Shared security patch analysis results
AI Used: DEEPSEEK deepseek-chat--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/xpcom/threads/nsTimerImpl.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/xpcom/threads/nsTimerImpl.cpp@@ -608,8 +608,15 @@ // If some other thread Cancels/Inits after this, they're just too late. MutexAutoLock lock(mMutex); if (aGeneration != mGeneration) {+ // This timer got rescheduled or cancelled before we fired, so ignore this+ // firing return; }++ // We modify mTimeout, so we must not be in the current TimerThread's+ // mTimers list. Adding to that list calls SetHolder(), so use mHolder+ // as a proxy to know if we're in the list+ MOZ_ASSERT(!mHolder); ++mFiring; callbackDuringFire = mCallback;
Analyzing the provided code diff for security fixes:
1. Vulnerability Existed: not sure
Race Condition Potential [File] xpcom/threads/nsTimerImpl.cpp [Lines] 608-616
[Old Code]
```cpp
MutexAutoLock lock(mMutex);
if (aGeneration != mGeneration) {
return;
}
```
[Fixed Code]
```cpp
MutexAutoLock lock(mMutex);
if (aGeneration != mGeneration) {
// This timer got rescheduled or cancelled before we fired, so ignore this
// firing
return;
}
// We modify mTimeout, so we must not be in the current TimerThread's
// mTimers list. Adding to that list calls SetHolder(), so use mHolder
// as a proxy to know if we're in the list
MOZ_ASSERT(!mHolder);
```
Additional Details: The fix adds assertions and comments about thread safety, suggesting possible race condition concerns, but no explicit vulnerability is identified.
2. Vulnerability Existed: not sure
Missing Validation/Assertion [File] xpcom/threads/nsTimerImpl.cpp [Lines] 608-616
[Old Code]
```cpp
MutexAutoLock lock(mMutex);
if (aGeneration != mGeneration) {
return;
}
```
[Fixed Code]
```cpp
MutexAutoLock lock(mMutex);
if (aGeneration != mGeneration) {
return;
}
MOZ_ASSERT(!mHolder);
```
Additional Details: The added assertion checks for mHolder state, which might prevent invalid timer states, but it's unclear if this was fixing an exploitable vulnerability.
Note: While the changes improve code safety and add defensive programming measures, I cannot conclusively determine if these were fixing actual vulnerabilities or just general code improvements. The changes appear related to thread safety and timer management, but without more context about previous issues, I can only speculate about potential vulnerabilities.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/uriloader/exthandler/tests/mochitest/browser_auto_close_window.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/uriloader/exthandler/tests/mochitest/browser_auto_close_window.js@@ -87,6 +87,32 @@ let windowContext = await dialogAppeared; is(windowContext, browser.ownerGlobal, "got the right windowContext");+ });+});++add_task(async function accel_navigation() {+ await BrowserTestUtils.withNewTab({ gBrowser, url: PAGE_URL }, async function(+ browser+ ) {+ let dialogAppeared = promiseHelperAppDialog();+ let tabOpened = BrowserTestUtils.waitForEvent(+ gBrowser.tabContainer,+ "TabOpen"+ ).then(event => {+ return [event.target, BrowserTestUtils.waitForTabClosing(event.target)];+ });++ await BrowserTestUtils.synthesizeMouseAtCenter(+ "#regular_load",+ { accelKey: true },+ browser+ );++ let windowContext = await dialogAppeared;+ is(windowContext, browser.ownerGlobal, "got the right windowContext");+ let [tab, closingPromise] = await tabOpened;+ await closingPromise;+ is(tab.linkedBrowser, null, "tab was opened and closed"); }); });
Based on the provided diff, I'll analyze it for potential security vulnerabilities:
1. Vulnerability Existed: not sure
Potential Cross-Site Scripting (XSS) or Tab Manipulation [uriloader/exthandler/tests/mochitest/browser_auto_close_window.js] [Lines 87-113]
[Old Code]
(No equivalent code existed before)
[Fixed Code]
(The entire new test case for accel_navigation)
Additional Details:
- The diff adds a new test case for accelerator key navigation behavior
- While this appears to be a test case addition rather than a security fix, it's testing functionality that could potentially be related to security (tab/window management)
- The test verifies proper handling of opened/closed tabs during accelerator key navigation
- Without more context about the specific security issue being addressed (if any), it's hard to determine if this directly fixes a vulnerability
- The test might be related to preventing tab/window manipulation attacks, but this is speculative
No clear vulnerability name can be identified from this test case addition alone. The change appears to be adding test coverage rather than directly fixing a security issue.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/the-canvas-state/2d.state.saverestore.fillStyle.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/the-canvas-state/2d.state.saverestore.fillStyle.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); // Test that restore() undoes any modifications var old = ctx.fillStyle;
Based on the provided diff, I'll analyze it for potential security vulnerabilities:
1. Vulnerability Existed: no
Variable Renaming [File] [Lines 13-14]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
Additional Details:
- This appears to be a simple variable renaming from `offscreenCanvas` to `canvas`
- No security vulnerability is being fixed here, just a code style/consistency change
- The functionality remains exactly the same, just with a different variable name
- No security implications were found in this change
Note: The diff provided is incomplete (cuts off at line 14), so I can only analyze the visible portion. If there were more changes in the full file, additional vulnerabilities might exist.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.rgba-solid-2.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.rgba-solid-2.worker.js@@ -13,14 +13,14 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillStyle = 'rgba( 0 , 255 , 0 , 1.0 )'; ctx.fillRect(0, 0, 100, 50);-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); t.done(); });
