Shared security patch analysis results
AI Used: DEEPSEEK deepseek-chat--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/canvas/nsICanvasRenderingContextInternal.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/canvas/nsICanvasRenderingContextInternal.h@@ -16,6 +16,7 @@ #include "mozilla/dom/OffscreenCanvas.h" #include "mozilla/Maybe.h" #include "mozilla/RefPtr.h"+#include "mozilla/StateWatching.h" #include "mozilla/UniquePtr.h" #include "mozilla/NotNull.h" #include "mozilla/WeakPtr.h"@@ -29,6 +30,7 @@ } class nsIDocShell;+class nsIPrincipal; class nsRefreshDriver; namespace mozilla {@@ -51,6 +53,8 @@ } // namespace gfx } // namespace mozilla+enum class FrameCaptureState : uint8_t { CLEAN, DIRTY };+ class nsICanvasRenderingContextInternal : public nsISupports, public mozilla::SupportsWeakPtr, public nsAPostRefreshObserver {@@ -78,6 +82,8 @@ nsIGlobalObject* GetParentObject() const;+ nsIPrincipal* PrincipalOrNull() const;+ void SetOffscreenCanvas(mozilla::dom::OffscreenCanvas* aOffscreenCanvas) { mOffscreenCanvas = aOffscreenCanvas; }@@ -89,6 +95,9 @@ // Sets the dimensions of the canvas, in pixels. Called // whenever the size of the element changes. NS_IMETHOD SetDimensions(int32_t width, int32_t height) = 0;++ // Initializes the canvas after the object is constructed.+ virtual void Initialize() {} // Initializes with an nsIDocShell and DrawTarget. The size is taken from the // DrawTarget.@@ -157,9 +166,10 @@ // Called when a frame is captured. virtual void MarkContextCleanForFrameCapture() = 0;- // Whether the context is clean or has been invalidated since the last frame- // was captured.- virtual bool IsContextCleanForFrameCapture() = 0;+ // Whether the context is clean or has been invalidated (dirty) since the last+ // frame was captured. The Watchable allows the caller to get notified of+ // state changes.+ virtual mozilla::Watchable<FrameCaptureState>* GetFrameCaptureState() = 0; // Redraw the dirty rectangle of this canvas. NS_IMETHOD Redraw(const gfxRect& dirty) = 0;
Based on the provided diff, I'll analyze it for security vulnerabilities:
1. Vulnerability Existed: not sure
[Potential Principal Check Missing] [dom/canvas/nsICanvasRenderingContextInternal.h] [Lines around 82]
[Old Code]
(No equivalent function existed)
[Fixed Code]
nsIPrincipal* PrincipalOrNull() const;
Note: The addition of PrincipalOrNull() suggests better security handling of principals, but without seeing the implementation, we can't be certain if this fixes a vulnerability or is just an improvement.
2. Vulnerability Existed: not sure
[Frame Capture State Management] [dom/canvas/nsICanvasRenderingContextInternal.h] [Lines around 166-169]
[Old Code]
virtual bool IsContextCleanForFrameCapture() = 0;
[Fixed Code]
virtual mozilla::Watchable<FrameCaptureState>* GetFrameCaptureState() = 0;
Note: The change from a simple boolean check to a more sophisticated state watching mechanism suggests improved security around frame capture state management, but we can't confirm if this fixes a specific vulnerability without more context.
3. Vulnerability Existed: not sure
[Initialization Security] [dom/canvas/nsICanvasRenderingContextInternal.h] [Lines around 95]
[Old Code]
(No Initialize() method existed)
[Fixed Code]
virtual void Initialize() {}
Note: The addition of an Initialize() method suggests better control over initialization, which could have security implications, but we can't confirm a specific vulnerability was fixed.
