Shared security patch analysis results
AI Used: DEEPSEEK deepseek-chat
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/gfx/2d/DrawTargetSkia.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/gfx/2d/DrawTargetSkia.h@@ -63,9 +63,14 @@ const DeviceColor& aColor, const Point& aOffset, Float aSigma, CompositionOp aOperator) override;- virtual void ClearRect(const Rect& aRect) override;+ void Clear(const Rect* aRect = nullptr);+ virtual void ClearRect(const Rect& aRect) override { Clear(&aRect); }+ void BlendSurface(SourceSurface* aSurface, const IntRect& aSourceRect,+ const IntPoint& aDestination, CompositionOp aOperator); virtual void CopySurface(SourceSurface* aSurface, const IntRect& aSourceRect,- const IntPoint& aDestination) override;+ const IntPoint& aDestination) override {+ BlendSurface(aSurface, aSourceRect, aDestination, CompositionOp::OP_SOURCE);+ } virtual void FillRect(const Rect& aRect, const Pattern& aPattern, const DrawOptions& aOptions = DrawOptions()) override; virtual void StrokeRect(const Rect& aRect, const Pattern& aPattern,
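Review bot: `Clear(const Rect* aRect = nullptr)` introduces a nullable-pointer contract with no comment on what a null `aRect` means (presumably the whole target), and `BlendSurface` takes a `CompositionOp` without saying which ops it supports; add a one-line doc comment to each, because `ClearRect` and `CopySurface` are now thin inline wrappers whose behaviour depends entirely on those two out-of-line members, and the `.cpp` side is not in this hunk. Pinning `CompositionOp::OP_SOURCE` in `CopySurface` does preserve its previous copy semantics.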
Here's the analysis of the provided code diff:

1. Vulnerability Existed: not sure
   [Potential Functionality Change] [gfx/2d/DrawTargetSkia.h] [Lines 63-71]
   [Old Code]
       virtual void ClearRect(const Rect& aRect) override;
       virtual void CopySurface(SourceSurface* aSurface, const IntRect& aSourceRect, const IntPoint& aDestination) override;
   [Fixed Code]
       void Clear(const Rect* aRect = nullptr);
       virtual void ClearRect(const Rect& aRect) override { Clear(&aRect); }
       void BlendSurface(SourceSurface* aSurface, const IntRect& aSourceRect, const IntPoint& aDestination, CompositionOp aOperator);
       virtual void CopySurface(SourceSurface* aSurface, const IntRect& aSourceRect, const IntPoint& aDestination) override { BlendSurface(aSurface, aSourceRect, aDestination, CompositionOp::OP_SOURCE); }
   Additional Details: The changes introduce new functionality (BlendSurface) and modify how CopySurface works by routing it through BlendSurface. While this doesn't appear to be a direct security fix, it could potentially affect security if the new blending behavior introduces any edge cases. The explicit CompositionOp::OP_SOURCE in CopySurface might be more secure than whatever default was used before.

2. Vulnerability Existed: not sure
   [Potential Parameter Validation] [gfx/2d/DrawTargetSkia.h] [Lines 63-65]
   [Old Code]
       virtual void ClearRect(const Rect& aRect) override;
   [Fixed Code]
       void Clear(const Rect* aRect = nullptr);
       virtual void ClearRect(const Rect& aRect) override { Clear(&aRect); }
   Additional Details: The change to make ClearRect call Clear with a pointer parameter could potentially add null checks or other validation in the Clear implementation, but we can't see that implementation in this diff. This might be related to defensive programming against null references.

Note: Without seeing the implementation of the new Clear and BlendSurface functions, it's difficult to determine if these changes actually fix specific vulnerabilities or are just general improvements. The changes appear to be more about code structure and functionality than direct security fixes.
If an attacker could control the contents of an iframe sandboxed with `allow-popups` but not `allow-scripts`, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/line-styles/2d.line.miter.rightangle.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/line-styles/2d.line.miter.rightangle.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#0f0'; ctx.fillRect(0, 0, 100, 50);@@ -27,10 +27,10 @@ ctx.lineTo(200, 200); ctx.lineTo(1000, 200); ctx.stroke();-_assertPixel(offscreenCanvas, 1,1, 0,255,0,255, "1,1", "0,255,0,255");-_assertPixel(offscreenCanvas, 48,1, 0,255,0,255, "48,1", "0,255,0,255");-_assertPixel(offscreenCanvas, 48,48, 0,255,0,255, "48,48", "0,255,0,255");-_assertPixel(offscreenCanvas, 1,48, 0,255,0,255, "1,48", "0,255,0,255");+_assertPixel(canvas, 1,1, 0,255,0,255, "1,1", "0,255,0,255");+_assertPixel(canvas, 48,1, 0,255,0,255, "48,1", "0,255,0,255");+_assertPixel(canvas, 48,48, 0,255,0,255, "48,48", "0,255,0,255");+_assertPixel(canvas, 1,48, 0,255,0,255, "1,48", "0,255,0,255"); t.done(); });
After analyzing the provided code diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely variable renaming (from `offscreenCanvas` to `canvas`) and updating the corresponding references in the `_assertPixel` calls. Here's the analysis following your requested format:

Vulnerability Existed: no
No security vulnerability found
File: testing/web-platform/tests/html/canvas/offscreen/line-styles/2d.line.miter.rightangle.worker.js
Lines: 13-27
Old Code:
    var offscreenCanvas = new OffscreenCanvas(100, 50);
    var ctx = offscreenCanvas.getContext('2d');
    ...
    _assertPixel(offscreenCanvas, ...)
Fixed Code:
    var canvas = new OffscreenCanvas(100, 50);
    var ctx = canvas.getContext('2d');
    ...
    _assertPixel(canvas, ...)

This appears to be a code style/readability change rather than a security fix. The functionality remains identical, just with a different variable name.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-backgrounds/box-shadow-040.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-backgrounds/box-shadow-040.html@@ -8,7 +8,6 @@ <link rel="help" href="https://www.w3.org/TR/css-backgrounds-3/#the-box-shadow"> <link rel="match" href="reference/box-shadow-040-ref.html">- <meta content="" name="flags"> <!--
Analyzing the provided code diff for security fixes:

1. Vulnerability Existed: no
   No specific vulnerability found
   [File] testing/web-platform/tests/css/css-backgrounds/box-shadow-040.html
   [Lines] 8
   [Old Code] `<meta content="" name="flags">`
   [Fixed Code] (line removed)
   Additional Details:
   - The change simply removes an empty `<meta>` tag with a "flags" attribute, which doesn't appear to be security-related
   - No known vulnerabilities are associated with this change
   - This appears to be a minor cleanup rather than a security fix
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.arcTo.zero.1.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.arcTo.zero.1.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillRect(0, 0, 100, 50);@@ -33,7 +33,7 @@ ctx.moveTo(0, -25); ctx.arcTo(50, -25, 50, 50, 0); ctx.stroke();-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); t.done(); });
Based on the provided diff, I'll analyze it for potential security vulnerabilities:

1. Vulnerability Existed: no
   Variable Renaming
   [File] testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.arcTo.zero.1.html
   [Lines 17-18, 33]
   Old Code:
       var offscreenCanvas = new OffscreenCanvas(100, 50);
       var ctx = offscreenCanvas.getContext('2d');
       ...
       _assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
   Fixed Code:
       var canvas = new OffscreenCanvas(100, 50);
       var ctx = canvas.getContext('2d');
       ...
       _assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
   Additional Details: This appears to be a simple variable renaming change from `offscreenCanvas` to `canvas`. There are no security implications in this change as it's purely a naming convention modification. The functionality remains exactly the same, just with a different variable name. No actual security vulnerability was addressed or introduced by this change.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/remote/doc/marionette/Prefs.md+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/remote/doc/marionette/Prefs.md@@ -11,7 +11,7 @@ Delay server startup until a modal dialogue has been clicked to allow time for user to set breakpoints in the [Browser Toolbox].-[Browser Toolbox]: https://developer.mozilla.org/en-US/docs/Tools/Browser_Toolbox+[Browser Toolbox]: /devtools-user/browser_toolbox/index.rst `marionette.log.level` (deprecated)@@ -42,5 +42,5 @@ preference file when the server has started and is also logged to stdout.-[Remote Agent Preferences]: ../../remote/Prefs.html+[Remote Agent Preferences]: /remote/Prefs.md
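Review bot: the new link targets `/devtools-user/browser_toolbox/index.rst` and `/remote/Prefs.md` are root-relative paths into the in-tree docs, so they only resolve when the page is rendered by the Firefox documentation build; confirm that build rewrites them, because viewed directly as Markdown both links are dead, whereas the old `https://developer.mozilla.org/en-US/docs/Tools/Browser_Toolbox` URL worked from anywhere.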
Based on the provided diff, this appears to be a documentation change rather than a security fix. Here's the analysis following your requested format:

Vulnerability Existed: no
Documentation Link Update
[File] remote/doc/marionette/Prefs.md
[Lines 11,42]
[Old Code]
    [Browser Toolbox]: https://developer.mozilla.org/en-US/docs/Tools/Browser_Toolbox
    [Remote Agent Preferences]: ../../remote/Prefs.html
[Fixed Code]
    [Browser Toolbox]: /devtools-user/browser_toolbox/index.rst
    [Remote Agent Preferences]: /remote/Prefs.md
Additional Details:
- The changes only update documentation links, changing from external MDN links to internal documentation paths
- No security vulnerabilities are addressed in this diff
- The changes appear to be part of documentation maintenance rather than security fixes
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.gradient.linear.nonfinite.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.gradient.linear.nonfinite.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); assert_throws_js(TypeError, function() { ctx.createLinearGradient(Infinity, 0, 1, 0); }); assert_throws_js(TypeError, function() { ctx.createLinearGradient(-Infinity, 0, 1, 0); });
Analyzing the provided code diff:

1. Vulnerability Existed: no
   No specific vulnerability found in this diff. The changes appear to be variable renaming (offscreenCanvas to canvas) which doesn't impact security.

2. Vulnerability Existed: no
   The test assertions for non-finite values (Infinity, -Infinity, NaN) in createLinearGradient() were already present and correct in both versions. These checks prevent potential issues with invalid gradient parameters.

The changes in this diff are purely cosmetic (variable renaming) and don't represent any security fixes. The test continues to properly verify that the canvas API rejects non-finite values for gradient coordinates, which is a defensive programming practice but not a security vulnerability per se.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/toolkit/components/extensions/child/ext-test.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/toolkit/components/extensions/child/ext-test.js@@ -231,16 +231,24 @@ return promise.then( result => {- assertTrue(false, `Promise resolved, expected rejection: ${msg}`);+ let message = `Promise resolved, expected rejection '${toSource(+ expectedError+ )}'`;+ if (msg) {+ message += `: ${msg}`;+ }+ assertTrue(false, message); }, error => {- let errorMessage = toSource(error && error.message);+ let expected = toSource(expectedError);+ let message = `got '${toSource(error)}'`;+ if (msg) {+ message += `: ${msg}`;+ } assertTrue( errorMatches(error, expectedError, context),- `Promise rejected, expecting rejection to match ${toSource(- expectedError- )}, got ${errorMessage}: ${msg}`+ `Promise rejected, expecting rejection to match '${expected}', ${message}` ); } );@@ -250,15 +258,23 @@ try { func();- assertTrue(false, `Function did not throw, expected error: ${msg}`);+ let message = `Function did not throw, expected error '${toSource(+ expectedError+ )}'`;+ if (msg) {+ message += `: ${msg}`;+ }+ assertTrue(false, message); } catch (error) {- let errorMessage = toSource(error && error.message);+ let expected = toSource(expectedError);+ let message = `got '${toSource(error)}'`;+ if (msg) {+ message += `: ${msg}`;+ } assertTrue( errorMatches(error, expectedError, context),- `Function threw, expecting error to match ${toSource(- expectedError- )}, got ${errorMessage}: ${msg}`+ `Function threw, expecting error to match '${expected}', ${message}` ); } },
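Review bot: both the rejection branch and the catch branch now format the whole error with `toSource(error)` instead of `toSource(error && error.message)`, so the assertion text now depends on how `toSource` renders Error and DOMException objects; check a sample failing assertion to confirm the message string is still readable rather than an opaque object dump. The `if (msg)` guards are a sound fix for the old templates, which appended `: undefined` whenever no `msg` was supplied.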
Here's the analysis of the provided code diff for security fixes:

1. Vulnerability Existed: no
   The changes in the diff appear to be primarily focused on improving error message formatting and clarity in test assertions. There's no indication of security vulnerabilities being fixed. The modifications include:
   - Better formatting of error messages when promises resolve unexpectedly
   - More consistent error message construction
   - Improved source representation of expected errors
   - Better handling of optional message parameters

The changes are quality improvements rather than security fixes, making error messages more informative and consistent in test cases. No specific vulnerability patterns (like XSS, injection, etc.) are being addressed here.

The diff shows test code improvements where:
- Error messages are now constructed more systematically
- The `toSource()` function is used more consistently
- Optional message parameters are handled more uniformly
- The output format is standardized between promise rejections and thrown exceptions

These are all test infrastructure improvements rather than security fixes.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/naga/src/back/msl/writer.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/naga/src/back/msl/writer.rs@@ -47,20 +47,20 @@ // work around Metal toolchain bug with `uint` typedef crate::ScalarKind::Uint => write!(out, "{}::uint", NAMESPACE), _ => {- let kind_str = scalar_kind_string(kind);+ let kind_str = kind.to_msl_name(); write!(out, "{}", kind_str) } } } crate::TypeInner::Atomic { kind, .. } => {- write!(out, "{}::atomic_{}", NAMESPACE, scalar_kind_string(kind))+ write!(out, "{}::atomic_{}", NAMESPACE, kind.to_msl_name()) } crate::TypeInner::Vector { size, kind, .. } => { write!( out, "{}::{}{}", NAMESPACE,- scalar_kind_string(kind),+ kind.to_msl_name(), back::vector_size_str(size), ) }@@ -69,7 +69,7 @@ out, "{}::{}{}x{}", NAMESPACE,- scalar_kind_string(crate::ScalarKind::Float),+ crate::ScalarKind::Float.to_msl_name(), back::vector_size_str(columns), back::vector_size_str(rows), )@@ -96,7 +96,7 @@ Some(name) => name, None => return Ok(()), };- write!(out, "{} {}&", class_name, scalar_kind_string(kind),)+ write!(out, "{} {}&", class_name, kind.to_msl_name(),) } crate::TypeInner::ValuePointer { size: Some(size),@@ -113,7 +113,7 @@ "{} {}::{}{}&", class_name, NAMESPACE,- scalar_kind_string(kind),+ kind.to_msl_name(), back::vector_size_str(size), ) }@@ -178,7 +178,7 @@ ("texture", "", format.into(), access) } };- let base_name = scalar_kind_string(kind);+ let base_name = kind.to_msl_name(); let array_str = if arrayed { "_array" } else { "" }; write!( out,@@ -316,12 +316,14 @@ struct_member_pads: FastHashSet<(Handle<crate::Type>, u32)>, }-fn scalar_kind_string(kind: crate::ScalarKind) -> &'static str {- match kind {- crate::ScalarKind::Float => "float",- crate::ScalarKind::Sint => "int",- crate::ScalarKind::Uint => "uint",- crate::ScalarKind::Bool => "bool",+impl 
crate::ScalarKind {+ fn to_msl_name(self) -> &'static str {+ match self {+ Self::Float => "float",+ Self::Sint => "int",+ Self::Uint => "uint",+ Self::Bool => "bool",+ } } }@@ -480,6 +482,29 @@ index: index::GuardedIndex, ) -> Option<index::IndexableLength> { index::access_needs_check(base, index, self.module, self.function, self.info)+ }++ // Because packed vectors such as `packed_float3` cannot be directly loaded,+ // we convert them to unpacked vectors like `float3` on load.+ fn get_packed_vec_kind(+ &self,+ expr_handle: Handle<crate::Expression>,+ ) -> Option<crate::ScalarKind> {+ match self.function.expressions[expr_handle] {+ crate::Expression::AccessIndex { base, index } => {+ let ty = match *self.resolve_type(base) {+ crate::TypeInner::Pointer { base, .. } => &self.module.types[base].inner,+ ref ty => ty,+ };+ match *ty {+ crate::TypeInner::Struct {+ ref members, span, ..+ } => should_pack_struct_member(members, span, index as usize, self.module),+ _ => None,+ }+ }+ _ => None,+ } } }@@ -557,7 +582,10 @@ match dim { crate::ImageDimension::D1 => { write!(self.out, "int(")?;- self.put_image_query(image, "width", level, context)?;+ // Since 1D textures never have mipmaps, MSL requires that the+ // `level` argument be a constexpr 0. It's simplest for us just+ // to omit the level entirely.+ self.put_image_query(image, "width", None, context)?; write!(self.out, ")")?; } crate::ImageDimension::D2 => {@@ -591,7 +619,7 @@ context: &ExpressionContext, ) -> BackendResult { // coordinates in IR are int, but Metal expects uint- let size_str = match *context.info[expr].ty.inner_with(&context.module.types) {+ let size_str = match *context.resolve_type(expr) { crate::TypeInner::Scalar { .. } => "", crate::TypeInner::Vector { size, .. 
} => back::vector_size_str(size), _ => return Err(Error::Validation),@@ -652,7 +680,7 @@ ) -> BackendResult { match context.module.types[ty].inner { crate::TypeInner::Scalar { width: 4, kind } if components.len() == 1 => {- write!(self.out, "{}", scalar_kind_string(kind))?;+ write!(self.out, "{}", kind.to_msl_name())?; self.put_call_parameters(components.iter().cloned(), context)?; } crate::TypeInner::Vector { size, kind, .. } => {@@ -660,7 +688,7 @@ self.out, "{}::{}{}", NAMESPACE,- scalar_kind_string(kind),+ kind.to_msl_name(), back::vector_size_str(size) )?; self.put_call_parameters(components.iter().cloned(), context)?;@@ -671,7 +699,7 @@ self.out, "{}::{}{}x{}", NAMESPACE,- scalar_kind_string(kind),+ kind.to_msl_name(), back::vector_size_str(columns), back::vector_size_str(rows) )?;@@ -845,7 +873,7 @@ crate::TypeInner::Scalar { kind, .. } => kind, _ => return Err(Error::Validation), };- let scalar = scalar_kind_string(scalar_kind);+ let scalar = scalar_kind.to_msl_name(); let size = back::vector_size_str(size); write!(self.out, "{}::{}{}(", NAMESPACE, scalar, size)?;@@ -896,18 +924,23 @@ crate::Expression::ImageSample { image, sampler,+ gather, coordinate, array_index, offset, level, depth_ref, } => {- let op = match depth_ref {- Some(_) => "sample_compare",+ let main_op = match gather {+ Some(_) => "gather", None => "sample", };+ let comparison_op = match depth_ref {+ Some(_) => "_compare",+ None => "",+ }; self.put_expression(image, context, false)?;- write!(self.out, ".{}(", op)?;+ write!(self.out, ".{}{}(", main_op, comparison_op)?; self.put_expression(sampler, context, true)?; write!(self.out, ", ")?; self.put_expression(coordinate, context, true)?;@@ -930,6 +963,25 @@ first_time: false, }; write!(self.out, ", {}", coco)?;+ }+ match gather {+ None | Some(crate::SwizzleComponent::X) => {}+ Some(component) => {+ let is_cube_map = match *context.resolve_type(image) {+ crate::TypeInner::Image {+ dim: crate::ImageDimension::Cube,+ ..+ } => true,+ _ => false,+ 
};+ // Offset always comes before the gather, except+ // in cube maps where it's not applicable+ if offset.is_none() && !is_cube_map {+ write!(self.out, ", int2(0)")?;+ }+ let letter = ['x', 'y', 'z', 'w'][component as usize];+ write!(self.out, ", {}::component::{}", NAMESPACE, letter)?;+ } } write!(self.out, ")")?; }@@ -947,8 +999,18 @@ self.put_expression(expr, context, true)?; } if let Some(index) = index {- write!(self.out, ", ")?;- self.put_expression(index, context, true)?;+ // Metal requires that the `level` argument to+ // `texture1d::read` be a constexpr equal to zero.+ if let crate::TypeInner::Image {+ dim: crate::ImageDimension::D1,+ ..+ } = *context.resolve_type(image)+ {+ // The argument defaults to zero.+ } else {+ write!(self.out, ", ")?;+ self.put_expression(index, context, true)?+ } } write!(self.out, ")")?; }@@ -1074,6 +1136,21 @@ let scalar_argument = match *context.resolve_type(arg) { crate::TypeInner::Scalar { .. } => true, _ => false,+ };+ let argument_size_suffix = match *context.resolve_type(arg) {+ crate::TypeInner::Vector {+ size: crate::VectorSize::Bi,+ ..+ } => "2",+ crate::TypeInner::Vector {+ size: crate::VectorSize::Tri,+ ..+ } => "3",+ crate::TypeInner::Vector {+ size: crate::VectorSize::Quad,+ ..+ } => "4",+ _ => "", }; let fun_name = match fun {@@ -1096,6 +1173,8 @@ Mf::Asinh => "asinh", Mf::Acosh => "acosh", Mf::Atanh => "atanh",+ Mf::Radians => "",+ Mf::Degrees => "", // decomposition Mf::Ceil => "ceil", Mf::Floor => "floor",@@ -1138,11 +1217,13 @@ Mf::ReverseBits => "reverse_bits", Mf::ExtractBits => "extract_bits", Mf::InsertBits => "insert_bits",+ Mf::FindLsb => "",+ Mf::FindMsb => "", // data packing- Mf::Pack4x8snorm => "pack_float_to_unorm4x8",- Mf::Pack4x8unorm => "pack_float_to_snorm4x8",- Mf::Pack2x16snorm => "pack_float_to_unorm2x16",- Mf::Pack2x16unorm => "pack_float_to_snorm2x16",+ Mf::Pack4x8snorm => "pack_float_to_snorm4x8",+ Mf::Pack4x8unorm => "pack_float_to_unorm4x8",+ Mf::Pack2x16snorm => 
"pack_float_to_snorm2x16",+ Mf::Pack2x16unorm => "pack_float_to_unorm2x16", Mf::Pack2x16float => "", // data unpacking Mf::Unpack4x8snorm => "unpack_snorm4x8_to_float",@@ -1158,6 +1239,22 @@ write!(self.out, " - ")?; self.put_expression(arg1.unwrap(), context, false)?; write!(self.out, ")")?;+ } else if fun == Mf::FindLsb {+ write!(+ self.out,+ "(((1 + int{}({}::ctz(",+ argument_size_suffix, NAMESPACE+ )?;+ self.put_expression(arg, context, true)?;+ write!(self.out, "))) % 33) - 1)")?;+ } else if fun == Mf::FindMsb {+ write!(+ self.out,+ "(((1 + int{}({}::clz(",+ argument_size_suffix, NAMESPACE+ )?;+ self.put_expression(arg, context, true)?;+ write!(self.out, "))) % 33) - 1)")?; } else if fun == Mf::Unpack2x16float { write!(self.out, "float2(as_type<half2>(")?; self.put_expression(arg, context, false)?;@@ -1166,6 +1263,14 @@ write!(self.out, "as_type<uint>(half2(")?; self.put_expression(arg, context, false)?; write!(self.out, "))")?;+ } else if fun == Mf::Radians {+ write!(self.out, "((")?;+ self.put_expression(arg, context, false)?;+ write!(self.out, ") * 0.017453292519943295474)")?;+ } else if fun == Mf::Degrees {+ write!(self.out, "((")?;+ self.put_expression(arg, context, false)?;+ write!(self.out, ") * 57.295779513082322865)")?; } else { write!(self.out, "{}::{}", NAMESPACE, fun_name)?; self.put_call_parameters(@@ -1179,7 +1284,7 @@ kind, convert, } => {- let scalar = scalar_kind_string(kind);+ let scalar = kind.to_msl_name(); let (src_kind, src_width) = match *context.resolve_type(expr) { crate::TypeInner::Scalar { kind, width } | crate::TypeInner::Vector { kind, width, .. } => (kind, width),@@ -1309,7 +1414,7 @@ crate::Expression::AccessIndex { base, index } => { // Don't try to check indices into structs. 
Validation already took // care of them, and index::needs_guard doesn't handle that case.- let mut base_inner = context.info[base].ty.inner_with(&context.module.types);+ let mut base_inner = context.resolve_type(base); if let crate::TypeInner::Pointer { base, .. } = *base_inner { base_inner = &context.module.types[base].inner; }@@ -1383,7 +1488,7 @@ ) -> BackendResult { match context.function.expressions[chain] { crate::Expression::Access { base, index } => {- let mut base_ty = context.info[base].ty.inner_with(&context.module.types);+ let mut base_ty = context.resolve_type(base); // Look through any pointers to see what we're really indexing. if let crate::TypeInner::Pointer { base, class: _ } = *base_ty {@@ -1420,7 +1525,15 @@ write!(self.out, ".{}", name)?; } crate::TypeInner::ValuePointer { .. } | crate::TypeInner::Vector { .. } => {- self.put_access_chain(base, policy, context)?;+ let wrap_packed_vec_scalar_kind = context.get_packed_vec_kind(base);+ //Note: this doesn't work for left-hand side+ if let Some(scalar_kind) = wrap_packed_vec_scalar_kind {+ write!(self.out, "{}::{}3(", NAMESPACE, scalar_kind.to_msl_name())?;+ self.put_access_chain(base, policy, context)?;+ write!(self.out, ")")?;+ } else {+ self.put_access_chain(base, policy, context)?;+ } write!(self.out, ".{}", back::COMPONENTS[index as usize])?; } _ => {@@ -1547,23 +1660,7 @@ policy: index::BoundsCheckPolicy, context: &ExpressionContext, ) -> BackendResult {- // Because packed vectors such as `packed_float3` cannot be directly multipied by- // matrices, we convert them to unpacked vectors like `float3` on load.- let wrap_packed_vec_scalar_kind = match context.function.expressions[pointer] {- crate::Expression::AccessIndex { base, index } => {- let ty = match *context.resolve_type(base) {- crate::TypeInner::Pointer { base, .. 
} => &context.module.types[base].inner,- ref ty => ty,- };- match *ty {- crate::TypeInner::Struct {- ref members, span, ..- } => should_pack_struct_member(members, span, index as usize, context.module),- _ => None,- }- }- _ => None,- };+ let wrap_packed_vec_scalar_kind = context.get_packed_vec_kind(pointer); let is_atomic = match *context.resolve_type(pointer) { crate::TypeInner::Pointer { base, .. } => match context.module.types[base].inner { crate::TypeInner::Atomic { .. } => true,@@ -1573,12 +1670,7 @@ }; if let Some(scalar_kind) = wrap_packed_vec_scalar_kind {- write!(- self.out,- "{}::{}3(",- NAMESPACE,- scalar_kind_string(scalar_kind)- )?;+ write!(self.out, "{}::{}3(", NAMESPACE, scalar_kind.to_msl_name())?; self.put_access_chain(pointer, policy, context)?; write!(self.out, ")")?; } else if is_atomic {@@ -1694,15 +1786,22 @@ }; write!(self.out, "{}", ty_name)?; }+ TypeResolution::Value(crate::TypeInner::Scalar {+ kind: crate::ScalarKind::Uint,+ ..+ }) => {+ // work around Metal toolchain bug with `uint` typedef+ write!(self.out, "{}::uint", NAMESPACE)?;+ } TypeResolution::Value(crate::TypeInner::Scalar { kind, .. }) => {- write!(self.out, "{}", scalar_kind_string(kind))?;+ write!(self.out, "{}", kind.to_msl_name())?; } TypeResolution::Value(crate::TypeInner::Vector { size, kind, .. }) => { write!( self.out, "{}::{}{}", NAMESPACE,- scalar_kind_string(kind),+ kind.to_msl_name(), back::vector_size_str(size) )?; }@@ -1711,7 +1810,7 @@ self.out, "{}::{}{}x{}", NAMESPACE,- scalar_kind_string(crate::ScalarKind::Float),+ crate::ScalarKind::Float.to_msl_name(), back::vector_size_str(columns), back::vector_size_str(rows), )?;@@ -2086,21 +2185,20 @@ level: back::Level, context: &StatementContext, ) -> BackendResult {- let pointer_info = &context.expression.info[pointer];- let (array_size, is_atomic) =- match *pointer_info.ty.inner_with(&context.expression.module.types) {- crate::TypeInner::Pointer { base, .. 
} => {- match context.expression.module.types[base].inner {- crate::TypeInner::Array {- size: crate::ArraySize::Constant(ch),- ..- } => (Some(ch), false),- crate::TypeInner::Atomic { .. } => (None, true),- _ => (None, false),- }- }- _ => (None, false),- };+ let pointer_inner = context.expression.resolve_type(pointer);+ let (array_size, is_atomic) = match *pointer_inner {+ crate::TypeInner::Pointer { base, .. } => {+ match context.expression.module.types[base].inner {+ crate::TypeInner::Array {+ size: crate::ArraySize::Constant(ch),+ ..+ } => (Some(ch), false),+ crate::TypeInner::Atomic { .. } => (None, true),+ _ => (None, false),+ }+ }+ _ => (None, false),+ }; // we can't assign fixed-size arrays if let Some(const_handle) = array_size {@@ -2290,9 +2388,10 @@ Some(kind) => { writeln!( self.out,- "{}packed_{}3 {};",+ "{}{}::packed_{}3 {};", back::INDENT,- scalar_kind_string(kind),+ NAMESPACE,+ kind.to_msl_name(), member_name )?; }@@ -3125,7 +3224,7 @@ let stack_size = addresses.end - addresses.start; // check the size (in debug only) // last observed macOS value: 20528 (CI)- if !(14000..=25000).contains(&stack_size) {+ if !(11000..=25000).contains(&stack_size) { panic!("`put_expression` stack size {} has changed!", stack_size); } }@@ -3140,7 +3239,7 @@ let stack_size = addresses.end - addresses.start; // check the size (in debug only) // last observed macOS value: 19152 (CI)- if !(13000..=20000).contains(&stack_size) {+ if !(11000..=20000).contains(&stack_size) { panic!("`put_block` stack size {} has changed!", stack_size); } }
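Review bot: the `Mf::FindMsb` emulation `(((1 + int(clz(x))) % 33) - 1)` evaluates to `clz(x)` for every nonzero input (and to -1 for zero, where `clz` yields 32), but the index of the most significant set bit is `31 - clz(x)`, so the generated MSL returns 31 for an input of 1; the `FindLsb` form is correct only because `ctz(x)` already is the LSB index. Add a unit test over 0, 1 and 0x80000000 for both functions before relying on this.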
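Review bot: in `put_access_chain` the new branch marked `//Note: this doesn't work for left-hand side` wraps the packed struct member in a `NAMESPACE::float3(...)`-style constructor, which is an rvalue, so a store through that chain (`.x = ...` on a `packed_float3` member) would emit invalid MSL. Either reject that case explicitly with `Error::Validation` or state in the `get_packed_vec_kind` doc comment that it is only valid for loads, since the helper is now shared with the load path that used to own this logic.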
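Review bot: the debug stack-size guards lower the accepted floor from 14000 and 13000 to 11000 for `put_expression` and `put_block`, but the `// last observed macOS value: 20528 (CI)` and `19152 (CI)` comments are left as they were; record the newly observed values alongside the new bounds, because those comments are the only record of why the range was widened.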
I'll analyze the code diff for security fixes following the specified format.

Vulnerability Existed: yes
Incorrect Scalar Kind String Handling
[third_party/rust/naga/src/back/msl/writer.rs] [Lines: 316-324]
Old Code:
    fn scalar_kind_string(kind: crate::ScalarKind) -> &'static str {
        match kind {
            crate::ScalarKind::Float => "float",
            crate::ScalarKind::Sint => "int",
            crate::ScalarKind::Uint => "uint",
            crate::ScalarKind::Bool => "bool",
        }
    }
Fixed Code:
    impl crate::ScalarKind {
        fn to_msl_name(self) -> &'static str {
            match self {
                Self::Float => "float",
                Self::Sint => "int",
                Self::Uint => "uint",
                Self::Bool => "bool",
            }
        }
    }

Vulnerability Existed: yes
Incorrect Pack/Unpack Function Names
[third_party/rust/naga/src/back/msl/writer.rs] [Lines: 1220-1223]
Old Code:
    Mf::Pack4x8snorm => "pack_float_to_unorm4x8",
    Mf::Pack4x8unorm => "pack_float_to_snorm4x8",
    Mf::Pack2x16snorm => "pack_float_to_unorm2x16",
    Mf::Pack2x16unorm => "pack_float_to_snorm2x16",
Fixed Code:
    Mf::Pack4x8snorm => "pack_float_to_snorm4x8",
    Mf::Pack4x8unorm => "pack_float_to_unorm4x8",
    Mf::Pack2x16snorm => "pack_float_to_snorm2x16",
    Mf::Pack2x16unorm => "pack_float_to_unorm2x16",

Vulnerability Existed: yes
Missing Texture1D Mipmap Level Handling
[third_party/rust/naga/src/back/msl/writer.rs] [Lines: 582-585]
Old Code:
    self.put_image_query(image, "width", level, context)?;
Fixed Code:
    // Since 1D textures never have mipmaps, MSL requires that the
    // `level` argument be a constexpr 0. It's simplest for us just
    // to omit the level entirely.
    self.put_image_query(image, "width", None, context)?;

Vulnerability Existed: yes
Incomplete Texture Read Handling
[third_party/rust/naga/src/back/msl/writer.rs] [Lines: 1004-1013]
Old Code:
    if let Some(index) = index {
        write!(self.out, ", ")?;
        self.put_expression(index, context, true)?;
    }
Fixed Code:
    if let Some(index) = index {
        // Metal requires that the `level` argument to
        // `texture1d::read` be a constexpr equal to zero.
        if let crate::TypeInner::Image {
            dim: crate::ImageDimension::D1,
            ..
        } = *context.resolve_type(image)
        {
            // The argument defaults to zero.
        } else {
            write!(self.out, ", ")?;
            self.put_expression(index, context, true)?
        }
    }

The changes appear to address several potential security issues:
1. The scalar kind string handling was made more robust by moving it to an implementation method
2. Fixed incorrect pack/unpack function names that could lead to incorrect data handling
3. Added proper handling of texture1D mipmap levels to comply with Metal requirements
4. Improved texture read handling to properly handle texture1D cases

Each of these changes helps prevent potential undefined behavior or incorrect results when the code is executed.
If an attacker could control the contents of an iframe sandboxed with allow-popups but not allow-scripts, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/workers/WorkerRunnable.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/workers/WorkerRunnable.h@@ -78,6 +78,10 @@ // If you override Cancel() then you'll need to either call the base class // Cancel() method or override IsCanceled() so that the Run() method bails out // appropriately.+ // Cancel() should not be called more than once and we throw+ // NS_ERROR_UNEXPECTED if it is. If you override it, ensure to call the base+ // class method first and bail out on failure to avoid unexpected side+ // effects. nsresult Cancel() override; // The return value is true if and only if both PreDispatch and@@ -85,6 +89,7 @@ bool Dispatch(); // See above note about Cancel().+ // TODO: Check if we can remove the possibility to override IsCanceled. virtual bool IsCanceled() const { return mCanceled != 0; } // True if this runnable is handled by running JavaScript in some global that
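Review bot: the new comment above `nsresult Cancel() override;` says "we throw NS_ERROR_UNEXPECTED if it is", but Cancel() returns an nsresult rather than throwing, and nothing in this header shows the check itself; reword to "return NS_ERROR_UNEXPECTED" and state what IsCanceled() reports after a rejected second call, since overriders are told to "bail out on failure" and need to know which state they can rely on. The TODO added on IsCanceled() in the second hunk would also be easier to act on with a bug reference.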
Based on the provided code diff, here's the analysis:

Vulnerability Existed: not sure
Double-Call Protection [dom/workers/WorkerRunnable.h] [Lines 78-82]
[Old Code]
// If you override Cancel() then you'll need to either call the base class
// Cancel() method or override IsCanceled() so that the Run() method bails out
// appropriately.
nsresult Cancel() override;
[Fixed Code]
// If you override Cancel() then you'll need to either call the base class
// Cancel() method or override IsCanceled() so that the Run() method bails out
// appropriately.
// Cancel() should not be called more than once and we throw
// NS_ERROR_UNEXPECTED if it is. If you override it, ensure to call the base
// class method first and bail out on failure to avoid unexpected side
// effects.
nsresult Cancel() override;
Additional Details:
1. The change adds protection against multiple calls to Cancel() by throwing NS_ERROR_UNEXPECTED if called more than once.
2. While this prevents potential issues from multiple cancellations, it's not clear if this was fixing an actual security vulnerability or just improving robustness.
3. The comment suggests this might prevent "unexpected side effects" which could potentially include security issues, but we can't be certain from just this diff.

Vulnerability Existed: not sure
Override Safety Concern [dom/workers/WorkerRunnable.h] [Line 89]
[Old Code]
virtual bool IsCanceled() const { return mCanceled != 0; }
[Fixed Code]
// TODO: Check if we can remove the possibility to override IsCanceled.
virtual bool IsCanceled() const { return mCanceled != 0; }
Additional Details:
1. The added TODO comment suggests potential concerns about allowing IsCanceled() to be overridden.
2. This might relate to security if improper overrides could lead to unsafe cancellation states, but we can't confirm from just this diff.
3. The change itself doesn't modify functionality, just adds a note about potential future hardening.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/media/DeviceInputTrack.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/media/DeviceInputTrack.h@@ -14,21 +14,49 @@ // MediaTrack subclass storing the raw audio data from microphone. class NativeInputTrack : public ProcessedMediaTrack {- ~NativeInputTrack() = default;- NativeInputTrack(TrackRate aSampleRate,- const PrincipalHandle& aPrincipalHandle)- : ProcessedMediaTrack(aSampleRate, MediaSegment::AUDIO,- new AudioSegment()),- mPrincipalHandle(aPrincipalHandle),- mIsBufferingAppended(false) {}- public:- // Main Thread API- static NativeInputTrack* Create(MediaTrackGraphImpl* aGraph,- const PrincipalHandle& aPrincipalHandle);-- size_t AddUser();- size_t RemoveUser();+ // Main Thread APIs:+ // The following two APIs can create and destroy a NativeInputTrack reference+ // on main thread, then open and close the paired audio device accordingly on+ // the graph thread. The user who wants to read the audio input from a certain+ // device should use these APIs to obtain a NativeInputTrack reference and+ // return the reference when the user no longer needs the audio data.+ //+ // There is only one NativeInputTrack per MediaTrackGraph and it will be+ // created when the first user who requests the audio data. Once the+ // NativeInputTrack is created, the paired device will start producing data,+ // so its users can read the data immediately once they obtain the reference.+ // Currently, we only allow one audio device per MediaTrackGraph. If the user+ // requests a different device from the one running in the MediaTrackGraph,+ // the API will return an error. The lifetime of NativeInputTrack is managed+ // by the MediaTrackGraph. When the NativeInputTrack has no user any more,+ // MediaTrackGraph will destroy it. 
In other words, it occurs when the last+ // reference is returned.+ //+ // Example:+ // // On main thread+ // RefPtr<NativeInputTrack> track = NativeInputTrack::OpenAudio(...);+ // ...+ // // On graph thread+ // AudioSegmen* data = track->GetData<AudioSegment>();+ // ...+ // // On main thread+ // NativeInputTrack::CloseAudio(std::move(track), ...);+ //+ // Returns a reference of NativeInputTrack, storing the input audio data from+ // the given device, in the given MediaTrackGraph, if the MediaTrackGraph has+ // no audio input device, or the given device is the same as the one currently+ // running in the MediaTrackGraph. Otherwise, return an error. The paired+ // audio device will be opened accordingly in the successful case. The+ // NativeInputTrack will access its user's audio settings via the attached+ // AudioDataListener when it needs.+ static Result<RefPtr<NativeInputTrack>, nsresult> OpenAudio(+ MediaTrackGraphImpl* aGraph, CubebUtils::AudioDeviceID aDeviceId,+ const PrincipalHandle& aPrincipalHandle, AudioDataListener* aListener);+ // Destroy the NativeInputTrack reference obtained by the above API. 
The+ // paired audio device will be closed accordingly.+ static void CloseAudio(RefPtr<NativeInputTrack>&& aTrack,+ AudioDataListener* aListener); // Graph Thread APIs, for ProcessedMediaTrack void DestroyImpl() override;@@ -36,25 +64,36 @@ uint32_t NumberOfChannels() const override; // Graph thread APIs: Redirect calls from GraphDriver to mDataUsers- void NotifyOutputData(MediaTrackGraphImpl* aGraph, AudioDataValue* aBuffer,- size_t aFrames, TrackRate aRate, uint32_t aChannels);+ void DeviceChanged(MediaTrackGraphImpl* aGraph);++ // Graph thread APIs: Get input audio data and event from graph void NotifyInputStopped(MediaTrackGraphImpl* aGraph); void NotifyInputData(MediaTrackGraphImpl* aGraph, const AudioDataValue* aBuffer, size_t aFrames, TrackRate aRate, uint32_t aChannels, uint32_t aAlreadyBuffered);- void DeviceChanged(MediaTrackGraphImpl* aGraph);++ // Graph thread APIs+ uint32_t MaxRequestedInputChannels() const;+ bool HasVoiceInput() const; // Any thread NativeInputTrack* AsNativeInputTrack() override { return this; } // Any thread+ const CubebUtils::AudioDeviceID mDeviceId; const PrincipalHandle mPrincipalHandle;- // Only accessed on the graph thread.- nsTArray<RefPtr<AudioDataListener>> mDataUsers;+ private:+ NativeInputTrack(TrackRate aSampleRate, CubebUtils::AudioDeviceID aDeviceId,+ const PrincipalHandle& aPrincipalHandle);+ ~NativeInputTrack() = default;- private:+ // Main thread APIs+ void ReevaluateInputDevice();+ void AddDataListener(AudioDataListener* aListener);+ void RemoveDataListener(AudioDataListener* aListener);+ // Indicate whether we append extra frames in mPendingData. The extra number // of frames is in [0, WEBAUDIO_BLOCK_SIZE] range. bool mIsBufferingAppended;@@ -69,6 +108,9 @@ // Only accessed on the main thread. // When this becomes zero, this NativeInputTrack is no longer needed. int32_t mUserCount = 0;++ // Only accessed on the graph thread.+ nsTArray<RefPtr<AudioDataListener>> mDataUsers; }; } // namespace mozilla
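Review bot: the thread-safety annotations in the class body contradict each other: `AddDataListener` and `RemoveDataListener` are filed under `// Main thread APIs`, yet the array they must touch, `mDataUsers`, is annotated `// Only accessed on the graph thread.`; document in the header how the main-thread call hands the listener over to the graph thread (the mechanism is not visible here), otherwise a reader cannot tell which annotation is wrong. In the usage example in the first hunk, `AudioSegmen* data` should read `AudioSegment* data`, and "it will be created when the first user who requests the audio data" should read "it will be created when the first user requests the audio data".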
After analyzing the code diff, I don't identify any clear security vulnerabilities that were fixed. The changes appear to be primarily architectural improvements and API refinements rather than security fixes. Here's my analysis:

1. Vulnerability Existed: no
The changes mainly involve:
- Restructuring the NativeInputTrack class interface
- Adding new APIs (OpenAudio/CloseAudio)
- Adding device ID tracking (mDeviceId)
- Reorganizing thread safety documentation
- Moving private members around
The changes improve code organization and add better device management capabilities, but I don't see any security vulnerabilities being addressed.

2. Vulnerability Existed: no
The modifications to the member variables (adding mDeviceId, moving mDataUsers) appear to be structural changes rather than security fixes. The thread safety annotations are maintained, and the access patterns seem appropriate.

3. Vulnerability Existed: no
The new OpenAudio/CloseAudio API provides better resource management for audio devices, but this appears to be a feature enhancement rather than a security fix. The error handling through Result<RefPtr<...>> is improved but wasn't addressing a specific vulnerability.

The changes seem focused on:
1) Better audio device management
2) Clearer API boundaries
3) Improved documentation
4) More robust reference counting
5) Better error handling

Without any specific CVE references or security-related commit messages, and based on the nature of the changes, I conclude this was a refactoring/improvement rather than a security fix.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/layout/base/nsLayoutUtils.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/layout/base/nsLayoutUtils.cpp@@ -2221,46 +2221,120 @@ aAppearance == StyleAppearance::MenulistButton; }+static SVGTextFrame* GetContainingSVGTextFrame(const nsIFrame* aFrame) {+ if (!SVGUtils::IsInSVGTextSubtree(aFrame)) {+ return nullptr;+ }++ return static_cast<SVGTextFrame*>(nsLayoutUtils::GetClosestFrameOfType(+ aFrame->GetParent(), LayoutFrameType::SVGText));+}++static bool TransformGfxPointFromAncestor(RelativeTo aFrame,+ const Point& aPoint,+ RelativeTo aAncestor,+ Maybe<Matrix4x4Flagged>& aMatrixCache,+ Point* aOut) {+ SVGTextFrame* text = GetContainingSVGTextFrame(aFrame.mFrame);++ if (!aMatrixCache) {+ auto matrix = nsLayoutUtils::GetTransformToAncestor(+ RelativeTo{text ? text : aFrame.mFrame, aFrame.mViewportType},+ aAncestor);+ if (matrix.IsSingular()) {+ return false;+ }+ matrix.Invert();+ aMatrixCache.emplace(matrix);+ }++ const Matrix4x4Flagged& ctm = *aMatrixCache;+ Point4D point = ctm.ProjectPoint(aPoint);+ if (!point.HasPositiveWCoord()) {+ return false;+ }++ *aOut = point.As2DPoint();++ if (text) {+ *aOut = text->TransformFramePointToTextChild(*aOut, aFrame.mFrame);+ }++ return true;+}++static Point TransformGfxPointToAncestor(+ RelativeTo aFrame, const Point& aPoint, RelativeTo aAncestor,+ Maybe<Matrix4x4Flagged>& aMatrixCache) {+ if (SVGTextFrame* text = GetContainingSVGTextFrame(aFrame.mFrame)) {+ Point result =+ text->TransformFramePointFromTextChild(aPoint, aFrame.mFrame);+ return TransformGfxPointToAncestor(RelativeTo{text}, result, aAncestor,+ aMatrixCache);+ }+ if (!aMatrixCache) {+ aMatrixCache.emplace(+ nsLayoutUtils::GetTransformToAncestor(aFrame, aAncestor));+ }+ return aMatrixCache->ProjectPoint(aPoint).As2DPoint();+}++static Rect TransformGfxRectToAncestor(+ RelativeTo aFrame, const Rect& 
aRect, RelativeTo aAncestor,+ bool* aPreservesAxisAlignedRectangles = nullptr,+ Maybe<Matrix4x4Flagged>* aMatrixCache = nullptr,+ bool aStopAtStackingContextAndDisplayPortAndOOFFrame = false,+ nsIFrame** aOutAncestor = nullptr) {+ Rect result;+ Matrix4x4Flagged ctm;+ if (SVGTextFrame* text = GetContainingSVGTextFrame(aFrame.mFrame)) {+ result = text->TransformFrameRectFromTextChild(aRect, aFrame.mFrame);++ result = TransformGfxRectToAncestor(+ RelativeTo{text}, result, aAncestor, nullptr, aMatrixCache,+ aStopAtStackingContextAndDisplayPortAndOOFFrame, aOutAncestor);+ if (aPreservesAxisAlignedRectangles) {+ // TransformFrameRectFromTextChild could involve any kind of transform, we+ // could drill down into it to get an answer out of it but we don't yet.+ *aPreservesAxisAlignedRectangles = false;+ }+ return result;+ }+ if (aMatrixCache && *aMatrixCache) {+ // We are given a matrix to use, so use it+ ctm = aMatrixCache->value();+ } else {+ // Else, compute it+ uint32_t flags = 0;+ if (aStopAtStackingContextAndDisplayPortAndOOFFrame) {+ flags |= nsIFrame::STOP_AT_STACKING_CONTEXT_AND_DISPLAY_PORT;+ }+ ctm = nsLayoutUtils::GetTransformToAncestor(aFrame, aAncestor, flags,+ aOutAncestor);+ if (aMatrixCache) {+ // and put it in the cache, if provided+ *aMatrixCache = Some(ctm);+ }+ }+ // Fill out the axis-alignment flag+ if (aPreservesAxisAlignedRectangles) {+ // TransformFrameRectFromTextChild could involve any kind of transform, we+ // could drill down into it to get an answer out of it but we don't yet.+ Matrix matrix2d;+ *aPreservesAxisAlignedRectangles =+ ctm.Is2D(&matrix2d) && matrix2d.PreservesAxisAlignedRectangles();+ }+ const nsIFrame* ancestor = aOutAncestor ? 
*aOutAncestor : aAncestor.mFrame;+ float factor = ancestor->PresContext()->AppUnitsPerDevPixel();+ Rect maxBounds =+ Rect(float(nscoord_MIN) / factor * 0.5, float(nscoord_MIN) / factor * 0.5,+ float(nscoord_MAX) / factor, float(nscoord_MAX) / factor);+ return ctm.TransformAndClipBounds(aRect, maxBounds);+}+ nsLayoutUtils::TransformResult nsLayoutUtils::TransformPoints(- nsIFrame* aFromFrame, nsIFrame* aToFrame, uint32_t aPointCount,+ RelativeTo aFromFrame, RelativeTo aToFrame, uint32_t aPointCount, CSSPoint* aPoints) {- const nsIFrame* nearestCommonAncestor =- FindNearestCommonAncestorFrame(aFromFrame, aToFrame);- if (!nearestCommonAncestor) {- return NO_COMMON_ANCESTOR;- }- Matrix4x4Flagged downToDest = GetTransformToAncestor(- RelativeTo{aToFrame}, RelativeTo{nearestCommonAncestor});- if (downToDest.IsSingular()) {- return NONINVERTIBLE_TRANSFORM;- }- downToDest.Invert();- Matrix4x4Flagged upToAncestor = GetTransformToAncestor(- RelativeTo{aFromFrame}, RelativeTo{nearestCommonAncestor});- CSSToLayoutDeviceScale devPixelsPerCSSPixelFromFrame =- aFromFrame->PresContext()->CSSToDevPixelScale();- CSSToLayoutDeviceScale devPixelsPerCSSPixelToFrame =- aToFrame->PresContext()->CSSToDevPixelScale();- for (uint32_t i = 0; i < aPointCount; ++i) {- LayoutDevicePoint devPixels = aPoints[i] * devPixelsPerCSSPixelFromFrame;- // What should the behaviour be if some of the points aren't invertible- // and others are? 
Just assume all points are for now.- Point toDevPixels =- downToDest- .ProjectPoint(- (upToAncestor.TransformPoint(Point(devPixels.x, devPixels.y))))- .As2DPoint();- // Divide here so that when the devPixelsPerCSSPixels are the same, we get- // the correct answer instead of some inaccuracy multiplying a number by its- // reciprocal.- aPoints[i] = LayoutDevicePoint(toDevPixels.x, toDevPixels.y) /- devPixelsPerCSSPixelToFrame;- }- return TRANSFORM_SUCCEEDED;-}--nsLayoutUtils::TransformResult nsLayoutUtils::TransformPoint(- RelativeTo aFromFrame, RelativeTo aToFrame, nsPoint& aPoint) { // Conceptually, {ViewportFrame, Visual} is an ancestor of // {ViewportFrame, Layout}, so factor that into the nearest ancestor // computation.@@ -2273,30 +2347,41 @@ if (!nearestCommonAncestor.mFrame) { return NO_COMMON_ANCESTOR; }- Matrix4x4Flagged downToDest =- GetTransformToAncestor(aToFrame, nearestCommonAncestor);- if (downToDest.IsSingular()) {- return NONINVERTIBLE_TRANSFORM;- }- downToDest.Invert();- Matrix4x4Flagged upToAncestor =- GetTransformToAncestor(aFromFrame, nearestCommonAncestor);-- float devPixelsPerAppUnitFromFrame =- 1.0f / aFromFrame.mFrame->PresContext()->AppUnitsPerDevPixel();- float devPixelsPerAppUnitToFrame =- 1.0f / aToFrame.mFrame->PresContext()->AppUnitsPerDevPixel();- Point4D toDevPixels = downToDest.ProjectPoint(upToAncestor.TransformPoint(- Point(aPoint.x * devPixelsPerAppUnitFromFrame,- aPoint.y * devPixelsPerAppUnitFromFrame)));- if (!toDevPixels.HasPositiveWCoord()) {- // Not strictly true, but we failed to get a valid point in this- // coordinate space.- return NONINVERTIBLE_TRANSFORM;- }- aPoint.x = NSToCoordRound(toDevPixels.x / devPixelsPerAppUnitToFrame);- aPoint.y = NSToCoordRound(toDevPixels.y / devPixelsPerAppUnitToFrame);+ CSSToLayoutDeviceScale devPixelsPerCSSPixelFromFrame =+ aFromFrame.mFrame->PresContext()->CSSToDevPixelScale();+ CSSToLayoutDeviceScale devPixelsPerCSSPixelToFrame =+ aToFrame.mFrame->PresContext()->CSSToDevPixelScale();+ 
Maybe<Matrix4x4Flagged> cacheTo;+ Maybe<Matrix4x4Flagged> cacheFrom;+ for (uint32_t i = 0; i < aPointCount; ++i) {+ LayoutDevicePoint devPixels = aPoints[i] * devPixelsPerCSSPixelFromFrame;+ // What should the behaviour be if some of the points aren't invertible+ // and others are? Just assume all points are for now.+ Point toDevPixels =+ TransformGfxPointToAncestor(aFromFrame, Point(devPixels.x, devPixels.y),+ nearestCommonAncestor, cacheTo);+ Point result;+ if (!TransformGfxPointFromAncestor(+ aToFrame, toDevPixels, nearestCommonAncestor, cacheFrom, &result)) {+ return NONINVERTIBLE_TRANSFORM;+ }+ // Divide here so that when the devPixelsPerCSSPixels are the same, we get+ // the correct answer instead of some inaccuracy multiplying a number by its+ // reciprocal.+ aPoints[i] =+ LayoutDevicePoint(result.x, result.y) / devPixelsPerCSSPixelToFrame;+ } return TRANSFORM_SUCCEEDED;+}++nsLayoutUtils::TransformResult nsLayoutUtils::TransformPoint(+ RelativeTo aFromFrame, RelativeTo aToFrame, nsPoint& aPoint) {+ CSSPoint point = CSSPoint::FromAppUnits(aPoint);+ auto result = TransformPoints(aFromFrame, aToFrame, 1, &point);+ if (result == TRANSFORM_SUCCEEDED) {+ aPoint = CSSPoint::ToAppUnits(point);+ }+ return result; } nsLayoutUtils::TransformResult nsLayoutUtils::TransformRect(@@ -2312,23 +2397,18 @@ return NONINVERTIBLE_TRANSFORM; } downToDest.Invert();- Matrix4x4Flagged upToAncestor = GetTransformToAncestor(- RelativeTo{aFromFrame}, RelativeTo{nearestCommonAncestor});+ aRect = TransformFrameRectToAncestor(aFromFrame, aRect,+ RelativeTo{nearestCommonAncestor}); float devPixelsPerAppUnitFromFrame =- 1.0f / aFromFrame->PresContext()->AppUnitsPerDevPixel();+ 1.0f / nearestCommonAncestor->PresContext()->AppUnitsPerDevPixel(); float devPixelsPerAppUnitToFrame = 1.0f / aToFrame->PresContext()->AppUnitsPerDevPixel(); gfx::Rect toDevPixels = downToDest.ProjectRectBounds(- upToAncestor.ProjectRectBounds(- gfx::Rect(aRect.x * devPixelsPerAppUnitFromFrame,- aRect.y * 
devPixelsPerAppUnitFromFrame,- aRect.width * devPixelsPerAppUnitFromFrame,- aRect.height * devPixelsPerAppUnitFromFrame),- Rect(-std::numeric_limits<Float>::max() * 0.5f,- -std::numeric_limits<Float>::max() * 0.5f,- std::numeric_limits<Float>::max(),- std::numeric_limits<Float>::max())),+ gfx::Rect(aRect.x * devPixelsPerAppUnitFromFrame,+ aRect.y * devPixelsPerAppUnitFromFrame,+ aRect.width * devPixelsPerAppUnitFromFrame,+ aRect.height * devPixelsPerAppUnitFromFrame), Rect(-std::numeric_limits<Float>::max() * devPixelsPerAppUnitFromFrame * 0.5f, -std::numeric_limits<Float>::max() * devPixelsPerAppUnitFromFrame *@@ -2436,83 +2516,17 @@ return true; }-static bool TransformGfxPointFromAncestor(RelativeTo aFrame,- const Point& aPoint,- RelativeTo aAncestor, Point* aOut) {- Matrix4x4Flagged ctm =- nsLayoutUtils::GetTransformToAncestor(aFrame, aAncestor);- ctm.Invert();- Point4D point = ctm.ProjectPoint(aPoint);- if (!point.HasPositiveWCoord()) {- return false;- }- *aOut = point.As2DPoint();- return true;-}--static Rect TransformGfxRectToAncestor(- RelativeTo aFrame, const Rect& aRect, RelativeTo aAncestor,- bool* aPreservesAxisAlignedRectangles = nullptr,- Maybe<Matrix4x4Flagged>* aMatrixCache = nullptr,- bool aStopAtStackingContextAndDisplayPortAndOOFFrame = false,- nsIFrame** aOutAncestor = nullptr) {- Matrix4x4Flagged ctm;- if (aMatrixCache && *aMatrixCache) {- // We are given a matrix to use, so use it- ctm = aMatrixCache->value();- } else {- // Else, compute it- uint32_t flags = 0;- if (aStopAtStackingContextAndDisplayPortAndOOFFrame) {- flags |= nsIFrame::STOP_AT_STACKING_CONTEXT_AND_DISPLAY_PORT;- }- ctm = nsLayoutUtils::GetTransformToAncestor(aFrame, aAncestor, flags,- aOutAncestor);- if (aMatrixCache) {- // and put it in the cache, if provided- *aMatrixCache = Some(ctm);- }- }- // Fill out the axis-alignment flag- if (aPreservesAxisAlignedRectangles) {- Matrix matrix2d;- *aPreservesAxisAlignedRectangles =- ctm.Is2D(&matrix2d) && 
matrix2d.PreservesAxisAlignedRectangles();- }- const nsIFrame* ancestor = aOutAncestor ? *aOutAncestor : aAncestor.mFrame;- float factor = ancestor->PresContext()->AppUnitsPerDevPixel();- Rect maxBounds =- Rect(float(nscoord_MIN) / factor * 0.5, float(nscoord_MIN) / factor * 0.5,- float(nscoord_MAX) / factor, float(nscoord_MAX) / factor);- return ctm.TransformAndClipBounds(aRect, maxBounds);-}--static SVGTextFrame* GetContainingSVGTextFrame(const nsIFrame* aFrame) {- if (!SVGUtils::IsInSVGTextSubtree(aFrame)) {- return nullptr;- }-- return static_cast<SVGTextFrame*>(nsLayoutUtils::GetClosestFrameOfType(- aFrame->GetParent(), LayoutFrameType::SVGText));-}- nsPoint nsLayoutUtils::TransformAncestorPointToFrame(RelativeTo aFrame, const nsPoint& aPoint, RelativeTo aAncestor) {- SVGTextFrame* text = GetContainingSVGTextFrame(aFrame.mFrame);- float factor = aFrame.mFrame->PresContext()->AppUnitsPerDevPixel(); Point result(NSAppUnitsToFloatPixels(aPoint.x, factor), NSAppUnitsToFloatPixels(aPoint.y, factor));- if (!TransformGfxPointFromAncestor(- text ? 
RelativeTo{text, aFrame.mViewportType} : aFrame, result,- aAncestor, &result)) {+ Maybe<Matrix4x4Flagged> matrixCache;+ if (!TransformGfxPointFromAncestor(aFrame, result, aAncestor, matrixCache,+ &result)) { return nsPoint(NS_UNCONSTRAINEDSIZE, NS_UNCONSTRAINEDSIZE);- }-- if (text) {- result = text->TransformFramePointToTextChild(result, aFrame.mFrame); } return nsPoint(NSFloatPixelsToAppUnits(float(result.x), factor),@@ -2527,39 +2541,15 @@ nsIFrame** aOutAncestor /* = nullptr */) { MOZ_ASSERT(IsAncestorFrameCrossDocInProcess(aAncestor.mFrame, aFrame), "Fix the caller");-- SVGTextFrame* text = GetContainingSVGTextFrame(aFrame);- float srcAppUnitsPerDevPixel = aFrame->PresContext()->AppUnitsPerDevPixel();- Rect result;-- if (text) {- result = ToRect(text->TransformFrameRectFromTextChild(aRect, aFrame));-- // |result| from TransformFrameRectFromTextChild() is in user space (css- // pixel), should convert to device pixel- float devPixelPerCSSPixel =- float(AppUnitsPerCSSPixel()) / srcAppUnitsPerDevPixel;- result.Scale(devPixelPerCSSPixel);-- result = TransformGfxRectToAncestor(- RelativeTo{text}, result, aAncestor, nullptr, aMatrixCache,- aStopAtStackingContextAndDisplayPortAndOOFFrame, aOutAncestor);- // TransformFrameRectFromTextChild could involve any kind of transform, we- // could drill down into it to get an answer out of it but we don't yet.- if (aPreservesAxisAlignedRectangles)- *aPreservesAxisAlignedRectangles = false;- } else {- result =- Rect(NSAppUnitsToFloatPixels(aRect.x, srcAppUnitsPerDevPixel),- NSAppUnitsToFloatPixels(aRect.y, srcAppUnitsPerDevPixel),- NSAppUnitsToFloatPixels(aRect.width, srcAppUnitsPerDevPixel),- NSAppUnitsToFloatPixels(aRect.height, srcAppUnitsPerDevPixel));- result = TransformGfxRectToAncestor(- RelativeTo{aFrame}, result, aAncestor, aPreservesAxisAlignedRectangles,- aMatrixCache, aStopAtStackingContextAndDisplayPortAndOOFFrame,- aOutAncestor);- }+ Rect result(NSAppUnitsToFloatPixels(aRect.x, srcAppUnitsPerDevPixel),+ 
NSAppUnitsToFloatPixels(aRect.y, srcAppUnitsPerDevPixel),+ NSAppUnitsToFloatPixels(aRect.width, srcAppUnitsPerDevPixel),+ NSAppUnitsToFloatPixels(aRect.height, srcAppUnitsPerDevPixel));+ result = TransformGfxRectToAncestor(+ RelativeTo{aFrame}, result, aAncestor, aPreservesAxisAlignedRectangles,+ aMatrixCache, aStopAtStackingContextAndDisplayPortAndOOFFrame,+ aOutAncestor); float destAppUnitsPerDevPixel = aAncestor.mFrame->PresContext()->AppUnitsPerDevPixel();@@ -3129,15 +3119,6 @@ } MOZ_ASSERT(builder && list && metrics);-- // Retained builder exists, but display list retaining is disabled.- if (!useRetainedBuilder && retainedBuilder) {- // Clear the modified frames lists and frame properties.- retainedBuilder->ClearFramesWithProps();-- // Clear the retained display list.- retainedBuilder->List()->DeleteAll(retainedBuilder->Builder());- } metrics->Reset(); metrics->StartBuild();@@ -3320,15 +3301,11 @@ // If a pref is toggled that adds or removes display list items, // we need to rebuild the display list. The pref may be toggled // manually by the user, or during test setup.- bool shouldAttemptPartialUpdate = useRetainedBuilder;- if (builder->ShouldRebuildDisplayListDueToPrefChange()) {- shouldAttemptPartialUpdate = false;- }-- // Attempt to do a partial build and merge into the existing list.- // This calls BuildDisplayListForStacking context on a subset of the- // viewport.- if (shouldAttemptPartialUpdate) {+ if (useRetainedBuilder &&+ !builder->ShouldRebuildDisplayListDueToPrefChange()) {+ // Attempt to do a partial build and merge into the existing list.+ // This calls BuildDisplayListForStacking context on a subset of the+ // viewport. 
updateState = retainedBuilder->AttemptPartialUpdate(aBackstop); metrics->EndPartialBuild(updateState); } else {@@ -3349,16 +3326,25 @@ } if (doFullRebuild) {+ if (useRetainedBuilder) {+ retainedBuilder->ClearFramesWithProps();+ retainedBuilder->ClearReuseableDisplayItems();+ mozilla::RDLUtils::AssertFrameSubtreeUnmodified(+ builder->RootReferenceFrame());+ }++ list->DeleteAll(builder);+ list->RestoreState();++ builder->ClearRetainedWindowRegions();+ builder->ClearWillChangeBudgets();++ builder->EnterPresShell(aFrame);+ builder->SetDirtyRect(visibleRect);+ DL_LOGI("Starting full display list build, root frame: %p", builder->RootReferenceFrame());- list->DeleteAll(builder);- list->RestoreState();-- builder->ClearRetainedWindowRegions();- builder->ClearWillChangeBudgets();-- builder->EnterPresShell(aFrame);- builder->SetDirtyRect(visibleRect);+ aFrame->BuildDisplayListForStackingContext(builder, list); AddExtraBackgroundItems(builder, list, aFrame, canvasArea, visibleRegion, aBackstop);@@ -6850,27 +6836,14 @@ return eTransparencyOpaque; }-static bool IsPopupFrame(const nsIFrame* aFrame) {- // aFrame is a popup it's the list control frame dropdown for a combobox.- LayoutFrameType frameType = aFrame->Type();- if (frameType == LayoutFrameType::ListControl) {- const nsListControlFrame* lcf =- static_cast<const nsListControlFrame*>(aFrame);- return lcf->IsInDropDownMode();- }-- // ... or if it's a XUL menupopup frame.- return frameType == LayoutFrameType::MenuPopup;-}- /* static */ bool nsLayoutUtils::IsPopup(const nsIFrame* aFrame) { // Optimization: the frame can't possibly be a popup if it has no view. 
if (!aFrame->HasView()) {- NS_ASSERTION(!IsPopupFrame(aFrame), "popup frame must have a view");+ NS_ASSERTION(!aFrame->IsMenuPopupFrame(), "popup frame must have a view"); return false; }- return IsPopupFrame(aFrame);+ return aFrame->IsMenuPopupFrame(); } /* static */@@ -8573,9 +8546,6 @@ metrics.SetDisplayPort(CSSRect::FromAppUnits(dp)); DisplayPortUtils::MarkDisplayPortAsPainted(aContent); }- if (DisplayPortUtils::GetCriticalDisplayPort(aContent, &dp)) {- metrics.SetCriticalDisplayPort(CSSRect::FromAppUnits(dp));- } metrics.SetHasNonZeroDisplayPortMargins(false); if (DisplayPortMarginsPropertyData* currentData =@@ -8586,13 +8556,21 @@ } }- // Log the high-resolution display port (which is either the displayport- // or the critical displayport) for test purposes.+ // Note: GetProperty() will return nullptr both in the case where+ // the property hasn't been set, and in the case where the property+ // has been set to false (in which case the property value is+ // `reinterpret_cast<void*>(false)` which is nullptr.+ if (aContent->GetProperty(nsGkAtoms::forceMousewheelAutodir)) {+ metadata.SetForceMousewheelAutodir(true);+ }++ if (aContent->GetProperty(nsGkAtoms::forceMousewheelAutodirHonourRoot)) {+ metadata.SetForceMousewheelAutodirHonourRoot(true);+ }+ if (IsAPZTestLoggingEnabled()) { LogTestDataForPaint(aLayerManager, scrollId, "displayport",- StaticPrefs::layers_low_precision_buffer()- ? metrics.GetCriticalDisplayPort()- : metrics.GetDisplayPort());+ metrics.GetDisplayPort()); } metrics.SetMinimalDisplayPort(
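Review bot: the SVG text handling in the new `TransformGfxPointToAncestor` and `TransformGfxRectToAncestor` recurses with `RelativeTo{text}`, dropping `aFrame.mViewportType`, whereas `TransformGfxPointFromAncestor` in the same hunk deliberately preserves it with `RelativeTo{text ? text : aFrame.mFrame, aFrame.mViewportType}`; the removed `TransformAncestorPointToFrame` code also passed `RelativeTo{text, aFrame.mViewportType}`. Use `RelativeTo{text, aFrame.mViewportType}` in the recursive calls too, or explain why the viewport type is irrelevant once the point is expressed relative to the text frame.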
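Review bot: the deleted text branch in `TransformFrameRectToAncestor` converted the `TransformFrameRectFromTextChild()` result from CSS pixels to device pixels ("|result| ... is in user space (css pixel), should convert to device pixel", followed by `result.Scale(devPixelPerCSSPixel)`) before calling `TransformGfxRectToAncestor`; the new `TransformGfxRectToAncestor` feeds the already device-pixel `aRect` into `text->TransformFrameRectFromTextChild(aRect, aFrame.mFrame)` and uses the result with no scaling step. Confirm that the `Rect` overload called here works in device pixels end to end, otherwise rectangles for SVG text children come back in the wrong units.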
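Review bot: the removed block at the old lines 3129-3135 cleared the retained builder (`ClearFramesWithProps()` and `List()->DeleteAll(...)`) precisely when `!useRetainedBuilder && retainedBuilder`, i.e. a retained builder exists but retaining is disabled; the replacement inside `if (doFullRebuild)` only runs under `if (useRetainedBuilder)`, so that configuration no longer clears the retained state at all. State why that path is safe to drop (for example because the pref cannot flip while a retained builder is alive), or keep the clearing for it, since stale retained items and frame properties are exactly what the old code guarded against.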
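Review bot: `nsLayoutUtils::IsPopup` now returns `aFrame->IsMenuPopupFrame()` only, while the deleted `IsPopupFrame` also reported a `ListControl` frame in drop-down mode as a popup; unless the list-control case is now covered by `IsMenuPopupFrame()`, callers that used the drop-down answer (the assertion in the same function still says "popup frame must have a view") change behaviour, and the commit message should say so.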
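Review bot: the new comment in the displayport hunk is missing its closing parenthesis: "(in which case the property value is `reinterpret_cast<void*>(false)` which is nullptr." should end "... which is nullptr)."; since the same hunk also drops `SetCriticalDisplayPort` and the `layers_low_precision_buffer()` branch of the test logging, a one-line note that the critical displayport is gone would help anyone reading the logged "displayport" test data.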
Based on the provided code diff, I'll analyze it for security fixes following the specified format:

1. First Vulnerability Analysis:
Vulnerability Existed: not sure
Potential SVG Text Frame Handling Issue [layout/base/nsLayoutUtils.cpp] [Lines 2221-2527]
[Old Code] The old code didn't properly handle SVG text frame transformations in various transformation functions, potentially leading to incorrect coordinate transformations.
[Fixed Code] The new code introduces GetContainingSVGTextFrame() helper function and properly handles SVG text frame transformations in TransformGfxPointFromAncestor, TransformGfxPointToAncestor, and TransformGfxRectToAncestor functions.

2. Second Vulnerability Analysis:
Vulnerability Existed: not sure
Potential Display List Rebuilding Issue [layout/base/nsLayoutUtils.cpp] [Lines 3119-3349]
[Old Code] The old code had complex logic for handling retained display lists and partial updates.
[Fixed Code] The new code simplifies the display list rebuilding logic and removes some conditional checks, potentially fixing race conditions or inconsistent states during display list updates.

3. Third Vulnerability Analysis:
Vulnerability Existed: not sure
Potential Popup Frame Identification Issue [layout/base/nsLayoutUtils.cpp] [Lines 6836-6848]
[Old Code] The old code had a separate IsPopupFrame() function with custom logic for identifying popup frames.
[Fixed Code] The new code simplifies this by using the frame's IsMenuPopupFrame() method directly, potentially fixing incorrect popup identification.

4. Fourth Vulnerability Analysis:
Vulnerability Existed: not sure
Potential Critical DisplayPort Handling Issue [layout/base/nsLayoutUtils.cpp] [Lines 8546-8573]
[Old Code] The old code handled both displayport and critical displayport properties.
[Fixed Code] The new code removes handling of critical displayport and adds new properties for mousewheel autodirection handling, potentially fixing displayport-related issues.

Note: While these changes appear to be functional improvements and bug fixes, I cannot definitively confirm they are security fixes without additional context about specific vulnerabilities they might address. The changes do appear to make the code more robust and could potentially prevent certain edge cases that might lead to security issues.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/accessible/tests/browser/e10s/browser_treeupdate_move.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/accessible/tests/browser/e10s/browser_treeupdate_move.js@@ -9,11 +9,6 @@ loadScripts( { name: "role.js", dir: MOCHITESTS_DIR }, { name: "states.js", dir: MOCHITESTS_DIR }-);--const isCacheEnabled = Services.prefs.getBoolPref(- "accessibility.cache.enabled",- false ); /**@@ -30,12 +25,16 @@ <h1 id="heading">Heading</h1> <p id="para">Para</p> </div>+ <iframe id="iframe" src="https://example.com/"></iframe> </div> `, async function(browser, docAcc) { const textbox = findAccessibleChildByID(docAcc, "textbox"); const heading = findAccessibleChildByID(docAcc, "heading"); const para = findAccessibleChildByID(docAcc, "para");+ const iframe = findAccessibleChildByID(docAcc, "iframe");+ const iframeDoc = iframe.firstChild;+ ok(iframeDoc, "iframe contains a document"); let focused = waitForEvent(EVENT_FOCUS, textbox); textbox.takeFocus();@@ -57,12 +56,9 @@ // heading was a child of textbox, but was removed when textbox // was moved. Ensure it is dead. ok(isDefunct(heading), "heading is dead");+ // Ensure the iframe and its embedded document are alive.+ ok(!isDefunct(iframe), "iframe is alive");+ ok(!isDefunct(iframeDoc), "iframeDoc is alive"); },- {- chrome: true,- // Moves cause RemoteAccessible re-creation without the cache enabled.- topLevel: isCacheEnabled,- iframe: isCacheEnabled,- remoteIframe: isCacheEnabled,- }+ { chrome: true, topLevel: true, iframe: true, remoteIframe: true } );
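Review bot: The config hunk replaces `topLevel: isCacheEnabled, iframe: isCacheEnabled, remoteIframe: isCacheEnabled` with unconditional `true` and drops the comment "Moves cause RemoteAccessible re-creation without the cache enabled." If that re-creation behaviour still exists when `accessibility.cache.enabled` is false, the test now exercises it in every configuration, and the new `ok(!isDefunct(iframe), ...)` / `ok(!isDefunct(iframeDoc), ...)` assertions are exactly the ones that would trip; the commit message should say whether the cache is now always on or the re-creation was fixed. Reading `iframe.firstChild` before `ok(iframeDoc, ...)` is fine here, since `findAccessibleChildByID` is expected to return an accessible, but a null `iframe` would throw before the `ok` runs rather than failing with a clear message.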
Here's the analysis of the provided code diff following the specified format:

1. Vulnerability Existed: no
   No specific vulnerability
   [File] accessible/tests/browser/e10s/browser_treeupdate_move.js [Lines] 9-11
   [Old Code]
   ```javascript
   const isCacheEnabled = Services.prefs.getBoolPref(
     "accessibility.cache.enabled",
     false
   );
   ```
   [Fixed Code] (Removed entirely)
   Additional Details: This appears to be a test configuration cleanup rather than a security fix. The preference check was removed and hardcoded values were used instead.

2. Vulnerability Existed: not sure
   Potential XSS via iframe
   [File] accessible/tests/browser/e10s/browser_treeupdate_move.js [Lines] 25, 30-32
   [Old Code] (No iframe in test content)
   [Fixed Code]
   ```javascript
   <iframe id="iframe" src="https://example.com/"></iframe>
   ...
   const iframe = findAccessibleChildByID(docAcc, "iframe");
   const iframeDoc = iframe.firstChild;
   ok(iframeDoc, "iframe contains a document");
   ```
   Additional Details: While adding an iframe could potentially introduce security concerns, this appears to be a test case addition using example.com, which is generally safe. However, without more context about how this iframe is used in the broader test suite, I can't be certain.

3. Vulnerability Existed: no
   Test configuration hardening
   [File] accessible/tests/browser/e10s/browser_treeupdate_move.js [Lines] 57-62
   [Old Code]
   ```javascript
   {
     chrome: true,
     // Moves cause RemoteAccessible re-creation without the cache enabled.
     topLevel: isCacheEnabled,
     iframe: isCacheEnabled,
     remoteIframe: isCacheEnabled,
   }
   ```
   [Fixed Code]
   ```javascript
   { chrome: true, topLevel: true, iframe: true, remoteIframe: true }
   ```
   Additional Details: This change simplifies the test configuration by removing the dynamic preference check and using static values, which appears to be a test reliability improvement rather than a security fix.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/text/2d.text.draw.baseline.hanging.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/text/2d.text.draw.baseline.hanging.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); var f = new FontFace("CanvasTest", "url('/fonts/CanvasTest.ttf')"); let fonts = (self.fonts ? self.fonts : document.fonts);@@ -27,12 +27,12 @@ ctx.fillStyle = '#0f0'; ctx.textBaseline = 'hanging'; ctx.fillText('CC', 0, 12.5);- _assertPixelApprox(offscreenCanvas, 5,5, 0,255,0,255, "5,5", "0,255,0,255", 2);- _assertPixelApprox(offscreenCanvas, 95,5, 0,255,0,255, "95,5", "0,255,0,255", 2);- _assertPixelApprox(offscreenCanvas, 25,25, 0,255,0,255, "25,25", "0,255,0,255", 2);- _assertPixelApprox(offscreenCanvas, 75,25, 0,255,0,255, "75,25", "0,255,0,255", 2);- _assertPixelApprox(offscreenCanvas, 5,45, 0,255,0,255, "5,45", "0,255,0,255", 2);- _assertPixelApprox(offscreenCanvas, 95,45, 0,255,0,255, "95,45", "0,255,0,255", 2);+ _assertPixelApprox(canvas, 5,5, 0,255,0,255, "5,5", "0,255,0,255", 2);+ _assertPixelApprox(canvas, 95,5, 0,255,0,255, "95,5", "0,255,0,255", 2);+ _assertPixelApprox(canvas, 25,25, 0,255,0,255, "25,25", "0,255,0,255", 2);+ _assertPixelApprox(canvas, 75,25, 0,255,0,255, "75,25", "0,255,0,255", 2);+ _assertPixelApprox(canvas, 5,45, 0,255,0,255, "5,45", "0,255,0,255", 2);+ _assertPixelApprox(canvas, 95,45, 0,255,0,255, "95,45", "0,255,0,255", 2); }).then(t_pass, t_fail); });
After analyzing the provided code diff, here's the security assessment:

1. Vulnerability Existed: no
   No security vulnerability found
   [File] testing/web-platform/tests/html/canvas/offscreen/text/2d.text.draw.baseline.hanging.worker.js [Lines] 13-27
   Old Code:
   ```
   var offscreenCanvas = new OffscreenCanvas(100, 50);
   var ctx = offscreenCanvas.getContext('2d');
   ```
   Fixed Code:
   ```
   var canvas = new OffscreenCanvas(100, 50);
   var ctx = canvas.getContext('2d');
   ```

2. Vulnerability Existed: no
   No security vulnerability found
   [File] testing/web-platform/tests/html/canvas/offscreen/text/2d.text.draw.baseline.hanging.worker.js [Lines] 27-33
   Old Code:
   ```
   _assertPixelApprox(offscreenCanvas, 5,5, 0,255,0,255, "5,5", "0,255,0,255", 2);
   ```
   Fixed Code:
   ```
   _assertPixelApprox(canvas, 5,5, 0,255,0,255, "5,5", "0,255,0,255", 2);
   ```

The changes appear to be purely cosmetic refactoring, simply renaming the variable `offscreenCanvas` to `canvas` throughout the file. There are no security-related changes or vulnerabilities being addressed in this diff. The modifications don't affect any security-sensitive operations or introduce or remove any security controls.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/glean-core/.cargo-checksum.json+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/glean-core/.cargo-checksum.json@@ -1 +1 @@-{"files":{"Cargo.lock":"4648d6743263ca9feb905d5f706ad214e8d691c865df5ba1c6844faf962db150","Cargo.toml":"5413e453d11bb3bc682e18334640e24d8d2e3cc80192bec297544277e0bb5cab","LICENSE":"1f256ecad192880510e84ad60474eab7589218784b9a50bc7ceee34c2b91f1d5","README.md":"026495898699b54608eb4ec16074ffafc57920d80ccb59961c501a1ea28c9985","examples/sample.rs":"05469332ffa58c661628eb2f260dfd59085c371b0ef0f8b6e9cb77c230b9bb04","src/common_metric_data.rs":"0ce52740ab6d880df5127336ced68be30da568cd2a94301dc16d4e3f527134c9","src/coverage.rs":"49613fd310bd24d779472720975fbe6c97ec370a95eb55f10afa43f67539c942","src/database/mod.rs":"458e3c8af2af5345e02dea32b36f7521d4428c2ea65c225337008af56d00c6f6","src/debug.rs":"90158cc5d488ba67b60d06647e54e59a1d7bdeb906087e4fe4cfab4373c1cc6c","src/error.rs":"97172a791efdf8b791a04ae7961085fbef4391b313ff3ffb24e9381f2901fccc","src/error_recording.rs":"42af60683cb30eba821b955fe156ce43a114c0f6f3f3b5b84566659398137671","src/event_database/mod.rs":"95d665a039236ede25dd479b19f0ddc32c0dd79cef2fbcc2ef3bab1540680276","src/histogram/exponential.rs":"389d48bab03f7229445ee4d4c8a4c49f6b43303f658dc954da75142f3c040dc6","src/histogram/functional.rs":"1a63a305b48bcef7bc38136b40d916df4bb8f098dc602514ada54a9b091f6951","src/histogram/linear.rs":"5642c8983c3c1ce9b69c6ac99133c8ed5e67abe2398c5dbcf67e69d66880f4ca","src/histogram/mod.rs":"11e5d3b6440a33a3e5544d0e03ffd69fa2fdcabe603ad75e0327f3ed548e8ce3","src/internal_metrics.rs":"5626effec67bf0f9ee12609b77cf04741eac1827123039999d4adb28a3cc5976","src/internal_pings.rs":"5ed4669b6f09d660401f44c8279e0a5fea0262e48de40e85595bd25dc70b05f3","src/lib.rs":"49f36f867e0412d514fdddee9c40d71e020dbc27fe0efebe6808d9a16872b986","s
rc/lib_unit_tests.rs":"17b0eaad81f946ddef89ee076f4d138e427638ee7536be128b30d4e7280dcf7b","src/macros.rs":"3f3fc8c36dd05b7528b66b27e95b6494505a7a1f48abd013218de23ada6b5a43","src/metrics/boolean.rs":"49e2f5be78055f61543db1d4d57cc06064a812a8f45c9d0e753df8325edc9041","src/metrics/counter.rs":"e3e2a195b597ea1559991b992f44a8a5f291b592a5c6946e93e01066f276efbb","src/metrics/custom_distribution.rs":"7ea1c54802e15bb490fdc8b396998ec474bfca2f135902a4028a9530fbb5dd98","src/metrics/datetime.rs":"75f0b7c41301eb881decff363947510a6cc1a9d2203357be32d1ee169c22ff4c","src/metrics/denominator.rs":"511e4123779a6d9159bb0911069f7dcb979899a0fae0d200da854685b59d3348","src/metrics/event.rs":"d6e4a52dbde7fbd44c21df567508c35acf046e08c6ea593bbb65fa25223a2b40","src/metrics/experiment.rs":"3f3ede015bb63fd5f71fc6a90421b25d8002faf71c0766b27bf59b5ae8b8d0da","src/metrics/jwe.rs":"8e1c2e204c285a428cf58f0e7d7ee0662294208b6b48706658a6f44cf412575a","src/metrics/labeled.rs":"e77459b593b2b6b375a1dacb1c9192fb47dcb5a294935c2c30aeea8e6f5432cd","src/metrics/memory_distribution.rs":"c2d75dfe9f67a21087b36af64816e703e6b56551b970fac642552116af97f2b5","src/metrics/memory_unit.rs":"d7a678e5242febd021283b30c0099a9e62729944816a3f17d2d91e2808bc0570","src/metrics/mod.rs":"069b6790de4abcaeb8ec06797a1e85344baff6b86844508b2d75d67eb00dc5d5","src/metrics/ping.rs":"b9d344cbfdbe8aff99a83423bd0af465a7228b503f92fe912ddac24904f4eca9","src/metrics/quantity.rs":"2eb6e34f7b0a292df26cddb4295bca7b82557320eff157bf854822c4a7fccb7e","src/metrics/rate.rs":"ba297a593d340568ee1f8061a6ba4f8970220ab2a83c7af290393538c6dd9bc4","src/metrics/string.rs":"8b47de25d4354c9ccf71a5558b287241a4d80c5832ac82e280543bb800996f54","src/metrics/string_list.rs":"c956616cfd1d0fce3c2e61f0b054235f455db2295d128f08b3db2ddcdd11bdbe","src/metrics/time_unit.rs":"9bb3f6c03b1d385008b254f36ed35daf22f9a6fa2d18e007c9b70aac767cde50","src/metrics/timespan.rs":"1252babc991f8c79cbd5027f3a332c28eb63fb0a956d19a18c670ab4f2e60ba3","src/metrics/timing_distribution.rs":"b885514ef2e84c9
70403f85bcdb09a24abf9822dbd78129fba9d37de388520a8","src/metrics/url.rs":"b83b1de16d2397fa31e52855ccc024a050c0b429af8ffb3ff1519b68b923241d","src/metrics/uuid.rs":"ebe5560fcc76b230d304172f0ab69dc3f5e41924dad8aa30090bd38b103d0ade","src/ping/mod.rs":"0d164c2ec2822658d571356f3d00f24410f9c1e63f31101fc5d0fb20a014ee1b","src/scheduler.rs":"829846308ae9ed558fbaa62e8134ec90571803673d304c8ce370de7117e1cc76","src/storage/mod.rs":"265e0ff9f3b769f6167afd6e498760c0505fe8431f52fb84f377b20b2b15670e","src/system.rs":"2e2a7436075bd1a34c118202a4d18e58236947696ce3d824e97d9c06ddf0c171","src/traits/boolean.rs":"f17f16f379b777e435e38e810e25336a919f4aeeefb1b4e7cf7749c0ef173fd9","src/traits/counter.rs":"631208036059d498a4485c74c2a80c24a5f13bffeb1053bdf5cce06af0e9d361","src/traits/custom_distribution.rs":"1b3ffda6e857bfa8ad5be412e88f3d9706ededf5a86407364ae19a81f06ef798","src/traits/datetime.rs":"2f4b9e64161c15c912b6a915045dd9840f76229d144a4d1542c54eb4f3b3406b","src/traits/event.rs":"ce9a9395748734b241f35b31c4cddf0ce6a8eca6d700aaeea427b0ae29ce507d","src/traits/jwe.rs":"80cdc61e6d99d7c05139c9d05288290c731b1be61afcbd4a4c415973665ea194","src/traits/labeled.rs":"7f3281fc0a1a745238e7e260463f397dfa61717408fe9d260dc9767d9c659e52","src/traits/memory_distribution.rs":"0b72ffde68eb97f01a57afbc5c6109565ec9435561984d34696622bf5a57d559","src/traits/mod.rs":"88cec83fcff8dfab768953b901ee95fed186f7540afdc9606407aff71f1919df","src/traits/numerator.rs":"9690a1b4487521565bd488e9a938aa66f93045c63f0f0ee6e864e0341395659b","src/traits/ping.rs":"8831c106c03afeb458b0b028fa1ce61f056ebf8e82bc0a171a1bff255d920748","src/traits/quantity.rs":"087d7a4b58f0eb7c766a0202dcf38a52d172ce4edf626211ffe5d94ed02ae754","src/traits/rate.rs":"9d0da25895d4c43cdece43dd57e515ab2fb907e8c9a239807976e3d9197d2955","src/traits/string.rs":"48e5623c7db59b8e6454fbc7fb6e2395f808c9a0fa721d7c07b72abb171eb1ad","src/traits/string_list.rs":"5d5773d5a130323dd82ca95f4ecdccdd6b237afe2eadf8655363bd6b7e8508c1","src/traits/timespan.rs":"29251233847c5cdd200a6147
2132c62ded27fe2c13835b09424384bf144d82db","src/traits/timing_distribution.rs":"5e619d445e6ef3f19ca69bcdfe02d19b150c5a46855d195703b6d2f55e538636","src/traits/url.rs":"a01331623af4fa8af6e71becffff60060832bef5e48a15df6dc23b41225f689e","src/traits/uuid.rs":"bd78515611ba406d8b1bda35a9fe30c317512a9afcea7c5dece8fced7d410a92","src/upload/directory.rs":"571cfee0347b40b239d0d946625de6265bbea4f433c8316da715ded8f590aca1","src/upload/mod.rs":"34bcb67a5980e2c8b5145553b83e130ed4db40dab6d5c53bc9978469e6b93223","src/upload/policy.rs":"c250957a37783e74af8002cd80ba06ef9780a389fb0f61b8b665b79688f0a360","src/upload/request.rs":"7939e77bde4b55263446c3660b6831bafa27308bc983a51e1679321e962f372f","src/upload/result.rs":"d73454e81f185e4e28c887f7b496bffad7baac74c8f1b719885f940f909a530d","src/util.rs":"a89e21f0f4fe14a5a1a5369a0f2c20d1184816ccfe2b5b1599d3779660772f27","tests/boolean.rs":"9f4830f3b5f5ab6768060917deb1f546324a4744b8ed893197e31a0aed092947","tests/common/mod.rs":"28c77637c5e75a6a57c0aeb4b082de1b5d8015d507b557ca365aa5adbf208af8","tests/counter.rs":"39a2cd40335c164b3e7407f5505bbf571d7e4a71f032d476a7939f7dd1af90d0","tests/custom_distribution.rs":"596575504ad4eab2765b5b88245dcc92dc68e83d04c93deb4b27692c142c0b94","tests/datetime.rs":"4b4ab629a0f0ae789416b67f0efdfe1142fdb18f9d3a0b5182d8d840e4a6655c","tests/event.rs":"cb78dfc0a2315253da8ef6663b81979dd5b0638bb6c31456f16ce4e9bb50c67a","tests/jwe.rs":"dc8a73d1e1925ac49061e8bb5c8de01230aa364942a22470e37aa88965b0eaba","tests/labeled.rs":"cedd548bd8089dfa316cfdfaa1985fb5cd1294e6ba5956b6012c3f01975e8de9","tests/memory_distribution.rs":"0c03d0a491150f508dc12ecac7e5db70043f3a7de2f90cc6b3509aba90549821","tests/metrics.rs":"0560e0645321628015610bbf1a90c0adbb12ad42e5a068399073572120377cbb","tests/ping.rs":"a15c619b2d3c70c3cb669d02b959109bcf231440bdcfe3cac7508a3e310cd181","tests/ping_maker.rs":"aa7921c9dcea278003c719136eeea9b711d0be12bf736cc9a79b70b69cf6109f","tests/quantity.rs":"2543f0f57085d27b0bc0c25c24c17a7e376ac673cf9265a3a9dec202920679c5","tests/
storage.rs":"d8d50aba92e17a3053fd80788f5fbbcc8f82293c11c19b58e2de6c4ee45f71ff","tests/string.rs":"9c3e21bfa3ad0b75373f8f5addb8ac023ac5336ac9f969e92b89ea6fda675fdd","tests/string_list.rs":"2b83710b949bea4bd0f6b2029069887f3ea87312b00091e5aa3c7bda0fb9073c","tests/timespan.rs":"bb61e4cfb843b3f387378409ee1a88ef4b8f32b2181af686baacee262b8bca2b","tests/timing_distribution.rs":"23f48e26cc4a9646c77a395fe724fa1c337caa69ea5c358056057cb1bbf4c7e6","tests/uuid.rs":"cf0df9e330344c6e00cd51faaf21dc74c5e47f892b525e0f83623c92a6378be8"},"package":"349ebbb162d58911547b48e5fbf90d45854e3e1ba03332f41b80a6611867c013"}+{"files":{"Cargo.lock":"5b2421440f4986bd35405b0c3a154f285f27f4c338cdb3401c42f32f4a90ef75","Cargo.toml":"bc4f752cc239c32137408eafb8b34ee054f1ef10db9ea27707c4f0817d9473bc","LICENSE":"1f256ecad192880510e84ad60474eab7589218784b9a50bc7ceee34c2b91f1d5","README.md":"026495898699b54608eb4ec16074ffafc57920d80ccb59961c501a1ea28c9985","examples/sample.rs":"05469332ffa58c661628eb2f260dfd59085c371b0ef0f8b6e9cb77c230b9bb04","src/common_metric_data.rs":"0ce52740ab6d880df5127336ced68be30da568cd2a94301dc16d4e3f527134c9","src/coverage.rs":"49613fd310bd24d779472720975fbe6c97ec370a95eb55f10afa43f67539c942","src/database/mod.rs":"458e3c8af2af5345e02dea32b36f7521d4428c2ea65c225337008af56d00c6f6","src/debug.rs":"90158cc5d488ba67b60d06647e54e59a1d7bdeb906087e4fe4cfab4373c1cc6c","src/error.rs":"97172a791efdf8b791a04ae7961085fbef4391b313ff3ffb24e9381f2901fccc","src/error_recording.rs":"42af60683cb30eba821b955fe156ce43a114c0f6f3f3b5b84566659398137671","src/event_database/mod.rs":"95d665a039236ede25dd479b19f0ddc32c0dd79cef2fbcc2ef3bab1540680276","src/histogram/exponential.rs":"389d48bab03f7229445ee4d4c8a4c49f6b43303f658dc954da75142f3c040dc6","src/histogram/functional.rs":"1a63a305b48bcef7bc38136b40d916df4bb8f098dc602514ada54a9b091f6951","src/histogram/linear.rs":"5642c8983c3c1ce9b69c6ac99133c8ed5e67abe2398c5dbcf67e69d66880f4ca","src/histogram/mod.rs":"11e5d3b6440a33a3e5544d0e03ffd69fa2fdcabe603ad75e0327f
3ed548e8ce3","src/internal_metrics.rs":"b4e2bb7917fc6b031b604300c1fee17f6ee3c1658052289201d8e0f95f220e49","src/internal_pings.rs":"5ed4669b6f09d660401f44c8279e0a5fea0262e48de40e85595bd25dc70b05f3","src/lib.rs":"62711d00fea14e89daa03d0f67e54915f570f2160b8ae430929bd8c347b3fb6b","src/lib_unit_tests.rs":"d74c558b2296a34e786e3af2f46eb9ecfea6da94ea496aa0341d308a58ade4bb","src/macros.rs":"3f3fc8c36dd05b7528b66b27e95b6494505a7a1f48abd013218de23ada6b5a43","src/metrics/boolean.rs":"49e2f5be78055f61543db1d4d57cc06064a812a8f45c9d0e753df8325edc9041","src/metrics/counter.rs":"e3e2a195b597ea1559991b992f44a8a5f291b592a5c6946e93e01066f276efbb","src/metrics/custom_distribution.rs":"7ea1c54802e15bb490fdc8b396998ec474bfca2f135902a4028a9530fbb5dd98","src/metrics/datetime.rs":"1a89be75bb6c9092893fcb4e7272865b0abefd1b5d1ebe8a9bd685043804cff4","src/metrics/denominator.rs":"511e4123779a6d9159bb0911069f7dcb979899a0fae0d200da854685b59d3348","src/metrics/event.rs":"d6e4a52dbde7fbd44c21df567508c35acf046e08c6ea593bbb65fa25223a2b40","src/metrics/experiment.rs":"3f3ede015bb63fd5f71fc6a90421b25d8002faf71c0766b27bf59b5ae8b8d0da","src/metrics/jwe.rs":"8e1c2e204c285a428cf58f0e7d7ee0662294208b6b48706658a6f44cf412575a","src/metrics/labeled.rs":"e77459b593b2b6b375a1dacb1c9192fb47dcb5a294935c2c30aeea8e6f5432cd","src/metrics/memory_distribution.rs":"c2d75dfe9f67a21087b36af64816e703e6b56551b970fac642552116af97f2b5","src/metrics/memory_unit.rs":"d7a678e5242febd021283b30c0099a9e62729944816a3f17d2d91e2808bc0570","src/metrics/mod.rs":"069b6790de4abcaeb8ec06797a1e85344baff6b86844508b2d75d67eb00dc5d5","src/metrics/ping.rs":"b9d344cbfdbe8aff99a83423bd0af465a7228b503f92fe912ddac24904f4eca9","src/metrics/quantity.rs":"2eb6e34f7b0a292df26cddb4295bca7b82557320eff157bf854822c4a7fccb7e","src/metrics/rate.rs":"ba297a593d340568ee1f8061a6ba4f8970220ab2a83c7af290393538c6dd9bc4","src/metrics/string.rs":"8b47de25d4354c9ccf71a5558b287241a4d80c5832ac82e280543bb800996f54","src/metrics/string_list.rs":"c956616cfd1d0fce3c2e61f0b05
4235f455db2295d128f08b3db2ddcdd11bdbe","src/metrics/time_unit.rs":"9bb3f6c03b1d385008b254f36ed35daf22f9a6fa2d18e007c9b70aac767cde50","src/metrics/timespan.rs":"1252babc991f8c79cbd5027f3a332c28eb63fb0a956d19a18c670ab4f2e60ba3","src/metrics/timing_distribution.rs":"b885514ef2e84c970403f85bcdb09a24abf9822dbd78129fba9d37de388520a8","src/metrics/url.rs":"b83b1de16d2397fa31e52855ccc024a050c0b429af8ffb3ff1519b68b923241d","src/metrics/uuid.rs":"ebe5560fcc76b230d304172f0ab69dc3f5e41924dad8aa30090bd38b103d0ade","src/ping/mod.rs":"33f0270af5f6946bae6367162ed8df5966da8735054da31bd26e738fcb29c91b","src/scheduler.rs":"e4b5355366c5cdd9aedd6bd1114fe0bd0d7b9dcbe5366293374b3006ffc1c01b","src/storage/mod.rs":"265e0ff9f3b769f6167afd6e498760c0505fe8431f52fb84f377b20b2b15670e","src/system.rs":"2e2a7436075bd1a34c118202a4d18e58236947696ce3d824e97d9c06ddf0c171","src/traits/boolean.rs":"f17f16f379b777e435e38e810e25336a919f4aeeefb1b4e7cf7749c0ef173fd9","src/traits/counter.rs":"631208036059d498a4485c74c2a80c24a5f13bffeb1053bdf5cce06af0e9d361","src/traits/custom_distribution.rs":"1b3ffda6e857bfa8ad5be412e88f3d9706ededf5a86407364ae19a81f06ef798","src/traits/datetime.rs":"2f4b9e64161c15c912b6a915045dd9840f76229d144a4d1542c54eb4f3b3406b","src/traits/event.rs":"ce9a9395748734b241f35b31c4cddf0ce6a8eca6d700aaeea427b0ae29ce507d","src/traits/jwe.rs":"80cdc61e6d99d7c05139c9d05288290c731b1be61afcbd4a4c415973665ea194","src/traits/labeled.rs":"7f3281fc0a1a745238e7e260463f397dfa61717408fe9d260dc9767d9c659e52","src/traits/memory_distribution.rs":"0b72ffde68eb97f01a57afbc5c6109565ec9435561984d34696622bf5a57d559","src/traits/mod.rs":"88cec83fcff8dfab768953b901ee95fed186f7540afdc9606407aff71f1919df","src/traits/numerator.rs":"9690a1b4487521565bd488e9a938aa66f93045c63f0f0ee6e864e0341395659b","src/traits/ping.rs":"8831c106c03afeb458b0b028fa1ce61f056ebf8e82bc0a171a1bff255d920748","src/traits/quantity.rs":"087d7a4b58f0eb7c766a0202dcf38a52d172ce4edf626211ffe5d94ed02ae754","src/traits/rate.rs":"9d0da25895d4c43cdece43
dd57e515ab2fb907e8c9a239807976e3d9197d2955","src/traits/string.rs":"48e5623c7db59b8e6454fbc7fb6e2395f808c9a0fa721d7c07b72abb171eb1ad","src/traits/string_list.rs":"5d5773d5a130323dd82ca95f4ecdccdd6b237afe2eadf8655363bd6b7e8508c1","src/traits/timespan.rs":"29251233847c5cdd200a61472132c62ded27fe2c13835b09424384bf144d82db","src/traits/timing_distribution.rs":"5e619d445e6ef3f19ca69bcdfe02d19b150c5a46855d195703b6d2f55e538636","src/traits/url.rs":"a01331623af4fa8af6e71becffff60060832bef5e48a15df6dc23b41225f689e","src/traits/uuid.rs":"bd78515611ba406d8b1bda35a9fe30c317512a9afcea7c5dece8fced7d410a92","src/upload/directory.rs":"8e40804f60f72c33b2727722eeab1a752c6d0f7a43b0340f8a45b2d65cd34601","src/upload/mod.rs":"34bcb67a5980e2c8b5145553b83e130ed4db40dab6d5c53bc9978469e6b93223","src/upload/policy.rs":"c250957a37783e74af8002cd80ba06ef9780a389fb0f61b8b665b79688f0a360","src/upload/request.rs":"7939e77bde4b55263446c3660b6831bafa27308bc983a51e1679321e962f372f","src/upload/result.rs":"d73454e81f185e4e28c887f7b496bffad7baac74c8f1b719885f940f909a530d","src/util.rs":"c1ecfc1037406d5b10aa185dac4ae28c6a8de603958a5b4969bb1bf130759985","tests/boolean.rs":"9f4830f3b5f5ab6768060917deb1f546324a4744b8ed893197e31a0aed092947","tests/common/mod.rs":"28c77637c5e75a6a57c0aeb4b082de1b5d8015d507b557ca365aa5adbf208af8","tests/counter.rs":"39a2cd40335c164b3e7407f5505bbf571d7e4a71f032d476a7939f7dd1af90d0","tests/custom_distribution.rs":"596575504ad4eab2765b5b88245dcc92dc68e83d04c93deb4b27692c142c0b94","tests/datetime.rs":"4b4ab629a0f0ae789416b67f0efdfe1142fdb18f9d3a0b5182d8d840e4a6655c","tests/event.rs":"cb78dfc0a2315253da8ef6663b81979dd5b0638bb6c31456f16ce4e9bb50c67a","tests/jwe.rs":"dc8a73d1e1925ac49061e8bb5c8de01230aa364942a22470e37aa88965b0eaba","tests/labeled.rs":"cedd548bd8089dfa316cfdfaa1985fb5cd1294e6ba5956b6012c3f01975e8de9","tests/memory_distribution.rs":"0c03d0a491150f508dc12ecac7e5db70043f3a7de2f90cc6b3509aba90549821","tests/metrics.rs":"0560e0645321628015610bbf1a90c0adbb12ad42e5a0683990735
72120377cbb","tests/ping.rs":"a15c619b2d3c70c3cb669d02b959109bcf231440bdcfe3cac7508a3e310cd181","tests/ping_maker.rs":"aa7921c9dcea278003c719136eeea9b711d0be12bf736cc9a79b70b69cf6109f","tests/quantity.rs":"2543f0f57085d27b0bc0c25c24c17a7e376ac673cf9265a3a9dec202920679c5","tests/storage.rs":"d8d50aba92e17a3053fd80788f5fbbcc8f82293c11c19b58e2de6c4ee45f71ff","tests/string.rs":"9c3e21bfa3ad0b75373f8f5addb8ac023ac5336ac9f969e92b89ea6fda675fdd","tests/string_list.rs":"2b83710b949bea4bd0f6b2029069887f3ea87312b00091e5aa3c7bda0fb9073c","tests/timespan.rs":"bb61e4cfb843b3f387378409ee1a88ef4b8f32b2181af686baacee262b8bca2b","tests/timing_distribution.rs":"78305508227d2be94e056f1716f545a9505ede8e763da5f1a2297b546a9d7307","tests/uuid.rs":"cf0df9e330344c6e00cd51faaf21dc74c5e47f892b525e0f83623c92a6378be8"},"package":"6078d68e763d57610d362f34223f856fff64d8d3b1c8974833c9fa02a971f59c"}=========toolkit/mozapps/downloads/tests/browser/browser_unknownContentType_blob.js========--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/toolkit/mozapps/downloads/tests/browser/browser_unknownContentType_blob.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/toolkit/mozapps/downloads/tests/browser/browser_unknownContentType_blob.js@@ -97,7 +97,7 @@ // Check that the same download is displayed correctly in about:downloads. await BrowserTestUtils.withNewTab("about:downloads", async dlBrowser => { let doc = dlBrowser.contentDocument;- let listNode = doc.getElementById("downloadsRichListBox");+ let listNode = doc.getElementById("downloadsListBox"); await BrowserTestUtils.waitForMutationCondition( listNode, { childList: true, subtree: true, attributeFilter: ["value"] },
Based on the provided diff, I'll analyze it for security fixes:

1. First diff (rust/glean-core/.cargo-checksum.json)
   Vulnerability Existed: no
   This appears to be a standard dependency version update with checksum changes. No security vulnerabilities are evident from the checksum file changes.

2. Second diff (browser_unknownContentType_blob.js)
   Vulnerability Existed: not sure
   Potential DOM XSS Vulnerability [toolkit/mozapps/downloads/tests/browser/browser_unknownContentType_blob.js] [Lines 97-100]
   [Old Code] let listNode = doc.getElementById("downloadsRichListBox");
   [Fixed Code] let listNode = doc.getElementById("downloadsListBox");
   Additional Details: The change from "downloadsRichListBox" to "downloadsListBox" might indicate a security hardening measure against potential DOM-based XSS, but without more context about how these elements are used, I can't be certain. The change could also be purely functional. The test file modification suggests the UI structure changed, which might have security implications if the old element had vulnerabilities.

Note: The rust/glean-core changes show many file checksum updates, but without seeing the actual code changes in those files, I can't determine whether any security fixes were included in those updates. The checksum file itself doesn't indicate security fixes.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/browser/components/newtab/test/browser/browser_aboutwelcome_attribution.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/browser/components/newtab/test/browser/browser_aboutwelcome_attribution.js@@ -23,6 +23,7 @@ name: "Test Add-on", sourceURI: { scheme: "https", spec: "https://test.xpi" }, icons: { 32: "test.png", 64: "test.png" },+ type: "extension", }, ];@@ -133,9 +134,8 @@ // Expected selectors: [ "div.onboardingContainer",- "div.brand-logo", "h2[data-l10n-id='return-to-amo-addon-title']",- "img[data-l10n-name='icon']",+ "div.rtamo-icon", "button.primary", "button.secondary", ],
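Review bot: In the expected-selectors hunk, replacing `img[data-l10n-name='icon']` with `div.rtamo-icon` (and dropping `div.brand-logo`) means the test no longer checks that the fixture's `icons` entries are rendered into an `<img>` element; if the icon is still drawn from those URLs, keeping an `img` selector scoped under `div.rtamo-icon` would catch a regression in icon rendering. The added `type: "extension"` in the test add-on fixture only matters if the code under test branches on add-on type; a short comment naming the branch it selects would make the fixture self-explanatory.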
Based on the provided code diff, I'll analyze it for potential security vulnerabilities:

1. Vulnerability Existed: not sure
   [Potential XSS via DOM manipulation] [browser/components/newtab/test/browser/browser_aboutwelcome_attribution.js] [Lines 23-27, 133-138]
   [Old Code]
   icons: { 32: "test.png", 64: "test.png" },
   ...
   "div.brand-logo",
   "img[data-l10n-name='icon']",
   [Fixed Code]
   type: "extension",
   icons: { 32: "test.png", 64: "test.png" },
   ...
   "div.rtamo-icon",
   Additional Details:
   - The changes involve modifying DOM selectors and adding an extension type, but there's no clear evidence of a security vulnerability being fixed.
   - The removal of direct image references and the brand-logo div could potentially relate to security hardening against XSS or content injection, but this is speculative.
   - The addition of an explicit 'type: "extension"' might improve security by being more explicit about the add-on type, but this is more of a code improvement than a security fix.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/toolkit/mozapps/update/tests/unit_background_update/test_backgroundupdate_glean.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/toolkit/mozapps/update/tests/unit_background_update/test_backgroundupdate_glean.js@@ -8,6 +8,10 @@ const { BackgroundUpdate } = ChromeUtils.import( "resource://gre/modules/BackgroundUpdate.jsm"+);++const { maybeSubmitBackgroundUpdatePing } = ChromeUtils.import(+ "resource://gre/modules/backgroundtasks/BackgroundTask_backgroundupdate.jsm" ); XPCOMUtils.defineLazyServiceGetter(@@ -28,41 +32,57 @@ add_task(async function test_record_update_environment() { await BackgroundUpdate.recordUpdateEnvironment();- Assert.equal(- Services.prefs.getBoolPref("app.update.service.enabled", false),- Glean.update.serviceEnabled.testGetValue()+ let pingSubmitted = false;+ let appUpdateAutoEnabled = await UpdateUtils.getAppUpdateAutoEnabled();+ let backgroundUpdateEnabled = await UpdateUtils.readUpdateConfigSetting(+ "app.update.background.enabled" );+ GleanPings.backgroundUpdate.testBeforeNextSubmit(reason => {+ pingSubmitted = true;+ Assert.equal(+ Services.prefs.getBoolPref("app.update.service.enabled", false),+ Glean.update.serviceEnabled.testGetValue()+ );- Assert.equal(- await UpdateUtils.getAppUpdateAutoEnabled(),- Glean.update.autoDownload.testGetValue()- );+ Assert.equal(+ appUpdateAutoEnabled,+ Glean.update.autoDownload.testGetValue()+ );- Assert.equal(- await UpdateUtils.readUpdateConfigSetting("app.update.background.enabled"),- Glean.update.backgroundUpdate.testGetValue()- );+ Assert.equal(+ backgroundUpdateEnabled,+ Glean.update.backgroundUpdate.testGetValue()+ );- Assert.equal(UpdateUtils.UpdateChannel, Glean.update.channel.testGetValue());- Assert.equal(- !Services.policies || Services.policies.isAllowed("appUpdate"),- Glean.update.enabled.testGetValue()- );+ Assert.equal(+ 
UpdateUtils.UpdateChannel,+ Glean.update.channel.testGetValue()+ );+ Assert.equal(+ !Services.policies || Services.policies.isAllowed("appUpdate"),+ Glean.update.enabled.testGetValue()+ );- Assert.equal(- UpdateService.canUsuallyApplyUpdates,- Glean.update.canUsuallyApplyUpdates.testGetValue()- );- Assert.equal(- UpdateService.canUsuallyCheckForUpdates,- Glean.update.canUsuallyCheckForUpdates.testGetValue()- );- Assert.equal(- UpdateService.canUsuallyStageUpdates,- Glean.update.canUsuallyStageUpdates.testGetValue()- );- Assert.equal(- UpdateService.canUsuallyUseBits,- Glean.update.canUsuallyUseBits.testGetValue()- );+ Assert.equal(+ UpdateService.canUsuallyApplyUpdates,+ Glean.update.canUsuallyApplyUpdates.testGetValue()+ );+ Assert.equal(+ UpdateService.canUsuallyCheckForUpdates,+ Glean.update.canUsuallyCheckForUpdates.testGetValue()+ );+ Assert.equal(+ UpdateService.canUsuallyStageUpdates,+ Glean.update.canUsuallyStageUpdates.testGetValue()+ );+ Assert.equal(+ UpdateService.canUsuallyUseBits,+ Glean.update.canUsuallyUseBits.testGetValue()+ );+ });++ // There's nothing async in this function atm, but it's annotated async, so..+ await maybeSubmitBackgroundUpdatePing();++ ok(pingSubmitted, "'background-update' ping was submitted"); });
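Review bot: Moving the `Assert.equal` calls into the `GleanPings.backgroundUpdate.testBeforeNextSubmit` callback means they only run when the ping is actually submitted; the trailing `ok(pingSubmitted, "'background-update' ping was submitted")` covers the no-submission case, which is the right shape. Confirm that an assertion failure thrown inside that callback still fails the task rather than being swallowed on the ping-submission path; if it does not, record the failure in a local and assert on it after `await maybeSubmitBackgroundUpdatePing()`. Also, the comment "There's nothing async in this function atm, but it's annotated async, so.." trails off; finish the sentence (for example "...so we await it to keep the call site honest").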
Based on the provided code diff, I don't see any clear security vulnerabilities being fixed. The changes appear to be related to test functionality and Glean telemetry collection improvements rather than security fixes. Here's my analysis:

1. Vulnerability Existed: no
   No security vulnerability
   [File] toolkit/mozapps/update/tests/unit_background_update/test_backgroundupdate_glean.js
   [Lines] 8-10, 28-83
   [Old Code] The original test code that directly asserted values against Glean metrics
   [Fixed Code] The updated code that wraps assertions in a Glean ping submission test and adds async handling

The main changes are:

1. Adding an import for `maybeSubmitBackgroundUpdatePing`
2. Restructuring the test to verify ping submission
3. Moving assertions into a ping submission callback
4. Adding async/await handling

These changes appear to be test improvements rather than security fixes. The modifications focus on better testing of telemetry collection functionality without any apparent security implications.
If an attacker could control the contents of an iframe sandboxed with `allow-popups` but not `allow-scripts`, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.invalid.hsl-6.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.invalid.hsl-6.html@@ -17,14 +17,14 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#0f0'; try { ctx.fillStyle = 'hsl(0, 100%, 50%,)'; } catch (e) { } // this shouldn't throw, but it shouldn't matter here if it does ctx.fillRect(0, 0, 100, 50);-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); t.done(); });
Based on the provided diff, I'll analyze it for security vulnerabilities:

1. Vulnerability Existed: no
   No specific vulnerability found
   [File] [Lines 17-25]
   [Old Code]
   var offscreenCanvas = new OffscreenCanvas(100, 50);
   var ctx = offscreenCanvas.getContext('2d');
   ctx.fillStyle = '#0f0';
   try { ctx.fillStyle = 'hsl(0, 100%, 50%,)'; } catch (e) { }
   ctx.fillRect(0, 0, 100, 50);
   _assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
   [Fixed Code]
   var canvas = new OffscreenCanvas(100, 50);
   var ctx = canvas.getContext('2d');
   ctx.fillStyle = '#0f0';
   try { ctx.fillStyle = 'hsl(0, 100%, 50%,)'; } catch (e) { }
   ctx.fillRect(0, 0, 100, 50);
   _assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");

The changes appear to be purely variable renaming (from `offscreenCanvas` to `canvas`) and don't indicate any security fixes. The code functionality remains the same, just with different variable names. There are no apparent security vulnerabilities being addressed in this diff.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-contain/contain-size-023.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-contain/contain-size-023.html@@ -9,7 +9,6 @@ <link rel="match" href="reference/contain-size-023-ref.html"> <meta content="This test checks that when laying out an inline-block element with 'contain: size', the inline-block element must be treated as if it would have no contents. In this test, the inline-block element has text and no in-flow block descendant." name="assert">- <meta name="flags" content=""> <!--
Based on the provided diff, I'll analyze it for security vulnerabilities:

Vulnerability Existed: no
[No specific vulnerability found]
[testing/web-platform/tests/css/css-contain/contain-size-023.html] [Lines 9]
[Old Code: <meta name="flags" content="">]
[Fixed Code: (line removed)]

Additional Details:
- This appears to be a simple test file modification where an empty meta tag for "flags" was removed
- The change doesn't appear to be security-related
- No actual security vulnerability is being fixed here, just test file cleanup
- The modification is part of normal test maintenance rather than a security patch

The change is too minor to constitute a security fix, and I don't see any vulnerability being addressed in this diff. It's simply removing an unused or unnecessary meta tag from a test file.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/compositing/2d.composite.clip.destination-atop.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/compositing/2d.composite.clip.destination-atop.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#0f0';@@ -24,8 +24,8 @@ ctx.clip(); ctx.fillStyle = '#f00'; ctx.fillRect(0, 0, 50, 50);-_assertPixel(offscreenCanvas, 25,25, 0,255,0,255, "25,25", "0,255,0,255");-_assertPixel(offscreenCanvas, 75,25, 0,255,0,255, "75,25", "0,255,0,255");+_assertPixel(canvas, 25,25, 0,255,0,255, "25,25", "0,255,0,255");+_assertPixel(canvas, 75,25, 0,255,0,255, "75,25", "0,255,0,255"); t.done(); });
After analyzing the provided code diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely variable name refactoring without any security implications. Here's the analysis:

1. Vulnerability Existed: no
   Variable Renaming Refactor
   [File] [Lines 13-14, 24-25]
   Old Code:

```javascript
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
```

   Fixed Code:

```javascript
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
```

2. Vulnerability Existed: no
   Variable Renaming Refactor
   [File] [Lines 26-27]
   Old Code:

```javascript
_assertPixel(offscreenCanvas, 25,25, 0,255,0,255, "25,25", "0,255,0,255");
_assertPixel(offscreenCanvas, 75,25, 0,255,0,255, "75,25", "0,255,0,255");
```

   Fixed Code:

```javascript
_assertPixel(canvas, 25,25, 0,255,0,255, "25,25", "0,255,0,255");
_assertPixel(canvas, 75,25, 0,255,0,255, "75,25", "0,255,0,255");
```

The changes simply rename the variable `offscreenCanvas` to `canvas` throughout the file, which doesn't appear to address any security issues. The functionality remains exactly the same.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/neqo-http3/src/lib.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/neqo-http3/src/lib.rs@@ -16,8 +16,8 @@ mod control_stream_local; mod control_stream_remote; pub mod features;+pub mod frames; mod headers_checks;-pub mod hframe; mod priority; mod push_controller; mod qlog;@@ -29,7 +29,7 @@ pub mod server; mod server_connection_events; mod server_events;-mod settings;+pub mod settings; mod stream_type_reader; use neqo_qpack::Error as QpackError;@@ -43,7 +43,8 @@ pub use conn_params::Http3Parameters; pub use connection::Http3State; pub use connection_client::Http3Client;-pub use hframe::{HFrame, HFrameReader};+use features::extended_connect::WebTransportSession;+pub use frames::HFrame; pub use neqo_common::{Header, MessageType}; pub use priority::Priority; pub use server::Http3Server;@@ -51,6 +52,9 @@ Http3OrWebTransportStream, Http3ServerEvent, WebTransportRequest, WebTransportServerEvent, }; pub use settings::HttpZeroRttChecker;+use std::any::Any;+use std::cell::RefCell;+use std::rc::Rc; pub use stream_type_reader::NewStreamType; type Res<T> = Result<T, Error>;@@ -81,6 +85,7 @@ HttpRequestIncomplete, HttpConnect, HttpVersionFallback,+ HttpMessageError, QpackError(neqo_qpack::Error), // Internal errors from here.@@ -125,6 +130,7 @@ Self::HttpRequestRejected => 0x10b, Self::HttpRequestCancelled => 0x10c, Self::HttpRequestIncomplete => 0x10d,+ Self::HttpMessageError => 0x10e, Self::HttpConnect => 0x10f, Self::HttpVersionFallback => 0x110, Self::QpackError(e) => e.code(),@@ -191,15 +197,15 @@ /// # Panics /// On unexpected errors, in debug mode. 
#[must_use]- pub fn map_stream_recv_errors(err: &TransportError) -> Self {+ pub fn map_stream_recv_errors(err: &Error) -> Self { match err {- TransportError::NoMoreData => {+ Self::TransportError(TransportError::NoMoreData) => { debug_assert!( false, "Do not call stream_recv if FIN has been previously read" ); }- TransportError::InvalidStreamId => {}+ Self::TransportError(TransportError::InvalidStreamId) => {} _ => { debug_assert!(false, "Unexpected error"); }@@ -340,6 +346,10 @@ fn http_stream(&mut self) -> Option<&mut dyn HttpRecvStream> { None }++ fn webtransport(&self) -> Option<Rc<RefCell<WebTransportSession>>> {+ None+ } } pub trait HttpRecvStream: RecvStream {@@ -350,12 +360,16 @@ /// An error may happen while reading a stream, e.g. early close, protocol error, etc. fn header_unblocked(&mut self, conn: &mut Connection) -> Res<(ReceiveOutput, bool)>;- fn priority_handler_mut(&mut self) -> &mut PriorityHandler;+ fn maybe_update_priority(&mut self, priority: Priority) -> bool;+ fn priority_update_frame(&mut self) -> Option<HFrame>;+ fn priority_update_sent(&mut self); fn set_new_listener(&mut self, _conn_events: Box<dyn HttpRecvStreamEvents>) {} fn extended_connect_wait_for_response(&self) -> bool { false }++ fn any(&self) -> &dyn Any; } #[derive(Debug, PartialEq, Eq, Copy, Clone)]@@ -394,7 +408,7 @@ } pub trait RecvStreamEvents: Debug {- fn data_readable(&self, stream_info: Http3StreamInfo);+ fn data_readable(&self, _stream_info: Http3StreamInfo) {} fn recv_closed(&self, _stream_info: Http3StreamInfo, _close_type: CloseType) {} }@@ -419,15 +433,32 @@ /// # Errors /// Error my occure during sending data, e.g. protocol error, etc. fn send_data(&mut self, _conn: &mut Connection, _buf: &[u8]) -> Res<usize>;+ /// # Errors /// It may happen that the transport stream is already close. This is unlikely. fn close(&mut self, conn: &mut Connection) -> Res<()>;+ /// # Errors+ /// It may happen that the transport stream is already close. 
This is unlikely.+ fn close_with_message(+ &mut self,+ _conn: &mut Connection,+ _error: u32,+ _message: &str,+ ) -> Res<()> {+ Err(Error::InvalidStreamId)+ } /// This function is called when sending side is closed abruptly by the peer or /// the application. fn handle_stop_sending(&mut self, close_type: CloseType); fn http_stream(&mut self) -> Option<&mut dyn HttpSendStream> { None }++ /// # Errors+ /// It may happen that the transport stream is already close. This is unlikely.+ fn send_data_atomic(&mut self, _conn: &mut Connection, _buf: &[u8]) -> Res<()> {+ Err(Error::InvalidStreamId)+ } } pub trait HttpSendStream: SendStream {@@ -438,6 +469,7 @@ /// This can also return an error if the underlying stream is closed. fn send_headers(&mut self, headers: &[Header], conn: &mut Connection) -> Res<()>; fn set_new_listener(&mut self, _conn_events: Box<dyn SendStreamEvents>) {}+ fn any(&self) -> &dyn Any; } pub trait SendStreamEvents: Debug {
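Review bot: in the `@@ -394,7 +408,7 @@` hunk, turning `data_readable` from a required trait method into a no-op default (`fn data_readable(&self, _stream_info: Http3StreamInfo) {}`) means an implementor of `RecvStreamEvents` that forgets to override it now compiles and silently drops readable-data notifications instead of failing at compile time; if the default is intended for event sinks that never consume data, say so in a doc comment on the method, otherwise keep it required.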
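Review bot: in the `@@ -419,15 +433,32 @@` hunk, the default bodies of `close_with_message` and `send_data_atomic` return `Err(Error::InvalidStreamId)` unconditionally, yet their `# Errors` doc comments say the error covers a transport stream that is "already close"; the docs should state that the default means the operation is unsupported for this stream type, and a dedicated error variant would be clearer than reusing `InvalidStreamId`, which callers may interpret as a real stream-id problem. While touching these comments, "It may happen that the transport stream is already close" should read "already closed".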
I'll analyze the code diff for security fixes following the specified format. Here are the potential vulnerabilities I've identified:

1. Vulnerability Existed: not sure
   [Potential Error Handling Improvement] [third_party/rust/neqo-http3/src/lib.rs] [Lines 81-85, 130]
   [Old Code] HttpVersionFallback, QpackError(neqo_qpack::Error),
   [Fixed Code] HttpVersionFallback, HttpMessageError, QpackError(neqo_qpack::Error),
   Additional Details: The addition of `HttpMessageError` suggests improved error handling for HTTP message parsing, which could prevent potential parsing vulnerabilities.

2. Vulnerability Existed: not sure
   [Error Mapping Improvement] [third_party/rust/neqo-http3/src/lib.rs] [Lines 191-203]
   [Old Code] pub fn map_stream_recv_errors(err: &TransportError) -> Self {
   [Fixed Code] pub fn map_stream_recv_errors(err: &Error) -> Self {
   Additional Details: The change from `TransportError` to the more general `Error` type in error mapping could indicate broader error handling coverage, potentially preventing unhandled error cases.

3. Vulnerability Existed: not sure
   [WebTransport Session Handling] [third_party/rust/neqo-http3/src/lib.rs] [Lines 346-349]
   [Old Code] (No equivalent code)
   [Fixed Code] fn webtransport(&self) -> Option<Rc<RefCell<WebTransportSession>>> { None }
   Additional Details: The addition of WebTransport session handling suggests improved security around the WebTransport protocol implementation.

4. Vulnerability Existed: not sure
   [Extended Error Handling] [third_party/rust/neqo-http3/src/lib.rs] [Lines 433-458]
   [Old Code] fn close(&mut self, conn: &mut Connection) -> Res<()>;
   [Fixed Code] fn close_with_message( &mut self, _conn: &mut Connection, _error: u32, _message: &str, ) -> Res<()> { Err(Error::InvalidStreamId) }
   Additional Details: The addition of `close_with_message` provides more detailed error reporting, which could help in debugging and preventing security issues.
Note: While these changes appear to be security-related improvements, without more context about the specific vulnerabilities they address, I can't definitively state whether they fix known vulnerabilities or are proactive improvements. The changes generally appear to improve error handling and protocol implementation robustness.