Based on the provided diff, I don't see any security vulnerabilities being fixed. The changes appear to be primarily variable renaming and don't involve any security-sensitive modifications. Here's the analysis:
Vulnerability Existed: no
No vulnerability found [File] [Lines 13-21]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
ctx.fillStyle = '#f00';
ctx.fillStyle = 'rgba( 0 , 255 , 0 , 1.0 )';
ctx.fillRect(0, 0, 100, 50);
_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
ctx.fillStyle = '#f00';
ctx.fillStyle = 'rgba( 0 , 255 , 0 , 1.0 )';
ctx.fillRect(0, 0, 100, 50);
_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
The changes are:
1. Renamed variable `offscreenCanvas` to `canvas`
2. Updated the variable name in the `_assertPixel` call
3. No security-related changes were made
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/devtools/client/debugger/src/utils/tests/source.spec.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/devtools/client/debugger/src/utils/tests/source.spec.js@@ -11,7 +11,7 @@ getSourceLineCount, isThirdParty, isJavaScript,- underRoot,+ isDescendantOfRoot, isUrlExtension, isExtensionDirectoryPath, getLineText,@@ -496,7 +496,7 @@ }); });- describe("underRoot", () => {+ describe("isDescendantOfRoot", () => { const threads = [ makeMockThread({ actor: "server0.conn1.child1/thread19" }), ];@@ -505,25 +505,25 @@ const source = makeMockSource( "resource://activity-stream/vendor/react.js" );- expect(underRoot(source, "resource://activity-stream", threads)).toBe(- true- );+ expect(+ isDescendantOfRoot(source, "resource://activity-stream", threads)+ ).toBe(true); }); it("should detect source urls under chrome:// as root", () => { const source = makeMockSource( "chrome://browser/content/contentSearchUI.js" );- expect(underRoot(source, "chrome://", threads)).toBe(true);+ expect(isDescendantOfRoot(source, "chrome://", threads)).toBe(true); }); it("should detect source urls if root is a thread actor Id", () => { const source = makeMockSource( "resource://activity-stream/vendor/react-dom.js" );- expect(underRoot(source, "server0.conn1.child1/thread19", threads)).toBe(- true- );+ expect(+ isDescendantOfRoot(source, "server0.conn1.child1/thread19", threads)+ ).toBe(true); }); });
Based on the provided code diff, here's the analysis following the specified format: 1. Vulnerability Existed: no Function Renaming [devtools/client/debugger/src/utils/tests/source.spec.js] [Lines 11, 496-505] Old Code: `underRoot` Fixed Code: `isDescendantOfRoot` Additional Details: This appears to be a simple function renaming for better clarity, not a security fix. 2. Vulnerability Existed: no Test Case Updates [devtools/client/debugger/src/utils/tests/source.spec.js] [Lines 505-529] Old Code: Tests using `underRoot` function Fixed Code: Tests updated to use `isDescendantOfRoot` function Additional Details: The changes are test updates to match the renamed function, not security-related. The diff shows no evidence of security vulnerabilities being fixed. The changes are purely: 1. A function name change from `underRoot` to `isDescendantOfRoot` (likely for better clarity) 2. Corresponding updates to test cases to use the new function name No security vulnerabilities or potential security improvements were identified in this diff.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/compositing/mix-blend-mode/mix-blend-mode-parent-element-overflow-scroll-blended-position-fixed.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/compositing/mix-blend-mode/mix-blend-mode-parent-element-overflow-scroll-blended-position-fixed.html@@ -7,7 +7,6 @@ <link rel="author" title="Ion Roșca" href="mailto:[email protected]"> <link rel="reviewer" title="Mihai Țică" href="mailto:[email protected]"> <link rel="help" href="https://drafts.fxtf.org/compositing-1/#mix-blend-mode">- <meta name="flags" content=""> <meta name="assert" content="Test checks that an element with mix-blend-mode blends with the parent element with overflow:scroll"> <link rel="match" href="reference/mix-blend-mode-parent-element-overflow-scroll-blended-position-fixed-ref.html"> <style type="text/css">
Analyzing the provided code diff: 1. Vulnerability Existed: no No specific vulnerability found [File] [Lines 7] [Old Code] `<meta name="flags" content="">` [Fixed Code] (line removed) Additional Details: - The change simply removes an empty meta tag for "flags" which appears to be test-related metadata - No security implications or vulnerabilities are apparent in this change - This seems to be a cleanup of test configuration rather than a security fix No other changes were present in the diff that would indicate security fixes. The modification appears to be purely related to test configuration cleanup.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/js/src/vm/CommonPropertyNames.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/js/src/vm/CommonPropertyNames.h@@ -219,6 +219,8 @@ MACRO_(global, global, "global") \ MACRO_(globalThis, globalThis, "globalThis") \ MACRO_(group, group, "group") \+ MACRO_(groupBy, groupBy, "groupBy") \+ MACRO_(groupByToMap, groupByToMap, "groupByToMap") \ MACRO_(groups, groups, "groups") \ MACRO_(h11, h11, "h11") \ MACRO_(h12, h12, "h12") \
After analyzing the provided code diff, I don't see any security vulnerabilities being fixed. The changes appear to be adding new property names rather than addressing security issues. Here's the analysis following your requested format: Vulnerability Existed: no [No security vulnerability found] [js/src/vm/CommonPropertyNames.h] [Lines 219-221] [Old Code] MACRO_(global, global, "global") \ MACRO_(globalThis, globalThis, "globalThis") \ MACRO_(group, group, "group") \ [Fixed Code] MACRO_(global, global, "global") \ MACRO_(globalThis, globalThis, "globalThis") \ MACRO_(group, group, "group") \ MACRO_(groupBy, groupBy, "groupBy") \ MACRO_(groupByToMap, groupByToMap, "groupByToMap") \ Additional Notes: - The diff shows two new MACRO entries being added (groupBy and groupByToMap) - These appear to be standard property name additions for new functionality - No security-related changes are visible in this diff - No existing security vulnerabilities are being patched in this change