The changes appear to be security-related improvements, particularly around principal handling and frame capture state management, but without more context about the implementation or specific vulnerabilities being addressed, we can't be certain about specific vulnerabilities being fixed.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/netwerk/streamconv/converters/mozTXTToHTMLConv.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/netwerk/streamconv/converters/mozTXTToHTMLConv.cpp@@ -5,6 +5,8 @@ #include "mozilla/TextUtils.h" #include "mozTXTToHTMLConv.h"+#include "mozilla/intl/Segmenter.h"+#include "mozilla/Maybe.h" #include "nsNetUtil.h" #include "nsUnicharUtils.h" #include "nsUnicodeProperties.h"@@ -22,6 +24,11 @@ using mozilla::IsAscii; using mozilla::IsAsciiAlpha; using mozilla::IsAsciiDigit;+using mozilla::Maybe;+using mozilla::Some;+using mozilla::Span;+using mozilla::intl::GraphemeClusterBreakIteratorUtf16;+using mozilla::intl::GraphemeClusterBreakReverseIteratorUtf16; const double growthRate = 1.2;@@ -557,9 +564,9 @@ // find length of the char/cluster to be ignored int32_t ignoreLen = before == LT_IGNORE ? 0 : 1; if (ignoreLen) {- mozilla::unicode::ClusterIterator ci(aInString, aInLength);- ci.Next();- ignoreLen = ci - aInString;+ GraphemeClusterBreakIteratorUtf16 ci(+ Span<const char16_t>(aInString, aInLength));+ ignoreLen = *ci.Next(); } int32_t afterIndex = aRepLen + ignoreLen;@@ -590,10 +597,11 @@ LIMTYPE before, LIMTYPE after) { uint32_t result = 0;- const char16_t* end = aInString + aInStringLength;- for (mozilla::unicode::ClusterIterator ci(aInString, aInStringLength);- !ci.AtEnd(); ci.Next()) {- if (ItMatchesDelimited(ci, end - ci, rep, aRepLen, before, after)) {+ const uint32_t len = mozilla::AssertedCast<uint32_t>(aInStringLength);+ GraphemeClusterBreakIteratorUtf16 ci(Span<const char16_t>(aInString, len));+ for (uint32_t pos = 0; pos < len; pos = *ci.Next()) {+ if (ItMatchesDelimited(aInString + pos, aInStringLength - pos, rep, aRepLen,+ before, after)) { result++; } }@@ -979,17 +987,15 @@ const char16_t* rawInputString = aInString.BeginReading(); uint32_t inLength = aInString.Length();- for (mozilla::unicode::ClusterIterator ci(rawInputString, inLength);- !ci.AtEnd();) {- uint32_t i = ci - rawInputString;+ const Span<const char16_t> inString(aInString);+ GraphemeClusterBreakIteratorUtf16 ci(inString);+ uint32_t i = 0;+ while (i < inLength) { if (doGlyphSubstitution) { int32_t glyphTextLen; if (GlyphHit(&rawInputString[i], inLength - i, i == 0, aOutString, glyphTextLen)) {- i += glyphTextLen;- while (ci < rawInputString + i) {- ci.Next();- }+ i = *ci.Seek(i + glyphTextLen - 1); continue; } }@@ -999,10 +1005,11 @@ int32_t newLength = aInString.Length(); if (i > 0) // skip the first element? {- mozilla::unicode::ClusterReverseIterator ri(rawInputString, i);- ri.Next();- newOffset = ri;- newLength = aInString.Length() - (ri - rawInputString);+ GraphemeClusterBreakReverseIteratorUtf16 ri(+ Span<const char16_t>(rawInputString, i));+ Maybe<uint32_t> nextPos = ri.Next();+ newOffset += *nextPos;+ newLength -= *nextPos; } switch (aInString[i]) // Performance increase@@ -1011,7 +1018,7 @@ if (StructPhraseHit(newOffset, newLength, i == 0, u"*", 1, "b", "class=\"moz-txt-star\"", aOutString, structPhrase_strong)) {- ci.Next();+ i = *ci.Next(); continue; } break;@@ -1019,7 +1026,7 @@ if (StructPhraseHit(newOffset, newLength, i == 0, u"/", 1, "i", "class=\"moz-txt-slash\"", aOutString, structPhrase_italic)) {- ci.Next();+ i = *ci.Next(); continue; } break;@@ -1028,7 +1035,7 @@ "span" /* <u> is deprecated */, "class=\"moz-txt-underscore\"", aOutString, structPhrase_underline)) {- ci.Next();+ i = *ci.Next(); continue; } break;@@ -1036,7 +1043,7 @@ if (StructPhraseHit(newOffset, newLength, i == 0, u"|", 1, "code", "class=\"moz-txt-verticalline\"", aOutString, structPhrase_code)) {- ci.Next();+ i = *ci.Next(); continue; } break;@@ -1068,10 +1075,7 @@ replaceBefore); aOutString += outputHTML; endOfLastURLOutput = aOutString.Length();- i += replaceAfter + 1;- while (ci < rawInputString + i) {- ci.Next();- }+ i = *ci.Seek(i + replaceAfter); continue; } }@@ -1085,13 +1089,13 @@ case '>': case '&': EscapeChar(aInString[i], aOutString, false);- ci.Next();+ i = *ci.Next(); break; // Normal characters default: {- const char16_t* start = ci;- ci.Next();- aOutString += Substring(start, (const char16_t*)ci);+ const uint32_t oldIdx = i;+ i = *ci.Next();+ aOutString.Append(inString.FromTo(oldIdx, i)); break; } }
