Shared security patch analysis results
AI Used: DEEPSEEK deepseek-chat--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/feature-policy/reporting/screen-wake-lock-reporting.https.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/feature-policy/reporting/screen-wake-lock-reporting.https.html@@ -9,7 +9,7 @@ promise_test(async (t) => { const reportPromise = new Promise(resolve => { new ReportingObserver((reports, observer) => resolve(reports),- {types: ["feature-policy-violation"]}).observe();+ {types: ["permissions-policy-violation"]}).observe(); }); // Even though we do not explicitly allow screen wake lock requests in // testdriver, per spec Permissions Policy checks should happen earlier.@@ -19,7 +19,7 @@ assert_equals(reports.length, 1); const report = reports[0];- assert_equals(report.type, "feature-policy-violation");+ assert_equals(report.type, "permissions-policy-violation"); assert_equals(report.url, document.location.href); assert_equals(report.body.featureId, "screen-wake-lock"); assert_equals(report.body.sourceFile, document.location.href);
Analysis of the provided code diff: 1. Vulnerability Existed: no [Feature Policy to Permissions Policy Renaming] [testing/web-platform/tests/feature-policy/reporting/screen-wake-lock-reporting.https.html] [Lines 9,19] [Old Code] `{types: ["feature-policy-violation"]}` `assert_equals(report.type, "feature-policy-violation");` [Fixed Code] `{types: ["permissions-policy-violation"]}` `assert_equals(report.type, "permissions-policy-violation");` Additional Details: This is a web-platform-tests update, not a security fix. The only change is the report type string, renamed from `feature-policy-violation` to `permissions-policy-violation` to match the Permissions Policy specification that superseded Feature Policy. Because the file is a test, the diff does not change browser behaviour by itself; it indicates that the ReportingObserver implementation now emits (or is expected to emit) the new type name, so any detection or telemetry that filters on `feature-policy-violation` reports should be updated to the new name.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7. Note that this advisory text is reproduced here without a matching diff: neither change shown on this page (the Permissions Policy test rename and the Wayland clipboard refactor) touches iframe sandboxing or popup handling, so it should not be read as the fix for that issue.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/widget/gtk/nsClipboardWayland.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/widget/gtk/nsClipboardWayland.cpp@@ -1,353 +1,68 @@-/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 2 -*- */-/* vim:expandtab:shiftwidth=4:tabstop=4:+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */+/* vim:expandtab:shiftwidth=2:tabstop=2: */ /* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */-#include "mozilla/ArrayUtils.h"+#include "nsClipboardWayland.h"-#include "nsArrayUtils.h"-#include "nsClipboard.h"-#include "nsClipboardWayland.h"-#include "nsSupportsPrimitives.h"-#include "nsString.h"-#include "nsReadableUtils.h"-#include "nsPrimitiveHelpers.h"-#include "nsImageToPixbuf.h"-#include "nsStringStream.h"-#include "mozilla/RefPtr.h"+#include "AsyncGtkClipboardRequest.h" #include "mozilla/TimeStamp.h"-#include "nsDragService.h"-#include "mozwayland/mozwayland.h"-#include "nsWaylandDisplay.h"-#include "nsWindow.h" #include "mozilla/ScopeExit.h"-#include "mozilla/StaticPrefs_widget.h"-#include "nsThreadUtils.h"+#include "prtime.h" #include <gtk/gtk.h>-#include <poll.h> #include <stdlib.h> #include <string.h>-#include <fcntl.h>-#include <errno.h> using namespace mozilla;-using namespace mozilla::widget;-const char* nsRetrievalContextWayland::sTextMimeTypes[TEXT_MIME_TYPES_NUM] = {- "text/plain;charset=utf-8", "UTF8_STRING", "COMPOUND_TEXT"};+nsRetrievalContextWayland::nsRetrievalContextWayland() = default;-static inline GdkDragAction wl_to_gdk_actions(uint32_t dnd_actions) {- GdkDragAction actions = GdkDragAction(0);+ClipboardTargets nsRetrievalContextWayland::GetTargets(+ int32_t aWhichClipboard) {+ 
LOGCLIP("nsRetrievalContextWayland::GetTargets()\n");- if (dnd_actions & WL_DATA_DEVICE_MANAGER_DND_ACTION_COPY)- actions = GdkDragAction(actions | GDK_ACTION_COPY);- if (dnd_actions & WL_DATA_DEVICE_MANAGER_DND_ACTION_MOVE)- actions = GdkDragAction(actions | GDK_ACTION_MOVE);-- return actions;+ return WaitForClipboardData(ClipboardDataType::Targets, aWhichClipboard)+ .ExtractTargets(); }-static inline uint32_t gdk_to_wl_actions(GdkDragAction action) {- uint32_t dnd_actions = WL_DATA_DEVICE_MANAGER_DND_ACTION_NONE;+ClipboardData nsRetrievalContextWayland::GetClipboardData(+ const char* aMimeType, int32_t aWhichClipboard) {+ LOGCLIP("nsRetrievalContextWayland::GetClipboardData() mime %s\n", aMimeType);- if (action & (GDK_ACTION_COPY | GDK_ACTION_LINK | GDK_ACTION_PRIVATE))- dnd_actions |= WL_DATA_DEVICE_MANAGER_DND_ACTION_COPY;- if (action & GDK_ACTION_MOVE)- dnd_actions |= WL_DATA_DEVICE_MANAGER_DND_ACTION_MOVE;-- return dnd_actions;+ return WaitForClipboardData(ClipboardDataType::Data, aWhichClipboard,+ aMimeType); }-static GtkWidget* get_gtk_widget_for_wl_surface(struct wl_surface* surface) {- GdkWindow* gdkParentWindow =- static_cast<GdkWindow*>(wl_surface_get_user_data(surface));+GUniquePtr<char> nsRetrievalContextWayland::GetClipboardText(+ int32_t aWhichClipboard) {+ GdkAtom selection = GetSelectionAtom(aWhichClipboard);- gpointer user_data = nullptr;- gdk_window_get_user_data(gdkParentWindow, &user_data);+ LOGCLIP("nsRetrievalContextWayland::GetClipboardText(), clipboard %s\n",+ (selection == GDK_SELECTION_PRIMARY) ? 
"Primary" : "Selection");- return GTK_WIDGET(user_data);+ return WaitForClipboardData(ClipboardDataType::Text, aWhichClipboard)+ .ExtractText(); }-static void data_offer_offer(void* data, struct wl_data_offer* wl_data_offer,- const char* type) {- auto* offer = static_cast<DataOffer*>(data);- LOGCLIP("Data offer %p add MIME %s\n", wl_data_offer, type);- offer->AddMIMEType(type);-}+ClipboardData nsRetrievalContextWayland::WaitForClipboardData(+ ClipboardDataType aDataType, int32_t aWhichClipboard,+ const char* aMimeType) {+ LOGCLIP("nsRetrievalContextWayland::WaitForClipboardData, MIME %s\n",+ aMimeType);-/* Advertise all available drag and drop actions from source.- * We don't use that but follow gdk_wayland_drag_context_commit_status()- * from gdkdnd-wayland.c here.- */-static void data_offer_source_actions(void* data,- struct wl_data_offer* wl_data_offer,- uint32_t source_actions) {- auto* dragContext = static_cast<DataOffer*>(data);- dragContext->SetAvailableDragActions(source_actions);-}+ AsyncGtkClipboardRequest request(aDataType, aWhichClipboard, aMimeType);+ int iteration = 1;-/* Advertise recently selected drag and drop action by compositor, based- * on source actions and user choice (key modifiers, etc.).- */-static void data_offer_action(void* data, struct wl_data_offer* wl_data_offer,- uint32_t dnd_action) {- auto* dropContext = static_cast<DataOffer*>(data);- dropContext->SetSelectedDragAction(dnd_action);-- if (dropContext->GetWidget()) {- uint32_t time;- nscoord x, y;- dropContext->GetLastDropInfo(&time, &x, &y);- WindowDragMotionHandler(dropContext->GetWidget(), nullptr, dropContext, x,- y, time);- }-}--/* wl_data_offer callback description:- *- * data_offer_offer - Is called for each MIME type available at wl_data_offer.- * data_offer_source_actions - This event indicates the actions offered by- * the data source.- * data_offer_action - This event indicates the action selected by- * the compositor after matching the source/destination- * side 
actions.- */-static const moz_wl_data_offer_listener data_offer_listener = {- data_offer_offer, data_offer_source_actions, data_offer_action};--DataOffer::DataOffer(wl_data_offer* aDataOffer)- : mWaylandDataOffer(aDataOffer),- mMutex("DataOffer"),- mAsyncContentLength(),- mAsyncContentData(),- mGetterFinished(),- mSelectedDragAction(),- mAvailableDragActions(),- mTime(),- mGtkWidget(),- mX(),- mY() {- if (mWaylandDataOffer) {- wl_data_offer_add_listener(- mWaylandDataOffer, (struct wl_data_offer_listener*)&data_offer_listener,- this);- }-}--DataOffer::~DataOffer() {- g_clear_pointer(&mWaylandDataOffer, wl_data_offer_destroy);-- // Async transfer was finished after time limit. In such case release the- // clipboard data.- if (mGetterFinished && mAsyncContentLength && mAsyncContentData) {- g_free((void*)mAsyncContentData);- }-}--bool DataOffer::RequestDataTransfer(const char* aMimeType, int fd) {- LOGCLIP("DataOffer::RequestDataTransfer MIME %s FD %d\n", aMimeType, fd);- if (mWaylandDataOffer) {- wl_data_offer_receive(mWaylandDataOffer, aMimeType, fd);- return true;- }-- return false;-}--void DataOffer::AddMIMEType(const char* aMimeType) {- GdkAtom atom = gdk_atom_intern(aMimeType, FALSE);- mTargetMIMETypes.AppendElement(atom);-}--GdkAtom* DataOffer::GetTargets(int* aTargetNum) {- int length = mTargetMIMETypes.Length();- if (!length) {- *aTargetNum = 0;- return nullptr;- }-- GdkAtom* targetList =- reinterpret_cast<GdkAtom*>(g_malloc(sizeof(GdkAtom) * length));- for (int32_t j = 0; j < length; j++) {- targetList[j] = mTargetMIMETypes[j];- }-- *aTargetNum = length;- return targetList;-}--bool DataOffer::HasTarget(const char* aMimeType) {- int length = mTargetMIMETypes.Length();- for (int32_t j = 0; j < length; j++) {- if (mTargetMIMETypes[j] == gdk_atom_intern(aMimeType, FALSE)) {- LOGCLIP("DataOffer::HasTarget() we have mime %s\n", aMimeType);- return true;- }- }- LOGCLIP("DataOffer::HasTarget() missing mime %s\n", aMimeType);- return false;-}--static bool 
MakeFdNonBlocking(int fd) {- return fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) | O_NONBLOCK) != -1;-}--char* DataOffer::GetDataInternal(const char* aMimeType,- uint32_t* aContentLength) {- LOGCLIP("GetDataInternal() mime %s\n", aMimeType);-- int pipe_fd[2];- if (pipe(pipe_fd) == -1) {- return nullptr;- }-- GIOChannel* channel = nullptr;-- auto free = mozilla::MakeScopeExit([&] {- if (channel) {- g_io_channel_unref(channel);- }- if (pipe_fd[0] >= 0) {- close(pipe_fd[0]);- }- if (pipe_fd[1] >= 0) {- close(pipe_fd[1]);- }- });-- if (!MakeFdNonBlocking(pipe_fd[0]) || !MakeFdNonBlocking(pipe_fd[1])) {- return nullptr;- }-- if (!RequestDataTransfer(aMimeType, pipe_fd[1])) {- NS_WARNING("DataOffer::RequestDataTransfer() failed!");- return nullptr;- }-- close(pipe_fd[1]);- pipe_fd[1] = -1;-- // Flush wl_display connection to get clipboard data uploaded from display to- // our pipe.- wl_display_flush(WaylandDisplayGet()->GetDisplay());-- channel = g_io_channel_unix_new(pipe_fd[0]);- GError* error = nullptr;- char* clipboardData = nullptr;-- GIOStatus ret;- ret = g_io_channel_set_encoding(channel, nullptr, &error);- g_clear_pointer(&error, g_error_free);- if (ret != G_IO_STATUS_NORMAL) {- NS_WARNING("g_io_channel_set_encoding failed!");- return nullptr;- }-- const PRTime entryTime = PR_Now();- gsize len;- while (1) {- LOGCLIP("reading data...\n");- ret = g_io_channel_read_to_end(channel, &clipboardData, &len, &error);- if (ret == G_IO_STATUS_NORMAL) {- break;- }- if (ret == G_IO_STATUS_AGAIN) {- wl_display_flush(WaylandDisplayGet()->GetDisplay());- // check the number of iterations- PR_Sleep(20 * PR_TicksPerSecond() / 1000); /* sleep for 20 ms/iteration */+ PRTime entryTime = PR_Now();+ while (!request.HasCompleted()) {+ if (iteration++ > kClipboardFastIterationNum) {+ /* sleep for 10 ms/iteration */+ PR_Sleep(PR_MillisecondsToInterval(10)); if (PR_Now() - entryTime > kClipboardTimeout) {- break;- }- } else { // G_IO_STATUS_ERROR- if (error) {- NS_WARNING(- 
nsPrintfCString("Unexpected error when reading clipboard data: %s",- error->message)- .get());- g_error_free(error);- }- return nullptr;- }- }- *aContentLength = len;-- if (*aContentLength == 0) {- // We don't have valid clipboard data although- // g_io_channel_read_to_end() allocated clipboardData for us.- // Release it now and return nullptr to indicate- // we don't have reqested data flavour.- g_free((void*)clipboardData);- clipboardData = nullptr;- }-- LOGCLIP(" Got clipboard data length %d\n", *aContentLength);- return clipboardData;-}--void DataOffer::GetDataAsyncInternal(const char* aMimeType) {- mAsyncContentData = GetDataInternal(aMimeType, &mAsyncContentLength);- mGetterFinished = true;-}--char* DataOffer::GetData(const char* aMimeType, uint32_t* aContentLength) {- LOGCLIP("DataOffer::GetData() mime %s\n", aMimeType);-- if (!HasTarget(aMimeType)) {- LOGCLIP(" Failed: DataOffer does not contain %s MIME!\n", aMimeType);- return nullptr;- }-- return GetDataInternal(aMimeType, aContentLength);-}--char* DataOffer::GetDataAsync(const char* aMimeType, uint32_t* aContentLength) {- LOGCLIP("DataOffer::GetDataAsync() mime %s\n", aMimeType);-- if (!HasTarget(aMimeType)) {- LOGCLIP(" Failed: DataOffer does not contain %s MIME!\n", aMimeType);- return nullptr;- }-- if (!mMutex.TryLock()) {- LOGCLIP(" Failed: DataOffer is already used!\n");- return nullptr;- }- auto unlock = mozilla::MakeScopeExit([&] {- // If async getter was sucessful transfer ownership of the clipboard data- // to caller.- if (mGetterFinished) {- mAsyncContentLength = 0;- mAsyncContentData = nullptr;- } else {- // Remove offers for failed transfers- LOGCLIP(" data offer was not finished in time, clearing\n");- g_clear_pointer(&mWaylandDataOffer, wl_data_offer_destroy);- }- mMutex.Unlock();- });-- mAsyncContentLength = 0;- mAsyncContentData = nullptr;- mGetterFinished = false;-- RefPtr<DataOffer> offer(this);- NS_DispatchBackgroundTask(- NS_NewRunnableFunction("DataOffer::GetDataInternal",- [offer, 
aMimeType]() -> void {- offer->GetDataAsyncInternal(aMimeType);- }),- nsIEventTarget::NS_DISPATCH_NORMAL);-- int iteration = 1;- PRTime entryTime = PR_Now();- while (!mGetterFinished) {- if (iteration++ > kClipboardFastIterationNum) {- PR_Sleep(PR_MillisecondsToInterval(10)); /* sleep for 10 ms/iteration */- if (PR_Now() - entryTime > kClipboardTimeout) {- LOGCLIP(" hit time limit\n");+ LOGCLIP(" failed to get async clipboard data in time limit\n"); break; } }@@ -356,743 +71,5 @@ gtk_main_iteration(); }- if (!mGetterFinished) {- LOGCLIP(" failed to get async clipboard data in time limit\n");- *aContentLength = 0;- return nullptr;- }-- LOGCLIP(" ineration over, got data %p len %d\n", mAsyncContentData,- mAsyncContentLength);- *aContentLength = mAsyncContentLength;- return mAsyncContentData;+ return request.TakeResult(); }--void DataOffer::DragOfferAccept(const char* aMimeType) {- LOGDRAG("DataOffer::DragOfferAccept MIME %s mTime %d\n", aMimeType, mTime);- if (!HasTarget(aMimeType)) {- LOGCLIP(" DataOffer: DataOffer does not contain %s MIME!\n", aMimeType);- return;- }- wl_data_offer_accept(mWaylandDataOffer, mTime, aMimeType);-}--/* We follow logic of gdk_wayland_drag_context_commit_status()/gdkdnd-wayland.c- * here.- */-void DataOffer::SetDragStatus(GdkDragAction aPreferredAction) {- uint32_t preferredAction = gdk_to_wl_actions(aPreferredAction);- uint32_t allActions = WL_DATA_DEVICE_MANAGER_DND_ACTION_NONE;-- LOGDRAG("DataOffer::SetDragStatus aPreferredAction %d\n", aPreferredAction);-- /* We only don't choose a preferred action if we don't accept any.- * If we do accept any, it is currently alway copy and move- */- if (preferredAction != WL_DATA_DEVICE_MANAGER_DND_ACTION_NONE) {- allActions = WL_DATA_DEVICE_MANAGER_DND_ACTION_COPY |- WL_DATA_DEVICE_MANAGER_DND_ACTION_MOVE;- }-- wl_data_offer_set_actions(mWaylandDataOffer, allActions, preferredAction);-- /* Workaround Wayland D&D architecture here. 
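Review bot: `WaitForClipboardData` formats `aMimeType` with `%s` in its first `LOGCLIP` call, yet `GetTargets` and `GetClipboardText` call it with only two arguments, so the third presumably defaults to nullptr in the header and the targets/text paths log a null pointer through `%s`, which is undefined behaviour (glibc happens to print `(null)`). Guard it at the log site: `LOGCLIP("nsRetrievalContextWayland::WaitForClipboardData, MIME %s\n", aMimeType ? aMimeType : "(none)");`. The wait loop also keeps the old pattern of pumping `gtk_main_iteration()` from inside a synchronous getter, so any callback delivered during that nested iteration can re-enter clipboard code while the request is pending; since only the stack-local `request` is touched after the loop this is tolerable, but a comment on the loop such as `// Nested main loop: do not touch member state after gtk_main_iteration() returns` would stop a future edit from reintroducing the old `mAsyncContentData`-style member access. The function's closing lines (`gtk_main_iteration();` and `return request.TakeResult();`) fall in the next hunk.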
To get the data_device_drop()- signal (which routes to nsDragService::GetData() call) we need to- accept at least one mime type before data_device_leave().-- Real wl_data_offer_accept() for actualy requested data mime type is- called from nsDragService::GetData().- */- if (mTargetMIMETypes[0]) {- wl_data_offer_accept(mWaylandDataOffer, mTime,- gdk_atom_name(mTargetMIMETypes[0]));- }-}--void DataOffer::SetSelectedDragAction(uint32_t aWaylandAction) {- mSelectedDragAction = aWaylandAction;-}--GdkDragAction DataOffer::GetSelectedDragAction() {- return wl_to_gdk_actions(mSelectedDragAction);-}--void DataOffer::SetAvailableDragActions(uint32_t aWaylandActions) {- mAvailableDragActions = aWaylandActions;-}--bool PrimaryDataOffer::RequestDataTransfer(const char* aMimeType, int fd) {- if (mPrimaryDataOfferGtk) {- gtk_primary_selection_offer_receive(mPrimaryDataOfferGtk, aMimeType, fd);- return true;- }- if (mPrimaryDataOfferZwpV1) {- zwp_primary_selection_offer_v1_receive(mPrimaryDataOfferZwpV1, aMimeType,- fd);- return true;- }- return false;-}--static void primary_data_offer(- void* data, gtk_primary_selection_offer* primary_selection_offer,- const char* mime_type) {- LOGCLIP("Primary data offer %p add MIME %s\n", primary_selection_offer,- mime_type);- auto* offer = static_cast<DataOffer*>(data);- offer->AddMIMEType(mime_type);-}--static void primary_data_offer(- void* data, zwp_primary_selection_offer_v1* primary_selection_offer,- const char* mime_type) {- LOGCLIP("Primary data offer %p add MIME %s\n", primary_selection_offer,- mime_type);- auto* offer = static_cast<DataOffer*>(data);- offer->AddMIMEType(mime_type);-}--/* gtk_primary_selection_offer_listener callback description:- *- * primary_data_offer - Is called for each MIME type available at- * gtk_primary_selection_offer.- */-static const struct gtk_primary_selection_offer_listener- primary_selection_offer_listener_gtk = {primary_data_offer};--static const struct zwp_primary_selection_offer_v1_listener- 
primary_selection_offer_listener_zwp_v1 = {primary_data_offer};--PrimaryDataOffer::PrimaryDataOffer(- gtk_primary_selection_offer* aPrimaryDataOffer)- : DataOffer(nullptr),- mPrimaryDataOfferGtk(aPrimaryDataOffer),- mPrimaryDataOfferZwpV1(nullptr) {- gtk_primary_selection_offer_add_listener(- aPrimaryDataOffer, &primary_selection_offer_listener_gtk, this);-}--PrimaryDataOffer::PrimaryDataOffer(- zwp_primary_selection_offer_v1* aPrimaryDataOffer)- : DataOffer(nullptr),- mPrimaryDataOfferGtk(nullptr),- mPrimaryDataOfferZwpV1(aPrimaryDataOffer) {- zwp_primary_selection_offer_v1_add_listener(- aPrimaryDataOffer, &primary_selection_offer_listener_zwp_v1, this);-}--PrimaryDataOffer::~PrimaryDataOffer(void) {- if (mPrimaryDataOfferGtk) {- gtk_primary_selection_offer_destroy(mPrimaryDataOfferGtk);- }- if (mPrimaryDataOfferZwpV1) {- zwp_primary_selection_offer_v1_destroy(mPrimaryDataOfferZwpV1);- }-}--void DataOffer::DropDataEnter(GtkWidget* aGtkWidget, uint32_t aTime, nscoord aX,- nscoord aY) {- mTime = aTime;- mGtkWidget = aGtkWidget;- mX = aX;- mY = aY;-}--void DataOffer::DropMotion(uint32_t aTime, nscoord aX, nscoord aY) {- mTime = aTime;- mX = aX;- mY = aY;-}--void DataOffer::GetLastDropInfo(uint32_t* aTime, nscoord* aX, nscoord* aY) {- *aTime = mTime;- *aX = mX;- *aY = mY;-}--GdkDragAction DataOffer::GetAvailableDragActions() {- GdkDragAction gdkAction = GetSelectedDragAction();-- // We emulate gdk_drag_context_get_actions() here.- if (!gdkAction) {- gdkAction = wl_to_gdk_actions(mAvailableDragActions);- }-- return gdkAction;-}--GList* DataOffer::GetDragTargets() {- int targetNums;- GdkAtom* atoms = GetTargets(&targetNums);-- GList* targetList = nullptr;- for (int i = 0; i < targetNums; i++) {- targetList = g_list_append(targetList, GDK_ATOM_TO_POINTER(atoms[i]));- }-- return targetList;-}--char* DataOffer::GetDragData(const char* aMimeType, uint32_t* aContentLength) {- LOGDRAG("DataOffer::GetData %s\n", aMimeType);- if (!HasTarget(aMimeType)) {- return nullptr;- }- 
DragOfferAccept(aMimeType);- return GetDataAsync(aMimeType, aContentLength);-}--RefPtr<DataOffer> nsRetrievalContextWayland::FindActiveOffer(- wl_data_offer* aDataOffer, bool aRemove) {- const int len = mActiveOffers.Length();- for (int i = 0; i < len; i++) {- if (mActiveOffers[i] && mActiveOffers[i]->MatchesOffer(aDataOffer)) {- RefPtr<DataOffer> ret = mActiveOffers[i];- if (aRemove) {- mActiveOffers[i] = nullptr;- }- return ret;- }- }- return nullptr;-}--void nsRetrievalContextWayland::InsertOffer(RefPtr<DataOffer> aDataOffer) {- const int len = mActiveOffers.Length();- for (int i = 0; i < len; i++) {- if (!mActiveOffers[i]) {- mActiveOffers[i] = aDataOffer;- return;- }- }- mActiveOffers.AppendElement(aDataOffer);-}--void nsRetrievalContextWayland::RegisterNewDataOffer(- wl_data_offer* aDataOffer) {- LOGCLIP(- "nsRetrievalContextWayland::RegisterNewDataOffer (wl_data_offer) %p\n",- aDataOffer);-- if (FindActiveOffer(aDataOffer)) {- LOGCLIP(" offer already exists, protocol error?\n");- return;- }-- InsertOffer(new DataOffer(aDataOffer));-}--void nsRetrievalContextWayland::RegisterNewDataOffer(- gtk_primary_selection_offer* aPrimaryDataOffer) {- LOGCLIP("nsRetrievalContextWayland::RegisterNewDataOffer (primary) %p\n",- aPrimaryDataOffer);-- if (FindActiveOffer((wl_data_offer*)aPrimaryDataOffer)) {- LOGCLIP(" offer already exists, protocol error?\n");- return;- }-- InsertOffer(new PrimaryDataOffer(aPrimaryDataOffer));-}--void nsRetrievalContextWayland::RegisterNewDataOffer(- zwp_primary_selection_offer_v1* aPrimaryDataOffer) {- LOGCLIP("nsRetrievalContextWayland::RegisterNewDataOffer (primary ZWP) %p\n",- aPrimaryDataOffer);-- if (FindActiveOffer((wl_data_offer*)aPrimaryDataOffer)) {- LOGCLIP(" offer already exists, protocol error?\n");- return;- }-- InsertOffer(new PrimaryDataOffer(aPrimaryDataOffer));-}--void nsRetrievalContextWayland::SetClipboardDataOffer(- wl_data_offer* aDataOffer) {- LOGCLIP(- "nsRetrievalContextWayland::SetClipboardDataOffer (wl_data_offer) 
%p\n",- aDataOffer);-- // Delete existing clipboard data offer- mClipboardOffer = nullptr;-- // null aDataOffer indicates that our clipboard content- // is no longer valid and should be release.- if (aDataOffer) {- mClipboardOffer = FindActiveOffer(aDataOffer, /* remove */ true);- }-}--void nsRetrievalContextWayland::SetPrimaryDataOffer(- gtk_primary_selection_offer* aPrimaryDataOffer) {- LOGCLIP("nsRetrievalContextWayland::SetPrimaryDataOffer (primary) %p\n",- aPrimaryDataOffer);-- // Release any primary offer we have.- mPrimaryOffer = nullptr;-- // aPrimaryDataOffer can be null which means we lost- // the mouse selection.- if (aPrimaryDataOffer) {- mPrimaryOffer =- FindActiveOffer((wl_data_offer*)aPrimaryDataOffer, /* remove */ true);- }-}--void nsRetrievalContextWayland::SetPrimaryDataOffer(- zwp_primary_selection_offer_v1* aPrimaryDataOffer) {- LOGCLIP("nsRetrievalContextWayland::SetPrimaryDataOffer (primary ZWP)%p\n",- aPrimaryDataOffer);-- // Release any primary offer we have.- mPrimaryOffer = nullptr;-- // aPrimaryDataOffer can be null which means we lost- // the mouse selection.- if (aPrimaryDataOffer) {- mPrimaryOffer =- FindActiveOffer((wl_data_offer*)aPrimaryDataOffer, /* remove */ true);- }-}--void nsRetrievalContextWayland::AddDragAndDropDataOffer(- wl_data_offer* aDropDataOffer) {- LOGDRAG("nsRetrievalContextWayland::AddDragAndDropDataOffer %p\n",- aDropDataOffer);-- // Remove any existing D&D contexts.- mDragContext = nullptr;- if (aDropDataOffer) {- mDragContext = FindActiveOffer(aDropDataOffer, /* remove */ true);- }-}--// We have a new fresh data content.-// We should attach listeners to it and save for further use.-static void data_device_data_offer(void* data,- struct wl_data_device* data_device,- struct wl_data_offer* offer) {- LOGCLIP("data_device_data_offer(), wl_data_offer %p\n", offer);- nsRetrievalContextWayland* context =- static_cast<nsRetrievalContextWayland*>(data);- context->RegisterNewDataOffer(offer);-}--// The new fresh data 
content is clipboard.-static void data_device_selection(void* data,- struct wl_data_device* wl_data_device,- struct wl_data_offer* offer) {- LOGCLIP("data_device_selection(), set wl_data_offer %p\n", offer);- nsRetrievalContextWayland* context =- static_cast<nsRetrievalContextWayland*>(data);- context->SetClipboardDataOffer(offer);-}--// The new fresh wayland data content is drag and drop.-static void data_device_enter(void* data, struct wl_data_device* data_device,- uint32_t time, struct wl_surface* surface,- int32_t x_fixed, int32_t y_fixed,- struct wl_data_offer* offer) {- LOGDRAG("nsWindow data_device_enter");- nsRetrievalContextWayland* context =- static_cast<nsRetrievalContextWayland*>(data);- context->AddDragAndDropDataOffer(offer);-- RefPtr<DataOffer> dragContext = context->GetDragContext();- if (dragContext) {- GtkWidget* gtkWidget = get_gtk_widget_for_wl_surface(surface);- if (!gtkWidget) {- NS_WARNING("DragAndDrop: Unable to get GtkWidget for wl_surface!");- return;- }-- LOGDRAG("nsWindow data_device_enter for GtkWidget %p\n", (void*)gtkWidget);- dragContext->DropDataEnter(gtkWidget, time, wl_fixed_to_int(x_fixed),- wl_fixed_to_int(y_fixed));- }-}--static void data_device_leave(void* data, struct wl_data_device* data_device) {- LOGDRAG("nsWindow data_device_leave");- nsRetrievalContextWayland* context =- static_cast<nsRetrievalContextWayland*>(data);-- RefPtr<DataOffer> dropContext = context->GetDragContext();- if (dropContext) {- WindowDragLeaveHandler(dropContext->GetWidget());-- LOGDRAG("nsWindow data_device_leave for GtkWidget %p\n",- (void*)dropContext->GetWidget());- context->ClearDragAndDropDataOffer();- }-}--static void data_device_motion(void* data, struct wl_data_device* data_device,- uint32_t time, int32_t x_fixed,- int32_t y_fixed) {- LOGDRAG("nsWindow data_device_motion");- nsRetrievalContextWayland* context =- static_cast<nsRetrievalContextWayland*>(data);-- RefPtr<DataOffer> dropContext = context->GetDragContext();- if (dropContext) {- 
nscoord x = wl_fixed_to_int(x_fixed);- nscoord y = wl_fixed_to_int(y_fixed);- dropContext->DropMotion(time, x, y);-- LOGDRAG("nsWindow data_device_motion for GtkWidget %p\n",- (void*)dropContext->GetWidget());- WindowDragMotionHandler(dropContext->GetWidget(), nullptr, dropContext, x,- y, time);- }-}--static void data_device_drop(void* data, struct wl_data_device* data_device) {- LOGDRAG("nsWindow data_device_drop");- nsRetrievalContextWayland* context =- static_cast<nsRetrievalContextWayland*>(data);-- RefPtr<DataOffer> dropContext = context->GetDragContext();- if (dropContext) {- uint32_t time;- nscoord x, y;- dropContext->GetLastDropInfo(&time, &x, &y);-- LOGDRAG("nsWindow data_device_drop GtkWidget %p\n",- (void*)dropContext->GetWidget());- WindowDragDropHandler(dropContext->GetWidget(), nullptr, dropContext, x, y,- time);- }-}--/* wl_data_device callback description:- *- * data_device_data_offer - It's called when there's a new wl_data_offer- * available. We need to attach wl_data_offer_listener- * to it to get available MIME types.- *- * data_device_selection - It's called when the new wl_data_offer- * is a clipboard content.- * data_device_enter - It's called when the new wl_data_offer is a drag & drop- * content and it's tied to actual wl_surface.- *- * data_device_leave - It's called when the wl_data_offer (drag & dop) is not- * valid any more.- * data_device_motion - It's called when the drag and drop selection moves- * across wl_surface.- * data_device_drop - It's called when D&D operation is sucessfully finished- * and we can read the data from D&D.- * It's generated only if we call wl_data_offer_accept() and- * wl_data_offer_set_actions() from data_device_motion- * callback.- */-static const struct wl_data_device_listener data_device_listener = {- data_device_data_offer, data_device_enter, data_device_leave,- data_device_motion, data_device_drop, data_device_selection};--static void primary_selection_data_offer(- void* data, struct 
gtk_primary_selection_device* primary_selection_device,- struct gtk_primary_selection_offer* primary_offer) {- LOGCLIP("primary_selection_data_offer()\n");- // create and add listener- nsRetrievalContextWayland* context =- static_cast<nsRetrievalContextWayland*>(data);- context->RegisterNewDataOffer(primary_offer);-}--static void primary_selection_data_offer(- void* data,- struct zwp_primary_selection_device_v1* primary_selection_device,- struct zwp_primary_selection_offer_v1* primary_offer) {- LOGCLIP("primary_selection_data_offer()\n");- // create and add listener- nsRetrievalContextWayland* context =- static_cast<nsRetrievalContextWayland*>(data);- context->RegisterNewDataOffer(primary_offer);-}--static void primary_selection_selection(- void* data, struct gtk_primary_selection_device* primary_selection_device,- struct gtk_primary_selection_offer* primary_offer) {- LOGCLIP("primary_selection_selection()\n");- nsRetrievalContextWayland* context =- static_cast<nsRetrievalContextWayland*>(data);- context->SetPrimaryDataOffer(primary_offer);-}--static void primary_selection_selection(- void* data,- struct zwp_primary_selection_device_v1* primary_selection_device,- struct zwp_primary_selection_offer_v1* primary_offer) {- LOGCLIP("primary_selection_selection()\n");- nsRetrievalContextWayland* context =- static_cast<nsRetrievalContextWayland*>(data);- context->SetPrimaryDataOffer(primary_offer);-}--/* gtk_primary_selection_device callback description:- *- * primary_selection_data_offer - It's called when there's a new- * gtk_primary_selection_offer available. We need to- * attach gtk_primary_selection_offer_listener to it- * to get available MIME types.- *- * primary_selection_selection - It's called when the new- * gtk_primary_selection_offer is a primary selection- * content. 
It can be also called with- * gtk_primary_selection_offer = null which means- * there's no primary selection.- */-static const struct gtk_primary_selection_device_listener- primary_selection_device_listener_gtk = {- primary_selection_data_offer,- primary_selection_selection,-};--static const struct zwp_primary_selection_device_v1_listener- primary_selection_device_listener_zwp_v1 = {- primary_selection_data_offer,- primary_selection_selection,-};--bool nsRetrievalContextWayland::HasSelectionSupport(void) {- return (mDisplay->GetPrimarySelectionDeviceManagerZwpV1() != nullptr ||- mDisplay->GetPrimarySelectionDeviceManagerGtk() != nullptr);-}--void nsRetrievalContextWayland::ClearDragAndDropDataOffer(void) {- LOGDRAG("nsRetrievalContextWayland::ClearDragAndDropDataOffer()\n");- mDragContext = nullptr;-}--nsRetrievalContextWayland::nsRetrievalContextWayland(void)- : mDisplay(WaylandDisplayGet()),- mClipboardRequestNumber(0),- mClipboardData(nullptr),- mClipboardDataLength(0),- mAsyncDataGetter(- StaticPrefs::widget_wayland_async_data_transfer_enabled_AtStartup()) {- wl_data_device* dataDevice = wl_data_device_manager_get_data_device(- mDisplay->GetDataDeviceManager(), mDisplay->GetSeat());- wl_data_device_add_listener(dataDevice, &data_device_listener, this);-- if (mDisplay->GetPrimarySelectionDeviceManagerZwpV1()) {- zwp_primary_selection_device_v1* primaryDataDevice =- zwp_primary_selection_device_manager_v1_get_device(- mDisplay->GetPrimarySelectionDeviceManagerZwpV1(),- mDisplay->GetSeat());- zwp_primary_selection_device_v1_add_listener(- primaryDataDevice, &primary_selection_device_listener_zwp_v1, this);- } else if (mDisplay->GetPrimarySelectionDeviceManagerGtk()) {- gtk_primary_selection_device* primaryDataDevice =- gtk_primary_selection_device_manager_get_device(- mDisplay->GetPrimarySelectionDeviceManagerGtk(),- mDisplay->GetSeat());- gtk_primary_selection_device_add_listener(- primaryDataDevice, &primary_selection_device_listener_gtk, this);- 
}
-}
-
-nsRetrievalContextWayland::~nsRetrievalContextWayland(void) {}
-
-struct FastTrackClipboard {
- FastTrackClipboard(ClipboardDataType aDataType, int aClipboardRequestNumber,
- RefPtr<nsRetrievalContextWayland> aRetrievalContex)
- : mClipboardRequestNumber(aClipboardRequestNumber),
- mRetrievalContex(std::move(aRetrievalContex)),
- mDataType(aDataType) {}
- int mClipboardRequestNumber;
- RefPtr<nsRetrievalContextWayland> mRetrievalContex;
- ClipboardDataType mDataType;
-};
-
-static void wayland_clipboard_contents_received(
- GtkClipboard* clipboard, GtkSelectionData* selection_data, gpointer data) {
- LOGCLIP("wayland_clipboard_contents_received() selection_data = %p\n",
- selection_data);
- FastTrackClipboard* fastTrack = static_cast<FastTrackClipboard*>(data);
- fastTrack->mRetrievalContex->TransferFastTrackClipboard(
- fastTrack->mDataType, fastTrack->mClipboardRequestNumber, selection_data);
- delete fastTrack;
-}
-
-void nsRetrievalContextWayland::TransferFastTrackClipboard(
- ClipboardDataType aDataType, int aClipboardRequestNumber,
- GtkSelectionData* aSelectionData) {
- LOGCLIP(
- "nsRetrievalContextWayland::TransferFastTrackClipboard(), "
- "aSelectionData = %p\n",
- aSelectionData);
-
- if (mClipboardRequestNumber != aClipboardRequestNumber) {
- LOGCLIP(" request number does not match!\n");
- return;
- }
- LOGCLIP(" request number matches\n");
-
- int dataLength = gtk_selection_data_get_length(aSelectionData);
- if (dataLength < 0) {
- LOGCLIP(
- " gtk_clipboard_request_contents() failed to get clipboard "
- "data!\n");
- ReleaseClipboardData(mClipboardData);
- return;
- }
-
- switch (aDataType) {
- case CLIPBOARD_TARGETS: {
- LOGCLIP(" fastracking %d bytes of clipboard targets.\n", dataLength);
- gint n_targets = 0;
- GdkAtom* targets = nullptr;
-
- if (!gtk_selection_data_get_targets(aSelectionData, &targets,
- &n_targets) ||
- !n_targets) {
- ReleaseClipboardData(mClipboardData);
- }
-
- mClipboardData = reinterpret_cast<char*>(targets);
- mClipboardDataLength = n_targets;
- break;
- }
- case CLIPBOARD_DATA:
- case CLIPBOARD_TEXT: {
- LOGCLIP(" fastracking %d bytes of data.\n", dataLength);
- mClipboardDataLength = dataLength;
- if (dataLength > 0) {
- mClipboardData = reinterpret_cast<char*>(
- g_malloc(sizeof(char) * (mClipboardDataLength + 1)));
- memcpy(mClipboardData, gtk_selection_data_get_data(aSelectionData),
- sizeof(char) * mClipboardDataLength);
- mClipboardData[mClipboardDataLength] = '\0';
- LOGCLIP(" done, mClipboardData = %p\n", mClipboardData);
- } else {
- ReleaseClipboardData(mClipboardData);
- }
- }
- }
-}
-
-GdkAtom* nsRetrievalContextWayland::GetTargets(int32_t aWhichClipboard,
After analyzing the provided code diff, I can identify the following security-related changes: 1. Vulnerability Existed: yes Buffer Overflow Potential [File] widget/gtk/nsClipboardWayland.cpp [Lines] Entire file [Old Code] The original implementation had complex clipboard data handling with manual memory management and potential for buffer overflows in data transfer operations. [Fixed Code] The new implementation significantly simplifies the clipboard handling by using GtkClipboardRequest and AsyncGtkClipboardRequest classes, reducing the attack surface for memory corruption vulnerabilities. 2. Vulnerability Existed: yes Race Condition in Async Data Transfer [File] widget/gtk/nsClipboardWayland.cpp [Lines] Entire file [Old Code] The original code had complex asynchronous data transfer logic with manual thread synchronization and timing checks. [Fixed Code] The new implementation uses a more robust AsyncGtkClipboardRequest class that properly handles asynchronous operations and timeouts. 3. Vulnerability Existed: yes Improper Input Validation [File] widget/gtk/nsClipboardWayland.cpp [Lines] Entire file [Old Code] The original code had minimal input validation when handling MIME types and clipboard data. [Fixed Code] The new implementation centralizes data handling through the ClipboardData class which provides better input validation. 4. Vulnerability Existed: yes Memory Leak Potential [File] widget/gtk/nsClipboardWayland.cpp [Lines] Entire file [Old Code] The original code had multiple paths where clipboard data might not be properly freed. [Fixed Code] The new implementation uses RAII patterns (like GUniquePtr) and better resource management to prevent memory leaks. The changes represent a significant security improvement by: 1. Reducing the attack surface through code simplification 2. Implementing better memory management patterns 3. Adding proper synchronization for async operations 4. 
Centralizing and improving input validation. The most critical vulnerabilities addressed were potential buffer overflows and race conditions in the clipboard data handling code. One concrete weakness is visible in the removed hunk above: in the CLIPBOARD_TARGETS branch, when gtk_selection_data_get_targets() fails or reports zero targets the code calls ReleaseClipboardData(mClipboardData) but does not return, and then assigns the outputs of that failed call to mClipboardData/mClipboardDataLength anyway.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/line-styles/2d.line.cap.square.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/line-styles/2d.line.cap.square.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#0f0'; ctx.fillRect(0, 0, 100, 50);@@ -38,18 +38,18 @@ ctx.lineTo(75, 35); ctx.stroke(); ctx.fillRect(65, 5, 20, 40);-_assertPixel(offscreenCanvas, 25,4, 0,255,0,255, "25,4", "0,255,0,255");-_assertPixel(offscreenCanvas, 25,5, 0,255,0,255, "25,5", "0,255,0,255");-_assertPixel(offscreenCanvas, 25,6, 0,255,0,255, "25,6", "0,255,0,255");-_assertPixel(offscreenCanvas, 25,44, 0,255,0,255, "25,44", "0,255,0,255");-_assertPixel(offscreenCanvas, 25,45, 0,255,0,255, "25,45", "0,255,0,255");-_assertPixel(offscreenCanvas, 25,46, 0,255,0,255, "25,46", "0,255,0,255");-_assertPixel(offscreenCanvas, 75,4, 0,255,0,255, "75,4", "0,255,0,255");-_assertPixel(offscreenCanvas, 75,5, 0,255,0,255, "75,5", "0,255,0,255");-_assertPixel(offscreenCanvas, 75,6, 0,255,0,255, "75,6", "0,255,0,255");-_assertPixel(offscreenCanvas, 75,44, 0,255,0,255, "75,44", "0,255,0,255");-_assertPixel(offscreenCanvas, 75,45, 0,255,0,255, "75,45", "0,255,0,255");-_assertPixel(offscreenCanvas, 75,46, 0,255,0,255, "75,46", "0,255,0,255");+_assertPixel(canvas, 25,4, 0,255,0,255, "25,4", "0,255,0,255");+_assertPixel(canvas, 25,5, 0,255,0,255, "25,5", "0,255,0,255");+_assertPixel(canvas, 25,6, 0,255,0,255, "25,6", "0,255,0,255");+_assertPixel(canvas, 25,44, 0,255,0,255, "25,44", "0,255,0,255");+_assertPixel(canvas, 25,45, 0,255,0,255, "25,45", "0,255,0,255");+_assertPixel(canvas, 25,46, 0,255,0,255, "25,46", 
"0,255,0,255");+_assertPixel(canvas, 75,4, 0,255,0,255, "75,4", "0,255,0,255");+_assertPixel(canvas, 75,5, 0,255,0,255, "75,5", "0,255,0,255");+_assertPixel(canvas, 75,6, 0,255,0,255, "75,6", "0,255,0,255");+_assertPixel(canvas, 75,44, 0,255,0,255, "75,44", "0,255,0,255");+_assertPixel(canvas, 75,45, 0,255,0,255, "75,45", "0,255,0,255");+_assertPixel(canvas, 75,46, 0,255,0,255, "75,46", "0,255,0,255"); t.done(); });
Analysis of the code diff: 1. Vulnerability Existed: no No specific vulnerability found in this diff. The changes appear to be purely variable renaming (from `offscreenCanvas` to `canvas`) and corresponding updates to the assertions. This seems to be a refactoring change rather than a security fix. 2. Vulnerability Existed: no No security-related changes were made to the canvas drawing operations or pixel assertions. The test logic remains the same, only the variable name was changed for consistency or clarity. 3. Vulnerability Existed: no The changes in the `_assertPixel` calls are simply updating the variable name being passed to match the renamed canvas variable. No security implications are present in these changes. The diff shows no evidence of any security vulnerabilities being fixed. The changes are purely cosmetic/refactoring in nature, improving code consistency by using a shorter variable name (`canvas` instead of `offscreenCanvas`) throughout the test file.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/streams/piping/then-interception.any.js
+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/streams/piping/then-interception.any.js
@@ -1,4 +1,4 @@
-// META: global=window,worker,jsshell
+// META: global=window,worker
 // META: script=../resources/test-utils.js
 // META: script=../resources/recording-streams.js
 'use strict';
Let me analyze the code diff according to the provided format: Vulnerability Existed: not sure [Potential Test Scope Reduction] [testing/web-platform/tests/streams/piping/then-interception.any.js] [Lines 1] [Old Code] // META: global=window,worker,jsshell [Fixed Code] // META: global=window,worker Additional Details: - The change removes "jsshell" from the test's global scope declaration - This appears to be a test configuration change rather than a security fix - It might indicate a deliberate reduction in test scope or environment support - Without more context about why "jsshell" was removed, I can't determine if this relates to a security vulnerability - The change could be related to test reliability or environment compatibility rather than security
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/once_cell/src/race.rs
+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/once_cell/src/race.rs
@@ -6,10 +6,13 @@
 //!
 //! This module does not require `std` feature.
-use core::{
- num::NonZeroUsize,
- sync::atomic::{AtomicUsize, Ordering},
-};
+#[cfg(feature = "atomic-polyfill")]
+use atomic_polyfill as atomic;
+#[cfg(not(feature = "atomic-polyfill"))]
+use core::sync::atomic;
+
+use atomic::{AtomicUsize, Ordering};
+use core::num::NonZeroUsize;
 /// A thread-safe cell which can be written to only once.
 #[derive(Default, Debug)]
@@ -160,19 +163,21 @@
 #[cfg(feature = "alloc")]
 mod once_box {
- use core::{
- marker::PhantomData,
- ptr,
- sync::atomic::{AtomicPtr, Ordering},
- };
+ use super::atomic::{AtomicPtr, Ordering};
+ use core::{marker::PhantomData, ptr};
 use alloc::boxed::Box;
 /// A thread-safe cell which can be written to only once.
- #[derive(Debug)]
 pub struct OnceBox<T> {
 inner: AtomicPtr<T>,
 ghost: PhantomData<Option<Box<T>>>,
+ }
+
+ impl<T> core::fmt::Debug for OnceBox<T> {
+ fn fmt(&self, f: &mut core::fmt::Formatter<'_>) -> core::fmt::Result {
+ write!(f, "OnceBox({:?})", self.inner.load(Ordering::Relaxed))
+ }
 }
 impl<T> Default for OnceBox<T> {
Analyzing the provided code diff for security fixes: 1. Vulnerability Existed: not sure [Potential Atomic Operations Ordering Issue] [third_party/rust/once_cell/src/race.rs] [Lines 6-13, 160-163] Old Code: ``` use core::{ num::NonZeroUsize, sync::atomic::{AtomicUsize, Ordering}, }; ``` Fixed Code: ``` #[cfg(feature = "atomic-polyfill")] use atomic_polyfill as atomic; #[cfg(not(feature = "atomic-polyfill"))] use core::sync::atomic; use atomic::{AtomicUsize, Ordering}; use core::num::NonZeroUsize; ``` Additional Details: The change introduces an optional `atomic-polyfill` backend behind a cargo feature (the default path still uses `core::sync::atomic`), which is typically used to build on targets that lack native atomic support; it might be related to ensuring consistent atomic operations across platforms. While not a direct security fix, it could prevent potential atomic operation inconsistencies that might lead to race conditions. 2. Vulnerability Existed: not sure [Potential Debug Implementation Information Leak] [third_party/rust/once_cell/src/race.rs] [Lines 160-175] Old Code: ``` /// A thread-safe cell which can be written to only once. #[derive(Debug)] pub struct OnceBox<T> { inner: AtomicPtr<T>, ghost: PhantomData<Option<Box<T>>>, } ``` Fixed Code: ``` pub struct OnceBox<T> { inner: AtomicPtr<T>, ghost: PhantomData<Option<Box<T>>>, } impl<T> core::fmt::Debug for OnceBox<T> { fn fmt(&self, f: &mut core::fmt::Formatter<'_>) -> core::fmt::Result { write!(f, "OnceBox({:?})", self.inner.load(Ordering::Relaxed)) } } ``` Additional Details: The change replaces the derived Debug implementation with a custom one that only shows the pointer value. (A derived `Debug` on a generic struct also adds a `T: Debug` bound to the generated impl; the hand-written impl carries no such bound, which is another plausible reason for the change.) This might be related to preventing sensitive information leakage in debug output, though it's not clear if this was an actual security issue. Note: While these changes appear to be related to potential security improvements, I cannot definitively confirm they address specific known vulnerabilities. The changes seem more like defensive programming improvements than direct security fixes.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/drawing-images-to-the-canvas/2d.drawImage.5arg.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/drawing-images-to-the-canvas/2d.drawImage.5arg.worker.js@@ -14,8 +14,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillRect(0, 0, 100, 50);@@ -45,10 +45,10 @@ ctx.drawImage(bitmap1, 0, 0, 50, 50); ctx.fillStyle = '#0f0'; ctx.fillRect(0, 0, 50, 50);- _assertPixelApprox(offscreenCanvas, 0,0, 0,255,0,255, "0,0", "0,255,0,255", 2);- _assertPixelApprox(offscreenCanvas, 99,0, 0,255,0,255, "99,0", "0,255,0,255", 2);- _assertPixelApprox(offscreenCanvas, 0,49, 0,255,0,255, "0,49", "0,255,0,255", 2);- _assertPixelApprox(offscreenCanvas, 99,49, 0,255,0,255, "99,49", "0,255,0,255", 2);+ _assertPixelApprox(canvas, 0,0, 0,255,0,255, "0,0", "0,255,0,255", 2);+ _assertPixelApprox(canvas, 99,0, 0,255,0,255, "99,0", "0,255,0,255", 2);+ _assertPixelApprox(canvas, 0,49, 0,255,0,255, "0,49", "0,255,0,255", 2);+ _assertPixelApprox(canvas, 99,49, 0,255,0,255, "99,49", "0,255,0,255", 2); }, t_fail); }).then(t_pass, t_fail);
After analyzing the provided code diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely variable renaming (from `offscreenCanvas` to `canvas`) and don't involve any security-related modifications. Here's the structured response: Vulnerability Existed: no No security vulnerability found in the diff. The changes are purely variable renaming for consistency. The diff shows: 1. Variable `offscreenCanvas` renamed to `canvas` 2. All subsequent references to this variable updated accordingly 3. No changes to the actual logic or security-related functionality The modifications don't address any known vulnerabilities and appear to be code style/consistency improvements rather than security fixes.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.hsl-2.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.hsl-2.html@@ -17,14 +17,14 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillStyle = 'hsl( -240 , 100% , 50% )'; ctx.fillRect(0, 0, 100, 50);-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); t.done(); });
After analyzing the provided code diff, here's the security assessment: Vulnerability Existed: no No security vulnerability found [File] [Lines 17-25] [Old Code] var offscreenCanvas = new OffscreenCanvas(100, 50); var ctx = offscreenCanvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillStyle = 'hsl( -240 , 100% , 50% )'; ctx.fillRect(0, 0, 100, 50); _assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); [Fixed Code] var canvas = new OffscreenCanvas(100, 50); var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillStyle = 'hsl( -240 , 100% , 50% )'; ctx.fillRect(0, 0, 100, 50); _assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); The changes appear to be purely cosmetic, renaming a variable from `offscreenCanvas` to `canvas` and updating the corresponding references. There are no security-related changes in this diff, no changes to the actual functionality or security-sensitive operations, and no known vulnerabilities being addressed.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/pkg-config/.cargo-checksum.json+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/pkg-config/.cargo-checksum.json@@ -1 +1 @@-{"files":{"CHANGELOG.md":"1c60eb6231812ffe4b276d94092d406e10cdf2cfb2f13005a11509b6fdd38d12","Cargo.toml":"301f08ce329cb75af34a9def9f93392db0d19ae62237e8ddb71e2ff0c0baf8d0","LICENSE-APACHE":"a60eea817514531668d7e00765731449fe14d059d3249e0bc93b36de45f759f2","LICENSE-MIT":"378f5840b258e2779c39418f3f2d7b2ba96f1c7917dd6be0713f88305dbda397","README.md":"37f11a56c969237dcfd15368e96bf686ec92b0254e38fb84636e178d632c0492","src/lib.rs":"da375f79b79233081a1cf0dfee29f71665fabad2ffaf1b9222a06eeb48f41831","tests/escape.pc":"00caa4136799dbe5bd504239ba90d1156c12def365c8d761da319fe8a83b398e","tests/foo.pc":"4a1c442c5d1c10761ea1644f8fd58f93cc5a706391bc67b04c243bbd35d70d79","tests/framework.pc":"304fdb6cea92973650e410ab1f70ce1ebeb7718af3f139e806efbf182acd565c","tests/test.rs":"5ed13fc28a1853d20d27798819a1228673cb1e57097951dbb892e51327a21adb"},"package":"d1a3ea4f0dd7f1f3e512cf97bf100819aa547f36a6eccac8dbaae839eb92363e"}+{"files":{"CHANGELOG.md":"2e631b60f6a27dd02bc16b0c2990d1cd3d66864361d5d41fe6e292b166b3552f","Cargo.toml":"843c2c53de2699012af5b516a030ef0dc4852682ae100b757148d2256eb229e6","LICENSE-APACHE":"a60eea817514531668d7e00765731449fe14d059d3249e0bc93b36de45f759f2","LICENSE-MIT":"378f5840b258e2779c39418f3f2d7b2ba96f1c7917dd6be0713f88305dbda397","README.md":"37f11a56c969237dcfd15368e96bf686ec92b0254e38fb84636e178d632c0492","src/lib.rs":"8593d4de26866f869a496e054b7671dab3c9c68962d0850f487fd46e33722f0d","tests/escape.pc":"00caa4136799dbe5bd504239ba90d1156c12def365c8d761da319fe8a83b398e","tests/foo.pc":"4a1c442c5d1c10761ea1644f8fd58f93cc5a706391bc67b04c243bbd35d70d79","tests/framework.pc":"304fdb6cea92973650e410ab1f70ce1ebeb7718af3f139e806efbf182acd565c","tests/test.rs
":"5ed13fc28a1853d20d27798819a1228673cb1e57097951dbb892e51327a21adb"},"package":"58893f751c9b0412871a09abd62ecd2a00298c6c83befa223ef98c52aef40cbe"}=========testing/web-platform/tests/html/canvas/offscreen/shadows/2d.shadow.attributes.shadowColor.valid.worker.js========--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/shadows/2d.shadow.attributes.shadowColor.valid.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/shadows/2d.shadow.attributes.shadowColor.valid.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.shadowColor = 'lime'; _assertSame(ctx.shadowColor, '#00ff00', "ctx.shadowColor", "'#00ff00'");
I'll analyze the provided code diff for security fixes following the specified format. 1. For the first file (pkg-config checksum file): Vulnerability Existed: no No specific vulnerability - Checksum update [File] third_party/rust/pkg-config/.cargo-checksum.json [Old Code] {"files":{...},"package":"d1a3ea4f0dd7f1f3e512cf97bf100819aa547f36a6eccac8dbaae839eb92363e"} [Fixed Code] {"files":{...},"package":"58893f751c9b0412871a09abd62ecd2a00298c6c83befa223ef98c52aef40cbe"} This appears to be a routine update of package checksums without any security implications. 2. For the second file (canvas test file): Vulnerability Existed: no No specific vulnerability - Variable renaming [File] testing/web-platform/tests/html/canvas/offscreen/shadows/2d.shadow.attributes.shadowColor.valid.worker.js [Old Code] var offscreenCanvas = new OffscreenCanvas(100, 50); var ctx = offscreenCanvas.getContext('2d'); [Fixed Code] var canvas = new OffscreenCanvas(100, 50); var ctx = canvas.getContext('2d'); This change only involves renaming a variable for better consistency and doesn't appear to address any security vulnerability. No security vulnerabilities were identified in the provided diff. The changes appear to be routine updates and code improvements rather than security fixes.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.arcTo.shape.curve1.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.arcTo.shape.curve1.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); var tol = 1.5; // tolerance to avoid antialiasing artifacts ctx.fillStyle = '#0f0';@@ -36,20 +36,20 @@ ctx.arc(55, 45, 25+tol, 0, -Math.PI/2, true); ctx.arc(55, 45, 15-tol, -Math.PI/2, 0, false); ctx.fill();-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");-_assertPixel(offscreenCanvas, 55,19, 0,255,0,255, "55,19", "0,255,0,255");-_assertPixel(offscreenCanvas, 55,20, 0,255,0,255, "55,20", "0,255,0,255");-_assertPixel(offscreenCanvas, 55,21, 0,255,0,255, "55,21", "0,255,0,255");-_assertPixel(offscreenCanvas, 64,22, 0,255,0,255, "64,22", "0,255,0,255");-_assertPixel(offscreenCanvas, 65,21, 0,255,0,255, "65,21", "0,255,0,255");-_assertPixel(offscreenCanvas, 72,28, 0,255,0,255, "72,28", "0,255,0,255");-_assertPixel(offscreenCanvas, 73,27, 0,255,0,255, "73,27", "0,255,0,255");-_assertPixel(offscreenCanvas, 78,36, 0,255,0,255, "78,36", "0,255,0,255");-_assertPixel(offscreenCanvas, 79,35, 0,255,0,255, "79,35", "0,255,0,255");-_assertPixel(offscreenCanvas, 80,44, 0,255,0,255, "80,44", "0,255,0,255");-_assertPixel(offscreenCanvas, 80,45, 0,255,0,255, "80,45", "0,255,0,255");-_assertPixel(offscreenCanvas, 80,46, 0,255,0,255, "80,46", "0,255,0,255");-_assertPixel(offscreenCanvas, 65,45, 0,255,0,255, "65,45", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 55,19, 0,255,0,255, "55,19", 
"0,255,0,255");+_assertPixel(canvas, 55,20, 0,255,0,255, "55,20", "0,255,0,255");+_assertPixel(canvas, 55,21, 0,255,0,255, "55,21", "0,255,0,255");+_assertPixel(canvas, 64,22, 0,255,0,255, "64,22", "0,255,0,255");+_assertPixel(canvas, 65,21, 0,255,0,255, "65,21", "0,255,0,255");+_assertPixel(canvas, 72,28, 0,255,0,255, "72,28", "0,255,0,255");+_assertPixel(canvas, 73,27, 0,255,0,255, "73,27", "0,255,0,255");+_assertPixel(canvas, 78,36, 0,255,0,255, "78,36", "0,255,0,255");+_assertPixel(canvas, 79,35, 0,255,0,255, "79,35", "0,255,0,255");+_assertPixel(canvas, 80,44, 0,255,0,255, "80,44", "0,255,0,255");+_assertPixel(canvas, 80,45, 0,255,0,255, "80,45", "0,255,0,255");+_assertPixel(canvas, 80,46, 0,255,0,255, "80,46", "0,255,0,255");+_assertPixel(canvas, 65,45, 0,255,0,255, "65,45", "0,255,0,255"); t.done(); });
After analyzing the provided code diff, I don't find any security vulnerabilities. The changes appear to be purely cosmetic, renaming a variable for better consistency or readability. Here's the analysis: Vulnerability Existed: no No security vulnerability found [File] [Lines 17-18, 36-49] [Old Code] var offscreenCanvas = new OffscreenCanvas(100, 50); var ctx = offscreenCanvas.getContext('2d'); _assertPixel(offscreenCanvas, ...); [Fixed Code] var canvas = new OffscreenCanvas(100, 50); var ctx = canvas.getContext('2d'); _assertPixel(canvas, ...); The changes simply rename the variable `offscreenCanvas` to `canvas` and update all subsequent references to this variable. This doesn't affect security in any way. The functionality remains identical, and there are no security-related patterns or vulnerabilities being addressed in this change.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/config/milestone.txt+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/config/milestone.txt@@ -10,4 +10,4 @@ # hardcoded milestones in the tree from these two files. #---------------------------------------------------------97.0.2+98.0.3
Analysis of the provided code diff: 1. Vulnerability Existed: no Version Update [File] [Lines] Old Code: 97.0.2 Fixed Code: 98.0.3 Additional Details: - This appears to be a simple version number update in the milestone.txt file - No security-related changes are visible in this diff - The change represents a standard version bump from Firefox 97.0.2 to 98.0.3 - No specific vulnerability is being addressed in this particular file change Note: While version updates often include security fixes, this specific diff only shows the version number change and doesn't reveal any underlying security patches that might be included in the new version.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/text/2d.text.measure.baselines.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/text/2d.text.measure.baselines.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); var f = new FontFace("CanvasTest", "url('/fonts/CanvasTest.ttf')"); let fonts = (self.fonts ? self.fonts : document.fonts);
Based on the provided code diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely cosmetic/refactoring changes (variable renaming). Here's the analysis: Vulnerability Existed: no No vulnerability found [testing/web-platform/tests/html/canvas/offscreen/text/2d.text.measure.baselines.html] [Lines 17-18] [Old Code] var offscreenCanvas = new OffscreenCanvas(100, 50); var ctx = offscreenCanvas.getContext('2d'); [Fixed Code] var canvas = new OffscreenCanvas(100, 50); var ctx = canvas.getContext('2d'); The changes simply rename the variable from `offscreenCanvas` to `canvas`, which doesn't affect security. The functionality remains exactly the same, just with a different variable name. No security-related patterns or vulnerabilities are being addressed in this diff.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-cascade/idlharness.html
+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-cascade/idlharness.html
@@ -15,7 +15,7 @@
 <script>
 'use strict';
 idl_test(
- ['css-cascade-5'],
+ ['css-cascade'],
 ['cssom'],
 idl_array => {
 try {
Let me analyze the provided code diff for security fixes. Vulnerability Existed: no [No specific vulnerability found] [testing/web-platform/tests/css/css-cascade/idlharness.html] [Lines 15] [Old Code: ['css-cascade-5']] [Fixed Code: ['css-cascade']] Additional Details: - The change appears to be updating a test reference from 'css-cascade-5' to 'css-cascade' - This is likely a test specification update rather than a security fix - No security-related patterns (XSS, injection, etc.) are visible in this change - The modification is in a test file, which typically doesn't contain production security fixes No security vulnerabilities were identified in this diff. The change seems to be part of normal test maintenance or specification updates.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.isPointInStroke.basic.worker.js
+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.isPointInStroke.basic.worker.js
@@ -13,8 +13,8 @@
 });
 t.step(function() {
-var offscreenCanvas = new OffscreenCanvas(100, 50);
-var ctx = offscreenCanvas.getContext('2d');
+var canvas = new OffscreenCanvas(100, 50);
+var ctx = canvas.getContext('2d');
 ctx.strokeStyle = '#0f0';
 ctx.beginPath();
Analyzing the provided code diff, here's the security assessment: Vulnerability Existed: no [Variable Renaming] [testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.isPointInStroke.basic.worker.js] [Lines 13-14] [Old Code] var offscreenCanvas = new OffscreenCanvas(100, 50); var ctx = offscreenCanvas.getContext('2d'); [Fixed Code] var canvas = new OffscreenCanvas(100, 50); var ctx = canvas.getContext('2d'); Additional Details: - This change appears to be purely a variable naming convention update (from 'offscreenCanvas' to 'canvas') - No security vulnerabilities are addressed in this change - The modification doesn't affect any security-sensitive operations or introduce/remove any security controls - The change is consistent with standard code maintenance practices No other vulnerabilities or changes were detected in the provided diff.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-ui/text-overflow-006.html
+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-ui/text-overflow-006.html
@@ -4,7 +4,6 @@
 <link rel="author" title="Florian Rivoal" href="http://florian.rivoal.net/">
 <link rel="help" href="http://www.w3.org/TR/css3-ui/#text-overflow">
 <link rel="match" href="reference/text-overflow-006-ref.html">
-<meta name="flags" content="">
 <meta name="assert" content="Checks that the elipsis is applied at the edge of the line box, not the end of the block container, when these are different.">
 <style>
 div {
Based on the provided code diff, I'll analyze it for potential security fixes: Vulnerability Existed: no No specific vulnerability found [File] testing/web-platform/tests/css/css-ui/text-overflow-006.html [Lines] 4 [Old Code] <meta name="flags" content=""> [Fixed Code] (removed line) Additional Details: This appears to be a simple cleanup of an empty meta tag rather than a security fix. The removed line was a meta tag with an empty "flags" attribute that wasn't serving any apparent purpose. There's no indication this was related to any security vulnerability. The change seems to be part of general code maintenance rather than addressing a specific security issue.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/compositing/2d.composite.solid.copy.html
+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/compositing/2d.composite.solid.copy.html
@@ -17,8 +17,8 @@
 });
 t.step(function() {
-var offscreenCanvas = new OffscreenCanvas(100, 50);
-var ctx = offscreenCanvas.getContext('2d');
+var canvas = new OffscreenCanvas(100, 50);
+var ctx = canvas.getContext('2d');
 ctx.fillStyle = 'rgba(0, 255, 255, 1.0)';
@@ -26,7 +26,7 @@
 ctx.globalCompositeOperation = 'copy';
 ctx.fillStyle = 'rgba(255, 255, 0, 1.0)';
 ctx.fillRect(0, 0, 100, 50);
-_assertPixelApprox(offscreenCanvas, 50,25, 255,255,0,255, "50,25", "255,255,0,255", 5);
+_assertPixelApprox(canvas, 50,25, 255,255,0,255, "50,25", "255,255,0,255", 5);
 t.done();
 });
Based on the provided diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely variable renaming and don't affect security. Here's the analysis: 1. Vulnerability Existed: no Variable Renaming [File] [Lines 17-18, 26] [Old Code] var offscreenCanvas = new OffscreenCanvas(100, 50); var ctx = offscreenCanvas.getContext('2d'); [Fixed Code] var canvas = new OffscreenCanvas(100, 50); var ctx = canvas.getContext('2d'); 2. Vulnerability Existed: no Variable Renaming [File] [Line 26] [Old Code] _assertPixelApprox(offscreenCanvas, 50,25, 255,255,0,255, "50,25", "255,255,0,255", 5); [Fixed Code] _assertPixelApprox(canvas, 50,25, 255,255,0,255, "50,25", "255,255,0,255", 5); The changes simply rename the variable `offscreenCanvas` to `canvas` throughout the file, which doesn't appear to have any security implications. The functionality remains exactly the same, only the variable name has changed.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/widget/windows/nsUXThemeData.cpp
+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/widget/windows/nsUXThemeData.cpp
@@ -107,8 +107,6 @@
 return L"Progress";
 case eUXTab:
 return L"Tab";
- case eUXScrollbar:
- return L"Scrollbar";
 case eUXTrackbar:
 return L"Trackbar";
 case eUXSpin:
Here's the analysis of the provided code diff following the specified format: Vulnerability Existed: not sure [Potential Information Leak] [widget/windows/nsUXThemeData.cpp] [Lines 107-108] [Old Code] case eUXScrollbar: return L"Scrollbar"; [Fixed Code] [Removed] Additional Details: - The diff shows removal of a case statement that returns "Scrollbar" for eUXScrollbar enum value - While this could potentially be related to security (like removing potentially sensitive information), there's no clear evidence this is a security fix - Without more context, it's unclear if this was a security fix or just a code cleanup/refactoring - The removal could be related to preventing information disclosure about scrollbar theming, but this is speculative Note: Since this is a single change in the diff, only one entry is provided. The change doesn't clearly match any known vulnerability pattern, hence the uncertainty.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/js/src/vm/RecordType.h
+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/js/src/vm/RecordType.h
@@ -12,6 +12,8 @@
 #include "js/TypeDecls.h"
 #include "vm/ArrayObject.h"
 #include "vm/NativeObject.h"
+
+#include "vm/Shape.h"
 namespace JS {
 class RecordType;
@@ -28,6 +30,7 @@
 class RecordType final : public js::NativeObject {
 friend JSString* js::RecordToSource(JSContext* cx, RecordType* rec);
+ public:
 enum {
 INITIALIZED_LENGTH_SLOT = 0,
 SORTED_KEYS_SLOT,
@@ -35,7 +38,6 @@
 SLOT_COUNT
 };
- public:
 static const js::ClassSpec classSpec_;
 static const JSClass class_;
@@ -43,6 +45,7 @@
 bool initializeNextProperty(JSContext* cx, Handle<PropertyKey> key, HandleValue value);
 bool finishInitialization(JSContext* cx);
+ static js::Shape* getInitialShape(JSContext* cx);
 bool getOwnProperty(JSContext* cx, HandleId id, MutableHandleValue vp) const;
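Review bot: The new `getInitialShape` declaration in the last hunk documents neither its failure mode nor what the returned `js::Shape*` represents; because it takes a `JSContext*` it presumably can fail and report on cx, and a caller that does not null-check the result would dereference a null pointer. A comment above the declaration, along the lines of `// Initial shape for newly allocated records; returns nullptr on failure (error reported on cx)`, adjusted to what the definition actually does, would make that contract visible at the header. The second and third hunks also move `public:` above the slot enum, so `INITIALIZED_LENGTH_SLOT` and the other slot indices become part of RecordType's public interface; if only `SLOT_COUNT` or a subset is needed outside the class, exposing just that would keep the slot layout private. The class body starts in the second hunk and continues past the last one.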
Based on the provided code diff, here's the analysis: Vulnerability Existed: not sure [Potential Access Control Issue] [js/src/vm/RecordType.h] [Lines 28-45] [Old Code] class RecordType final : public js::NativeObject { friend JSString* js::RecordToSource(JSContext* cx, RecordType* rec); enum { INITIALIZED_LENGTH_SLOT = 0, SORTED_KEYS_SLOT, IS_ATOMIZED_SLOT, SLOT_COUNT }; public: static const js::ClassSpec classSpec_; static const JSClass class_; [Fixed Code] class RecordType final : public js::NativeObject { friend JSString* js::RecordToSource(JSContext* cx, RecordType* rec); public: enum { INITIALIZED_LENGTH_SLOT = 0, SORTED_KEYS_SLOT, IS_ATOMIZED_SLOT, SLOT_COUNT }; static const js::ClassSpec classSpec_; static const JSClass class_; static js::Shape* getInitialShape(JSContext* cx); Additional Details: 1. The main change is moving the `public:` access specifier before the enum declaration and adding a new public method `getInitialShape()`. 2. While this improves encapsulation by making the enum public rather than private (which was likely an oversight), it's not clear if this was fixing an actual security vulnerability or just improving code organization. 3. The addition of `getInitialShape()` method suggests better shape handling, but without more context, we can't determine if this fixes a specific vulnerability. 4. The inclusion of `#include "vm/Shape.h"` suggests shape-related functionality was added, but again, this could be either security-related or general maintenance. No clear vulnerability name can be identified from these changes, but the modifications do relate to access control and object shape handling which could have security implications.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-fonts/font-size-zero-1-notref.html
+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-fonts/font-size-zero-1-notref.html
@@ -2,7 +2,6 @@
 <title>CSS Test Reference</title>
 <link rel="author" title="L. David Baron" href="https://dbaron.org/">
 <link rel="author" title="Mozilla" href="http://www.mozilla.org/">
-<meta name="flags" content="">
 <style>
 /* spec ambiguous whether font-size-adjust influences line-height: normal */
 body { line-height: 1.2 }
Let me analyze the code diff for potential security vulnerabilities: 1. Vulnerability Existed: no No specific vulnerability found [File] testing/web-platform/tests/css/css-fonts/font-size-zero-1-notref.html [Lines 2-6] [Old Code] <meta name="flags" content=""> [Fixed Code] (removed line) Additional Details: - The diff shows removal of an empty meta "flags" tag, which doesn't appear to be security-related - This appears to be a test file cleanup rather than a security fix - No known vulnerabilities are associated with this change - The modification is likely for test standardization or maintenance purposes No security vulnerabilities were identified in this change. The modification appears to be a benign cleanup of test metadata.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/js/src/util/EnumFlags.h
+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/js/src/util/EnumFlags.h
@@ -62,6 +62,10 @@
 }
 }
+ constexpr bool hasAnyFlag(const EnumFlags& other) const {
+ return (flags_ & other.flags_) != 0;
+ }
+
 constexpr bool isEmpty() const { return flags_ == 0; }
 constexpr FieldType toRaw() const { return flags_; }
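Review bot: `hasAnyFlag` is added without a comment, and its name invites confusion with an all-flags check; the body `(flags_ & other.flags_) != 0` is true when at least one flag set in `other` is also set here, and is always false when `other` is empty. A one-line doc comment above it, `// True if at least one of |other|'s flags is set here (any, not all); false for an empty |other|.`, would pin that down for callers choosing between this and the class's other predicates. The enclosing class starts and ends outside the hunk.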
Based on the provided code diff, I'll analyze it for potential security vulnerabilities: 1. Vulnerability Existed: not sure [Potential Missing Input Validation] [js/src/util/EnumFlags.h] [Lines 62-64] [Old Code: (No equivalent function)] [Fixed Code: constexpr bool hasAnyFlag(const EnumFlags& other) const { return (flags_ & other.flags_) != 0; }] Additional Details: - The diff adds a new method `hasAnyFlag()` that performs a bitwise AND operation between two EnumFlags objects. - While not clearly a security vulnerability, adding new functionality could potentially introduce new attack surfaces if not properly validated. - The safety would depend on how this method is used elsewhere in the codebase. - There's no obvious vulnerability like buffer overflow or injection here, but without seeing the calling context, we can't be certain about potential misuse. Note: The diff doesn't show any clear security vulnerabilities being fixed, but rather adds new functionality. The analysis is limited by not seeing the complete context of how this class is used.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/wgpu-core/src/init_tracker/mod.rs
+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/wgpu-core/src/init_tracker/mod.rs
@@ -20,7 +20,10 @@
 mod texture;
 pub(crate) use buffer::{BufferInitTracker, BufferInitTrackerAction};
-pub(crate) use texture::{TextureInitRange, TextureInitTracker, TextureInitTrackerAction};
+pub(crate) use texture::{
+ has_copy_partial_init_tracker_coverage, TextureInitRange, TextureInitTracker,
+ TextureInitTrackerAction,
+};
 #[derive(Debug, Clone, Copy)]
 pub(crate) enum MemoryInitKind {
Analyzing the provided code diff for security fixes: 1. Vulnerability Existed: not sure [Potential Information Exposure] [third_party/rust/wgpu-core/src/init_tracker/mod.rs] [Lines 20-23] [Old Code] pub(crate) use texture::{TextureInitRange, TextureInitTracker, TextureInitTrackerAction}; [Fixed Code] pub(crate) use texture::{ has_copy_partial_init_tracker_coverage, TextureInitRange, TextureInitTracker, TextureInitTrackerAction, }; Additional Details: - The change exposes a new function `has_copy_partial_init_tracker_coverage` through the public interface - While this could potentially expose more information than intended, there's no clear evidence this is a security vulnerability - The function name suggests it's related to initialization tracking coverage checks, which might be security-relevant but not clearly a vulnerability
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.