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/selectors/old-tests/css3-modsel-45.xml+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/selectors/old-tests/css3-modsel-45.xml@@ -7,7 +7,6 @@ <link rel="author" title="Daniel Glazman" href="http://glazman.org/"/> <link rel="author" title="Ian Hickson" href="mailto:[email protected]"/> <link rel="help" href="https://www.w3.org/TR/css3-selectors/#selectors"/> <!-- bogus link to make sure it gets found -->- <meta name="flags" content="" /> </head> <body> <div class="stub">
Analysis of the provided code diff: 1. Vulnerability Existed: no No specific vulnerability found [File] [Lines 7] [Old Code] <meta name="flags" content="" /> [Fixed Code] (line removed) Additional Details: - The diff shows only the removal of an empty meta tag with a "flags" attribute. This doesn't appear to be a security-related change. - The change seems to be more about code cleanup or test case modification rather than addressing a security vulnerability. - No known vulnerability patterns (XSS, injection, etc.) are present in this change. - The modification is in a test file (css3-modsel-45.xml) which typically doesn't contain production security concerns.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/devtools/client/debugger/test/mochitest/examples/doc-duplicate-functions.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/devtools/client/debugger/test/mochitest/examples/doc-duplicate-functions.html@@ -8,16 +8,19 @@ <body> <h1> debugger test page2</h1> <script type="text/javascript">+ var func; function a() { function render() { console.log('a'); }+ func = render; } function b() { function render() { console.log('b'); }+ func = render; } </script> </body>
After analyzing the provided code diff, here's the security assessment:
Vulnerability Existed: no
[No specific vulnerability found] [devtools/client/debugger/test/mochitest/examples/doc-duplicate-functions.html] [Lines 8-19]
[Old Code]
function a() {
function render() {
console.log('a');
}
}
function b() {
function render() {
console.log('b');
}
}
[Fixed Code]
var func;
function a() {
function render() {
console.log('a');
}
func = render;
}
function b() {
function render() {
console.log('b');
}
func = render;
}
The changes appear to be functional rather than security-related. The modification adds a global variable 'func' and assigns the inner 'render' functions to it. This doesn't appear to fix any security vulnerability but rather changes the behavior for testing purposes. No common vulnerabilities (XSS, injection, etc.) are present in either version of the code.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-backgrounds/background-size-043.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-backgrounds/background-size-043.html@@ -27,7 +27,6 @@ <link rel="match" href="reference/background-size-043-ref.html">- <meta content="" name="flags"> <meta content="This test checks that when one 'background-size' is 'auto' and the image has no intrinsic size and no intrinsic ratio, then it should use 100%. In this test, the 'auto' value should use 100% of the height of the background positioning area of the div, which is 400px." name="assert"> <style>
Analyzing the provided code diff for security fixes: 1. Vulnerability Existed: no No security vulnerability found [File] [Lines 27] [Old Code] <meta content="" name="flags"> [Fixed Code] (line removed) Additional Details: - The diff shows removal of a meta tag with empty "flags" content. This doesn't appear to be related to any security vulnerability. - The change seems to be a cleanup of unnecessary metadata rather than a security fix. - No known vulnerability patterns (XSS, injection, etc.) are present in this change. - The "flags" meta tag appears to be test-related metadata rather than security-relevant code.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/media/platforms/ffmpeg/FFmpegLibWrapper.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/media/platforms/ffmpeg/FFmpegLibWrapper.h@@ -18,8 +18,10 @@ struct PRLibrary; #ifdef MOZ_WAYLAND struct AVCodecHWConfig;+struct AVVAAPIHWConfig;+struct AVHWFramesConstraints;+#endif struct AVBufferRef;-#endif namespace mozilla {@@ -84,12 +86,20 @@ uint8_t** poutbuf, int* poutbuf_size, const uint8_t* buf, int buf_size, int64_t pts, int64_t dts, int64_t pos);+ AVCodec* (*av_codec_iterate)(void** opaque);+ int (*av_codec_is_decoder)(const AVCodec* codec);+ void (*avcodec_align_dimensions)(AVCodecContext* s, int* width, int* height); // only used in libavcodec <= 54 AVFrame* (*avcodec_alloc_frame)(); void (*avcodec_get_frame_defaults)(AVFrame* pic);+ // libavcodec v54 only void (*avcodec_free_frame)(AVFrame** frame);++ // libavcodec >= v55+ int (*avcodec_default_get_buffer2)(AVCodecContext* s, AVFrame* frame,+ int flags); // libavcodec v58 and later only int (*avcodec_send_packet)(AVCodecContext* avctx, const AVPacket* avpkt);@@ -104,11 +114,21 @@ void (*av_log_set_level)(int level); void* (*av_malloc)(size_t size); void (*av_freep)(void* ptr);+ int (*av_image_check_size)(unsigned int w, unsigned int h, int log_offset,+ void* log_ctx);+ int (*av_image_get_buffer_size)(int pix_fmt, int width, int height,+ int align); // libavutil v55 and later only AVFrame* (*av_frame_alloc)(); void (*av_frame_free)(AVFrame** frame); void (*av_frame_unref)(AVFrame* frame);+ AVBufferRef* (*av_buffer_create)(uint8_t* data, int size,+ void (*free)(void* opaque, uint8_t* data),+ void* opaque, int flags);++ // libavutil >= v56+ void* (*av_buffer_get_opaque)(const AVBufferRef* buf); // libavutil optional int (*av_frame_get_colorspace)(const AVFrame* frame);@@ -119,6 +139,10 @@ int index); AVBufferRef* (*av_hwdevice_ctx_alloc)(int); int (*av_hwdevice_ctx_init)(AVBufferRef* ref);+ AVVAAPIHWConfig* (*av_hwdevice_hwconfig_alloc)(AVBufferRef* device_ctx);+ AVHWFramesConstraints* (*av_hwdevice_get_hwframe_constraints)(+ AVBufferRef* ref, const void* hwconfig);+ void (*av_hwframe_constraints_free)(AVHWFramesConstraints** constraints); AVBufferRef* (*av_buffer_ref)(AVBufferRef* buf); void (*av_buffer_unref)(AVBufferRef** buf);@@ -130,12 +154,13 @@ int (*av_dict_set)(AVDictionary** pm, const char* key, const char* value, int flags); void (*av_dict_free)(AVDictionary** m);+ const char* (*avcodec_get_name)(int id);+ char* (*av_get_pix_fmt_string)(char* buf, int buf_size, int pix_fmt); int (*vaExportSurfaceHandle)(void*, unsigned int, uint32_t, uint32_t, void*); int (*vaSyncSurface)(void*, unsigned int); int (*vaInitialize)(void* dpy, int* major_version, int* minor_version); int (*vaTerminate)(void* dpy);- void* (*vaGetDisplayWl)(struct wl_display* display); void* (*vaGetDisplayDRM)(int fd); #endif@@ -143,7 +168,6 @@ PRLibrary* mAVUtilLib; #ifdef MOZ_WAYLAND PRLibrary* mVALib;- PRLibrary* mVALibWayland; PRLibrary* mVALibDrm; #endif