I'll analyze the code diff for security fixes following the specified format. Vulnerability Existed: not sure [Potential Unicode Handling Vulnerability] [netwerk/streamconv/converters/mozTXTToHTMLConv.cpp] [Multiple locations] [Old Code] Various uses of mozilla::unicode::ClusterIterator and mozilla::unicode::ClusterReverseIterator [Fixed Code] Replaced with GraphemeClusterBreakIteratorUtf16 and GraphemeClusterBreakReverseIteratorUtf16 Additional Details: The diff shows a significant change in how Unicode text processing is handled, moving from ClusterIterator to more sophisticated grapheme cluster handling. While not explicitly a security fix, improper Unicode handling can lead to security issues like: 1. Incorrect processing of multi-code-point characters 2. Potential bypass of input validation 3. Rendering inconsistencies that could be exploited Vulnerability Existed: not sure [Potential Integer Overflow] [netwerk/streamconv/converters/mozTXTToHTMLConv.cpp] [Line 590] [Old Code] const char16_t* end = aInString + aInStringLength; [Fixed Code] const uint32_t len = mozilla::AssertedCast<uint32_t>(aInStringLength); Additional Details: The change adds explicit casting of string length to uint32_t, which suggests potential concerns about integer overflow or type safety in the original code. Vulnerability Existed: not sure [Potential Buffer Boundary Issue] [netwerk/streamconv/converters/mozTXTToHTMLConv.cpp] [Multiple locations] [Old Code] Direct pointer arithmetic and comparisons [Fixed Code] Uses Span and more controlled iterator patterns Additional Details: The changes introduce Span and more robust iterator handling, which could prevent potential buffer boundary issues in the original pointer arithmetic-based implementation. Note: While these changes appear to improve safety, without more context about the specific vulnerabilities being addressed, we can't definitively say these were security fixes versus general robustness improvements. The changes do appear to make the code more resistant to common text processing vulnerabilities.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/media/MediaTrackGraphImpl.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/media/MediaTrackGraphImpl.h@@ -392,33 +392,28 @@ TrackTime PlayAudio(AudioMixer* aMixer, const TrackKeyAndVolume& aTkv, GraphTime aPlayedTime);- /* Called on the main thread when AudioInputTrack requests audio data from an- * input device aID. */- NativeInputTrack* GetOrCreateDeviceTrack(- CubebUtils::AudioDeviceID aID, const PrincipalHandle& aPrincipalHandle);+ /* Do not call this directly. For users who need to get a NativeInputTrack,+ * use NativeInputTrack::OpenAudio() instead. This should only be used in+ * NativeInputTrack to get the existing NativeInputTrack paired with the given+ * device in this graph. Main thread only.*/+ NativeInputTrack* GetNativeInputTrack(); /* Runs off a message on the graph thread when something requests audio from * an input audio device of ID aID, and delivers the input audio frames to * aListener. */- void OpenAudioInputImpl(CubebUtils::AudioDeviceID aID,- AudioDataListener* aListener,- NativeInputTrack* aInputTrack);+ void OpenAudioInputImpl(NativeInputTrack* aTrack); /* Called on the main thread when something requests audio from an input * audio device aID. */- virtual nsresult OpenAudioInput(CubebUtils::AudioDeviceID aID,- AudioDataListener* aListener) override;+ virtual void OpenAudioInput(NativeInputTrack* aTrack) override; /* Runs off a message on the graph when input audio from aID is not needed * anymore, for a particular track. It can be that other tracks still need * audio from this audio input device. */- void CloseAudioInputImpl(CubebUtils::AudioDeviceID aID,- AudioDataListener* aListener,- NativeInputTrack* aInputTrack);+ void CloseAudioInputImpl(CubebUtils::AudioDeviceID aID); /* Called on the main thread when input audio from aID is not needed * anymore, for a particular track. It can be that other tracks still need * audio from this audio input device. */- virtual void CloseAudioInput(CubebUtils::AudioDeviceID aID,- AudioDataListener* aListener) override;+ virtual void CloseAudioInput(NativeInputTrack* aTrack) override; /* Add or remove an audio output for this track. All tracks that have an * audio output are mixed and written to a single audio output stream. */@@ -504,57 +499,9 @@ * channel counts requested by the listeners. The max channel count is * delivered to the listeners themselves, and they take care of downmixing. */- uint32_t AudioInputChannelCount() {- MOZ_ASSERT(OnGraphThreadOrNotRunning());--#ifdef ANDROID- if (!mDeviceTrackMap.Contains(mInputDeviceID)) {- return 0;- }-#else- if (!mInputDeviceID) {- MOZ_ASSERT(mDeviceTrackMap.Count() == 0,- "If running on a platform other than android,"- "an explicit device id should be present");- return 0;- }-#endif- uint32_t maxInputChannels = 0;- // When/if we decide to support multiple input device per graph, this needs- // loop over them.