vulnerabilities: 1. Vulnerability Existed: no No specific vulnerability found [File] testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.clip.unaffected.worker.js [Lines] 13-27 [Old Code] var offscreenCanvas = new OffscreenCanvas(100, 50); var ctx = offscreenCanvas.getContext('2d'); ... _assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); [Fixed Code] var canvas = new OffscreenCanvas(100, 50); var ctx = canvas.getContext('2d'); ... _assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); The changes appear to be purely variable renaming from `offscreenCanvas` to `canvas` throughout the file. There are no security-related changes in this diff, just a refactoring of variable names for consistency or clarity. No known vulnerability patterns are being addressed here.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/canvas/OffscreenCanvas.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/canvas/OffscreenCanvas.h@@ -36,7 +36,7 @@ struct ImageEncodeOptions; using OwningOffscreenRenderingContext = class- OwningImageBitmapRenderingContextOrWebGLRenderingContextOrWebGL2RenderingContextOrGPUCanvasContext;+ OwningOffscreenCanvasRenderingContext2DOrImageBitmapRenderingContextOrWebGLRenderingContextOrWebGL2RenderingContextOrGPUCanvasContext; // This is helper class for transferring OffscreenCanvas to worker thread. // Because OffscreenCanvas is not thread-safe. So we cannot pass Offscreen-@@ -151,6 +151,8 @@ bool ShouldResistFingerprinting() const;+ bool IsTransferredFromElement() const { return !!mDisplay; }+ private: ~OffscreenCanvas();
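Review bot: `IsTransferredFromElement()` in the second hunk lands without a comment, and nothing near it explains why a non-null `mDisplay` means the canvas was transferred from an element, so a caller has to chase the setter before trusting the name. A one-line comment above the method would close that gap, e.g. `// True when this OffscreenCanvas was transferred from a <canvas> element; mDisplay is only set on that path (see where it is assigned).`, with the exact condition confirmed against the assignment site since it is not visible here. The class body continues outside the hunk.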
Analyzing the provided code diff for security fixes: 1. Vulnerability Existed: not sure [Potential Type Confusion/Incomplete Context Handling] [File: dom/canvas/OffscreenCanvas.h] [Lines: 36-37] [Old Code] using OwningOffscreenRenderingContext = class OwningImageBitmapRenderingContextOrWebGLRenderingContextOrWebGL2RenderingContextOrGPUCanvasContext; [Fixed Code] using OwningOffscreenRenderingContext = class OwningOffscreenCanvasRenderingContext2DOrImageBitmapRenderingContextOrWebGLRenderingContextOrWebGL2RenderingContextOrGPUCanvasContext; Additional Details: The change adds OffscreenCanvasRenderingContext2D to the union type. While this could be related to security (preventing potential type confusion), without more context it's unclear if this was fixing an actual vulnerability. 2. Vulnerability Existed: not sure [Potential Information Leak] [File: dom/canvas/OffscreenCanvas.h] [Lines: 151] [Old Code] (no IsTransferredFromElement method) [Fixed Code] bool IsTransferredFromElement() const { return !!mDisplay; } Additional Details: The addition of this method could be related to security checks for canvas fingerprinting resistance (given the nearby ShouldResistFingerprinting() method), but without more context it's unclear if this was fixing an actual vulnerability or just adding functionality. Note: Neither change clearly indicates a specific vulnerability fix, but both could be related to security hardening. More context about the actual security issues being addressed would be needed to make a definitive determination.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/tests/mochitest/bugs/test_bug1171215.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/tests/mochitest/bugs/test_bug1171215.html@@ -13,7 +13,21 @@ SimpleTest.waitForExplicitFinish(); /** Test for Bug 1022869 **/- function startTest() {+ async function startTest() {+ // Bug 1746646: Make mochitests work with TCP enabled (cookieBehavior = 5)+ // Acquire storage access permission here so that the storage used to+ // hold cookies with the opened windows works in xorigin tests. Otherwise,+ // the iframe containing this page is isolated from first-party storage+ // access, which denies access to the same cookie store+ if (isXOrigin) {+ SpecialPowers.wrap(document).notifyUserGestureActivation();+ await SpecialPowers.addPermission(+ "storageAccessAPI",+ true,+ window.location.href+ );+ await SpecialPowers.wrap(document).requestStorageAccess();+ } // Initialize our cookie. document.cookie = "a=b";
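Review bot: The `storageAccessAPI` permission granted through `SpecialPowers.addPermission` inside the `isXOrigin` branch is never revoked in the visible hunk, so it can outlive this test and alter the behaviour of later tests in the same run; scoping it with `SpecialPowers.pushPermissions`, or pairing it with `SpecialPowers.removePermission("storageAccessAPI", window.location.href)` when the test finishes, keeps the grant local to this test. `isXOrigin` is also used without a definition in the hunk, presumably supplied by the mochitest harness, and a short comment naming where it comes from would help the next reader. `startTest()` continues past the end of the hunk, so a cleanup may already exist further down.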
Analyzing the provided code diff, here's the security analysis: Vulnerability Existed: not sure [Cross-Origin Storage Access Issue] [dom/tests/mochitest/bugs/test_bug1171215.html] [Lines 13-21] [Old Code] ```javascript function startTest() { ``` [Fixed Code] ```javascript async function startTest() { // Bug 1746646: Make mochitests work with TCP enabled (cookieBehavior = 5) // Acquire storage access permission here so that the storage used to // hold cookies with the opened windows works in xorigin tests. Otherwise, // the iframe containing this page is isolated from first-party storage // access, which denies access to the same cookie store if (isXOrigin) { SpecialPowers.wrap(document).notifyUserGestureActivation(); await SpecialPowers.addPermission( "storageAccessAPI", true, window.location.href ); await SpecialPowers.wrap(document).requestStorageAccess(); } ``` Additional Details: 1. The change adds storage access permission handling for cross-origin tests, suggesting there might have been a potential issue with cross-origin storage access in test environments. 2. The fix implements proper storage access API usage with user gesture activation, which is a security best practice. 3. While this appears to be more of a test reliability fix than a direct security vulnerability fix, it does address potential test failures that could mask real security issues. 4. The comment references "Bug 1746646" which relates to Total Cookie Protection (TCP) mode, suggesting this is part of Firefox's enhanced privacy protections.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/darling/tests/split_declaration.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/darling/tests/split_declaration.rs@@ -1,16 +1,8 @@ //! When input is split across multiple attributes on one element, //! darling should collapse that into one struct.-#[macro_use]-extern crate darling;-#[macro_use]-extern crate syn;-#[macro_use]-extern crate quote;--use std::string::ToString;- use darling::{Error, FromDeriveInput};+use syn::parse_quote; #[derive(Debug, FromDeriveInput, PartialEq, Eq)] #[darling(attributes(split))]@@ -47,10 +39,7 @@ let pr = Lorem::from_derive_input(&di).unwrap_err(); assert!(pr.has_span());- assert_eq!(- pr.to_string(),- Error::duplicate_field("foo").to_string()- );+ assert_eq!(pr.to_string(), Error::duplicate_field("foo").to_string()); } #[test]
Based on the provided code diff, I don't see any clear security vulnerabilities being fixed. The changes appear to be primarily code cleanup and modernization rather than security fixes. Here's my analysis: 1. Vulnerability Existed: no Code Cleanup [third_party/rust/darling/tests/split_declaration.rs] [Lines 1-16] Old Code: ```rust #[macro_use] extern crate darling; #[macro_use] extern crate syn; #[macro_use] extern crate quote; use std::string::ToString; ``` Fixed Code: ```rust use darling::{Error, FromDeriveInput}; use syn::parse_quote; ``` 2. Vulnerability Existed: no Code Formatting [third_party/rust/darling/tests/split_declaration.rs] [Lines 47-50] Old Code: ```rust assert_eq!( pr.to_string(), Error::duplicate_field("foo").to_string() ); ``` Fixed Code: ```rust assert_eq!(pr.to_string(), Error::duplicate_field("foo").to_string()); ``` The changes consist of: 1. Removing old-style extern crate declarations and unused imports (modern Rust code typically doesn't need these) 2. Formatting code to be more compact 3. Adding necessary imports in a more modern way None of these changes appear to be security-related fixes. They're more about code quality and modernization.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/widget/gtk/DMABufSurface.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/widget/gtk/DMABufSurface.cpp@@ -54,14 +54,6 @@ #define BUFFER_FLAGS 0-#ifndef VA_FOURCC_NV12-# define VA_FOURCC_NV12 0x3231564E-#endif--#ifndef VA_FOURCC_YV12-# define VA_FOURCC_YV12 0x32315659-#endif- static RefPtr<GLContext> sSnapshotContext; static Atomic<int> gNewSurfaceUID(1);@@ -157,7 +149,6 @@ DMABufSurface::DMABufSurface(SurfaceType aSurfaceType) : mSurfaceType(aSurfaceType),- mBufferModifier(DRM_FORMAT_MOD_INVALID), mBufferPlaneCount(0), mDrmFormats(), mStrides(),@@ -173,6 +164,9 @@ for (auto& slot : mDmabufFds) { slot = -1; }+ for (auto& modifier : mBufferModifiers) {+ modifier = DRM_FORMAT_MOD_INVALID;+ } } DMABufSurface::~DMABufSurface() {@@ -318,7 +312,7 @@ } else { uint32_t handle = nsGbmLib::GetHandleForPlane(mGbmBufferObject[0], aPlane).u32;- int ret = nsGbmLib::DrmPrimeHandleToFD(GetDMABufDevice()->GetGbmDeviceFd(),+ int ret = nsGbmLib::DrmPrimeHandleToFD(GetDMABufDevice()->GetDRMFd(), handle, 0, &mDmabufFds[aPlane]); if (ret < 0) { mDmabufFds[aPlane] = -1;@@ -366,7 +360,7 @@ GetDMABufDevice()->GetGbmDevice(), mWidth, mHeight, mGmbFormat->mFormat, mGmbFormat->mModifiers, mGmbFormat->mModifiersCount); if (mGbmBufferObject[0]) {- mBufferModifier = nsGbmLib::GetModifier(mGbmBufferObject[0]);+ mBufferModifiers[0] = nsGbmLib::GetModifier(mGbmBufferObject[0]); } }@@ -376,7 +370,7 @@ mGbmBufferObject[0] = nsGbmLib::Create(GetDMABufDevice()->GetGbmDevice(), mWidth, mHeight, mGmbFormat->mFormat, mGbmBufferFlags);- mBufferModifier = DRM_FORMAT_MOD_INVALID;+ mBufferModifiers[0] = DRM_FORMAT_MOD_INVALID; } if (!mGbmBufferObject[0]) {@@ -384,7 +378,7 @@ return false; }- if (mBufferModifier != DRM_FORMAT_MOD_INVALID) {+ if (mBufferModifiers[0] != DRM_FORMAT_MOD_INVALID) { mBufferPlaneCount = 
nsGbmLib::GetPlaneCount(mGbmBufferObject[0]); if (mBufferPlaneCount > DMABUF_BUFFER_PLANES) { LOGDMABUF((" There's too many dmabuf planes!"));@@ -411,8 +405,8 @@ mWidth = desc.width()[0]; mHeight = desc.height()[0];- mBufferModifier = desc.modifier();- if (mBufferModifier != DRM_FORMAT_MOD_INVALID) {+ mBufferModifiers[0] = desc.modifier()[0];+ if (mBufferModifiers[0] != DRM_FORMAT_MOD_INVALID) { mGmbFormat = GetDMABufDevice()->GetExactGbmFormat(desc.format()[0]); } else { mDrmFormats[0] = desc.format()[0];@@ -466,6 +460,7 @@ AutoTArray<uint32_t, DMABUF_BUFFER_PLANES> strides; AutoTArray<uint32_t, DMABUF_BUFFER_PLANES> offsets; AutoTArray<uintptr_t, DMABUF_BUFFER_PLANES> images;+ AutoTArray<uint64_t, DMABUF_BUFFER_PLANES> modifiers; AutoTArray<ipc::FileDescriptor, 1> fenceFDs; AutoTArray<ipc::FileDescriptor, 1> refCountFDs;@@ -479,6 +474,7 @@ width.AppendElement(mWidth); height.AppendElement(mHeight); format.AppendElement(mGmbFormat->mFormat);+ modifiers.AppendElement(mBufferModifiers[0]); for (int i = 0; i < mBufferPlaneCount; i++) { fds.AppendElement(ipc::FileDescriptor(mDmabufFds[i])); strides.AppendElement(mStrides[i]);@@ -496,8 +492,8 @@ } aOutDescriptor = SurfaceDescriptorDMABuf(- mSurfaceType, mBufferModifier, mGbmBufferFlags, fds, width, height,- format, strides, offsets, GetYUVColorSpace(), mColorRange, fenceFDs, mUID,+ mSurfaceType, modifiers, mGbmBufferFlags, fds, width, height, format,+ strides, offsets, GetYUVColorSpace(), mColorRange, fenceFDs, mUID, refCountFDs); return true; }@@ -524,13 +520,13 @@ attribs.AppendElement((int)mOffsets[plane_idx]); \ attribs.AppendElement(LOCAL_EGL_DMA_BUF_PLANE##plane_idx##_PITCH_EXT); \ attribs.AppendElement((int)mStrides[plane_idx]); \- if (mBufferModifier != DRM_FORMAT_MOD_INVALID) { \+ if (mBufferModifiers[0] != DRM_FORMAT_MOD_INVALID) { \ attribs.AppendElement( \ LOCAL_EGL_DMA_BUF_PLANE##plane_idx##_MODIFIER_LO_EXT); \- attribs.AppendElement(mBufferModifier & 0xFFFFFFFF); \+ 
attribs.AppendElement(mBufferModifiers[0] & 0xFFFFFFFF); \ attribs.AppendElement( \ LOCAL_EGL_DMA_BUF_PLANE##plane_idx##_MODIFIER_HI_EXT); \- attribs.AppendElement(mBufferModifier >> 32); \+ attribs.AppendElement(mBufferModifiers[0] >> 32); \ } \ }@@ -579,9 +575,21 @@ void DMABufSurfaceRGBA::ReleaseTextures() { FenceDelete();+ if (!mTexture) {+ return;+ }+ if (!mGL) {+#ifdef NIGHTLY+ MOZ_DIAGNOSTIC_ASSERT(mGL, "Missing GL context!");+#else+ NS_WARNING(+ "DMABufSurfaceRGBA::ReleaseTextures(): Missing GL context! We're "+ "leaking textures!"); return;- }+#endif+ }+ const auto& gle = gl::GLContextEGL::Cast(mGL); const auto& egl = gle->mEgl;@@ -591,9 +599,9 @@ mGL = nullptr; }- if (mEGLImage) {+ if (mEGLImage != LOCAL_EGL_NO_IMAGE) { egl->fDestroyImage(mEGLImage);- mEGLImage = nullptr;+ mEGLImage = LOCAL_EGL_NO_IMAGE; } }@@ -619,8 +627,8 @@ struct zwp_linux_buffer_params_v1* params = zwp_linux_dmabuf_v1_create_params(waylandDisplay->GetDmabuf()); zwp_linux_buffer_params_v1_add(params, mDmabufFds[0], 0, mOffsets[0],- mStrides[0], mBufferModifier >> 32,- mBufferModifier & 0xffffffff);+ mStrides[0], mBufferModifiers[0] >> 32,+ mBufferModifiers[0] & 0xffffffff); mWlBuffer = zwp_linux_buffer_params_v1_create_immed( params, GetWidth(), GetHeight(), mGmbFormat->mFormat, 0);@@ -888,6 +896,8 @@ } if (aDesc.fourcc == VA_FOURCC_NV12) { mSurfaceType = SURFACE_NV12;+ } else if (aDesc.fourcc == VA_FOURCC_P010) {+ mSurfaceType = SURFACE_NV12; } else if (aDesc.fourcc == VA_FOURCC_YV12) { mSurfaceType = SURFACE_YUV420; } else {@@ -897,15 +907,16 @@ } mBufferPlaneCount = aDesc.num_layers;- mBufferModifier = aDesc.objects[0].drm_format_modifier; for (unsigned int i = 0; i < aDesc.num_layers; i++) {+ unsigned int object = aDesc.layers[i].object_index[0]; // Intel exports VA-API surfaces in one object,planes have the same FD. 
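Review bot: In the `ReleaseTextures()` hunk the `!mGL` branch only returns on the `#else` path; under `#ifdef NIGHTLY` execution falls through to `gl::GLContextEGL::Cast(mGL)` with a null `mGL` whenever `MOZ_DIAGNOSTIC_ASSERT` is compiled as non-fatal, and if the tree's build define is `NIGHTLY_BUILD` rather than `NIGHTLY` the assert branch never compiles in at all. Moving the `return;` below the `#endif` so the block reads `if (!mGL) { /* assert or warn */ return; }` keeps the warn-versus-assert split while guaranteeing the early exit in every configuration. The `!mTexture` early return above it is fine as written. The function continues outside the hunk.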
// AMD exports surfaces in two objects with different FDs.- bool dupFD = (aDesc.layers[i].object_index[0] != i);- int fd = aDesc.objects[aDesc.layers[i].object_index[0]].fd;+ int fd = aDesc.objects[object].fd;+ bool dupFD = (object != i); mDmabufFds[i] = dupFD ? dup(fd) : fd;+ mBufferModifiers[i] = aDesc.objects[object].drm_format_modifier; mDrmFormats[i] = aDesc.layers[i].drm_format; mOffsets[i] = aDesc.layers[i].offset[0]; mStrides[i] = aDesc.layers[i].pitch[0];@@ -1030,7 +1041,6 @@ const SurfaceDescriptorDMABuf& aDesc) { mBufferPlaneCount = aDesc.fds().Length(); mSurfaceType = (mBufferPlaneCount == 2) ? SURFACE_NV12 : SURFACE_YUV420;- mBufferModifier = aDesc.modifier(); mColorSpace = aDesc.yUVColorSpace(); mColorRange = aDesc.colorRange(); mUID = aDesc.uid();@@ -1050,6 +1060,7 @@ mDrmFormats[i] = aDesc.format()[i]; mStrides[i] = aDesc.strides()[i]; mOffsets[i] = aDesc.offsets()[i];+ mBufferModifiers[i] = aDesc.modifier()[i]; LOGDMABUF((" plane %d fd %d size %d x %d format %x", i, mDmabufFds[i], mWidth[i], mHeight[i], mDrmFormats[i])); }@@ -1078,6 +1089,7 @@ AutoTArray<ipc::FileDescriptor, DMABUF_BUFFER_PLANES> fds; AutoTArray<uint32_t, DMABUF_BUFFER_PLANES> strides; AutoTArray<uint32_t, DMABUF_BUFFER_PLANES> offsets;+ AutoTArray<uint64_t, DMABUF_BUFFER_PLANES> modifiers; AutoTArray<ipc::FileDescriptor, 1> fenceFDs; AutoTArray<ipc::FileDescriptor, 1> refCountFDs;@@ -1095,6 +1107,7 @@ fds.AppendElement(ipc::FileDescriptor(mDmabufFds[i])); strides.AppendElement(mStrides[i]); offsets.AppendElement(mOffsets[i]);+ modifiers.AppendElement(mBufferModifiers[i]); } CloseFileDescriptors(lockFD);@@ -1108,23 +1121,24 @@ } aOutDescriptor = SurfaceDescriptorDMABuf(- mSurfaceType, mBufferModifier, 0, fds, width, height, format, strides,- offsets, GetYUVColorSpace(), mColorRange, fenceFDs, mUID, refCountFDs);- return true;-}--bool DMABufSurfaceYUV::CreateTexture(GLContext* aGLContext, int aPlane) {+ mSurfaceType, modifiers, 0, fds, width, height, format, strides, offsets,+ 
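Review bot: `unsigned int object = aDesc.layers[i].object_index[0];` is used to index `aDesc.objects[object]` without comparing it against `aDesc.num_objects`, and the loop bound `aDesc.num_layers` is stored into `mBufferPlaneCount` and used to index the fixed-size `mDmabufFds[i]`/`mBufferModifiers[i]` arrays without the `> DMABUF_BUFFER_PLANES` check the RGBA path performs. Both values come from the VA-API driver's descriptor, so this is defensive rather than a known fault, but an over-long `num_layers` would write past the member arrays unless DMABUF_BUFFER_PLANES is at least as large as the descriptor's layer array. `dup(fd)` can also return -1, which is then stored as a valid-looking descriptor. A guard before the loop, `if (object >= aDesc.num_objects || aDesc.num_layers > DMABUF_BUFFER_PLANES) { /* failure path */ }`, plus a check of `dup`'s result inside it would address all three; the enclosing function starts before and continues after the hunk.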
GetYUVColorSpace(), mColorRange, fenceFDs, mUID, refCountFDs);+ return true;+}++bool DMABufSurfaceYUV::CreateEGLImage(GLContext* aGLContext, int aPlane) { LOGDMABUF(- ("DMABufSurfaceYUV::CreateTexture() UID %d plane %d", mUID, aPlane));- MOZ_ASSERT(!mEGLImage[aPlane] && !mTexture[aPlane],- "EGLImage/Texture is already created!");-- if (!aGLContext) return false;+ ("DMABufSurfaceYUV::CreateEGLImage() UID %d plane %d", mUID, aPlane));+ MOZ_ASSERT(mEGLImage[aPlane] == LOCAL_EGL_NO_IMAGE,+ "EGLImage is already created!");+ MOZ_ASSERT(aGLContext, "Missing GLContext!");+ const auto& gle = gl::GLContextEGL::Cast(aGLContext); const auto& egl = gle->mEgl; MutexAutoLock lockFD(mSurfaceLock); if (!OpenFileDescriptorForPlane(lockFD, aPlane)) {+ LOGDMABUF((" failed to open dmabuf file descriptors")); return false; }@@ -1142,13 +1156,13 @@ attribs.AppendElement((int)mOffsets[aPlane]); \ attribs.AppendElement(LOCAL_EGL_DMA_BUF_PLANE##plane_idx##_PITCH_EXT); \ attribs.AppendElement((int)mStrides[aPlane]); \- if (mBufferModifier != DRM_FORMAT_MOD_INVALID) { \+ if (mBufferModifiers[aPlane] != DRM_FORMAT_MOD_INVALID) { \ attribs.AppendElement( \ LOCAL_EGL_DMA_BUF_PLANE##plane_idx##_MODIFIER_LO_EXT); \- attribs.AppendElement(mBufferModifier & 0xFFFFFFFF); \+ attribs.AppendElement(mBufferModifiers[aPlane] & 0xFFFFFFFF); \ attribs.AppendElement( \ LOCAL_EGL_DMA_BUF_PLANE##plane_idx##_MODIFIER_HI_EXT); \- attribs.AppendElement(mBufferModifier >> 32); \+ attribs.AppendElement(mBufferModifiers[aPlane] >> 32); \ } ADD_PLANE_ATTRIBS_NV12(0); #undef ADD_PLANE_ATTRIBS_NV12@@ -1161,7 +1175,36 @@ CloseFileDescriptorForPlane(lockFD, aPlane); if (mEGLImage[aPlane] == LOCAL_EGL_NO_IMAGE) {- LOGDMABUF((" EGLImageKHR creation failed"));+ LOGDMABUF((" EGLImageKHR creation failed"));+ return false;+ }++ LOGDMABUF((" Success."));+ return true;+}++void DMABufSurfaceYUV::ReleaseEGLImages(GLContext* aGLContext) {+ LOGDMABUF(("DMABufSurfaceYUV::ReleaseEGLImages() UID %d", mUID));+ MOZ_ASSERT(aGLContext, 
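Review bot: The runtime guard `if (!aGLContext) return false;` in `CreateEGLImage()` was replaced by `MOZ_ASSERT(aGLContext, "Missing GLContext!");`, which compiles out in non-debug builds, so a null context now reaches `gl::GLContextEGL::Cast(aGLContext)` instead of failing cleanly. Keeping the assert for debug visibility and the early return for release costs one line: `MOZ_ASSERT(aGLContext, "Missing GLContext!"); if (!aGLContext) { return false; }`. The new `ReleaseEGLImages()` in the `@@ -1161` hunk uses the same assert-only guard before the cast. The function continues past the hunk.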
"Missing GLContext!");++ const auto& gle = gl::GLContextEGL::Cast(aGLContext);+ const auto& egl = gle->mEgl;++ for (int i = 0; i < mBufferPlaneCount; i++) {+ if (mEGLImage[i] != LOCAL_EGL_NO_IMAGE) {+ egl->fDestroyImage(mEGLImage[i]);+ mEGLImage[i] = LOCAL_EGL_NO_IMAGE;+ }+ }+}++bool DMABufSurfaceYUV::CreateTexture(GLContext* aGLContext, int aPlane) {+ LOGDMABUF(+ ("DMABufSurfaceYUV::CreateTexture() UID %d plane %d", mUID, aPlane));+ MOZ_ASSERT(!mTexture[aPlane], "Texture is already created!");+ MOZ_ASSERT(aGLContext, "Missing GLContext!");++ if (!CreateEGLImage(aGLContext, aPlane)) { return false; }@@ -1194,26 +1237,48 @@ } }+ if (!textureActive) {+ return;+ }+ if (!mGL) {+#ifdef NIGHTLY+ MOZ_DIAGNOSTIC_ASSERT(mGL, "Missing GL context!");+#else+ NS_WARNING(+ "DMABufSurfaceYUV::ReleaseTextures(): Missing GL context! We're "+ "leaking textures!"); return;- }- const auto& gle = gl::GLContextEGL::Cast(mGL);- const auto& egl = gle->mEgl;+#endif+ } if (textureActive && mGL->MakeCurrent()) { mGL->fDeleteTextures(DMABUF_BUFFER_PLANES, mTexture); for (int i = 0; i < DMABUF_BUFFER_PLANES; i++) { mTexture[i] = 0; }+ ReleaseEGLImages(mGL); mGL = nullptr; }+}++bool DMABufSurfaceYUV::VerifyTextureCreation() {+ LOGDMABUF(("DMABufSurfaceYUV::VerifyTextureCreation() UID %d", mUID));++ if (!EnsureSnapshotGLContext()) {+ LOGDMABUF((" failed to create GL context!"));+ return false;+ }++ auto release = MakeScopeExit([&] { ReleaseEGLImages(sSnapshotContext); }); for (int i = 0; i < mBufferPlaneCount; i++) {- if (mEGLImage[i]) {- egl->fDestroyImage(mEGLImage[i]);- mEGLImage[i] = nullptr;- }- }+ if (!CreateEGLImage(sSnapshotContext, i)) {+ return false;+ }+ }++ return true; } gfx::SurfaceFormat DMABufSurfaceYUV::GetFormat() {
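Review bot: After the new early `if (!textureActive) return;` in `DMABufSurfaceYUV::ReleaseTextures()`, the condition `if (textureActive && mGL->MakeCurrent())` re-tests `textureActive` redundantly, and when `MakeCurrent()` fails the textures, the EGL images and `mGL` are all left in place with no warning — the one silent-leak path remaining now that the missing-context branch warns. Dropping the redundant test and adding an else branch, `NS_WARNING("DMABufSurfaceYUV::ReleaseTextures(): MakeCurrent() failed, leaking textures!");`, would make the two failure modes consistent. `ReleaseEGLImages()` also walks `mBufferPlaneCount` planes while `fDeleteTextures(DMABUF_BUFFER_PLANES, mTexture)` covers every slot; that is fine only if unused `mEGLImage` slots are always `LOCAL_EGL_NO_IMAGE`, which a one-line comment on the loop should state.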
I'll analyze the code diff for security vulnerabilities. Here are the findings: 1. Vulnerability Existed: yes Memory Leak Vulnerability [widget/gtk/DMABufSurface.cpp] [Lines 579-591] Old Code: ```c void DMABufSurfaceRGBA::ReleaseTextures() { FenceDelete(); if (!mGL) { return; } ``` Fixed Code: ```c void DMABufSurfaceRGBA::ReleaseTextures() { FenceDelete(); if (!mTexture) { return; } if (!mGL) { #ifdef NIGHTLY MOZ_DIAGNOSTIC_ASSERT(mGL, "Missing GL context!"); #else NS_WARNING( "DMABufSurfaceRGBA::ReleaseTextures(): Missing GL context! We're " "leaking textures!"); return; #endif } ``` 2. Vulnerability Existed: yes Resource Leak Vulnerability [widget/gtk/DMABufSurface.cpp] [Lines 591-599] Old Code: ```c if (mEGLImage) { egl->fDestroyImage(mEGLImage); mEGLImage = nullptr; } ``` Fixed Code: ```c if (mEGLImage != LOCAL_EGL_NO_IMAGE) { egl->fDestroyImage(mEGLImage); mEGLImage = LOCAL_EGL_NO_IMAGE; } ``` 3. Vulnerability Existed: yes Memory Leak Vulnerability [widget/gtk/DMABufSurface.cpp] [Lines 1237-1251] Old Code: ```c if (!mGL) { return; } ``` Fixed Code: ```c if (!mGL) { #ifdef NIGHTLY MOZ_DIAGNOSTIC_ASSERT(mGL, "Missing GL context!"); #else NS_WARNING( "DMABufSurfaceYUV::ReleaseTextures(): Missing GL context! We're " "leaking textures!"); return; #endif } ``` The main vulnerabilities fixed were: 1. Memory leaks when releasing textures without proper GL context checks 2. Resource leaks when handling EGL images by not properly checking for LOCAL_EGL_NO_IMAGE 3. Additional memory leaks in the YUV surface texture release path The fixes add proper checks and warnings when resources might be leaked, and ensure proper cleanup of EGL resources. The changes also improve error handling and add diagnostic assertions in nightly builds to catch these issues earlier.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/naga/src/proc/mod.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/naga/src/proc/mod.rs@@ -221,6 +221,8 @@ Self::Asinh => 1, Self::Acosh => 1, Self::Atanh => 1,+ Self::Radians => 1,+ Self::Degrees => 1, // decomposition Self::Ceil => 1, Self::Floor => 1,@@ -262,6 +264,8 @@ Self::ReverseBits => 1, Self::ExtractBits => 3, Self::InsertBits => 4,+ Self::FindLsb => 1,+ Self::FindMsb => 1, // data packing Self::Pack4x8snorm => 1, Self::Pack4x8unorm => 1,
Based on the provided code diff, I don't see any security vulnerabilities being fixed. The changes appear to be adding new enum variants (`Radians`, `Degrees`, `FindLsb`, `FindMsb`) to a match statement, which is likely a feature addition rather than a security fix. Here's the structured response: Vulnerability Existed: no [No security vulnerability found] [third_party/rust/naga/src/proc/mod.rs] [Lines 221-264] [Old Code: Missing enum variants Radians, Degrees, FindLsb, FindMsb] [Fixed Code: Added enum variants Radians, Degrees, FindLsb, FindMsb] The changes are purely additive and don't modify any existing security-sensitive functionality. They appear to be adding support for new mathematical operations in what looks like a shader processing library.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/base/Element.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/base/Element.h@@ -1950,6 +1950,8 @@ */ void GetEventTargetParentForLinks(EventChainPreVisitor& aVisitor);+ void DispatchChromeOnlyLinkClickEvent(EventChainPostVisitor& aVisitor);+ /** * Handle default actions for link event if the event isn't consumed yet. */
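Review bot: `void DispatchChromeOnlyLinkClickEvent(EventChainPostVisitor& aVisitor);` is added between two `/** ... */`-documented declarations without a comment of its own. A short header comment stating when it runs relative to the default link handling documented just below it, and that the event it dispatches is observable only by chrome (privileged) listeners rather than by web content — if that is what the implementation does — would keep the header consistent and let reviewers of the sandbox-related callers check the intent.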
Based on the provided diff, here's the analysis: Vulnerability Existed: not sure [Potential Chrome-Only Link Click Security Issue] [dom/base/Element.h] [Lines 1950+] [Old Code] (None - function was missing) [Fixed Code] `void DispatchChromeOnlyLinkClickEvent(EventChainPostVisitor& aVisitor);` Additional Details: 1. The addition of `DispatchChromeOnlyLinkClickEvent` suggests a security-related change where link click events might need special handling for chrome-only contexts 2. The "chrome-only" designation typically indicates privileged code execution context in Firefox 3. Without more context about the implementation, we can't be certain if this fixes a specific vulnerability, but it appears to be a security boundary improvement 4. This could potentially relate to preventing content scripts from triggering privileged link actions Note: The actual vulnerability name is uncertain without more context about the specific security issue being addressed. The change appears to be security-related given the chrome-only designation and link click event handling.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/dav1d/README.md+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/dav1d/README.md@@ -78,7 +78,7 @@ # Compile-1. Install [Meson](https://mesonbuild.com/) (0.47 or higher), [Ninja](https://ninja-build.org/), and, for x86\* targets, [nasm](https://nasm.us/) (2.14 or higher)+1. Install [Meson](https://mesonbuild.com/) (0.49 or higher), [Ninja](https://ninja-build.org/), and, for x86\* targets, [nasm](https://nasm.us/) (2.14 or higher) 2. Run `mkdir build && cd build` to create a build directory and enter it 3. Run `meson ..` to configure meson, add `--default-library=static` if static linking is desired 4. Run `ninja` to compile@@ -104,6 +104,14 @@ ``` meson build --cross-file=package/crossfiles/i686-linux32.meson ```++## Build documentation++1. Install [doxygen](https://www.doxygen.nl/) and [graphviz](https://www.graphviz.org/)+2. Run `meson build -Denable_docs=true` to create the build directory+3. Run `ninja -C build doc/html` to build the docs++The result can be found in `build/doc/html/`. An online version built from master can be found [here](https://videolan.videolan.me/dav1d/). # Run tests@@ -146,6 +154,3 @@ ## Will you care about <my_arch>? <my_os>? - We do, but we don't have either the time or the knowledge. Therefore, patches and contributions welcome.--## Where can I find documentation?-- The current library documentation, built from master, can be found [here](https://videolan.videolan.me/dav1d/).
Based on the provided diff, I don't see any security-related changes. The changes are primarily documentation updates and build requirement updates. Here's the analysis: 1. Vulnerability Existed: no No security vulnerability found - File: third_party/dav1d/README.md - Lines: 78 Old Code: 1. Install [Meson](https://mesonbuild.com/) (0.47 or higher), [Ninja](https://ninja-build.org/), and, for x86\* targets, [nasm](https://nasm.us/) (2.14 or higher) Fixed Code: 1. Install [Meson](https://mesonbuild.com/) (0.49 or higher), [Ninja](https://ninja-build.org/), and, for x86\* targets, [nasm](https://nasm.us/) (2.14 or higher) 2. Vulnerability Existed: no No security vulnerability found - File: third_party/dav1d/README.md - Lines: 104-114 Old Code: (no content) Fixed Code: (added documentation build instructions) 3. Vulnerability Existed: no No security vulnerability found - File: third_party/dav1d/README.md - Lines: 146-154 Old Code: (contained documentation link) Fixed Code: (removed documentation link as it was moved up) The changes appear to be: 1. Updated minimum Meson version requirement from 0.47 to 0.49 2. Added documentation build instructions 3. Reorganized documentation link location None of these changes indicate any security fixes or vulnerability patches. They are all documentation/build system improvements.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/orientation-sensor/META.yml+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/orientation-sensor/META.yml@@ -1,6 +1,5 @@ spec: https://w3c.github.io/orientation-sensor/ suggested_reviewers:- - zqzhang - riju - Honry - rakuco
Analyzing the provided code diff for security fixes: 1. Vulnerability Existed: no No specific vulnerability found [File: testing/web-platform/tests/orientation-sensor/META.yml] [Lines: 2] Old Code: ``` - - zqzhang ``` Fixed Code: ``` (line removed) ``` Additional Details: This appears to be a simple change in suggested reviewers list, which doesn't indicate any security vulnerability. The removal of a reviewer doesn't suggest a security fix. 2. Vulnerability Existed: no No specific vulnerability found [File: testing/web-platform/tests/orientation-sensor/META.yml] [Lines: entire file] Old Code: ``` spec: https://w3c.github.io/orientation-sensor/ suggested_reviewers: - zqzhang - riju - Honry - rakuco ``` Fixed Code: ``` spec: https://w3c.github.io/orientation-sensor/ suggested_reviewers: - riju - Honry - rakuco ``` Additional Details: The entire change consists only of removing one reviewer from the suggested reviewers list. This is likely an administrative change rather than a security fix. Note: The diff shows only changes to a test metadata file (META.yml) which typically contains configuration and documentation information rather than executable code. Such changes are unlikely to contain security fixes unless they modify test conditions or expected behaviors.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/text/2d.text.drawing.style.spacing.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/text/2d.text.drawing.style.spacing.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); _assertSame(ctx.letterSpacing, '0px', "ctx.letterSpacing", "'0px'"); _assertSame(ctx.wordSpacing, '0px', "ctx.wordSpacing", "'0px'");@@ -35,6 +35,11 @@ ctx.wordSpacing = '-1px'; _assertSame(ctx.letterSpacing, '-1px', "ctx.letterSpacing", "'-1px'"); _assertSame(ctx.wordSpacing, '-1px', "ctx.wordSpacing", "'-1px'");++ctx.letterSpacing = '1PX';+ctx.wordSpacing = '1EM';+_assertSame(ctx.letterSpacing, '1px', "ctx.letterSpacing", "'1px'");+_assertSame(ctx.wordSpacing, '1em', "ctx.wordSpacing", "'1em'"); t.done(); });
After analyzing the provided code diff, I don't see any clear security vulnerabilities being fixed. The changes appear to be primarily variable renaming and adding test cases for text spacing properties. Here's the analysis: 1. Variable Renaming: Vulnerability Existed: no [Variable Renaming] [testing/web-platform/tests/html/canvas/offscreen/text/2d.text.drawing.style.spacing.html] [Lines 17-18] [Old Code] var offscreenCanvas = new OffscreenCanvas(100, 50); var ctx = offscreenCanvas.getContext('2d'); [Fixed Code] var canvas = new OffscreenCanvas(100, 50); var ctx = canvas.getContext('2d'); 2. Additional Test Cases: Vulnerability Existed: no [Test Case Addition] [testing/web-platform/tests/html/canvas/offscreen/text/2d.text.drawing.style.spacing.html] [Lines 35-39] [Old Code] [No previous code at these lines] [Fixed Code] ctx.letterSpacing = '1PX'; ctx.wordSpacing = '1EM'; _assertSame(ctx.letterSpacing, '1px', "ctx.letterSpacing", "'1px'"); _assertSame(ctx.wordSpacing, '1em', "ctx.wordSpacing", "'1em'"); The changes appear to be test improvements rather than security fixes. The added test cases verify case-insensitive handling of unit values (PX vs px, EM vs em) in text spacing properties, which is a functionality test rather than a security fix.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.roundrect.radius.none.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.roundrect.radius.none.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); assert_throws_js(RangeError, () => { ctx.roundRect(0, 0, 100, 50, [])}); t.done();
Based on the provided code diff, here's the analysis: Vulnerability Existed: no [No specific vulnerability found] [testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.roundrect.radius.none.html] [Lines 17-18] [Old Code] var offscreenCanvas = new OffscreenCanvas(100, 50); var ctx = offscreenCanvas.getContext('2d'); [Fixed Code] var canvas = new OffscreenCanvas(100, 50); var ctx = canvas.getContext('2d'); Additional Details: This appears to be a simple variable renaming change (from 'offscreenCanvas' to 'canvas') rather than a security fix. The functionality remains the same, and there's no indication of any security vulnerability being addressed. The change is likely for code consistency or readability purposes.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/cache/test/mochitest/test_cache_updateUsage.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/cache/test/mochitest/test_cache_updateUsage.html@@ -85,6 +85,12 @@ ["dom.caches.testing.enabled", true], ["dom.quotaManager.testing", true]], }, async function() {+ // Bug 1746646: Make mochitests work with TCP enabled (cookieBehavior = 5)+ // Acquire storage access permission here so that the Cache API is avaialable+ SpecialPowers.wrap(document).notifyUserGestureActivation();+ await SpecialPowers.addPermission("storageAccessAPI", true, window.location.href);+ await SpecialPowers.wrap(document).requestStorageAccess();+ const name = "cacheUpdateUsage"; const url = "test_cache_add.js"; const other_url = "test_cache_put.js";
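Review bot: The added comment misspells "available" as `avaialable`; `// Acquire storage access permission here so that the Cache API is available` is the intended text. A brief note on why all three calls are needed in sequence (a user-gesture flag, the `storageAccessAPI` permission, then `requestStorageAccess()`) would also help the next person who copies this boilerplate into another test. The enclosing async function continues past the hunk.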
Let me analyze the code diff for security fixes: 1. Vulnerability Existed: not sure [Potential Storage Access Issue] [dom/cache/test/mochitest/test_cache_updateUsage.html] [Lines 85-90] [Old Code: No storage access handling] [Fixed Code: Added storage access permission handling with notifyUserGestureActivation(), addPermission(), and requestStorageAccess()] Additional Details: - The fix adds storage access permission handling, suggesting there might have been issues with Cache API access under strict cookie policies (cookieBehavior = 5) - The comment references Bug 1746646 which mentions making tests work with TCP (Total Cookie Protection) enabled - While this appears to be a test file fix, it might indicate broader security implications around storage access permissions - The exact vulnerability isn't named in the diff, but it relates to proper storage access handling under strict privacy settings
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.