Here's the analysis of the provided code diff for security fixes: 1. Vulnerability Existed: not sure [Potential Wayland-related cleanup] [dom/media/platforms/ffmpeg/FFmpegLibWrapper.h] [Lines: 18-22, 168-172] [Old Code] ```c #ifdef MOZ_WAYLAND struct AVCodecHWConfig; struct AVBufferRef; #endif ... #ifdef MOZ_WAYLAND PRLibrary* mVALib; PRLibrary* mVALibWayland; PRLibrary* mVALibDrm; #endif ``` [Fixed Code] ```c #ifdef MOZ_WAYLAND struct AVCodecHWConfig; struct AVVAAPIHWConfig; struct AVHWFramesConstraints; #endif struct AVBufferRef; ... #ifdef MOZ_WAYLAND PRLibrary* mVALib; PRLibrary* mVALibDrm; #endif ``` 2. Vulnerability Existed: not sure [Added FFmpeg API functions] [dom/media/platforms/ffmpeg/FFmpegLibWrapper.h] [Lines: 86-130] [Old Code] (Missing several FFmpeg API function pointers) [Fixed Code] ```c AVCodec* (*av_codec_iterate)(void** opaque); int (*av_codec_is_decoder)(const AVCodec* codec); void (*avcodec_align_dimensions)(AVCodecContext* s, int* width, int* height); ... int (*avcodec_default_get_buffer2)(AVCodecContext* s, AVFrame* frame, int flags); ... int (*av_image_check_size)(unsigned int w, unsigned int h, int log_offset, void* log_ctx); int (*av_image_get_buffer_size)(int pix_fmt, int width, int height, int align); ... AVBufferRef* (*av_buffer_create)(uint8_t* data, int size, void (*free)(void* opaque, uint8_t* data), void* opaque, int flags); void* (*av_buffer_get_opaque)(const AVBufferRef* buf); ``` 3. Vulnerability Existed: not sure [Removed Wayland-specific VAAPI function] [dom/media/platforms/ffmpeg/FFmpegLibWrapper.h] [Lines: 160] [Old Code] ```c void* (*vaGetDisplayWl)(struct wl_display* display); ``` [Fixed Code] (Removed completely) Note: While the changes appear to be primarily about updating FFmpeg API bindings and cleaning up Wayland-related code, I couldn't identify any specific security vulnerabilities from the diff alone. The changes seem more like maintenance updates and API additions rather than direct security fixes. However, some of these changes could potentially be related to security improvements in the underlying FFmpeg library handling.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.invalid.hex7.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.invalid.hex7.worker.js@@ -13,14 +13,14 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#0f0'; try { ctx.fillStyle = '#ff0000f'; } catch (e) { } // this shouldn't throw, but it shouldn't matter here if it does ctx.fillRect(0, 0, 100, 50);-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); t.done(); });
Based on the provided code diff, here's the analysis:
Vulnerability Existed: no
[No specific vulnerability found] [testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.invalid.hex7.worker.js] [13-20]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
ctx.fillStyle = '#0f0';
try { ctx.fillStyle = '#ff0000f'; } catch (e) { } // this shouldn't throw, but it shouldn't matter here if it does
ctx.fillRect(0, 0, 100, 50);
_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
ctx.fillStyle = '#0f0';
try { ctx.fillStyle = '#ff0000f'; } catch (e) { } // this shouldn't throw, but it shouldn't matter here if it does
ctx.fillRect(0, 0, 100, 50);
_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
The changes appear to be purely variable renaming (from `offscreenCanvas` to `canvas`) and don't indicate any security fixes. The test's functionality remains the same, just with a different variable name. No security vulnerabilities are apparent in either version of the code.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/tools/profiler/public/ProfilerParent.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/tools/profiler/public/ProfilerParent.h@@ -37,8 +37,16 @@ base::ProcessId aOtherPid); #ifdef MOZ_GECKO_PROFILER- typedef MozPromise<Shmem, ResponseRejectReason, true>- SingleProcessProfilePromise;+ using SingleProcessProfilePromise =+ MozPromise<Shmem, ResponseRejectReason, true>;++ struct SingleProcessProfilePromiseAndChildPid {+ RefPtr<SingleProcessProfilePromise> profilePromise;+ base::ProcessId childPid;+ };++ using SingleProcessProgressPromise =+ MozPromise<GatherProfileProgress, ResponseRejectReason, true>; // The following static methods can be called on any thread, but they are // no-ops on anything other than the main thread.@@ -51,10 +59,17 @@ // the ProfilerChild background thread, but those processes don't need to // forward these calls any further.- // Returns the number of profiles to expect. The gathered profiles will be- // provided asynchronously with a call to- // ProfileGatherer::ReceiveGatheredProfile.- static nsTArray<RefPtr<SingleProcessProfilePromise>> GatherProfiles();+ // Returns the profiles to expect, as promises and child pids.+ static nsTArray<SingleProcessProfilePromiseAndChildPid> GatherProfiles();++ // Send a request to get the GatherProfiles() progress update from one child+ // process, returns a promise to be resolved with that progress.+ // The promise RefPtr may be null if the child process is unknown.+ // Progress may be invalid, if the request arrived after the child process+ // had already responded to the main GatherProfile() IPC, or something went+ // very wrong in that process.+ static RefPtr<SingleProcessProgressPromise> RequestGatherProfileProgress(+ base::ProcessId aChildPid); static void ProfilerStarted(nsIProfilerStartParams* aParams); static void ProfilerWillStopIfStarted();