- auto result = mDeviceTrackMap.Lookup(mInputDeviceID);- MOZ_ASSERT(result);- if (!result) {- return maxInputChannels;- }- for (const auto& listener : result.Data()->mDataUsers) {- maxInputChannels = std::max(maxInputChannels,- listener->RequestedInputChannelCount(this));- }- return maxInputChannels;- }-- AudioInputType AudioInputDevicePreference() {- MOZ_ASSERT(OnGraphThreadOrNotRunning());-- auto result = mDeviceTrackMap.Lookup(mInputDeviceID);- if (!result) {- return AudioInputType::Unknown;- }- bool voiceInput = false;- // When/if we decide to support multiple input device per graph, this needs- // loop over them.-- // If at least one track is considered to be voice,- // XXX This could use short-circuit evaluation resp. std::any_of.- for (const auto& listener : result.Data()->mDataUsers) {- voiceInput |= listener->IsVoiceInput(this);- }- if (voiceInput) {- return AudioInputType::Voice;- }- return AudioInputType::Unknown;- }+ uint32_t AudioInputChannelCount();++ AudioInputType AudioInputDevicePreference(); CubebUtils::AudioDeviceID InputDeviceID() { return mInputDeviceID; }@@ -772,7 +719,7 @@ /** * Devices to use for cubeb input & output, or nullptr for default device. * A MediaTrackGraph always has an output (even if silent).- * If `mDeviceTrackMap.Count() != 0`, this MediaTrackGraph wants audio+ * If `mNativeInputTrackOnGraph` is not NULL, this MediaTrackGraph wants audio * input. * * All mInputDeviceID access is on the graph thread except for reads via@@ -784,12 +731,11 @@ std::atomic<CubebUtils::AudioDeviceID> mInputDeviceID; CubebUtils::AudioDeviceID mOutputDeviceID;- // Maps AudioDeviceID to a device track that delivers audio input/output- // data and send device-changed signals to its listeners. This is only- // touched on the graph thread. The NativeInputTrack* here is used for- // for bookkeeping on the graph thread. The owner of the NativeInputTrack is- // mDeviceTracks, which is only touched by main thread.- nsTHashMap<CubebUtils::AudioDeviceID, NativeInputTrack*> mDeviceTrackMap;+ // Track the native input device in graph. Graph thread only.+ // TODO: Once multiple input devices is supported,+ // mNativeInputTrackOnGraph->mDeviceId could replace mInputDeviceID since no+ // other thread will read mInputDeviceID.+ RefPtr<NativeInputTrack> mNativeInputTrackOnGraph; /** * List of resume operations waiting for a switch to an AudioCallbackDriver.@@ -1063,9 +1009,9 @@ uint32_t mMaxOutputChannelCount; /*- * Hold the NativeInputTrack for a certain device- */- nsTHashMap<CubebUtils::AudioDeviceID, RefPtr<NativeInputTrack>> mDeviceTracks;+ * Hold the NativeInputTrack for a certain device.+ */+ RefPtr<NativeInputTrack> mNativeInputTrackOnMain; }; } // namespace mozilla
Analyzing the provided code diff, I'll identify potential security vulnerabilities following the specified format:
1. Vulnerability Existed: not sure
[Potential Improper Access Control] [dom/media/MediaTrackGraphImpl.h] [392-425]
[Old Code]
NativeInputTrack* GetOrCreateDeviceTrack(
CubebUtils::AudioDeviceID aID, const PrincipalHandle& aPrincipalHandle);
[Fixed Code]
NativeInputTrack* GetNativeInputTrack();
Additional Details:
The change removes direct access to device tracks via device ID and principal handle, suggesting potential concerns about improper access control. However, without more context about the security model, this is uncertain.
2. Vulnerability Existed: not sure
[Potential Race Condition] [dom/media/MediaTrackGraphImpl.h] [772-785]
[Old Code]
nsTHashMap<CubebUtils::AudioDeviceID, NativeInputTrack*> mDeviceTrackMap;
[Fixed Code]
RefPtr<NativeInputTrack> mNativeInputTrackOnGraph;
Additional Details:
The change from a thread-unsafe hash map to a single tracked input device might address potential race conditions in device access, but without seeing the full threading model, this is speculative.
3. Vulnerability Existed: not sure
[Potential Information Leak] [dom/media/MediaTrackGraphImpl.h] [504-549]
[Old Code]
Inline implementation exposing device-specific logic
[Fixed Code]
Moved to declaration only (implementation hidden)
Additional Details:
The removal of inline implementation details could potentially hide sensitive device-handling logic from header files, reducing information leakage, but this is a structural change rather than a confirmed vulnerability fix.
4. Vulnerability Existed: not sure
[Potential Resource Management Issue] [dom/media/MediaTrackGraphImpl.h] [1063-1066]
[Old Code]
nsTHashMap<CubebUtils::AudioDeviceID, RefPtr<NativeInputTrack>> mDeviceTracks;
[Fixed Code]
RefPtr<NativeInputTrack> mNativeInputTrackOnMain;
Additional Details:
The simplification from multiple tracked devices to a single device might address potential resource management issues, but this could also be just a design change.
