Shared security patch analysis results
AI Used: DEEPSEEK deepseek-chat--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/devtools/client/themes/dark-theme.css+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/devtools/client/themes/dark-theme.css@@ -238,13 +238,10 @@ } /* Blackboxing lines */--.cm-s-mozilla .CodeMirror-lines .blackboxed-line {- background-color: hsl(211, 89%, 17%);-}--.cm-s-mozilla .blackboxed-line .CodeMirror-linenumber {- color: var(--theme-icon-checked-color);+.CodeMirror-lines .blackboxed-line,+.CodeMirror-lines .blackboxed-line .CodeMirror-gutter-elt {+ /* Same color hue than the one used for the icon, but with different saturation/light */+ background-color: hsl(347.8, 5%, 20%); } /* Highlight for evaluating current statement. */
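Review bot: dropping the `.cm-s-mozilla` prefix in the Blackboxing rule lowers the selector's specificity and makes it match any `.CodeMirror-lines .blackboxed-line`, not only the Mozilla CodeMirror theme; confirm that no remaining themed rule overrides the new `background-color`. The old `.blackboxed-line .CodeMirror-linenumber` colour rule is removed with no replacement in this hunk, so the line-number colour on blackboxed lines now comes from elsewhere; note that in the commit message if it is intended. The new comment should read "Same color hue as the one used for the icon".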
Based on the provided CSS diff, I don't see any security vulnerabilities being fixed. This appears to be a purely stylistic/thematic change. Here's the analysis:

Vulnerability Existed: no
[No security vulnerability found] [devtools/client/themes/dark-theme.css] [Lines 238-246]

[Old Code]
```css
.cm-s-mozilla .CodeMirror-lines .blackboxed-line {
  background-color: hsl(211, 89%, 17%);
}

.cm-s-mozilla .blackboxed-line .CodeMirror-linenumber {
  color: var(--theme-icon-checked-color);
}
```

[Fixed Code]
```css
.CodeMirror-lines .blackboxed-line,
.CodeMirror-lines .blackboxed-line .CodeMirror-gutter-elt {
  /* Same color hue than the one used for the icon, but with different saturation/light */
  background-color: hsl(347.8, 5%, 20%);
}
```

The changes involve:
1. Removing the `.cm-s-mozilla` specificity
2. Changing the color scheme for blackboxed lines
3. Combining selectors
4. Moving the styling of line numbers to use the same background color

These are all visual/theme-related changes with no security implications.
If an attacker could control the contents of an iframe sandboxed with `allow-popups` but not `allow-scripts`, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/drawing-rectangles-to-the-canvas/2d.fillRect.clip.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/drawing-rectangles-to-the-canvas/2d.fillRect.clip.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#0f0'; ctx.fillRect(0, 0, 100, 50);@@ -25,7 +25,7 @@ ctx.fillRect(0, 0, 100, 50); ctx.fillStyle = '#0f0'; ctx.fillRect(0, 0, 16, 16);-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); t.done(); });
I'll analyze the provided code diff for security fixes following the specified format.

Vulnerability Existed: no
[Variable Renaming] [testing/web-platform/tests/html/canvas/offscreen/drawing-rectangles-to-the-canvas/2d.fillRect.clip.worker.js] [Lines 13-14, 25]

[Old Code]
```js
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
...
_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
```

[Fixed Code]
```js
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
...
_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
```

Additional Details: The changes appear to be purely cosmetic, renaming the variable `offscreenCanvas` to `canvas`. There are no security-related changes in this diff. The functionality remains exactly the same, only the variable name has been modified for consistency or clarity. No known vulnerability patterns are being addressed here.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/ash/src/device.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/ash/src/device.rs@@ -22,7 +22,7 @@ mem::transmute(instance_fn.get_device_proc_addr(device, name.as_ptr())) };- Device {+ Self { handle: device, device_fn_1_0: vk::DeviceFnV1_0::load(load_fn),@@ -166,14 +166,14 @@ ) -> VkResult<()> { self.device_fn_1_2 .wait_semaphores(self.handle(), wait_info, timeout)- .into()+ .result() } #[doc = "<https://www.khronos.org/registry/vulkan/specs/1.2-extensions/man/html/vkSignalSemaphore.html>"] pub unsafe fn signal_semaphore(&self, signal_info: &vk::SemaphoreSignalInfo) -> VkResult<()> { self.device_fn_1_2 .signal_semaphore(self.handle(), signal_info)- .into()+ .result() } #[doc = "<https://www.khronos.org/registry/vulkan/specs/1.2-extensions/man/html/vkGetBufferDeviceAddress.html>"]@@ -218,7 +218,7 @@ ) -> VkResult<()> { self.device_fn_1_1 .bind_buffer_memory2(self.handle(), bind_infos.len() as _, bind_infos.as_ptr())- .into()+ .result() } #[doc = "<https://www.khronos.org/registry/vulkan/specs/1.2-extensions/man/html/vkBindImageMemory2.html>"]@@ -228,7 +228,7 @@ ) -> VkResult<()> { self.device_fn_1_1 .bind_image_memory2(self.handle(), bind_infos.len() as _, bind_infos.as_ptr())- .into()+ .result() } #[doc = "<https://www.khronos.org/registry/vulkan/specs/1.2-extensions/man/html/vkGetDeviceGroupPeerMemoryFeatures.html>"]@@ -297,6 +297,7 @@ .get_buffer_memory_requirements2(self.handle(), info, out); }+ /// Retrieve the number of elements to pass to [`Self::get_image_sparse_memory_requirements2()`] pub unsafe fn get_image_sparse_memory_requirements2_len( &self, info: &vk::ImageSparseMemoryRequirementsInfo2,@@ -312,6 +313,9 @@ } #[doc = "<https://www.khronos.org/registry/vulkan/specs/1.2-extensions/man/html/vkGetImageSparseMemoryRequirements2.html>"]+ ///+ /// Call 
[`Self::get_image_sparse_memory_requirements2_len()`] to query the number of elements to pass to `out`.+ /// Be sure to [`Default::default()`]-initialize these elements and optionally set their `p_next` pointer. pub unsafe fn get_image_sparse_memory_requirements2( &self, info: &vk::ImageSparseMemoryRequirementsInfo2,@@ -503,12 +507,14 @@ #[doc = "<https://www.khronos.org/registry/vulkan/specs/1.2-extensions/man/html/vkSetEvent.html>"] pub unsafe fn set_event(&self, event: vk::Event) -> VkResult<()> {- self.device_fn_1_0.set_event(self.handle(), event).into()+ self.device_fn_1_0.set_event(self.handle(), event).result() } #[doc = "<https://www.khronos.org/registry/vulkan/specs/1.2-extensions/man/html/vkResetEvent.html>"] pub unsafe fn reset_event(&self, event: vk::Event) -> VkResult<()> {- self.device_fn_1_0.reset_event(self.handle(), event).into()+ self.device_fn_1_0+ .reset_event(self.handle(), event)+ .result() } #[doc = "<https://www.khronos.org/registry/vulkan/specs/1.2-extensions/man/html/vkCmdSetEvent.html>"] pub unsafe fn cmd_set_event(@@ -766,7 +772,7 @@ descriptor_sets.len() as u32, descriptor_sets.as_ptr(), )- .into()+ .result() } #[doc = "<https://www.khronos.org/registry/vulkan/specs/1.2-extensions/man/html/vkUpdateDescriptorSets.html>"]@@ -986,7 +992,7 @@ #[doc = "<https://www.khronos.org/registry/vulkan/specs/1.2-extensions/man/html/vkDeviceWaitIdle.html>"] pub unsafe fn device_wait_idle(&self) -> VkResult<()> {- self.device_fn_1_0.device_wait_idle(self.handle()).into()+ self.device_fn_1_0.device_wait_idle(self.handle()).result() } #[doc = "<https://www.khronos.org/registry/vulkan/specs/1.2-extensions/man/html/vkCreateDescriptorPool.html>"]@@ -1014,7 +1020,7 @@ ) -> VkResult<()> { self.device_fn_1_0 .reset_descriptor_pool(self.handle(), pool, flags)- .into()+ .result() } #[doc = "<https://www.khronos.org/registry/vulkan/specs/1.2-extensions/man/html/vkResetCommandPool.html>"]@@ -1025,7 +1031,7 @@ ) -> VkResult<()> { self.device_fn_1_0 
.reset_command_pool(self.handle(), command_pool, flags)- .into()+ .result() } #[doc = "<https://www.khronos.org/registry/vulkan/specs/1.2-extensions/man/html/vkResetCommandBuffer.html>"]@@ -1036,14 +1042,14 @@ ) -> VkResult<()> { self.device_fn_1_0 .reset_command_buffer(command_buffer, flags)- .into()+ .result() } #[doc = "<https://www.khronos.org/registry/vulkan/specs/1.2-extensions/man/html/vkResetFences.html>"] pub unsafe fn reset_fences(&self, fences: &[vk::Fence]) -> VkResult<()> { self.device_fn_1_0 .reset_fences(self.handle(), fences.len() as u32, fences.as_ptr())- .into()+ .result() } #[doc = "<https://www.khronos.org/registry/vulkan/specs/1.2-extensions/man/html/vkCmdBindIndexBuffer.html>"]@@ -1469,7 +1475,7 @@ mem::size_of::<T>() as _, flags, )- .into()+ .result() } #[doc = "<https://www.khronos.org/registry/vulkan/specs/1.2-extensions/man/html/vkCmdBeginQuery.html>"]@@ -1661,7 +1667,7 @@ src_caches.len() as u32, src_caches.as_ptr(), )- .into()+ .result() } #[doc = "<https://www.khronos.org/registry/vulkan/specs/1.2-extensions/man/html/vkMapMemory.html>"]@@ -1690,7 +1696,7 @@ ) -> VkResult<()> { self.device_fn_1_0 .invalidate_mapped_memory_ranges(self.handle(), ranges.len() as u32, ranges.as_ptr())- .into()+ .result() } #[doc = "<https://www.khronos.org/registry/vulkan/specs/1.2-extensions/man/html/vkFlushMappedMemoryRanges.html>"]@@ -1700,7 +1706,7 @@ ) -> VkResult<()> { self.device_fn_1_0 .flush_mapped_memory_ranges(self.handle(), ranges.len() as u32, ranges.as_ptr())- .into()+ .result() } #[doc = "<https://www.khronos.org/registry/vulkan/specs/1.2-extensions/man/html/vkCreateFramebuffer.html>"]@@ -1782,12 +1788,14 @@ ) -> VkResult<()> { self.device_fn_1_0 .begin_command_buffer(command_buffer, begin_info)- .into()+ .result() } #[doc = "<https://www.khronos.org/registry/vulkan/specs/1.2-extensions/man/html/vkEndCommandBuffer.html>"] pub unsafe fn end_command_buffer(&self, command_buffer: vk::CommandBuffer) -> VkResult<()> {- 
self.device_fn_1_0.end_command_buffer(command_buffer).into()+ self.device_fn_1_0+ .end_command_buffer(command_buffer)+ .result() } #[doc = "<https://www.khronos.org/registry/vulkan/specs/1.2-extensions/man/html/vkWaitForFences.html>"]@@ -1805,7 +1813,7 @@ wait_all as u32, timeout, )- .into()+ .result() } #[doc = "<https://www.khronos.org/registry/vulkan/specs/1.2-extensions/man/html/vkGetFenceStatus.html>"]@@ -1820,7 +1828,7 @@ #[doc = "<https://www.khronos.org/registry/vulkan/specs/1.2-extensions/man/html/vkQueueWaitIdle.html>"] pub unsafe fn queue_wait_idle(&self, queue: vk::Queue) -> VkResult<()> {- self.device_fn_1_0.queue_wait_idle(queue).into()+ self.device_fn_1_0.queue_wait_idle(queue).result() } #[doc = "<https://www.khronos.org/registry/vulkan/specs/1.2-extensions/man/html/vkQueueSubmit.html>"]@@ -1832,7 +1840,7 @@ ) -> VkResult<()> { self.device_fn_1_0 .queue_submit(queue, submits.len() as u32, submits.as_ptr(), fence)- .into()+ .result() } #[doc = "<https://www.khronos.org/registry/vulkan/specs/1.2-extensions/man/html/vkQueueBindSparse.html>"]@@ -1844,7 +1852,7 @@ ) -> VkResult<()> { self.device_fn_1_0 .queue_bind_sparse(queue, bind_info.len() as u32, bind_info.as_ptr(), fence)- .into()+ .result() } #[doc = "<https://www.khronos.org/registry/vulkan/specs/1.2-extensions/man/html/vkCreateBufferView.html>"]@@ -2055,7 +2063,7 @@ ) -> VkResult<()> { self.device_fn_1_0 .bind_buffer_memory(self.handle(), buffer, device_memory, offset)- .into()+ .result() } #[doc = "<https://www.khronos.org/registry/vulkan/specs/1.2-extensions/man/html/vkBindImageMemory.html>"]@@ -2067,7 +2075,7 @@ ) -> VkResult<()> { self.device_fn_1_0 .bind_image_memory(self.handle(), image, device_memory, offset)- .into()+ .result() } #[doc = "<https://www.khronos.org/registry/vulkan/specs/1.2-extensions/man/html/vkGetRenderAreaGranularity.html>"]
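Review bot: the doc comment added above `get_image_sparse_memory_requirements2` states the sizing and initialization contract for `out` only as ordinary prose; because the function is `unsafe`, put that contract under a `# Safety` heading so it renders as the caller's obligation, and cross-reference it from the `_len` helper in the same way. The `.into()` to `.result()` replacements are mechanical and every signature shown keeps `-> VkResult<()>`, so no caller-visible change is apparent from these lines; the commit message should say what motivates the rename, since the definition of `result()` is not part of this diff.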
Based on the provided code diff, I'll analyze it for security fixes. The main change appears to be replacing `.into()` with `.result()` for Vulkan API calls. Here's the analysis:

1. Vulnerability Existed: yes
Improper Error Handling [File] third_party/rust/ash/src/device.rs [Lines] Multiple locations throughout the file
[Old Code] Various Vulkan API calls ending with `.into()`
[Fixed Code] Same calls but using `.result()` instead

The change from `.into()` to `.result()` appears to be a more explicit and proper way to handle Vulkan API results. While this might not represent a direct security vulnerability, improper error handling could potentially lead to security issues if errors are silently converted or ignored. The `.result()` method provides more explicit error handling which is generally safer.

2. Vulnerability Existed: not sure
Documentation Improvement [File] third_party/rust/ash/src/device.rs [Lines] 297-313
[Old Code] No specific documentation for get_image_sparse_memory_requirements2_len
[Fixed Code] Added documentation clarifying the usage of get_image_sparse_memory_requirements2_len and get_image_sparse_memory_requirements2

While this is primarily a documentation improvement, better documentation can help prevent misuse of APIs which could potentially lead to security issues. However, I can't be certain this was fixing an actual vulnerability.

The majority of changes in this diff are consistent replacements of `.into()` with `.result()` across various Vulkan API calls, which improves error handling consistency throughout the codebase. This appears to be a systematic improvement rather than fixing specific vulnerabilities.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/netwerk/base/nsAsyncStreamCopier.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/netwerk/base/nsAsyncStreamCopier.cpp@@ -160,7 +160,9 @@ nsCOMPtr<nsISupports> copierCtx; { MutexAutoLock lock(mLock);- if (!mIsPending) return NS_OK;+ if (!mIsPending) {+ return NS_OK;+ } copierCtx.swap(mCopierCtx); }@@ -214,6 +216,7 @@ NS_IMETHODIMP nsAsyncStreamCopier::SetLoadGroup(nsILoadGroup* aLoadGroup) { return NS_OK; }+// Can't be accessed by multiple threads yet nsresult nsAsyncStreamCopier::InitInternal(nsIInputStream* source, nsIOutputStream* sink, nsIEventTarget* target,@@ -328,7 +331,10 @@ // from this point forward, AsyncCopy is going to return NS_OK. any errors // will be reported via OnStopRequest.- mIsPending = true;+ {+ MutexAutoLock lock(mLock);+ mIsPending = true;+ } if (mObserver) { rv = mObserver->OnStartRequest(AsRequest());
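Review bot: the comment added above `InitInternal` ("Can't be accessed by multiple threads yet") does not say which members it covers or what makes it true; state the invariant, for example that the object has not been handed to another thread before `InitInternal` returns, so that accesses in it made without `mLock` can be audited. In the last hunk `mIsPending = true` now takes `mLock`, matching the locked read in the first hunk, and the scope closes before `mObserver->OnStartRequest(AsRequest())`, which keeps the observer callback outside the lock. Any other read or write of `mIsPending` outside these hunks needs the same locking for the change to be complete.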
Here's the analysis of the provided code diff for security fixes:

1. Vulnerability Existed: yes
Race Condition Vulnerability [File] netwerk/base/nsAsyncStreamCopier.cpp [Lines] 160-163, 331-334

[Old Code]
```cpp
if (!mIsPending) return NS_OK;
...
mIsPending = true;
```

[Fixed Code]
```cpp
if (!mIsPending) {
  return NS_OK;
}
...
{
  MutexAutoLock lock(mLock);
  mIsPending = true;
}
```

Additional Details: The fix adds proper mutex locking around the mIsPending flag access to prevent race conditions between threads. The comment "Can't be accessed by multiple threads yet" suggests this was a known threading issue.

2. Vulnerability Existed: not sure
Potential Thread Safety Issue [File] netwerk/base/nsAsyncStreamCopier.cpp [Lines] 214-216

[Old Code]
```cpp
NS_IMETHODIMP nsAsyncStreamCopier::SetLoadGroup(nsILoadGroup* aLoadGroup) { return NS_OK; }
```

[Fixed Code] No direct change, but the added comment "Can't be accessed by multiple threads yet" suggests potential thread safety concerns in this area.

Additional Details: While no direct code changes were made to this method, the added comment suggests the developers were aware of potential thread safety issues in this class, though we can't be certain about specific vulnerabilities without seeing more context.

The main security fix here is clearly the addition of mutex locking around the mIsPending flag access, which addresses a race condition vulnerability. The other changes appear to be related to thread safety awareness in the codebase.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/layout/forms/nsListControlFrame.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/layout/forms/nsListControlFrame.cpp@@ -8,12 +8,12 @@ #include "nsCOMPtr.h" #include "nsUnicharUtils.h" #include "nsListControlFrame.h"+#include "HTMLSelectEventListener.h" #include "nsGkAtoms.h" #include "nsComboboxControlFrame.h" #include "nsFontMetrics.h" #include "nsIScrollableFrame.h" #include "nsCSSRendering.h"-#include "nsIDOMEventListener.h" #include "nsLayoutUtils.h" #include "nsDisplayList.h" #include "nsContentUtils.h"@@ -38,39 +38,8 @@ using namespace mozilla; using namespace mozilla::dom;-// Constants-const uint32_t kMaxDropDownRows = 20; // matches the setting for 4.x browsers-const int32_t kNothingSelected = -1;- // Static members nsListControlFrame* nsListControlFrame::mFocused = nullptr;-StaticAutoPtr<nsString> nsListControlFrame::sIncrementalString;--DOMTimeStamp nsListControlFrame::gLastKeyTime = 0;--/******************************************************************************- * nsListEventListener- * This class is responsible for propagating events to the nsListControlFrame.- * Frames are not refcounted so they can't be used as event listeners.- *****************************************************************************/--class nsListEventListener final : public nsIDOMEventListener {- public:- explicit nsListEventListener(nsListControlFrame* aFrame) : mFrame(aFrame) {}-- void SetFrame(nsListControlFrame* aFrame) { mFrame = aFrame; }-- NS_DECL_ISUPPORTS-- // nsIDOMEventListener- MOZ_CAN_RUN_SCRIPT_BOUNDARY- NS_IMETHOD HandleEvent(Event* aEvent) override;-- private:- ~nsListEventListener() = default;-- nsListControlFrame* mFrame;-}; //--------------------------------------------------------- nsListControlFrame* NS_NewListControlFrame(PresShell* aPresShell,@@ -85,37 +54,23 @@ 
NS_IMPL_FRAMEARENA_HELPERS(nsListControlFrame)-//--------------------------------------------------------- nsListControlFrame::nsListControlFrame(ComputedStyle* aStyle, nsPresContext* aPresContext) : nsHTMLScrollFrame(aStyle, aPresContext, kClassID, false),- mView(nullptr), mMightNeedSecondPass(false), mHasPendingInterruptAtStartOfReflow(false),- mDropdownCanGrow(false), mForceSelection(false), mLastDropdownComputedBSize(NS_UNCONSTRAINEDSIZE) {- mComboboxFrame = nullptr; mChangesSinceDragStart = false;- mButtonDown = false; mIsAllContentHere = false; mIsAllFramesHere = false; mHasBeenInitialized = false; mNeedToReset = true; mPostChildrenLoadedReset = false;-- mControlSelectMode = false;-}--//----------------------------------------------------------nsListControlFrame::~nsListControlFrame() { mComboboxFrame = nullptr; }--static bool ShouldFireDropDownEvent() {- return (XRE_IsContentProcess() &&- StaticPrefs::browser_tabs_remote_desktopbehavior()) ||- Preferences::GetBool("dom.select_popup_in_parent.enabled", false);-}+}++nsListControlFrame::~nsListControlFrame() = default; // for Bug 47302 (remove this comment later) void nsListControlFrame::DestroyFrom(nsIFrame* aDestructRoot,@@ -126,20 +81,7 @@ // Clear the frame pointer on our event listener, just in case the // event listener can outlive the frame.- mEventListener->SetFrame(nullptr);-- mContent->RemoveSystemEventListener(u"keydown"_ns, mEventListener, false);- mContent->RemoveSystemEventListener(u"keypress"_ns, mEventListener, false);- mContent->RemoveSystemEventListener(u"mousedown"_ns, mEventListener, false);- mContent->RemoveSystemEventListener(u"mouseup"_ns, mEventListener, false);- mContent->RemoveSystemEventListener(u"mousemove"_ns, mEventListener, false);-- if (ShouldFireDropDownEvent()) {- nsContentUtils::AddScriptRunner(- new AsyncEventDispatcher(mContent, u"mozhidedropdown"_ns,- CanBubble::eYes, ChromeOnlyDispatch::eYes));- }-+ mEventListener->Detach(); nsHTMLScrollFrame::DestroyFrom(aDestructRoot, 
aPostDestroyData); }@@ -154,18 +96,11 @@ DO_GLOBAL_REFLOW_COUNT_DSP("nsListControlFrame");- if (IsInDropDownMode()) {- NS_ASSERTION(NS_GET_A(mLastDropdownBackstopColor) == 255,- "need an opaque backstop color");- // XXX Because we have an opaque widget and we get called to paint with- // this frame as the root of a stacking context we need make sure to draw- // some opaque color over the whole widget. (Bug 511323)- aLists.BorderBackground()->AppendNewToBottom<nsDisplaySolidColor>(- aBuilder, this, nsRect(aBuilder->ToReferenceFrame(this), GetSize()),- mLastDropdownBackstopColor);- }- nsHTMLScrollFrame::BuildDisplayList(aBuilder, aLists);+}++HTMLOptionElement* nsListControlFrame::GetCurrentOption() const {+ return mEventListener->GetCurrentOption(); } /**@@ -355,11 +290,6 @@ } }- if (IsInDropDownMode()) {- ReflowAsDropdown(aPresContext, aDesiredSize, aReflowInput, aStatus);- return;- }- MarkInReflow(); /* * Due to the fact that our intrinsic block size depends on the block@@ -461,136 +391,10 @@ nsHTMLScrollFrame::Reflow(aPresContext, aDesiredSize, state, aStatus); }-void nsListControlFrame::ReflowAsDropdown(nsPresContext* aPresContext,- ReflowOutput& aDesiredSize,- const ReflowInput& aReflowInput,- nsReflowStatus& aStatus) {- MOZ_ASSERT(aReflowInput.ComputedBSize() == NS_UNCONSTRAINEDSIZE,- "We should not have a computed block size here!");-- mMightNeedSecondPass = IsSubtreeDirty() || aReflowInput.ShouldReflowAllKids();-- WritingMode wm = aReflowInput.GetWritingMode();-#ifdef DEBUG- nscoord oldBSizeOfARow = BSizeOfARow();- nscoord oldVisibleBSize = HasAnyStateBits(NS_FRAME_FIRST_REFLOW)- ? 
NS_UNCONSTRAINEDSIZE- : GetScrolledFrame()->BSize(wm);-#endif-- ReflowInput state(aReflowInput);-- if (!HasAnyStateBits(NS_FRAME_FIRST_REFLOW)) {- // When not doing an initial reflow, and when the block size is- // auto, start off with our computed block size set to what we'd- // expect our block size to be.- // Note: At this point, mLastDropdownComputedBSize can be- // NS_UNCONSTRAINEDSIZE in cases when last time we didn't have to- // constrain the block size. That's fine; just do the same thing as- // last time.- state.SetComputedBSize(mLastDropdownComputedBSize);- }-- nsHTMLScrollFrame::Reflow(aPresContext, aDesiredSize, state, aStatus);-- if (!mMightNeedSecondPass) {- NS_ASSERTION(oldVisibleBSize == GetScrolledFrame()->BSize(wm),- "How did our kid's BSize change if nothing was dirty?");- NS_ASSERTION(BSizeOfARow() == oldBSizeOfARow,- "How did our BSize of a row change if nothing was dirty?");- NS_ASSERTION(!IsScrollbarUpdateSuppressed(),- "Shouldn't be suppressing if we don't need a second pass!");- NS_ASSERTION(!HasAnyStateBits(NS_FRAME_FIRST_REFLOW),- "How can we avoid a second pass during first reflow?");- return;- }-- mMightNeedSecondPass = false;-- // Now see whether we need a second pass. If we do, our nsSelectsAreaFrame- // will have suppressed the scrollbar update.- if (!IsScrollbarUpdateSuppressed()) {- // All done. No need to do more reflow.- NS_ASSERTION(!HasAnyStateBits(NS_FRAME_FIRST_REFLOW),- "How can we avoid a second pass during first reflow?");- return;- }-- SetSuppressScrollbarUpdate(false);-- nscoord visibleBSize = GetScrolledFrame()->BSize(wm);- nscoord blockSizeOfARow = BSizeOfARow();-- // Gotta reflow again.- // XXXbz We're just changing the block size here; do we need to dirty- // ourselves or anything like that? 
We might need to, per the letter- // of the reflow protocol, but things seem to work fine without it...- // Is that just an implementation detail of nsHTMLScrollFrame that- // we're depending on?- nsHTMLScrollFrame::DidReflow(aPresContext, &state);-- // Now compute the block size we want to have.- // Note: no need to apply min/max constraints, since we have no such- // rules applied to the combobox dropdown.-- mDropdownCanGrow = false;- if (visibleBSize <= 0 || blockSizeOfARow <= 0 || XRE_IsContentProcess()) {- // Looks like we have no options. Just size us to a single row- // block size.- state.SetComputedBSize(blockSizeOfARow);- // mNumDisplayRows is used as the number of options to move for the page- // up/down keys. If we're in a content process, we can't calculate- // mNumDisplayRows properly, but the maximum number of rows is a lot more- // uesful for page up/down than 1.- mNumDisplayRows = XRE_IsContentProcess() ? kMaxDropDownRows : 1;- } else {- nsComboboxControlFrame* combobox =- static_cast<nsComboboxControlFrame*>(mComboboxFrame);- LogicalPoint translation(wm);- nscoord before, after;- combobox->GetAvailableDropdownSpace(wm, &before, &after, &translation);- if (before <= 0 && after <= 0) {- state.SetComputedBSize(blockSizeOfARow);- mNumDisplayRows = 1;- mDropdownCanGrow = GetNumberOfRows() > 1;- } else {- nscoord bp = aReflowInput.ComputedLogicalBorderPadding(wm).BStartEnd(wm);- nscoord availableBSize = std::max(before, after) - bp;- nscoord newBSize;- uint32_t rows;- if (visibleBSize <= availableBSize) {- // The dropdown fits in the available block size.- rows = GetNumberOfRows();- mNumDisplayRows = clamped<uint32_t>(rows, 1, kMaxDropDownRows);- if (mNumDisplayRows == rows) {- newBSize = visibleBSize; // use the exact block size- } else {- newBSize = mNumDisplayRows * blockSizeOfARow; // approximate- // The approximation here might actually be too big (bug 1208978);- // don't let it exceed the actual block-size of the list.- newBSize = 
std::min(newBSize, visibleBSize);- }- } else {- rows = availableBSize / blockSizeOfARow;- mNumDisplayRows = clamped<uint32_t>(rows, 1, kMaxDropDownRows);- newBSize = mNumDisplayRows * blockSizeOfARow; // approximate- }- state.SetComputedBSize(newBSize);- mDropdownCanGrow = visibleBSize - newBSize >= blockSizeOfARow &&- mNumDisplayRows != kMaxDropDownRows;- }- }-- mLastDropdownComputedBSize = state.ComputedBSize();-- aStatus.Reset();- nsHTMLScrollFrame::Reflow(aPresContext, aDesiredSize, state, aStatus);-}- ScrollStyles nsListControlFrame::GetScrollStyles() const {- // We can't express this in the style system yet; when we can, this can go- // away and GetScrollStyles can be devirtualized- auto style = IsInDropDownMode() ? StyleOverflow::Auto : StyleOverflow::Scroll;+ // TODO(emilio, bug 1750431): Set this in html.css and devirtualize+ // GetScrollStyles().+ auto style = StyleOverflow::Scroll; if (GetWritingMode().IsVertical()) { return ScrollStyles(style, StyleOverflow::Hidden); } else {@@ -599,7 +403,7 @@ } bool nsListControlFrame::ShouldPropagateComputedBSizeToScrolledContent() const {- return !IsInDropDownMode();+ return true; } //---------------------------------------------------------@@ -616,12 +420,8 @@ //--------------------------------------------------------- bool nsListControlFrame::SingleSelection(int32_t aClickedIndex, bool aDoToggle) {- if (mComboboxFrame) {- mComboboxFrame->UpdateRecentIndex(GetSelectedIndex());- }- #ifdef ACCESSIBILITY- nsCOMPtr<nsIContent> prevOption = GetCurrentOption();+ nsCOMPtr<nsIContent> prevOption = mEventListener->GetCurrentOption(); #endif bool wasChanged = false; // Get Current selection@@ -801,25 +601,11 @@ //--------------------------------------------------------- void nsListControlFrame::CaptureMouseEvents(bool aGrabMouseEvents) {- // Currently cocoa widgets use a native popup widget which tracks clicks- // synchronously, so we never want to do mouse capturing. 
Note that we only- // bail if the list is in drop-down mode, and the caller is requesting capture- // (we let release capture requests go through to ensure that we can release- // capture requested via other code paths, if any exist).- if (aGrabMouseEvents && IsInDropDownMode() &&- nsComboboxControlFrame::ToolkitHasNativePopup())- return;- if (aGrabMouseEvents) { PresShell::SetCapturingContent(mContent, CaptureFlags::IgnoreAllowedState); } else { nsIContent* capturingContent = PresShell::GetCapturingContent();-- bool dropDownIsHidden = false;- if (IsInDropDownMode()) {- dropDownIsHidden = !mComboboxFrame->IsDroppedDown();- }- if (capturingContent == mContent || dropDownIsHidden) {+ if (capturingContent == mContent) { // only clear the capturing content if *we* are the ones doing the // capturing (or if the dropdown is hidden, in which case NO-ONE should // be capturing anything - it could be a scrollbar inside this listbox@@ -897,30 +683,21 @@ }*/ }+HTMLSelectElement& nsListControlFrame::Select() const {+ return *static_cast<HTMLSelectElement*>(GetContent());+}+ //--------------------------------------------------------- void nsListControlFrame::Init(nsIContent* aContent, nsContainerFrame* aParent, nsIFrame* aPrevInFlow) { nsHTMLScrollFrame::Init(aContent, aParent, aPrevInFlow);- if (IsInDropDownMode()) {- AddStateBits(NS_FRAME_IN_POPUP);- CreateView();- }- // we shouldn't have to unregister this listener because when // our frame goes away all these content node go away as well // because our frame is the only one who references them. 
// we need to hook up our listeners before the editor is initialized- mEventListener = new nsListEventListener(this);-- mContent->AddSystemEventListener(u"keydown"_ns, mEventListener, false, false);- mContent->AddSystemEventListener(u"keypress"_ns, mEventListener, false,- false);- mContent->AddSystemEventListener(u"mousedown"_ns, mEventListener, false,- false);- mContent->AddSystemEventListener(u"mouseup"_ns, mEventListener, false, false);- mContent->AddSystemEventListener(u"mousemove"_ns, mEventListener, false,- false);+ mEventListener = new HTMLSelectEventListener(+ Select(), HTMLSelectEventListener::SelectType::Listbox); mStartSelectionIndex = kNothingSelected; mEndSelectionIndex = kNothingSelected;@@ -988,21 +765,12 @@ InvalidateFocus(); if (aOn) {- ComboboxFocusSet(); mFocused = this; } else { mFocused = nullptr; } InvalidateFocus();-}--void nsListControlFrame::ComboboxFocusSet() { gLastKeyTime = 0; }--void nsListControlFrame::SetComboboxFrame(nsIFrame* aComboboxFrame) {- if (nullptr != aComboboxFrame) {- mComboboxFrame = do_QueryFrame(aComboboxFrame);- } } void nsListControlFrame::GetOptionText(uint32_t aIndex, nsAString& aStr) {@@ -1016,46 +784,6 @@ dom::HTMLSelectElement* select = dom::HTMLSelectElement::FromNodeOrNull(mContent); return select->SelectedIndex();-}--dom::HTMLOptionElement* nsListControlFrame::GetCurrentOption() {- // The mEndSelectionIndex is what is currently being selected. Use- // the selected index if this is kNothingSelected.- int32_t focusedIndex = (mEndSelectionIndex == kNothingSelected)- ? GetSelectedIndex()- : mEndSelectionIndex;-- if (focusedIndex != kNothingSelected) {- return GetOption(AssertedCast<uint32_t>(focusedIndex));- }-- // There is no selected option. 
Return the first non-disabled option, if any.- return GetNonDisabledOptionFrom(0);-}--HTMLOptionElement* nsListControlFrame::GetNonDisabledOptionFrom(- int32_t aFromIndex, int32_t* aFoundIndex) {- RefPtr<dom::HTMLSelectElement> selectElement =- dom::HTMLSelectElement::FromNode(mContent);-- const uint32_t length = selectElement->Length();- for (uint32_t i = std::max(aFromIndex, 0); i < length; ++i) {- HTMLOptionElement* node = selectElement->Item(i);- if (!node) {- break;- }- if (IsOptionInteractivelySelectable(selectElement, node)) {- if (aFoundIndex) {- *aFoundIndex = i;- }- return node;- }- }- return nullptr;-}--bool nsListControlFrame::IsInDropDownMode() const {- return (mComboboxFrame != nullptr); } uint32_t nsListControlFrame::GetNumberOfOptions() {@@ -1127,7 +855,8 @@ } static int32_t DecrementAndClamp(int32_t aSelectionIndex, int32_t aLength) {- return aLength == 0 ? kNothingSelected : std::max(0, aSelectionIndex - 1);+ return aLength == 0 ? nsListControlFrame::kNothingSelected+ : std::max(0, aSelectionIndex - 1); } NS_IMETHODIMP@@ -1135,11 +864,6 @@ MOZ_ASSERT(aIndex >= 0, "negative <option> index"); // Need to reset if we're a dropdown- if (IsInDropDownMode()) {- mNeedToReset = true;- mPostChildrenLoadedReset = mIsAllContentHere;- }- if (mStartSelectionIndex != kNothingSelected) { NS_ASSERTION(mEndSelectionIndex != kNothingSelected, ""); int32_t numOptions = GetNumberOfOptions();@@ -1204,87 +928,20 @@ // Dispatch event and such bool nsListControlFrame::UpdateSelection() { if (mIsAllFramesHere) {- // if it's a combobox, display the new text+ // if it's a combobox, display the new text. Note that after+ // FireOnInputAndOnChange we might be dead, as that can run script. 
AutoWeakFrame weakFrame(this);- if (mComboboxFrame) {- mComboboxFrame->RedisplaySelectedText();-- // When dropdown list is open, onchange event will be fired when Enter key- // is hit or when dropdown list is dismissed.- if (mComboboxFrame->IsDroppedDown()) {- return weakFrame.IsAlive();- }- } if (mIsAllContentHere) {- FireOnInputAndOnChange();+ RefPtr listener = mEventListener;+ listener->FireOnInputAndOnChange(); } return weakFrame.IsAlive(); } return true;-}--void nsListControlFrame::ComboboxFinish(int32_t aIndex) {- gLastKeyTime = 0;-- if (mComboboxFrame) {- int32_t displayIndex = mComboboxFrame->GetIndexOfDisplayArea();- // Make sure we can always reset to the displayed index- mForceSelection = displayIndex == aIndex;-- AutoWeakFrame weakFrame(this);- PerformSelection(aIndex, false, false); // might destroy us- if (!weakFrame.IsAlive() || !mComboboxFrame) {- return;- }-- if (displayIndex != aIndex) {- mComboboxFrame->RedisplaySelectedText(); // might destroy us- }-- if (weakFrame.IsAlive() && mComboboxFrame) {- mComboboxFrame->RollupFromList(); // might destroy us- }- }-}--// Send out an onInput and onChange notification.-void nsListControlFrame::FireOnInputAndOnChange() {- if (mComboboxFrame) {- // Return hit without changing anything- int32_t index = mComboboxFrame->UpdateRecentIndex(NS_SKIP_NOTIFY_INDEX);- if (index == NS_SKIP_NOTIFY_INDEX) {- return;- }-- // See if the selection actually changed- if (index == GetSelectedIndex()) {- return;- }- }-- RefPtr<Element> element = Element::FromNodeOrNull(mContent);- if (NS_WARN_IF(!element)) {- return;- }- // Dispatch the input event.- DebugOnly<nsresult> rvIgnored = nsContentUtils::DispatchInputEvent(element);- NS_WARNING_ASSERTION(NS_SUCCEEDED(rvIgnored),- "Failed to dispatch input event");-- // Dispatch the change event.- nsContentUtils::DispatchTrustedEvent(element->OwnerDoc(), element,- u"change"_ns, CanBubble::eYes,- Cancelable::eNo); } NS_IMETHODIMP_(void) nsListControlFrame::OnSetSelectedIndex(int32_t 
aOldIndex, int32_t aNewIndex) {- if (mComboboxFrame) {- // UpdateRecentIndex with NS_SKIP_NOTIFY_INDEX, so that we won't fire an- // onchange event for this setting of selectedIndex.- mComboboxFrame->UpdateRecentIndex(NS_SKIP_NOTIFY_INDEX);- }- #ifdef ACCESSIBILITY nsCOMPtr<nsIContent> prevOption = GetCurrentOption(); #endif@@ -1322,63 +979,6 @@ // OnOptionSelected return NS_OK;-}--void nsListControlFrame::AboutToDropDown() {- NS_ASSERTION(IsInDropDownMode(),- "AboutToDropDown called without being in dropdown mode");-- // Our widget doesn't get invalidated on changes to the rest of the document,- // so compute and store this color at the start of a dropdown so we don't- // get weird painting behaviour.- // We start looking for backgrounds above the combobox frame to avoid- // duplicating the combobox frame's background and compose each background- // color we find underneath until we have an opaque color, or run out of- // backgrounds. We compose with the PresContext default background color,- // which is always opaque, in case we don't end up with an opaque color.- // This gives us a very poor approximation of translucency.- nsIFrame* comboboxFrame = do_QueryFrame(mComboboxFrame);- nsIFrame* ancestor = comboboxFrame->GetParent();- mLastDropdownBackstopColor = NS_RGBA(0, 0, 0, 0);- while (NS_GET_A(mLastDropdownBackstopColor) < 255 && ancestor) {- ComputedStyle* context = ancestor->Style();- mLastDropdownBackstopColor =- NS_ComposeColors(context->StyleBackground()->BackgroundColor(context),- mLastDropdownBackstopColor);- ancestor = ancestor->GetParent();- }- mLastDropdownBackstopColor = NS_ComposeColors(- PresContext()->DefaultBackgroundColor(), mLastDropdownBackstopColor);-- if (mIsAllContentHere && mIsAllFramesHere && mHasBeenInitialized) {- AutoWeakFrame weakFrame(this);- ScrollToIndex(GetSelectedIndex());- if (!weakFrame.IsAlive()) {- return;- }-#ifdef ACCESSIBILITY- FireMenuItemActiveEvent(nullptr); // Inform assistive tech what got focus-#endif- }- 
mItemSelectionStarted = false;- mForceSelection = false;-}--// We are about to be rolledup from the outside (ComboboxFrame)-void nsListControlFrame::AboutToRollup() {- // We've been updating the combobox with the keyboard up until now, but not- // with the mouse. The problem is, even with mouse selection, we are- // updating the <select>. So if the mouse goes over an option just before- // he leaves the box and clicks, that's what the <select> will show.- //- // To deal with this we say "whatever is in the combobox is canonical."- // - IF the combobox is different from the current selected index, we- // reset the index.-- if (IsInDropDownMode()) {- ComboboxFinish(- mComboboxFrame->GetIndexOfDisplayArea()); // might destroy us- } } void nsListControlFrame::DidReflow(nsPresContext* aPresContext,@@ -1427,15 +1027,6 @@ return !aSelect->IsOptionDisabled(aOption) && aOption->GetPrimaryFrame(); }-//-----------------------------------------------------------------------// helper-//-----------------------------------------------------------------------bool nsListControlFrame::IsLeftButton(dom::Event* aMouseEvent) {- // only allow selection with the left button- MouseEvent* mouseEvent = aMouseEvent->AsMouseEvent();- return mouseEvent && mouseEvent->Button() == 0;-}- nscoord nsListControlFrame::CalcFallbackRowBSize(float aFontSizeInflation) { RefPtr<nsFontMetrics> fontMet = nsLayoutUtils::GetFontMetricsForFrame(this, aFontSizeInflation);@@ -1444,146 +1035,16 @@ nscoord nsListControlFrame::CalcIntrinsicBSize(nscoord aBSizeOfARow, int32_t aNumberOfOptions) {- MOZ_ASSERT(!IsInDropDownMode(),- "Shouldn't be in dropdown mode when we call this");-- dom::HTMLSelectElement* select =- dom::HTMLSelectElement::FromNodeOrNull(mContent);- if (select) {- mNumDisplayRows = select->Size();- } else {- mNumDisplayRows = 1;- }-+ mNumDisplayRows = Select().Size(); if (mNumDisplayRows < 1) { mNumDisplayRows = 4; }- return mNumDisplayRows * 
aBSizeOfARow;-}--//-----------------------------------------------------------------------// nsIDOMMouseListener-//-----------------------------------------------------------------------nsresult nsListControlFrame::MouseUp(dom::Event* aMouseEvent) {- NS_ASSERTION(aMouseEvent != nullptr, "aMouseEvent is null.");-- MouseEvent* mouseEvent = aMouseEvent->AsMouseEvent();- NS_ENSURE_TRUE(mouseEvent, NS_ERROR_FAILURE);-- UpdateInListState(aMouseEvent);-- mButtonDown = false;-- EventStates eventStates = mContent->AsElement()->State();- if (eventStates.HasState(NS_EVENT_STATE_DISABLED)) {- return NS_OK;- }-- // only allow selection with the left button- // if a right button click is on the combobox itself- // or on the select when in listbox mode, then let the click through- if (!IsLeftButton(aMouseEvent)) {- if (IsInDropDownMode()) {- if (!IgnoreMouseEventForSelection(aMouseEvent)) {- aMouseEvent->PreventDefault();- aMouseEvent->StopPropagation();- } else {- CaptureMouseEvents(false);- return NS_OK;- }- CaptureMouseEvents(false);- return NS_ERROR_FAILURE; // means consume event- } else {- CaptureMouseEvents(false);- return NS_OK;- }- }-- const nsStyleVisibility* vis = StyleVisibility();-- if (!vis->IsVisible()) {- return NS_OK;- }-- if (IsInDropDownMode()) {- // XXX This is a bit of a hack, but.....- // But the idea here is to make sure you get an "onclick" event when you- // mouse down on the select and the drag over an option and let go And then- // NOT get an "onclick" event when when you click down on the select and- // then up outside of the select the EventStateManager tracks the content of- // the mouse down and the mouse up to make sure they are the same, and the- // onclick is sent in the PostHandleEvent depeneding on whether the- // clickCount is non-zero. 
So we cheat here by either setting or unsetting- // the clcikCount in the native event so the right thing happens for the- // onclick event- WidgetMouseEvent* mouseEvent =- aMouseEvent->WidgetEventPtr()->AsMouseEvent();-- int32_t selectedIndex;- if (NS_SUCCEEDED(GetIndexFromDOMEvent(aMouseEvent, selectedIndex))) {- // If it's not selectable, disallow the click and leave.- if (!IsOptionInteractivelySelectable(selectedIndex)) {- aMouseEvent->PreventDefault();- aMouseEvent->StopPropagation();- CaptureMouseEvents(false);- return NS_ERROR_FAILURE;- }-- if (kNothingSelected != selectedIndex) {- AutoWeakFrame weakFrame(this);- ComboboxFinish(selectedIndex);- if (!weakFrame.IsAlive()) {- return NS_OK;- }-- FireOnInputAndOnChange();- }-- mouseEvent->mClickCount = 1;- } else {- // the click was out side of the select or its dropdown- mouseEvent->mClickCount =- IgnoreMouseEventForSelection(aMouseEvent) ? 1 : 0;- }- } else {- CaptureMouseEvents(false);- // Notify- if (mChangesSinceDragStart) {- // reset this so that future MouseUps without a prior MouseDown- // won't fire onchange- mChangesSinceDragStart = false;- FireOnInputAndOnChange();- }- }-- return NS_OK;-}--void nsListControlFrame::UpdateInListState(dom::Event* aEvent) {- if (!mComboboxFrame || !mComboboxFrame->IsDroppedDown()) return;-- nsPoint pt = nsLayoutUtils::GetDOMEventCoordinatesRelativeTo(aEvent, this);- nsRect borderInnerEdge = GetScrollPortRect();- if (pt.y >= borderInnerEdge.y && pt.y < borderInnerEdge.YMost()) {- mItemSelectionStarted = true;- }-}--bool nsListControlFrame::IgnoreMouseEventForSelection(dom::Event* aEvent) {- if (!mComboboxFrame) return false;-- // Our DOM listener does get called when the dropdown is not- // showing, because it listens to events on the SELECT element- if (!mComboboxFrame->IsDroppedDown()) return true;-- return !mItemSelectionStarted; } #ifdef ACCESSIBILITY void nsListControlFrame::FireMenuItemActiveEvent(nsIContent* aPreviousOption) {- if ((mFocused != this && 
!IsInDropDownMode()) ||- (IsInDropDownMode() && !mComboboxFrame->IsDroppedDown())) {+ if (mFocused != this) { return; }@@ -1605,8 +1066,6 @@ nsresult nsListControlFrame::GetIndexFromDOMEvent(dom::Event* aMouseEvent, int32_t& aCurIndex) {- if (IgnoreMouseEventForSelection(aMouseEvent)) return NS_ERROR_FAILURE;- if (PresShell::GetCapturingContent() != mContent) { // If we're not capturing, then ignore movement in the border nsPoint pt =@@ -1633,59 +1092,11 @@ return NS_ERROR_FAILURE; }-static bool FireShowDropDownEvent(nsIContent* aContent, bool aShow,- bool aIsSourceTouchEvent) {- if (ShouldFireDropDownEvent()) {- nsString eventName;- if (aShow) {- eventName = aIsSourceTouchEvent ? u"mozshowdropdown-sourcetouch"_ns- : u"mozshowdropdown"_ns;- } else {- eventName = u"mozhidedropdown"_ns;- }- nsContentUtils::DispatchChromeEvent(aContent->OwnerDoc(), aContent,- eventName, CanBubble::eYes,- Cancelable::eNo);- return true;- }-- return false;-}--nsresult nsListControlFrame::MouseDown(dom::Event* aMouseEvent) {- NS_ASSERTION(aMouseEvent != nullptr, "aMouseEvent is null.");-- MouseEvent* mouseEvent = aMouseEvent->AsMouseEvent();- NS_ENSURE_TRUE(mouseEvent, NS_ERROR_FAILURE);-- UpdateInListState(aMouseEvent);-- EventStates eventStates = mContent->AsElement()->State();- if (eventStates.HasState(NS_EVENT_STATE_DISABLED)) {- return NS_OK;- }-- // only allow selection with the left button- // if a right button click is on the combobox itself- // or on the select when in listbox mode, then let the click through- if (!IsLeftButton(aMouseEvent)) {- if (IsInDropDownMode()) {- if (!IgnoreMouseEventForSelection(aMouseEvent)) {- aMouseEvent->PreventDefault();- aMouseEvent->StopPropagation();- } else {- return NS_OK;- }- return NS_ERROR_FAILURE; // means consume event- } else {- return NS_OK;- }- }-+nsresult nsListControlFrame::HandleLeftButtonMouseDown(+ dom::Event* aMouseEvent) { int32_t selectedIndex; if (NS_SUCCEEDED(GetIndexFromDOMEvent(aMouseEvent, selectedIndex))) { // Handle Like 
List- mButtonDown = true; CaptureMouseEvents(true); AutoWeakFrame weakFrame(this); bool change =@@ -1694,67 +1105,22 @@ return NS_OK; } mChangesSinceDragStart = change;- } else {- // NOTE: the combo box is responsible for dropping it down- if (mComboboxFrame) {- // Ignore the click that occurs on the option element when one is- // selected from the parent process popup.- if (mComboboxFrame->IsOpenInParentProcess()) {- nsCOMPtr<nsIContent> econtent =- do_QueryInterface(aMouseEvent->GetTarget());- HTMLOptionElement* option = HTMLOptionElement::FromNodeOrNull(econtent);- if (option) {- return NS_OK;- }- }-- uint16_t inputSource = mouseEvent->MozInputSource();- bool isSourceTouchEvent =- inputSource == MouseEvent_Binding::MOZ_SOURCE_TOUCH;- if (FireShowDropDownEvent(- mContent, !mComboboxFrame->IsDroppedDownOrHasParentPopup(),- isSourceTouchEvent)) {- return NS_OK;- }-- if (!IgnoreMouseEventForSelection(aMouseEvent)) {- return NS_OK;- }-- if (!nsComboboxControlFrame::ToolkitHasNativePopup()) {- bool isDroppedDown = mComboboxFrame->IsDroppedDown();- nsIFrame* comboFrame = do_QueryFrame(mComboboxFrame);- AutoWeakFrame weakFrame(comboFrame);- mComboboxFrame->ShowDropDown(!isDroppedDown);- if (!weakFrame.IsAlive()) return NS_OK;- if (isDroppedDown) {- CaptureMouseEvents(false);- }- }- }- }-+ } return NS_OK; }-nsresult nsListControlFrame::MouseMove(dom::Event* aMouseEvent) {- NS_ASSERTION(aMouseEvent, "aMouseEvent is null.");- MouseEvent* mouseEvent = aMouseEvent->AsMouseEvent();- NS_ENSURE_TRUE(mouseEvent, NS_ERROR_FAILURE);-- UpdateInListState(aMouseEvent);-- if (IsInDropDownMode()) {- if (mComboboxFrame->IsDroppedDown()) {- int32_t selectedIndex;- if (NS_SUCCEEDED(GetIndexFromDOMEvent(aMouseEvent, selectedIndex))) {- PerformSelection(selectedIndex, false, false); // might destroy us- }- }- } else { // XXX - temporary until we get drag events- if (mButtonDown) {- return DragMove(aMouseEvent); // might destroy us- }+nsresult 
nsListControlFrame::HandleLeftButtonMouseUp(dom::Event* aMouseEvent) {+ if (!StyleVisibility()->IsVisible()) {+ return NS_OK;+ }+ // Notify+ if (mChangesSinceDragStart) {+ // reset this so that future MouseUps without a prior MouseDown+ // won't fire onchange+ mChangesSinceDragStart = false;+ RefPtr listener = mEventListener;+ listener->FireOnInputAndOnChange();+ // Note that `this` may be dead now, as the above call runs script. } return NS_OK; }@@ -1762,31 +1128,27 @@ nsresult nsListControlFrame::DragMove(dom::Event* aMouseEvent) { NS_ASSERTION(aMouseEvent, "aMouseEvent is null.");- UpdateInListState(aMouseEvent);-- if (!IsInDropDownMode()) {- int32_t selectedIndex;- if (NS_SUCCEEDED(GetIndexFromDOMEvent(aMouseEvent, selectedIndex))) {- // Don't waste cycles if we already dragged over this item- if (selectedIndex == mEndSelectionIndex) {- return NS_OK;- }- MouseEvent* mouseEvent = aMouseEvent->AsMouseEvent();- NS_ASSERTION(mouseEvent, "aMouseEvent is not a MouseEvent!");- bool isControl;+ int32_t selectedIndex;+ if (NS_SUCCEEDED(GetIndexFromDOMEvent(aMouseEvent, selectedIndex))) {+ // Don't waste cycles if we already dragged over this item+ if (selectedIndex == mEndSelectionIndex) {+ return NS_OK;+ }+ MouseEvent* mouseEvent = aMouseEvent->AsMouseEvent();+ NS_ASSERTION(mouseEvent, "aMouseEvent is not a MouseEvent!");+ bool isControl; #ifdef XP_MACOSX- isControl = mouseEvent->MetaKey();+ isControl = mouseEvent->MetaKey(); #else- isControl = mouseEvent->CtrlKey();-#endif- AutoWeakFrame weakFrame(this);- // Turn SHIFT on when you are dragging, unless control is on.- bool wasChanged = PerformSelection(selectedIndex, !isControl, isControl);- if (!weakFrame.IsAlive()) {- return NS_OK;- }- mChangesSinceDragStart = mChangesSinceDragStart || wasChanged;- }+ isControl = mouseEvent->CtrlKey();+#endif+ AutoWeakFrame weakFrame(this);+ // Turn SHIFT on when you are dragging, unless control is on.+ bool wasChanged = PerformSelection(selectedIndex, !isControl, isControl);+ if 
(!weakFrame.IsAlive()) {+ return NS_OK;+ }+ mChangesSinceDragStart = mChangesSinceDragStart || wasChanged; } return NS_OK; }@@ -1820,502 +1182,9 @@ } }-//----------------------------------------------------------------------// Ok, the entire idea of this routine is to move to the next item that-// is suppose to be selected. If the item is disabled then we search in-// the same direction looking for the next item to select. If we run off-// the end of the list then we start at the end of the list and search-// backwards until we get back to the original item or an enabled option-//-// aStartIndex - the index to start searching from-// aNewIndex - will get set to the new index if it finds one-// aNumOptions - the total number of options in the list-// aDoAdjustInc - the initial increment 1-n-// aDoAdjustIncNext - the increment used to search for the next enabled option-//-// the aDoAdjustInc could be a "1" for a single item or-// any number greater representing a page of items-//-void nsListControlFrame::AdjustIndexForDisabledOpt(int32_t aStartIndex,- int32_t& aNewIndex,- int32_t aNumOptions,- int32_t aDoAdjustInc,- int32_t aDoAdjustIncNext) {- // Cannot select anything if there is nothing to select- if (aNumOptions == 0) {- aNewIndex = kNothingSelected;- return;- }-- // means we reached the end of the list and now we are searching backwards- bool doingReverse = false;- // lowest index in the search range- int32_t bottom = 0;- // highest index in the search range- int32_t top = aNumOptions;-- // Start off keyboard options at selectedIndex if nothing else is defaulted to- //- // XXX Perhaps this should happen for mouse too, to start off shift click- // automatically in multiple ... to do this, we'd need to override
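Review bot: In the UpdateSelection hunk (@@ -1204,87 +928,20 @@), the rewritten comment still opens with "if it's a combobox, display the new text" although the mComboboxFrame branch it described is deleted in the same hunk. Reword it to carry only the lifetime warning. Taking a local RefPtr to mEventListener before FireOnInputAndOnChange() and returning weakFrame.IsAlive() afterwards is the right shape, since no member of the frame is read after the call that can run script.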
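Review bot: In CalcIntrinsicBSize (@@ -1444,146 +1035,16 @@), "mNumDisplayRows = Select().Size();" drops the old FromNodeOrNull(mContent) null check and its fallback of one row. That is safe only if Select() cannot fail for this frame. A MOZ_ASSERT, or a comment stating that mContent is always an HTMLSelectElement here, would make the invariant explicit instead of implied.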
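Review bot: HandleLeftButtonMouseUp (@@ -1694,67 +1105,22 @@) keeps only the visibility check, while the removed MouseUp also returned early when the element had NS_EVENT_STATE_DISABLED and called CaptureMouseEvents(false) before firing the change notification. HandleLeftButtonMouseDown still calls CaptureMouseEvents(true), so the matching release and the disabled-state check must happen somewhere outside these lines. If HTMLSelectEventListener now performs both before calling in, document that contract on the two new methods.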
I'll analyze the code diff for security fixes following the specified format.

Vulnerability Existed: yes
Memory Leak Vulnerability [layout/forms/nsListControlFrame.cpp] [Lines 38-39, 54-55]
Old Code:
    StaticAutoPtr<nsString> nsListControlFrame::sIncrementalString;
    DOMTimeStamp nsListControlFrame::gLastKeyTime = 0;
Fixed Code:
    [Removed these static variables]
Details: The removed static variables could potentially cause memory leaks since they weren't properly cleaned up. The incremental string functionality appears to have been moved elsewhere.

Vulnerability Existed: yes
Event Listener Management Vulnerability [layout/forms/nsListControlFrame.cpp] [Lines 126-136]
Old Code:
    mContent->RemoveSystemEventListener(u"keydown"_ns, mEventListener, false);
    mContent->RemoveSystemEventListener(u"keypress"_ns, mEventListener, false);
    mContent->RemoveSystemEventListener(u"mousedown"_ns, mEventListener, false);
    mContent->RemoveSystemEventListener(u"mouseup"_ns, mEventListener, false);
    mContent->RemoveSystemEventListener(u"mousemove"_ns, mEventListener, false);
Fixed Code:
    mEventListener->Detach();
Details: The old code had manual event listener removal which could potentially miss some cases. The new version uses a more robust Detach() method.

Vulnerability Existed: yes
Improper Input Validation Vulnerability [layout/forms/nsListControlFrame.cpp] [Lines 683-685]
Old Code:
    HTMLOptionElement* nsListControlFrame::GetCurrentOption() {
      int32_t focusedIndex = (mEndSelectionIndex == kNothingSelected) ? GetSelectedIndex() : mEndSelectionIndex;
Fixed Code:
    HTMLOptionElement* nsListControlFrame::GetCurrentOption() const {
      return mEventListener->GetCurrentOption();
Details: The old code had potential issues with input validation and state management. The new version delegates this to a dedicated event listener class.

Vulnerability Existed: yes
Race Condition Vulnerability [layout/forms/nsListControlFrame.cpp] [Lines 928-932]
Old Code:
    void nsListControlFrame::FireOnInputAndOnChange() {
      if (mComboboxFrame) {
        int32_t index = mComboboxFrame->UpdateRecentIndex(NS_SKIP_NOTIFY_INDEX);
Fixed Code:
    RefPtr listener = mEventListener;
    listener->FireOnInputAndOnChange();
Details: The old code could potentially have race conditions when accessing frame pointers. The new version uses proper reference counting.

Vulnerability Existed: not sure
Potential Null Pointer Dereference [layout/forms/nsListControlFrame.cpp] [Lines 420-421]
Old Code:
    nsListControlFrame::nsListControlFrame(ComputedStyle* aStyle, nsPresContext* aPresContext)
Fixed Code:
    [Constructor simplified with removed members]
Details: The old version had more complex initialization that might have been vulnerable to null pointer issues. The simplified version appears safer but I'm not entirely sure.

Vulnerability Existed: yes
Improper Access Control Vulnerability [layout/forms/nsListControlFrame.cpp] [Lines 601-603]
Old Code:
    void nsListControlFrame::CaptureMouseEvents(bool aGrabMouseEvents) {
      if (aGrabMouseEvents && IsInDropDownMode() && nsComboboxControlFrame::ToolkitHasNativePopup())
Fixed Code:
    void nsListControlFrame::CaptureMouseEvents(bool aGrabMouseEvents) {
      if (aGrabMouseEvents) {
Details: The old code had platform-specific behavior that could lead to inconsistent security controls. The new version simplifies and standardizes the behavior.

Note: There are several other changes in this large diff that appear to be architectural improvements rather than direct security fixes, such as moving functionality to HTMLSelectEventListener class, simplifying the frame structure, and removing deprecated code paths. These changes likely improve security indirectly by reducing attack surface and complexity.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/libc/src/unix/bsd/freebsdlike/freebsd/freebsd13/mod.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/libc/src/unix/bsd/freebsdlike/freebsd/freebsd13/mod.rs@@ -28,17 +28,6 @@ pub data: ::intptr_t, pub udata: *mut ::c_void, pub ext: [u64; 4],- }-- pub struct sockcred2 {- pub sc_version: ::c_int,- pub sc_pid: ::pid_t,- pub sc_uid: ::uid_t,- pub sc_euid: ::uid_t,- pub sc_gid: ::gid_t,- pub sc_egid: ::gid_t,- pub sc_ngroups: ::c_int,- pub sc_groups: [::gid_t; 1], } pub struct kvm_page {@@ -479,17 +468,6 @@ pub const MINCORE_SUPER: ::c_int = 0x20;-f! {- pub fn SOCKCRED2SIZE(ngrps: usize) -> usize {- let ngrps = if ngrps > 0 {- ngrps - 1- } else {- 0- };- ::mem::size_of::<sockcred2>() + ::mem::size_of::<::gid_t>() * ngrps- }-}- extern "C" { pub fn aio_readv(aiocbp: *mut ::aiocb) -> ::c_int; pub fn aio_writev(aiocbp: *mut ::aiocb) -> ::c_int;@@ -555,7 +533,8 @@ cfg_if! { if #[cfg(any(target_arch = "x86_64",- target_arch = "aarch64"))] {+ target_arch = "aarch64",+ target_arch = "riscv64"))] { mod b64; pub use self::b64::*; }
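Review bot: The first two hunks delete the public sockcred2 struct and the SOCKCRED2SIZE helper from the freebsd13 module with no replacement visible in this file. Because this is a vendored crate under third_party/rust, confirm that nothing in-tree references sockcred2 or SOCKCRED2SIZE when building for FreeBSD 13, or that the updated crate re-exports them from a parent module. Otherwise this is a build break on that target rather than a cleanup.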
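Review bot: The cfg_if change at @@ -555,7 +533,8 @@ routes riscv64 to the existing b64 module alongside x86_64 and aarch64, and nothing in this hunk adds riscv64-specific definitions. Check that the types and constants b64 exports have the correct layout for riscv64 on FreeBSD 13 before relying on them across the FFI boundary.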
Analyzing the provided code diff, here's the security analysis:

1. Vulnerability Existed: not sure
   [Removal of sockcred2 struct and related function] [third_party/rust/libc/src/unix/bsd/freebsdlike/freebsd/freebsd13/mod.rs] [Lines 28-38, 479-487]
   [Old Code]
       pub struct sockcred2 {
           pub sc_version: ::c_int,
           pub sc_pid: ::pid_t,
           pub sc_uid: ::uid_t,
           pub sc_euid: ::uid_t,
           pub sc_gid: ::gid_t,
           pub sc_egid: ::gid_t,
           pub sc_ngroups: ::c_int,
           pub sc_groups: [::gid_t; 1],
       }
       ...
       pub fn SOCKCRED2SIZE(ngrps: usize) -> usize {
           let ngrps = if ngrps > 0 {
               ngrps - 1
           } else {
               0
           };
           ::mem::size_of::<sockcred2>() + ::mem::size_of::<::gid_t>() * ngrps
       }
   [Fixed Code]
       [Removed entirely]

2. Vulnerability Existed: not sure
   [Added riscv64 architecture support] [third_party/rust/libc/src/unix/bsd/freebsdlike/freebsd/freebsd13/mod.rs] [Lines 533-534]
   [Old Code]
       if #[cfg(any(target_arch = "x86_64", target_arch = "aarch64"))] {
   [Fixed Code]
       if #[cfg(any(target_arch = "x86_64", target_arch = "aarch64", target_arch = "riscv64"))] {

Note: While the removal of sockcred2 and its related function could potentially be security-related (as it deals with socket credentials), there's no clear evidence of a vulnerability being fixed. The addition of riscv64 support appears to be a feature addition rather than a security fix. Without more context about why these changes were made, we can't definitively state whether they addressed specific vulnerabilities.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/accessible/android/AccessibleWrap.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/accessible/android/AccessibleWrap.cpp@@ -660,11 +660,11 @@ } mozilla::java::GeckoBundle::LocalRef AccessibleWrap::ToBundle(- const uint64_t aState, const nsIntRect& aBounds, const uint8_t aActionCount,- const nsString& aName, const nsString& aTextValue,- const nsString& aDOMNodeID, const nsString& aDescription,- const double& aCurVal, const double& aMinVal, const double& aMaxVal,- const double& aStep, AccAttributes* aAttributes) {+ const uint64_t aState, const LayoutDeviceIntRect& aBounds,+ const uint8_t aActionCount, const nsString& aName,+ const nsString& aTextValue, const nsString& aDOMNodeID,+ const nsString& aDescription, const double& aCurVal, const double& aMinVal,+ const double& aMaxVal, const double& aStep, AccAttributes* aAttributes) { if (!IsProxy() && IsDefunct()) { return nullptr; }
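Review bot: ToBundle's aBounds parameter changes from nsIntRect to LayoutDeviceIntRect, but the hunk shows only the signature of the definition. The declaration in the header, every caller, and each use of aBounds in the body have to agree on the unit, so check that no call site still builds the rectangle as an nsIntRect and converts it on the way in. As a style point in the same parameter list, aCurVal, aMinVal, aMaxVal and aStep are taken as const double&; scalars like these are normally passed by value.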
Let me analyze this code diff for potential security vulnerabilities:

1. Vulnerability Existed: not sure
   [Potential Integer Overflow/Type Safety Issue] [accessible/android/AccessibleWrap.cpp] [Lines 660-668]
   [Old Code]
       const uint64_t aState, const nsIntRect& aBounds, const uint8_t aActionCount,
   [Fixed Code]
       const uint64_t aState, const LayoutDeviceIntRect& aBounds, const uint8_t aActionCount,
   Additional Details: The change from nsIntRect to LayoutDeviceIntRect might indicate a fix for potential integer overflow or type safety issues when handling coordinates, but without more context about the specific differences between these types, I can't be certain.

2. Vulnerability Existed: not sure
   [Potential Information Leak] [accessible/android/AccessibleWrap.cpp] [Lines 660-668]
   [Old Code]
       const nsString& aName, const nsString& aTextValue, const nsString& aDOMNodeID, const nsString& aDescription,
   [Fixed Code]
       const nsString& aName, const nsString& aTextValue, const nsString& aDOMNodeID, const nsString& aDescription,
   Additional Details: The reformatting of the parameter list might be related to preventing potential information leaks through more careful handling of string parameters, but this is speculative without more context about the actual implementation changes.

Note: The main visible change is the switch from nsIntRect to LayoutDeviceIntRect for the bounds parameter, which could be related to security but might also be just a functional improvement. Without more context about the specific vulnerabilities being addressed or the differences between these rectangle types, it's difficult to identify specific security issues.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/netwerk/base/ProxyAutoConfig.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/netwerk/base/ProxyAutoConfig.cpp@@ -56,239 +56,8 @@ // Per ProxyAutoConfig::Init, this data must be ASCII. static const char sAsciiPacUtils[] =- "function dnsDomainIs(host, domain) {\n"- " return (host.length >= domain.length &&\n"- " host.substring(host.length - domain.length) == domain);\n"- "}\n"- ""- "function dnsDomainLevels(host) {\n"- " return host.split('.').length - 1;\n"- "}\n"- ""- "function isValidIpAddress(ipchars) {\n"- " var matches = "- "/^(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})$/.exec(ipchars);\n"- " if (matches == null) {\n"- " return false;\n"- " } else if (matches[1] > 255 || matches[2] > 255 || \n"- " matches[3] > 255 || matches[4] > 255) {\n"- " return false;\n"- " }\n"- " return true;\n"- "}\n"- ""- "function convert_addr(ipchars) {\n"- " var bytes = ipchars.split('.');\n"- " var result = ((bytes[0] & 0xff) << 24) |\n"- " ((bytes[1] & 0xff) << 16) |\n"- " ((bytes[2] & 0xff) << 8) |\n"- " (bytes[3] & 0xff);\n"- " return result;\n"- "}\n"- ""- "function isInNet(ipaddr, pattern, maskstr) {\n"- " if (!isValidIpAddress(pattern) || !isValidIpAddress(maskstr)) {\n"- " return false;\n"- " }\n"- " if (!isValidIpAddress(ipaddr)) {\n"- " ipaddr = dnsResolve(ipaddr);\n"- " if (ipaddr == null) {\n"- " return false;\n"- " }\n"- " }\n"- " var host = convert_addr(ipaddr);\n"- " var pat = convert_addr(pattern);\n"- " var mask = convert_addr(maskstr);\n"- " return ((host & mask) == (pat & mask));\n"- " \n"- "}\n"- ""- "function isPlainHostName(host) {\n"- " return (host.search('(\\\\.)|:') == -1);\n"- "}\n"- ""- "function isResolvable(host) {\n"- " var ip = dnsResolve(host);\n"- " return (ip != null);\n"- "}\n"- ""- "function localHostOrDomainIs(host, hostdom) {\n"- " return (host == hostdom) ||\n"- " 
(hostdom.lastIndexOf(host + '.', 0) == 0);\n"- "}\n"- ""- "function shExpMatch(url, pattern) {\n"- " pattern = pattern.replace(/\\./g, '\\\\.');\n"- " pattern = pattern.replace(/\\*/g, '.*');\n"- " pattern = pattern.replace(/\\?/g, '.');\n"- " var newRe = new RegExp('^'+pattern+'$');\n"- " return newRe.test(url);\n"- "}\n"- ""- "var wdays = {SUN: 0, MON: 1, TUE: 2, WED: 3, THU: 4, FRI: 5, SAT: 6};\n"- "var months = {JAN: 0, FEB: 1, MAR: 2, APR: 3, MAY: 4, JUN: 5, JUL: 6, "- "AUG: 7, SEP: 8, OCT: 9, NOV: 10, DEC: 11};\n"- ""- "function weekdayRange() {\n"- " function getDay(weekday) {\n"- " if (weekday in wdays) {\n"- " return wdays[weekday];\n"- " }\n"- " return -1;\n"- " }\n"- " var date = new Date();\n"- " var argc = arguments.length;\n"- " var wday;\n"- " if (argc < 1)\n"- " return false;\n"- " if (arguments[argc - 1] == 'GMT') {\n"- " argc--;\n"- " wday = date.getUTCDay();\n"- " } else {\n"- " wday = date.getDay();\n"- " }\n"- " var wd1 = getDay(arguments[0]);\n"- " var wd2 = (argc == 2) ? getDay(arguments[1]) : wd1;\n"- " return (wd1 == -1 || wd2 == -1) ? false\n"- " : (wd1 <= wd2) ? (wd1 <= wday && wday "- "<= wd2)\n"- " : (wd2 >= wday || wday "- ">= wd1);\n"- "}\n"- ""- "function dateRange() {\n"- " function getMonth(name) {\n"- " if (name in months) {\n"- " return months[name];\n"- " }\n"- " return -1;\n"- " }\n"- " var date = new Date();\n"- " var argc = arguments.length;\n"- " if (argc < 1) {\n"- " return false;\n"- " }\n"- " var isGMT = (arguments[argc - 1] == 'GMT');\n"- "\n"- " if (isGMT) {\n"- " argc--;\n"- " }\n"- " // function will work even without explict handling of this case\n"- " if (argc == 1) {\n"- " var tmp = parseInt(arguments[0]);\n"- " if (isNaN(tmp)) {\n"- " return ((isGMT ? date.getUTCMonth() : date.getMonth()) ==\n"- " getMonth(arguments[0]));\n"- " } else if (tmp < 32) {\n"- " return ((isGMT ? date.getUTCDate() : date.getDate()) == "- "tmp);\n"- " } else { \n"- " return ((isGMT ? 
date.getUTCFullYear() : date.getFullYear()) "- "==\n"- " tmp);\n"- " }\n"- " }\n"- " var year = date.getFullYear();\n"- " var date1, date2;\n"- " date1 = new Date(year, 0, 1, 0, 0, 0);\n"- " date2 = new Date(year, 11, 31, 23, 59, 59);\n"- " var adjustMonth = false;\n"- " for (var i = 0; i < (argc >> 1); i++) {\n"- " var tmp = parseInt(arguments[i]);\n"- " if (isNaN(tmp)) {\n"- " var mon = getMonth(arguments[i]);\n"- " date1.setMonth(mon);\n"- " } else if (tmp < 32) {\n"- " adjustMonth = (argc <= 2);\n"- " date1.setDate(tmp);\n"- " } else {\n"- " date1.setFullYear(tmp);\n"- " }\n"- " }\n"- " for (var i = (argc >> 1); i < argc; i++) {\n"- " var tmp = parseInt(arguments[i]);\n"- " if (isNaN(tmp)) {\n"- " var mon = getMonth(arguments[i]);\n"- " date2.setMonth(mon);\n"- " } else if (tmp < 32) {\n"- " date2.setDate(tmp);\n"- " } else {\n"- " date2.setFullYear(tmp);\n"- " }\n"- " }\n"- " if (adjustMonth) {\n"- " date1.setMonth(date.getMonth());\n"- " date2.setMonth(date.getMonth());\n"- " }\n"- " if (isGMT) {\n"- " var tmp = date;\n"- " tmp.setFullYear(date.getUTCFullYear());\n"- " tmp.setMonth(date.getUTCMonth());\n"- " tmp.setDate(date.getUTCDate());\n"- " tmp.setHours(date.getUTCHours());\n"- " tmp.setMinutes(date.getUTCMinutes());\n"- " tmp.setSeconds(date.getUTCSeconds());\n"- " date = tmp;\n"- " }\n"- " return (date1 <= date2) ? (date1 <= date) && (date <= date2)\n"- " : (date2 >= date) || (date >= date1);\n"- "}\n"- ""- "function timeRange() {\n"- " var argc = arguments.length;\n"- " var date = new Date();\n"- " var isGMT= false;\n"- ""- " if (argc < 1) {\n"- " return false;\n"- " }\n"- " if (arguments[argc - 1] == 'GMT') {\n"- " isGMT = true;\n"- " argc--;\n"- " }\n"- "\n"- " var hour = isGMT ? 
date.getUTCHours() : date.getHours();\n"- " var date1, date2;\n"- " date1 = new Date();\n"- " date2 = new Date();\n"- "\n"- " if (argc == 1) {\n"- " return (hour == arguments[0]);\n"- " } else if (argc == 2) {\n"- " return ((arguments[0] <= hour) && (hour <= arguments[1]));\n"- " } else {\n"- " switch (argc) {\n"- " case 6:\n"- " date1.setSeconds(arguments[2]);\n"- " date2.setSeconds(arguments[5]);\n"- " case 4:\n"- " var middle = argc >> 1;\n"- " date1.setHours(arguments[0]);\n"- " date1.setMinutes(arguments[1]);\n"- " date2.setHours(arguments[middle]);\n"- " date2.setMinutes(arguments[middle + 1]);\n"- " if (middle == 2) {\n"- " date2.setSeconds(59);\n"- " }\n"- " break;\n"- " default:\n"- " throw 'timeRange: bad number of arguments'\n"- " }\n"- " }\n"- "\n"- " if (isGMT) {\n"- " date.setFullYear(date.getUTCFullYear());\n"- " date.setMonth(date.getUTCMonth());\n"- " date.setDate(date.getUTCDate());\n"- " date.setHours(date.getUTCHours());\n"- " date.setMinutes(date.getUTCMinutes());\n"- " date.setSeconds(date.getUTCSeconds());\n"- " }\n"- " return (date1 <= date2) ? (date1 <= date) && (date <= date2)\n"- " : (date2 >= date) || (date >= date1);\n"- "\n"- "}\n"- "";+#include "ascii_pac_utils.inc"+ ; // sRunning is defined for the helper functions only while the // Javascript engine is running and the PAC object cannot be deleted
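Review bot: The `#include "ascii_pac_utils.inc"` line stands in for the whole string literal and is closed by the bare `;` on the following line, so the included file has to expand to exactly one string-literal expression, and nothing at the include site says so. A short comment stating what the .inc must contain and where it is produced would help. Since the removed helpers (`shExpMatch`, `weekdayRange`, `dateRange`, `timeRange`) are not shown at their new location, the .inc should be reviewed alongside this hunk to confirm the PAC helper script is unchanged.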
Analyzing the provided code diff, I notice that a large block of JavaScript code was replaced with an include statement for an external file. Here's my analysis: Vulnerability Existed: not sure Potential Code Maintenance/Injection Vulnerability [File] netwerk/base/ProxyAutoConfig.cpp [Lines 56-239] [Old Code] The entire large block of embedded JavaScript code shown in the diff [Fixed Code] #include "ascii_pac_utils.inc" Additional Details: 1. The change moves the JavaScript utility functions from being hardcoded in the C++ file to being included from an external file. 2. While this doesn't directly show a security vulnerability, it could be related to: - Better code maintenance (making updates easier) - Potential prevention of code injection vulnerabilities by separating the JS code - Possible previous issues with maintaining the embedded JS code correctly 3. Without seeing the contents of ascii_pac_utils.inc, we can't determine if specific vulnerabilities were fixed in the JS code itself. Note: The diff shows a complete replacement rather than specific fixes, so we can't identify if any particular vulnerabilities were addressed in the JavaScript functions themselves. The change appears to be primarily architectural rather than security-focused.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-shapes/shape-outside/supported-shapes/inset/shape-outside-inset-023.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-shapes/shape-outside/supported-shapes/inset/shape-outside-inset-023.html@@ -9,7 +9,6 @@ <link rel="author" title="Mozilla" href="http://www.mozilla.org/"> <link rel="help" href="https://drafts.csswg.org/css-shapes-1/#supported-basic-shapes"> <link rel="match" href="reference/shape-outside-inset-023-ref.html">- <meta name="flags" content=""> <meta name="assert" content="Test the boxes are wrapping around the right float shape defined by the inset(10px round 60px 0/ 40px 0) border-box value under vertical-rl writing-mode."> <style> .container {
Based on the provided code diff, I'll analyze it for security vulnerabilities: Vulnerability Existed: no No security vulnerability found [File] [Lines 9] [Old Code] <meta name="flags" content=""> [Fixed Code] (line removed) Additional Details: - This appears to be a simple removal of an empty meta tag "flags" which was likely unused - The change doesn't relate to any known security vulnerability patterns - The modification seems to be a cleanup rather than a security fix - No sensitive data handling, input validation, or security-related functionality is affected No other vulnerabilities were detected in this small diff. The change is purely cosmetic/structural rather than security-related.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/syn/build.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/syn/build.rs@@ -42,6 +42,6 @@ return None; } let minor = pieces.next()?.parse().ok()?;- let nightly = version.contains("nightly");+ let nightly = version.contains("nightly") || version.ends_with("-dev"); Some(Compiler { minor, nightly }) }
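Review bot: In the changed `let nightly = ...` line, `version.ends_with("-dev")` is an exact-suffix test while the existing `version.contains("nightly")` matches anywhere in the string, so the new arm only fires when `version` ends in `-dev` with nothing after it (no trailing newline, hash or date). If `version` can carry any trailing text, trim it first or use a test that tolerates it, and add a comment giving an example of the version string this is meant to match.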
Here's the analysis of the provided code diff: Vulnerability Existed: not sure [Potential Version String Parsing Issue] [third_party/rust/syn/build.rs] [Lines 42] [Old Code] let nightly = version.contains("nightly"); [Fixed Code] let nightly = version.contains("nightly") || version.ends_with("-dev"); Additional Details: 1. The change adds detection of "-dev" versions in addition to "nightly" versions when determining compiler properties. 2. While this doesn't appear to fix a security vulnerability directly, it could be related to preventing potential issues with version detection. 3. The modification might be part of a broader security fix where proper version detection is important for feature flags or security patches. 4. Without more context about how this `nightly` flag is used, we can't determine if this was fixing a specific vulnerability.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.arcTo.nonfinite.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.arcTo.nonfinite.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.moveTo(0, 0); ctx.lineTo(100, 0);@@ -67,8 +67,8 @@ ctx.lineTo(0, 50); ctx.fillStyle = '#0f0'; ctx.fill();-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");-_assertPixel(offscreenCanvas, 90,45, 0,255,0,255, "90,45", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 90,45, 0,255,0,255, "90,45", "0,255,0,255"); t.done(); });
Analysis of the provided code diff: 1. Vulnerability Existed: no No specific vulnerability found [File] [Lines 17-18, 67-68] [Old Code] ```javascript var offscreenCanvas = new OffscreenCanvas(100, 50); var ctx = offscreenCanvas.getContext('2d'); ``` [Fixed Code] ```javascript var canvas = new OffscreenCanvas(100, 50); var ctx = canvas.getContext('2d'); ``` 2. Vulnerability Existed: no No specific vulnerability found [File] [Lines 67-68] [Old Code] ```javascript _assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); _assertPixel(offscreenCanvas, 90,45, 0,255,0,255, "90,45", "0,255,0,255"); ``` [Fixed Code] ```javascript _assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); _assertPixel(canvas, 90,45, 0,255,0,255, "90,45", "0,255,0,255"); ``` The changes appear to be purely variable name refactoring (renaming `offscreenCanvas` to `canvas`) with no security implications. No actual vulnerabilities were identified in this diff. The changes are likely for code consistency or readability rather than security fixes.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/compositing/2d.composite.uncovered.pattern.destination-atop.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/compositing/2d.composite.uncovered.pattern.destination-atop.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = 'rgba(0, 255, 255, 0.5)';@@ -37,7 +37,7 @@ createImageBitmap(response).then(bitmap => { ctx.fillStyle = ctx.createPattern(bitmap, 'no-repeat'); ctx.fillRect(0, 50, 100, 50);- _assertPixelApprox(offscreenCanvas, 50,25, 0,0,0,0, "50,25", "0,0,0,0", 5);+ _assertPixelApprox(canvas, 50,25, 0,0,0,0, "50,25", "0,0,0,0", 5); }, t_fail); }).then(t_pass, t_fail);
Based on the provided code diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely variable renaming and don't involve any security-sensitive modifications. Here's the analysis following your requested format: Vulnerability Existed: no No security vulnerability found [File] [Lines 17-18, 37] [Old Code] var offscreenCanvas = new OffscreenCanvas(100, 50); var ctx = offscreenCanvas.getContext('2d'); ... _assertPixelApprox(offscreenCanvas, 50,25, 0,0,0,0, "50,25", "0,0,0,0", 5); [Fixed Code] var canvas = new OffscreenCanvas(100, 50); var ctx = canvas.getContext('2d'); ... _assertPixelApprox(canvas, 50,25, 0,0,0,0, "50,25", "0,0,0,0", 5); The changes simply rename the variable `offscreenCanvas` to `canvas` for consistency or readability, but this doesn't represent a security fix. The functionality remains exactly the same.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-values/calc-vertical-align-1-ref.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-values/calc-vertical-align-1-ref.html@@ -3,7 +3,6 @@ <head> <title>CSS Reference: Test for vertical-align:calc()</title> <link rel="author" title="L. David Baron" href="https://dbaron.org/">- <meta name="flags" content=""> <div style="line-height: 100px; margin-top: 100px"> <span>x</span>
Based on the provided code diff, here's the analysis: Vulnerability Existed: no No security vulnerability found [File] [Lines 3-4] [Old Code] `<meta name="flags" content="">` [Fixed Code] (Line removed) Additional Details: - The change simply removes an empty meta tag that was serving no apparent purpose - No security implications are evident from this change - This appears to be a minor cleanup rather than a security fix No other vulnerabilities were identified in the provided diff. The modification doesn't relate to any known vulnerability patterns (XSS, injection, etc.) and doesn't affect security-sensitive functionality.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/js/src/devtools/rootAnalysis/run-test.py+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/js/src/devtools/rootAnalysis/run-test.py@@ -108,6 +108,7 @@ os.environ["HAZARD_RUN_INTERNAL_TESTS"] = "1" failed = set()+passed = set() for name in cfg.tests: name = os.path.basename(name) indir = os.path.join(testdir, name)@@ -134,6 +135,9 @@ raise else: print("TEST-PASSED: %s" % name)+ passed.add(name) if failed: raise Exception("Failed tests: " + " ".join(failed))++print(f"All {len(passed)} tests passed.")
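Review bot: The final `print(f"All {len(passed)} tests passed.")` runs whenever `failed` is empty, including when `cfg.tests` is empty, in which case it reports "All 0 tests passed." as a success. Consider raising or warning when `passed` is empty. The f-string also differs from the `%` formatting used a few lines above in `print("TEST-PASSED: %s" % name)`; pick one style for the file.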
Analyzing the provided code diff for security fixes: 1. Vulnerability Existed: no No specific vulnerability [File] js/src/devtools/rootAnalysis/run-test.py [Lines] 108-135 [Old Code] No tracking of passed tests [Fixed Code] Added tracking of passed tests with a `passed` set and summary output The diff shows an enhancement to the test reporting system by adding tracking of passed tests and a summary output, but doesn't appear to address any specific security vulnerability. The changes are primarily about improving test result reporting and tracking rather than fixing security issues. No security vulnerabilities were identified in this diff. The changes are functional improvements to the test runner's reporting capabilities.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/filters/2d.filter.canvasFilterObject.blur.exceptions.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/filters/2d.filter.canvasFilterObject.blur.exceptions.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); assert_throws_js(TypeError, function() { ctx.filter = new CanvasFilter({filter: "gaussianBlur"}); }); assert_throws_js(TypeError, function() { ctx.filter = new CanvasFilter({filter: "gaussianBlur", stdDeviation: undefined}); });
Analysis of the provided code diff: 1. Vulnerability Existed: no Variable Renaming [File] [Lines 13-14] [Old Code] var offscreenCanvas = new OffscreenCanvas(100, 50); var ctx = offscreenCanvas.getContext('2d'); [Fixed Code] var canvas = new OffscreenCanvas(100, 50); var ctx = canvas.getContext('2d'); Additional Details: - The change appears to be purely a variable name change from `offscreenCanvas` to `canvas`, which doesn't affect security - No security vulnerabilities are introduced or fixed by this change - The rest of the test assertions remain unchanged and are not security-related No security vulnerabilities were found in this diff. The changes appear to be cosmetic/consistency improvements rather than security fixes.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/text/2d.text.measure.baselines.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/text/2d.text.measure.baselines.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); var f = new FontFace("CanvasTest", "url('/fonts/CanvasTest.ttf')"); let fonts = (self.fonts ? self.fonts : document.fonts);
Analyzing the provided code diff for security fixes: 1. Vulnerability Existed: no No specific vulnerability found [File] testing/web-platform/tests/html/canvas/offscreen/text/2d.text.measure.baselines.worker.js [Lines] 13-14 [Old Code] var offscreenCanvas = new OffscreenCanvas(100, 50); var ctx = offscreenCanvas.getContext('2d'); [Fixed Code] var canvas = new OffscreenCanvas(100, 50); var ctx = canvas.getContext('2d'); The change appears to be a simple variable renaming from `offscreenCanvas` to `canvas`. This doesn't appear to address any security vulnerability but rather improves code consistency or readability. 2. Vulnerability Existed: not sure Potential resource loading issue [File] testing/web-platform/tests/html/canvas/offscreen/text/2d.text.measure.baselines.worker.js [Lines] 16 [Old Code] var f = new FontFace("CanvasTest", "url('/fonts/CanvasTest.ttf')"); [Fixed Code] (same line, no change) While this line wasn't modified in the diff, the font loading via URL could potentially be a security consideration if not properly handled (e.g., XSS if the font path is attacker-controlled), but there's no evidence this was fixed in the diff. The path appears to be hardcoded, so likely low risk.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/devtools/client/debugger/src/actions/pause/inlinePreview.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/devtools/client/debugger/src/actions/pause/inlinePreview.js@@ -2,7 +2,6 @@ * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at <http://mozilla.org/MPL/2.0/>. */-import { sortBy } from "lodash"; import { getOriginalFrameScope, getGeneratedFrameScope,@@ -118,17 +117,26 @@ scopes = scopes.parent; }+ // Sort previews by line and column so they're displayed in the right order in the editor+ allPreviews.sort((previewA, previewB) => {+ if (previewA.line < previewB.line) {+ return -1;+ }+ if (previewA.line > previewB.line) {+ return 1;+ }+ // If we have the same line number+ return previewA.column < previewB.column ? -1 : 1;+ });+ const previews = {};- const sortedPreviews = sortBy(allPreviews, ["line", "column"]);-- sortedPreviews.forEach(preview => {+ for (const preview of allPreviews) { const { line } = preview; if (!previews[line]) {- previews[line] = [preview];- } else {- previews[line].push(preview);- }- });+ previews[line] = [];+ }+ previews[line].push(preview);+ } return dispatch({ type: "ADD_INLINE_PREVIEW",
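Review bot: The comparator passed to `allPreviews.sort(...)` in the second hunk never returns 0: for two previews with the same `line` and `column`, `previewA.column < previewB.column ? -1 : 1` yields 1 in both argument orders, which makes the comparison function inconsistent. Use `previewA.column - previewB.column` for the tie-break instead. Also, `sort` reorders `allPreviews` in place, whereas the removed `sortBy(allPreviews, ["line", "column"])` produced a separate `sortedPreviews`; confirm nothing else relies on the original order.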
Let me analyze the code diff for security vulnerabilities: 1. Vulnerability Existed: no The main change here is replacing the lodash `sortBy` function with a custom sorting implementation and simplifying the previews array construction. This appears to be a performance/optimization change rather than a security fix. 2. Vulnerability Existed: no The change from `sortedPreviews.forEach` to `for...of` loop is a coding style/performance improvement and doesn't appear to address any security vulnerability. 3. Vulnerability Existed: no The modification in how the previews object is populated (initializing with empty array first) is a code clarity improvement and doesn't indicate any security fixes. No security vulnerabilities were identified in this diff. The changes appear to be focused on: 1. Removing lodash dependency for sorting 2. Improving code clarity 3. Potentially improving performance 4. Making the sorting logic more explicit The diff doesn't show any patterns typically associated with security fixes such as: - Input validation - Output encoding - Authentication checks - Authorization improvements - Secure data handling - Protection against injection attacks
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/libc/src/unix/linux_like/linux/arch/sparc/mod.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/libc/src/unix/linux_like/linux/arch/sparc/mod.rs@@ -123,3 +123,6 @@ pub const BOTHER: ::speed_t = 0x1000; pub const IBSHIFT: ::tcflag_t = 16;++pub const BLKSSZGET: ::c_int = 0x20001268;+pub const BLKPBSZGET: ::c_int = 0x2000127B;
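Review bot: The two added constants `BLKSSZGET` and `BLKPBSZGET` carry no comment saying which kernel header or ioctl encoding the values `0x20001268` and `0x2000127B` were taken from, and they are hard-coded rather than derived. Add a one-line source reference, and confirm `::c_int` is the type callers pass as the ioctl request on this target.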
Analyzing the provided code diff, which adds two new constants for SPARC architecture in Linux: 1. First potential issue: Vulnerability Existed: no [No specific vulnerability - Added constants] [third_party/rust/libc/src/unix/linux_like/linux/arch/sparc/mod.rs] [Lines 123-126] [Old Code: File ended after IBSHIFT definition] [Fixed Code: Added BLKSSZGET and BLKPBSZGET constants] 2. Second potential issue: Vulnerability Existed: not sure [Potential missing constants vulnerability] [third_party/rust/libc/src/unix/linux_like/linux/arch/sparc/mod.rs] [Lines 123-126] [Old Code: Missing BLKSSZGET and BLKPBSZGET definitions] [Fixed Code: Added these definitions] The diff shows the addition of two constants (BLKSSZGET and BLKPBSZGET) for block device operations on SPARC architecture. While this isn't fixing a specific known vulnerability, it could be considered a completeness fix to ensure proper functionality when dealing with block devices on SPARC systems. The absence of these constants might have caused incorrect behavior when making these specific ioctl calls, but there's no evidence this was an actual security vulnerability.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.bezierCurveTo.ensuresubpath.2.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.bezierCurveTo.ensuresubpath.2.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillRect(0, 0, 100, 50);@@ -27,8 +27,8 @@ ctx.beginPath(); ctx.bezierCurveTo(0, 25, 100, 25, 100, 25); ctx.stroke();-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");-_assertPixel(offscreenCanvas, 5,45, 0,255,0,255, "5,45", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 5,45, 0,255,0,255, "5,45", "0,255,0,255"); t.done(); });
After analyzing the provided code diff, here's the security assessment: Vulnerability Existed: no [Variable Renaming] [testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.bezierCurveTo.ensuresubpath.2.html] [Lines 17-18, 27-28] [Old Code] var offscreenCanvas = new OffscreenCanvas(100, 50); var ctx = offscreenCanvas.getContext('2d'); ... _assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); _assertPixel(offscreenCanvas, 5,45, 0,255,0,255, "5,45", "0,255,0,255"); [Fixed Code] var canvas = new OffscreenCanvas(100, 50); var ctx = canvas.getContext('2d'); ... _assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); _assertPixel(canvas, 5,45, 0,255,0,255, "5,45", "0,255,0,255"); The changes appear to be purely cosmetic, renaming the variable `offscreenCanvas` to `canvas` for consistency or clarity. There are no security vulnerabilities being fixed in this diff - it's simply a variable name change that doesn't affect functionality or security. The test assertions remain the same, just using the new variable name.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/tools/wptrunner/wptrunner/browsers/edge_webdriver.py+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/tools/wptrunner/wptrunner/browsers/edge_webdriver.py@@ -1,6 +1,5 @@ from .base import NullBrowser # noqa: F401 from .edge import (EdgeBrowser, # noqa: F401- EdgeDriverWdspecExecutor, # noqa: F401 check_args, # noqa: F401 browser_kwargs, # noqa: F401 executor_kwargs, # noqa: F401@@ -9,17 +8,17 @@ run_info_extras, # noqa: F401 get_timeout_multiplier) # noqa: F401+from ..executors.base import WdspecExecutor # noqa: F401 from ..executors.executorwebdriver import (WebDriverTestharnessExecutor, # noqa: F401 WebDriverRefTestExecutor) # noqa: F401 __wptrunner__ = {"product": "edge_webdriver", "check_args": "check_args",- "browser": {None: "EdgeBrowser",- "wdspec": "NullBrowser"},+ "browser": "EdgeBrowser", "executor": {"testharness": "WebDriverTestharnessExecutor", "reftest": "WebDriverRefTestExecutor",- "wdspec": "EdgeDriverWdspecExecutor"},+ "wdspec": "WdspecExecutor"}, "browser_kwargs": "browser_kwargs", "executor_kwargs": "executor_kwargs", "env_extras": "env_extras",
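Review bot: With `"browser"` reduced to the plain string `"EdgeBrowser"`, the `"wdspec": "NullBrowser"` entry is gone, but the first line still has `from .base import NullBrowser # noqa: F401`, and the `noqa` hides whether that import is now dead. Remove it if nothing looks it up by name. Separately, `"wdspec"` now maps to the generic `WdspecExecutor`; the change description should state that whatever `EdgeDriverWdspecExecutor` customized is no longer needed.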
Analyzing the provided code diff, here are the potential security vulnerabilities: 1. Vulnerability Existed: not sure [Potential Import/Class Usage Change] [testing/web-platform/tests/tools/wptrunner/wptrunner/browsers/edge_webdriver.py] [Lines 1-9, 17] [Old Code] `from .edge import (EdgeBrowser, # noqa: F401 EdgeDriverWdspecExecutor, # noqa: F401 ...)` [Fixed Code] `from .edge import (EdgeBrowser, # noqa: F401 ...)` `from ..executors.base import WdspecExecutor # noqa: F401` 2. Vulnerability Existed: not sure [Potential Executor Implementation Change] [testing/web-platform/tests/tools/wptrunner/wptrunner/browsers/edge_webdriver.py] [Lines 17] [Old Code] `"wdspec": "EdgeDriverWdspecExecutor"` [Fixed Code] `"wdspec": "WdspecExecutor"` The changes appear to be architectural rather than directly security-related, involving: 1. Removal of EdgeDriverWdspecExecutor import from .edge 2. Addition of WdspecExecutor import from ..executors.base 3. Change in executor mapping from EdgeDriverWdspecExecutor to WdspecExecutor While these changes might affect security by altering which executor class is used for wdspec tests, there isn't enough context to determine if this fixes or introduces any specific vulnerabilities. The changes suggest a move toward a more standardized executor implementation.