Let me analyze the code diff for potential security vulnerabilities: 1. Vulnerability Existed: not sure [Potential Information Leak] [tools/profiler/public/ProfilerParent.h] [Lines 37-59] [Old Code: Simple typedef for SingleProcessProfilePromise] [Fixed Code: Added new struct SingleProcessProfilePromiseAndChildPid and SingleProcessProgressPromise] The changes introduce more detailed profile gathering capabilities, including child process IDs and progress tracking. While this doesn't immediately show a vulnerability, exposing more process information could potentially lead to information leaks if not properly secured. 2. Vulnerability Existed: not sure [Potential Race Condition] [tools/profiler/public/ProfilerParent.h] [Lines 51-69] [Old Code: Simple GatherProfiles() returning promises] [Fixed Code: More complex GatherProfiles() and new RequestGatherProfileProgress()] The addition of progress tracking and more detailed profile gathering could introduce race conditions if the state management between main process and child processes isn't properly synchronized. However, the diff doesn't show enough implementation details to confirm this. 3. Vulnerability Existed: not sure [Potential Improper Access Control] [tools/profiler/public/ProfilerParent.h] [Lines 59-69] [Old Code: N/A] [Fixed Code: Added RequestGatherProfileProgress() function] The new function allows querying progress from child processes, which could potentially be abused if there's no proper access control to verify which process can request progress updates from which other processes. Note: The changes appear to be more about functionality expansion than direct security fixes, but they introduce new interfaces that could have security implications if not properly implemented. The diff doesn't show the complete implementation details, making it difficult to assess actual vulnerabilities.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/jpeg-xl/lib/jxl/color_encoding_internal.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/jpeg-xl/lib/jxl/color_encoding_internal.h@@ -450,6 +450,8 @@ Status ConvertExternalToInternalColorEncoding(const JxlColorEncoding& external, jxl::ColorEncoding* internal);+Status PrimariesToXYZ(float rx, float ry, float gx, float gy, float bx,+ float by, float wx, float wy, float matrix[9]); Status PrimariesToXYZD50(float rx, float ry, float gx, float gy, float bx, float by, float wx, float wy, float matrix[9]); Status AdaptToXYZD50(float wx, float wy, float matrix[9]);
Here's the analysis of the provided code diff:
1. Vulnerability Existed: not sure
[Potential Missing Input Validation] [third_party/jpeg-xl/lib/jxl/color_encoding_internal.h] [Lines 450-452]
[Old Code]
(No previous declaration of PrimariesToXYZ function)
[Fixed Code]
Status PrimariesToXYZ(float rx, float ry, float gx, float gy, float bx,
float by, float wx, float wy, float matrix[9]);
2. Vulnerability Existed: not sure
[Potential Arithmetic Precision Issues] [third_party/jpeg-xl/lib/jxl/color_encoding_internal.h] [Lines 450-452]
[Old Code]
(No previous declaration of PrimariesToXYZ function)
[Fixed Code]
Status PrimariesToXYZ(float rx, float ry, float gx, float gy, float bx,
float by, float wx, float wy, float matrix[9]);
Note: The diff shows the addition of a new function declaration `PrimariesToXYZ`. While no direct vulnerability is evident from this change alone, there are potential security considerations:
1. The function takes several float parameters which could potentially be used for calculations without proper validation
2. The function writes to a matrix array which could be vulnerable to buffer overflows if not properly handled
3. Floating-point operations could lead to precision issues or unexpected behavior with extreme values
However, without seeing the implementation of this function, we cannot definitively determine if vulnerabilities exist. The change appears to be adding functionality rather than fixing an existing issue.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/layout/reftests/css-grid/grid-fragmentation-002.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/layout/reftests/css-grid/grid-fragmentation-002.html@@ -23,7 +23,7 @@ -ms-column-fill: auto; -webkit-column-fill: auto; column-fill: auto;- border: 2px dashed;+ border: 2px solid salmon; margin-bottom: 5px; }
Based on the provided code diff, I'll analyze it for potential security vulnerabilities:
1. Vulnerability Existed: no
No security vulnerability found [File] layout/reftests/css-grid/grid-fragmentation-002.html [Lines] 23
[Old Code] border: 2px dashed;
[Fixed Code] border: 2px solid salmon;
Additional Details:
- The change appears to be purely cosmetic/visual, modifying the border style from dashed to solid and changing the color to salmon.
- This is part of a CSS grid fragmentation test file, and the modification doesn't affect any security-related aspects.
- No known vulnerability patterns (XSS, injection, etc.) are present in either the old or new code.
- The change is likely related to improving test visibility or accuracy rather than addressing any security concerns.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/unicode-normalization/src/normalize.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/unicode-normalization/src/normalize.rs@@ -9,102 +9,60 @@ // except according to those terms. //! Functions for computing canonical and compatible decompositions for Unicode characters.--use std::cmp::Ordering::{Equal, Less, Greater};+use std::char; use std::ops::FnMut;-use tables::normalization::{canonical_table, canonical_table_STRTAB};-use tables::normalization::{compatibility_table, compatibility_table_STRTAB};-use tables::normalization::{composition_table, composition_table_STRTAB};-use tables::normalization::Slice;--fn bsearch_table<T>(c: char, r: &'static [(char, Slice)], strtab: &'static [T]) -> Option<&'static [T]> {- match r.binary_search_by(|&(val, _)| {- if c == val { Equal }- else if val < c { Less }- else { Greater }- }) {- Ok(idx) => {- let ref slice = r[idx].1;- let offset = slice.offset as usize;- let length = slice.length as usize;- Some(&strtab[offset..(offset + length)])- }- Err(_) => None- }-}+use tables; /// Compute canonical Unicode decomposition for character. /// See [Unicode Standard Annex #15](http://www.unicode.org/reports/tr15/) /// for more information.