Note: The diff shows significant architectural changes in how audio devices are handled, particularly moving from a map-based approach to single-device tracking. While these changes likely improve security by reducing attack surface and complexity, without explicit vulnerability reports or more context, I can't definitively identify specific vulnerabilities being fixed. The changes appear to be more about architectural improvements than direct security fixes.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/darling/tests/generics.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/darling/tests/generics.rs@@ -1,11 +1,7 @@-#[macro_use]-extern crate darling;-#[macro_use]-extern crate syn;-#[macro_use]-extern crate quote;+#![allow(dead_code)]-use darling::FromDeriveInput;+use darling::{FromDeriveInput, FromMeta};+use syn::parse_quote; #[derive(Debug, Clone, FromMeta)] struct Wrapper<T>(pub T);
Based on the provided diff, I'll analyze it for security vulnerabilities:
1. Vulnerability Existed: no
Dependency Cleanup [third_party/rust/darling/tests/generics.rs] [Lines 1-7]
Old Code:
```rust
#[macro_use]
extern crate darling;
#[macro_use]
extern crate syn;
#[macro_use]
extern crate quote;
```
Fixed Code:
```rust
#![allow(dead_code)]
use darling::{FromDeriveInput, FromMeta};
use syn::parse_quote;
```
This appears to be a code cleanup/modernization change rather than a security fix. The changes involve:
1. Removing old-style `extern crate` declarations (which are no longer needed in Rust 2018 edition)
2. Adding a `dead_code` allowance
3. Updating the imports to use more specific paths
There are no obvious security vulnerabilities being fixed here - this is primarily a code style and modernization update. The functionality remains the same, just expressed in a more modern Rust style.
No CVEs or specific vulnerability names are associated with these changes as they don't represent security fixes.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/text/2d.text.drawing.style.nonfinite.spacing.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/text/2d.text.drawing.style.nonfinite.spacing.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); _assertSame(ctx.letterSpacing, '0px', "ctx.letterSpacing", "'0px'"); _assertSame(ctx.wordSpacing, '0px', "ctx.wordSpacing", "'0px'");
After analyzing the provided code diff, here's the security assessment:
Vulnerability Existed: no
[No specific vulnerability found] [testing/web-platform/tests/html/canvas/offscreen/text/2d.text.drawing.style.nonfinite.spacing.html] [Lines 17-18]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
Additional Details:
The changes appear to be purely cosmetic/refactoring in nature, simply renaming a variable from 'offscreenCanvas' to 'canvas'. There's no indication of any security vulnerability being fixed in this change. The modification doesn't affect any security-sensitive operations or introduce/remove any security-related functionality.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/crossbeam-channel/tests/ready.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/crossbeam-channel/tests/ready.rs@@ -1,4 +1,6 @@ //! Tests for channel readiness using the `Select` struct.++#![allow(clippy::drop_copy)] use std::any::Any; use std::cell::Cell;@@ -490,6 +492,9 @@ #[test] fn stress_recv() {+ #[cfg(miri)]+ const COUNT: usize = 100;+ #[cfg(not(miri))] const COUNT: usize = 10_000; let (s1, r1) = unbounded();@@ -527,6 +532,9 @@ #[test] fn stress_send() {+ #[cfg(miri)]+ const COUNT: usize = 100;+ #[cfg(not(miri))] const COUNT: usize = 10_000; let (s1, r1) = bounded(0);@@ -561,6 +569,9 @@ #[test] fn stress_mixed() {+ #[cfg(miri)]+ const COUNT: usize = 100;+ #[cfg(not(miri))] const COUNT: usize = 10_000; let (s1, r1) = bounded(0);@@ -666,6 +677,9 @@ #[test] fn channel_through_channel() {+ #[cfg(miri)]+ const COUNT: usize = 100;+ #[cfg(not(miri))] const COUNT: usize = 1000; type T = Box<dyn Any + Send>;@@ -722,6 +736,9 @@ #[test] fn fairness1() {+ #[cfg(miri)]+ const COUNT: usize = 100;+ #[cfg(not(miri))] const COUNT: usize = 10_000; let (s1, r1) = bounded::<()>(COUNT);@@ -767,6 +784,9 @@ #[test] fn fairness2() {+ #[cfg(miri)]+ const COUNT: usize = 100;+ #[cfg(not(miri))] const COUNT: usize = 100_000; let (s1, r1) = unbounded::<()>();
Analyzing the provided code diff, here are the findings: 1. Vulnerability Existed: no Clippy Lint Allowance [third_party/rust/crossbeam-channel/tests/ready.rs] [Lines 1-2] Old Code: //! Tests for channel readiness using the `Select` struct. Fixed Code: //! Tests for channel readiness using the `Select` struct. #![allow(clippy::drop_copy)] 2. Vulnerability Existed: no Test Configuration Adjustment [third_party/rust/crossbeam-channel/tests/ready.rs] [Multiple locations] Old Code: Various test constants without Miri configuration Fixed Code: Added Miri-specific test constants with lower values The changes appear to be: 1. Adding a Clippy lint allowance for `drop_copy` which is a style/optimization issue, not a security vulnerability 2. Adding Miri-specific test configurations with lower iteration counts for performance reasons during Miri execution No security vulnerabilities were found in this diff. The changes are related to test configuration and linting adjustments rather than security fixes.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/media/platforms/apple/AppleVTDecoder.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/media/platforms/apple/AppleVTDecoder.h@@ -92,6 +92,10 @@ const uint32_t mDisplayHeight; const gfx::YUVColorSpace mColorSpace; const gfx::ColorRange mColorRange;+#if defined(MAC_OS_VERSION_10_13) && \+ MAC_OS_X_VERSION_MAX_ALLOWED >= MAC_OS_VERSION_10_13+ const gfx::ColorDepth mColorDepth;+#endif // Method to set up the decompression session. MediaResult InitializeSession();
Let me analyze the diff for potential security vulnerabilities.
Vulnerability Existed: no
[No specific vulnerability] [dom/media/platforms/apple/AppleVTDecoder.h] [Lines 92-96]
[Old Code]
const uint32_t mDisplayHeight;
const gfx::YUVColorSpace mColorSpace;
const gfx::ColorRange mColorRange;
[Fixed Code]
const uint32_t mDisplayHeight;
const gfx::YUVColorSpace mColorSpace;
const gfx::ColorRange mColorRange;
#if defined(MAC_OS_VERSION_10_13) && \
MAC_OS_X_VERSION_MAX_ALLOWED >= MAC_OS_VERSION_10_13
const gfx::ColorDepth mColorDepth;
#endif
Additional Details:
This appears to be a feature addition rather than a security fix. The change adds support for color depth tracking on macOS 10.13 and above by adding a new member variable `mColorDepth` guarded by version checks. There's no indication of a security vulnerability being fixed here - it's more likely an enhancement to support additional video color information.
No specific vulnerability name applies as this is not a security fix but rather a feature addition with proper version checking.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-contain/contain-paint-clip-012.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-contain/contain-paint-clip-012.html@@ -30,7 +30,6 @@ -->- <meta name="flags" content=""> <style> div
Based on the provided code diff, here's the analysis: Vulnerability Existed: no [No specific vulnerability found] [testing/web-platform/tests/css/css-contain/contain-paint-clip-012.html] [Line 30] [Old Code: `<meta name="flags" content="">`] [Fixed Code: (line removed)] Additional details: 1. The change simply removes an empty meta tag with a "flags" attribute, which doesn't appear to be security-related. 2. This appears to be a test file cleanup rather than a security fix. 3. No actual vulnerability is being addressed here - just removal of unnecessary markup in a test file.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/html/HTMLSelectElement.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/html/HTMLSelectElement.h@@ -437,8 +437,8 @@ nsISelectControlFrame* GetSelectFrame(); /**- * Helper method for dispatching ContentReset notifications to list- * and combo box frames.+ * Helper method for dispatching ContentReset notifications to list box+ * frames. */ void DispatchContentReset();
Analyzing the provided code diff, here's the security analysis: Vulnerability Existed: not sure [Comment Update Only] [dom/html/HTMLSelectElement.h] [Lines 437-440] [Old Code] * Helper method for dispatching ContentReset notifications to list * and combo box frames. [Fixed Code] * Helper method for dispatching ContentReset notifications to list box * frames. Additional Details: - This appears to be a documentation/comment-only change - The actual functionality change isn't visible in the diff - No clear vulnerability is being fixed here - The change narrows the scope of the documentation from "list and combo box frames" to just "list box frames" Note: Without seeing the actual implementation changes or more context, it's impossible to determine if this comment change reflects an underlying security fix. The modification could potentially be related to a security issue where combo box frames were incorrectly handled, but there's no evidence of this in the provided diff.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/toolkit/components/pdfjs/content/web/viewer.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/toolkit/components/pdfjs/content/web/viewer.js@@ -2,7 +2,7 @@ * @licstart The following is the entire license notice for the * Javascript code in this page *- * Copyright 2021 Mozilla Foundation+ * Copyright 2022 Mozilla Foundation * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License.