-pub fn decompose_canonical<F>(c: char, mut i: F) where F: FnMut(char) { d(c, &mut i, false); }+#[inline]+pub fn decompose_canonical<F>(c: char, emit_char: F) where F: FnMut(char) {+ decompose(c, tables::canonical_fully_decomposed, emit_char)+} /// Compute canonical or compatible Unicode decomposition for character. /// See [Unicode Standard Annex #15](http://www.unicode.org/reports/tr15/) /// for more information.-pub fn decompose_compatible<F>(c: char, mut i: F) where F: FnMut(char) { d(c, &mut i, true); }+#[inline]+pub fn decompose_compatible<F: FnMut(char)>(c: char, emit_char: F) {+ let decompose_char = |c| tables::compatibility_fully_decomposed(c)+ .or_else(|| tables::canonical_fully_decomposed(c));+ decompose(c, decompose_char, emit_char)+}-// FIXME(#19596) This is a workaround, we should use `F` instead of `&mut F`-fn d<F>(c: char, i: &mut F, k: bool) where F: FnMut(char) {+#[inline]+fn decompose<D, F>(c: char, decompose_char: D, mut emit_char: F)+ where D: Fn(char) -> Option<&'static [char]>, F: FnMut(char)+{ // 7-bit ASCII never decomposes- if c <= '\x7f' { (*i)(c); return; }-- // Perform decomposition for Hangul- if (c as u32) >= S_BASE && (c as u32) < (S_BASE + S_COUNT) {- decompose_hangul(c, i);+ if c <= '\x7f' {+ emit_char(c); return; }- // First check the canonical decompositions- match bsearch_table(c, canonical_table, canonical_table_STRTAB) {- Some(canon) => {- for x in canon {- d(*x, i, k);- }- return;- }- None => ()+ // Perform decomposition for Hangul+ if is_hangul_syllable(c) {+ decompose_hangul(c, emit_char);+ return; }- // Bottom out if we're not doing compat.- if !k { (*i)(c); return; }-- // Then check the compatibility decompositions- match bsearch_table(c, compatibility_table, compatibility_table_STRTAB) {- Some(compat) => {- for x in compat {- d(*x, i, k);- }- return;+ if let Some(decomposed) = decompose_char(c) {+ for &d in decomposed {+ emit_char(d); }- None => ()+ return; } // Finally bottom out.- (*i)(c);+ emit_char(c); } /// Compose two characters into a single character, if possible. /// See [Unicode Standard Annex #15](http://www.unicode.org/reports/tr15/) /// for more information. pub fn compose(a: char, b: char) -> Option<char> {- compose_hangul(a, b).or_else(|| {- match bsearch_table(a, composition_table, composition_table_STRTAB) {- None => None,- Some(candidates) => {- match candidates.binary_search_by(|&(val, _)| {- if b == val { Equal }- else if val < b { Less }- else { Greater }- }) {- Ok(idx) => {- let (_, result) = candidates[idx];- Some(result)- }- Err(_) => None- }- }- }- })+ compose_hangul(a, b).or_else(|| tables::composition_table(a, b)) } // Constants from Unicode 9.0.0 Section 3.12 Conjoining Jamo Behavior@@ -119,49 +77,76 @@ const N_COUNT: u32 = (V_COUNT * T_COUNT); const S_COUNT: u32 = (L_COUNT * N_COUNT);-// FIXME(#19596) This is a workaround, we should use `F` instead of `&mut F`+const S_LAST: u32 = S_BASE + S_COUNT - 1;+const L_LAST: u32 = L_BASE + L_COUNT - 1;+const V_LAST: u32 = V_BASE + V_COUNT - 1;+const T_LAST: u32 = T_BASE + T_COUNT - 1;++// Composition only occurs for `TPart`s in `U+11A8 ... U+11C2`,+// i.e. `T_BASE + 1 ... T_LAST`.+const T_FIRST: u32 = T_BASE + 1;++pub(crate) fn is_hangul_syllable(c: char) -> bool {+ (c as u32) >= S_BASE && (c as u32) < (S_BASE + S_COUNT)+}+ // Decompose a precomposed Hangul syllable #[allow(unsafe_code)] #[inline(always)]-fn decompose_hangul<F>(s: char, f: &mut F) where F: FnMut(char) {- use std::mem::transmute;+fn decompose_hangul<F>(s: char, mut emit_char: F) where F: FnMut(char) {+ let s_index = s as u32 - S_BASE;+ let l_index = s_index / N_COUNT;+ unsafe {+ emit_char(char::from_u32_unchecked(L_BASE + l_index));- let si = s as u32 - S_BASE;+ let v_index = (s_index % N_COUNT) / T_COUNT;+ emit_char(char::from_u32_unchecked(V_BASE + v_index));- let li = si / N_COUNT;- unsafe {- (*f)(transmute(L_BASE + li));-- let vi = (si % N_COUNT) / T_COUNT;- (*f)(transmute(V_BASE + vi));-- let ti = si % T_COUNT;- if ti > 0 {- (*f)(transmute(T_BASE + ti));+ let t_index = s_index % T_COUNT;+ if t_index > 0 {+ emit_char(char::from_u32_unchecked(T_BASE + t_index)); } }+}++#[inline]+pub(crate) fn hangul_decomposition_length(s: char) -> usize {+ let si = s as u32 - S_BASE;+ let ti = si % T_COUNT;+ if ti > 0 { 3 } else { 2 } } // Compose a pair of Hangul Jamo #[allow(unsafe_code)] #[inline(always)] fn compose_hangul(a: char, b: char) -> Option<char> {- use std::mem::transmute;+ let (a, b) = (a as u32, b as u32);+ match (a, b) {+ // Compose a leading consonant and a vowel together into an LV_Syllable+ (L_BASE ... L_LAST, V_BASE ... V_LAST) => {+ let l_index = a - L_BASE;+ let v_index = b - V_BASE;+ let lv_index = l_index * N_COUNT + v_index * T_COUNT;+ let s = S_BASE + lv_index;+ Some(unsafe {char::from_u32_unchecked(s)})+ },+ // Compose an LV_Syllable and a trailing consonant into an LVT_Syllable+ (S_BASE ... S_LAST, T_FIRST ... T_LAST) if (a - S_BASE) % T_COUNT == 0 => {+ Some(unsafe {char::from_u32_unchecked(a + (b - T_BASE))})+ },+ _ => None,+ }+}- let l = a as u32;- let v = b as u32;- // Compose an LPart and a VPart- if L_BASE <= l && l < (L_BASE + L_COUNT) // l should be an L choseong jamo- && V_BASE <= v && v < (V_BASE + V_COUNT) { // v should be a V jungseong jamo- let r = S_BASE + (l - L_BASE) * N_COUNT + (v - V_BASE) * T_COUNT;- return unsafe { Some(transmute(r)) };+#[cfg(test)]+mod tests {+ use super::compose_hangul;++ // Regression test from a bugfix where we were composing an LV_Syllable with+ // T_BASE directly. (We should only compose an LV_Syllable with a character+ // in the range `T_BASE + 1 ... T_LAST`.)+ #[test]+ fn test_hangul_composition() {+ assert_eq!(compose_hangul('\u{c8e0}', '\u{11a7}'), None); }- // Compose an LVPart and a TPart- if S_BASE <= l && l <= (S_BASE+S_COUNT-T_COUNT) // l should be a syllable block- && T_BASE <= v && v < (T_BASE+T_COUNT) // v should be a T jongseong jamo- && (l - S_BASE) % T_COUNT == 0 { // l should be an LV syllable block (not LVT)- let r = l + (v - T_BASE);- return unsafe { Some(transmute(r)) };- }- None }
I'll analyze the code diff for security vulnerabilities following the specified format.