@@ -308,23 +308,23 @@ var _pdf_cursor_tools = __webpack_require__(6);-var _overlay_manager = __webpack_require__(8);--var _password_prompt = __webpack_require__(9);--var _pdf_attachment_viewer = __webpack_require__(10);--var _pdf_document_properties = __webpack_require__(12);--var _pdf_find_bar = __webpack_require__(13);--var _pdf_find_controller = __webpack_require__(14);--var _pdf_history = __webpack_require__(16);--var _pdf_layer_viewer = __webpack_require__(17);--var _pdf_link_service = __webpack_require__(18);+var _pdf_link_service = __webpack_require__(8);++var _overlay_manager = __webpack_require__(9);++var _password_prompt = __webpack_require__(10);++var _pdf_attachment_viewer = __webpack_require__(11);++var _pdf_document_properties = __webpack_require__(13);++var _pdf_find_bar = __webpack_require__(14);++var _pdf_find_controller = __webpack_require__(15);++var _pdf_history = __webpack_require__(17);++var _pdf_layer_viewer = __webpack_require__(18); var _pdf_outline_viewer = __webpack_require__(19);@@ -474,8 +474,8 @@ await this._initializeL10n();- if (this.isViewerEmbedded && _app_options.AppOptions.get("externalLinkTarget") === _pdfjsLib.LinkTarget.NONE) {- _app_options.AppOptions.set("externalLinkTarget", _pdfjsLib.LinkTarget.TOP);+ if (this.isViewerEmbedded && _app_options.AppOptions.get("externalLinkTarget") === _pdf_link_service.LinkTarget.NONE) {+ _app_options.AppOptions.set("externalLinkTarget", _pdf_link_service.LinkTarget.TOP); } await this._initializeViewerComponents();@@ -623,16 +623,7 @@ appConfig, externalServices } = this;- let eventBus;-- if (appConfig.eventBus) {- eventBus = appConfig.eventBus;- } else if (externalServices.isInAutomation) {- eventBus = new _event_utils.AutomationEventBus();- } else {- eventBus = new _event_utils.EventBus();- }-+ const eventBus = externalServices.isInAutomation ? new _event_utils.AutomationEventBus() : new _event_utils.EventBus(); this.eventBus = eventBus; this.overlayManager = new _overlay_manager.OverlayManager(); const pdfRenderingQueue = new _pdf_rendering_queue.PDFRenderingQueue();@@ -1146,6 +1137,12 @@ this._unblockDocumentLoadEvent(); this._otherError(message, moreInfo);++ this.eventBus.dispatch("documenterror", {+ source: this,+ message,+ reason: moreInfo?.message ?? null+ }); }, _otherError(message, moreInfo = null) {@@ -2541,11 +2538,12 @@ return; }+ const deltaMode = evt.deltaMode;+ const delta = (0, _ui_utils.normalizeWheelEventDirection)(evt); const previousScale = pdfViewer.currentScale;- const delta = (0, _ui_utils.normalizeWheelEventDirection)(evt); let ticks = 0;- if (evt.deltaMode === WheelEvent.DOM_DELTA_LINE || evt.deltaMode === WheelEvent.DOM_DELTA_PAGE) {+ if (deltaMode === WheelEvent.DOM_DELTA_LINE || deltaMode === WheelEvent.DOM_DELTA_PAGE) { if (Math.abs(delta) >= 1) { ticks = Math.sign(delta); } else {@@ -2920,6 +2918,7 @@ exports.normalizeWheelEventDelta = normalizeWheelEventDelta; exports.normalizeWheelEventDirection = normalizeWheelEventDirection; exports.parseQueryString = parseQueryString;+exports.removeNullCharacters = removeNullCharacters; exports.roundToDivide = roundToDivide; exports.scrollIntoView = scrollIntoView; exports.watchScroll = watchScroll;@@ -3090,6 +3089,22 @@ return params; }+const NullCharactersRegExp = /\x00/g;+const InvisibleCharactersRegExp = /[\x01-\x1F]/g;++function removeNullCharacters(str, replaceInvisible = false) {+ if (typeof str !== "string") {+ console.error(`The argument must be a string.`);+ return str;+ }++ if (replaceInvisible) {+ str = str.replace(InvisibleCharactersRegExp, " ");+ }++ return str.replace(NullCharactersRegExp, "");+}+ function binarySearchFirstItem(items, condition) { let minIndex = 0; let maxIndex = items.length - 1;@@ -3950,6 +3965,539 @@ /***/ }), /* 8 */+/***/ ((__unused_webpack_module, exports, __webpack_require__) => {++++Object.defineProperty(exports, "__esModule", ({+ value: true+}));+exports.SimpleLinkService = exports.PDFLinkService = exports.LinkTarget = void 0;++var _ui_utils = __webpack_require__(3);++const DEFAULT_LINK_REL = "noopener noreferrer nofollow";+const LinkTarget = {+ NONE: 0,+ SELF: 1,+ BLANK: 2,+ PARENT: 3,+ TOP: 4+};+exports.LinkTarget = LinkTarget;++function addLinkAttributes(link, {+ url,+ target,+ rel,+ enabled = true+} = {}) {+ if (!url || typeof url !