Vulnerability Existed: yes
Incorrect Hangul Composition [third_party/rust/unicode-normalization/src/normalize.rs] [Lines 119-140 (old), 77-140 (new)]
[Old Code]
// Compose an LVPart and a TPart
if S_BASE <= l && l <= (S_BASE+S_COUNT-T_COUNT) // l should be a syllable block
&& T_BASE <= v && v < (T_BASE+T_COUNT) // v should be a T jongseong jamo
&& (l - S_BASE) % T_COUNT == 0 { // l should be an LV syllable block (not LVT)
let r = l + (v - T_BASE);
return unsafe { Some(transmute(r)) };
}
[Fixed Code]
// Compose an LV_Syllable and a trailing consonant into an LVT_Syllable
(S_BASE ... S_LAST, T_FIRST ... T_LAST) if (a - S_BASE) % T_COUNT == 0 => {
Some(unsafe {char::from_u32_unchecked(a + (b - T_BASE))})
}
Additional Details:
The vulnerability was in the Hangul composition logic where the old code would incorrectly compose characters with T_BASE (U+11A7) which should not be composed. The fix properly restricts composition to only T characters in the range T_BASE+1 to T_LAST (U+11A8 to U+11C2). This could have potentially caused incorrect Unicode normalization.
Vulnerability Existed: not sure
Potential Unsafe Casting [third_party/rust/unicode-normalization/src/normalize.rs] [Lines 93-103 (old), 77-140 (new)]
[Old Code]
unsafe {
(*f)(transmute(L_BASE + li));
(*f)(transmute(V_BASE + vi));
if ti > 0 {
(*f)(transmute(T_BASE + ti));
}
}
[Fixed Code]
unsafe {
emit_char(char::from_u32_unchecked(L_BASE + l_index));
emit_char(char::from_u32_unchecked(V_BASE + v_index));
if t_index > 0 {
emit_char(char::from_u32_unchecked(T_BASE + t_index));
}
}
Additional Details:
The old code used transmute for type conversion which is generally more dangerous than the new code which uses char::from_u32_unchecked. While both are unsafe, the new version is more explicit about what it's doing. However, I'm not certain if this qualifies as a security vulnerability or just a code quality improvement.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/media/gtest/TestAudioSegment.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/media/gtest/TestAudioSegment.cpp@@ -372,4 +372,73 @@ EXPECT_FALSE(c.mBuffer->IsShared()); }+TEST(AudioSegment, CombineChunksInAppendAndConsumeChunk)+{+ AudioChunk source;+ fillChunk<float, 2>(&source, 10);++ auto checkChunks = [&](const AudioSegment& aSegement,+ const nsTArray<TrackTime>& aDurations) {+ size_t i = 0;+ for (AudioSegment::ConstChunkIterator iter(aSegement); !iter.IsEnded();+ iter.Next()) {+ EXPECT_EQ(iter->GetDuration(), aDurations[i++]);+ }+ EXPECT_EQ(i, aDurations.Length());+ };++ // The chunks can be merged if their duration are adjacent.+ {+ AudioChunk c1(source);+ c1.SliceTo(2, 5);++ AudioChunk c2(source);+ c2.SliceTo(5, 9);++ AudioSegment s;+ s.AppendAndConsumeChunk(std::move(c1));+ EXPECT_EQ(s.GetDuration(), 3);++ s.AppendAndConsumeChunk(std::move(c2));+ EXPECT_EQ(s.GetDuration(), 7);++ checkChunks(s, {7});+ }+ // Otherwise, they cannot be merged.+ {+ // If durations of chunks are overlapped, they cannot be merged.+ AudioChunk c1(source);+ c1.SliceTo(2, 5);++ AudioChunk c2(source);+ c2.SliceTo(4, 9);++ AudioSegment s;+ s.AppendAndConsumeChunk(std::move(c1));+ EXPECT_EQ(s.GetDuration(), 3);++ s.AppendAndConsumeChunk(std::move(c2));+ EXPECT_EQ(s.GetDuration(), 8);++ checkChunks(s, {3, 5});+ }+ {+ // If durations of chunks are discontinuous, they cannot be merged.+ AudioChunk c1(source);+ c1.SliceTo(2, 4);++ AudioChunk c2(source);+ c2.SliceTo(5, 9);++ AudioSegment s;+ s.AppendAndConsumeChunk(std::move(c1));+ EXPECT_EQ(s.GetDuration(), 2);++ s.AppendAndConsumeChunk(std::move(c2));+ EXPECT_EQ(s.GetDuration(), 6);++ checkChunks(s, {2, 4});+ }+}+ } // namespace audio_segment
Analyzing the provided code diff, which adds test cases for audio segment chunk merging functionality, I don't find any security vulnerabilities being fixed. The changes appear to be purely functional tests for audio processing behavior. Vulnerability Existed: no No security vulnerabilities found in the diff. The changes are test cases for audio segment chunk merging functionality. The diff adds test cases to verify: 1. Adjacent audio chunks can be merged 2. Overlapping audio chunks remain separate 3. Discontinuous audio chunks remain separate These are functional tests rather than security fixes. No old code was modified - only new test cases were added. The tests verify correct behavior of the audio segment merging logic but don't address any security issues.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/drawing-rectangles-to-the-canvas/2d.strokeRect.globalalpha.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/drawing-rectangles-to-the-canvas/2d.strokeRect.globalalpha.worker.js@@ -13,14 +13,14 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.globalAlpha = 0; ctx.strokeStyle = '#f00'; ctx.lineWidth = 50; ctx.strokeRect(25, 24, 50, 2);-_assertPixel(offscreenCanvas, 50,25, 0,0,0,0, "50,25", "0,0,0,0");+_assertPixel(canvas, 50,25, 0,0,0,0, "50,25", "0,0,0,0"); t.done(); });
Based on the provided diff, I'll analyze it for security vulnerabilities:
1. Vulnerability Existed: no
[Variable Renaming] [testing/web-platform/tests/html/canvas/offscreen/drawing-rectangles-to-the-canvas/2d.strokeRect.globalalpha.worker.js] [Lines 13-14, 21]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
_assertPixel(offscreenCanvas, 50,25, 0,0,0,0, "50,25", "0,0,0,0");
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
_assertPixel(canvas, 50,25, 0,0,0,0, "50,25", "0,0,0,0");
The changes appear to be purely cosmetic, renaming a variable from `offscreenCanvas` to `canvas` for consistency or readability. There are no apparent security vulnerabilities being fixed in this diff. The functionality remains exactly the same, only the variable name has changed. No security-related patterns or vulnerabilities (like XSS, injection, etc.) are present in either the old or new code.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/gfx/metrics.yaml+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/gfx/metrics.yaml@@ -17,6 +17,9 @@ type: timing_distribution description: > The time to build a Gecko display list.+ metadata: &metadata+ tags:+ - "Core :: Graphics" bugs: - https://bugzilla.mozilla.org/show_bug.cgi?id=1728423 data_reviews:@@ -28,38 +31,3 @@ - [email protected] expires: never telemetry_mirror: PAINT_BUILD_DISPLAYLIST_TIME--geckoview.validation:- version:- description: >- The version of the Gecko engine, example: 74.0a1- Mirror of `geckoview.version` for validation of migrated data.- type: string- lifetime: ping- bugs:- - https://bugzilla.mozilla.org/show_bug.cgi?id=1611240- - https://bugzilla.mozilla.org/show_bug.cgi?id=1687219- - https://bugzilla.mozilla.org/show_bug.cgi?id=1732928- data_reviews:- - https://bugzilla.mozilla.org/show_bug.cgi?id=1611240#c2- notification_emails:- - [email protected]- expires: "98"- telemetry_mirror: GECKO_VERSION-- build_id:- description: >- The Buildid of the Gecko engine, example: 20200205124310- Mirror of `geckoview.build_id` for validation of migrated data.- type: string- lifetime: ping- bugs:- - https://bugzilla.mozilla.org/show_bug.cgi?id=1611240- - https://bugzilla.mozilla.org/show_bug.cgi?id=1687219- - https://bugzilla.mozilla.org/show_bug.cgi?id=1732928- data_reviews:- - https://bugzilla.mozilla.org/show_bug.cgi?id=1611240#c2- notification_emails:- - [email protected]- expires: "98"- telemetry_mirror: GECKO_BUILD_ID
After analyzing the provided code diff, here are the findings: 1. Vulnerability Existed: no No specific vulnerability found in the diff. The changes consist of: - Added metadata tags for "Core :: Graphics" in the display list timing metric - Removed the geckoview.validation section (version and build_id metrics) which appears to be cleanup/expiration of old metrics 2. Vulnerability Existed: not sure Potential Information Exposure [File] gfx/metrics.yaml [Lines] Removed geckoview validation section [Old Code] geckoview.validation metrics containing version and build_id information [Fixed Code] Removed entirely Note: While this isn't a direct security fix, removing version/build_id metrics could theoretically reduce information exposure. However, this appears to be more of a cleanup/expiration change rather than a security fix. The main changes appear to be: 1. Adding metadata tags for better metric categorization 2. Removing expired metrics (geckoview.validation) that were set to expire in version 98 No clear security vulnerabilities were fixed in this diff. The changes seem focused on metric maintenance and organization.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/browser/modules/metrics.yaml+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/browser/modules/metrics.yaml@@ -20,6 +20,9 @@ the foreground, only if it is receiving these interaction events. Migrated from Telemetry's `browser.engagement.active_ticks`.+ metadata: &metadata+ tags:+ - "Firefox :: General" bugs: - https://bugzilla.mozilla.org/show_bug.cgi?id=1376942 # Telemetry - https://bugzilla.mozilla.org/show_bug.cgi?id=1545172 # Telemetry@@ -34,6 +37,7 @@ send_in_pings: - baseline - metrics+ telemetry_mirror: BROWSER_ENGAGEMENT_MIRROR_FOR_ACTIVE_TICKS no_lint: - BASELINE_PING@@ -46,6 +50,7 @@ Migrated from Telemetry's `browser.engagement.total_uri_count_normal_and_private_mode`.+ metadata: *metadata bugs: - https://bugzilla.mozilla.org/show_bug.cgi?id=1535169 # Telemetry - https://bugzilla.mozilla.org/show_bug.cgi?id=1741674@@ -59,5 +64,6 @@ send_in_pings: - baseline - metrics+ telemetry_mirror: BROWSER_ENGAGEMENT_MIRROR_FOR_URI_COUNT no_lint: - BASELINE_PING
Here's the analysis of the provided code diff: 1. Vulnerability Existed: no No specific vulnerability found [File] browser/modules/metrics.yaml [Lines] 20-64 [Old Code] (No specific security-related old code) [Fixed Code] (No specific security-related fixes, only metadata and telemetry mirror additions) The changes appear to be related to adding metadata tags and telemetry mirror configurations rather than fixing security vulnerabilities. The modifications include: 1. Adding metadata tags for "Firefox :: General" 2. Adding telemetry_mirror configurations for both metrics 3. Reusing the metadata definition via YAML anchor (*metadata) These changes seem to be enhancements to the telemetry system rather than security fixes. No specific vulnerabilities are addressed in this diff.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.