== "string") {+ throw new Error('A valid "url" parameter must provided.');+ }++ const urlNullRemoved = (0, _ui_utils.removeNullCharacters)(url);++ if (enabled) {+ link.href = link.title = urlNullRemoved;+ } else {+ link.href = "";+ link.title = `Disabled: ${urlNullRemoved}`;++ link.onclick = () => {+ return false;+ };+ }++ let targetStr = "";++ switch (target) {+ case LinkTarget.NONE:+ break;++ case LinkTarget.SELF:+ targetStr = "_self";+ break;++ case LinkTarget.BLANK:+ targetStr = "_blank";+ break;++ case LinkTarget.PARENT:+ targetStr = "_parent";+ break;++ case LinkTarget.TOP:+ targetStr = "_top";+ break;+ }++ link.target = targetStr;+ link.rel = typeof rel === "string" ? rel : DEFAULT_LINK_REL;+}++class PDFLinkService {+ #pagesRefCache = new Map();++ constructor({+ eventBus,+ externalLinkTarget = null,+ externalLinkRel = null,+ ignoreDestinationZoom = false+ } = {}) {+ this.eventBus = eventBus;+ this.externalLinkTarget = externalLinkTarget;+ this.externalLinkRel = externalLinkRel;+ this.externalLinkEnabled = true;+ this._ignoreDestinationZoom = ignoreDestinationZoom;+ this.baseUrl = null;+ this.pdfDocument = null;+ this.pdfViewer = null;+ this.pdfHistory = null;+ }++ setDocument(pdfDocument, baseUrl = null) {+ this.baseUrl = baseUrl;+ this.pdfDocument = pdfDocument;+ this.#pagesRefCache.clear();+ }++ setViewer(pdfViewer) {+ this.pdfViewer = pdfViewer;+ }++ setHistory(pdfHistory) {+ this.pdfHistory = pdfHistory;+ }++ get pagesCount() {+ return this.pdfDocument ? this.pdfDocument.numPages : 0;+ }++ get page() {+ return this.pdfViewer.currentPageNumber;+ }++ set page(value) {+ this.pdfViewer.currentPageNumber = value;+ }++ get rotation() {+ return this.pdfViewer.pagesRotation;+ }++ set rotation(value) {+ this.pdfViewer.pagesRotation = value;+ }++ #goToDestinationHelper(rawDest, namedDest = null, explicitDest) {+ const destRef = explicitDest[0];+ let pageNumber;++ if (typeof destRef === "object" && destRef !== null) {+ pageNumber = this._cachedPageNumber(destRef);++ if (!pageNumber) {+ this.pdfDocument.getPageIndex(destRef).then(pageIndex => {+ this.cachePageRef(pageIndex + 1, destRef);+ this.#goToDestinationHelper(rawDest, namedDest, explicitDest);+ }).catch(() => {+ console.error(`PDFLinkService.#goToDestinationHelper: "${destRef}" is not ` + `a valid page reference, for dest="${rawDest}".`);+ });+ return;+ }+ } else if (Number.isInteger(destRef)) {+ pageNumber = destRef + 1;+ } else {+ console.error(`PDFLinkService.#goToDestinationHelper: "${destRef}" is not ` + `a valid destination reference, for dest="${rawDest}".`);+ return;+ }++ if (!pageNumber || pageNumber < 1 || pageNumber > this.pagesCount) {+ console.error(`PDFLinkService.#goToDestinationHelper: "${pageNumber}" is not ` + `a valid page number, for dest="${rawDest}".`);+ return;+ }++ if (this.pdfHistory) {+ this.pdfHistory.pushCurrentPosition();+ this.pdfHistory.push({+ namedDest,+ explicitDest,+ pageNumber+ });+ }++ this.pdfViewer.scrollPageIntoView({+ pageNumber,+ destArray: explicitDest,+ ignoreDestinationZoom: this._ignoreDestinationZoom+ });+ }++ async goToDestination(dest) {+ if (!this.pdfDocument) {+ return;+ }++ let namedDest, explicitDest;++ if (typeof dest === "string") {+ namedDest = dest;+ explicitDest = await this.pdfDocument.getDestination(dest);+ } else {+ namedDest = null;+ explicitDest = await dest;+ }++ if (!Array.isArray(explicitDest)) {+ console.error(`PDFLinkService.goToDestination: "${explicitDest}" is not ` + `a valid destination array, for dest="${dest}".`);+ return;+ }++ this.#goToDestinationHelper(dest, namedDest, explicitDest);+ }++ goToPage(val) {+ if (!this.pdfDocument) {+ return;+ }++ const pageNumber = typeof val === "string" && this.pdfViewer.pageLabelToPageNumber(val) || val | 0;++ if (!(Number.isInteger(pageNumber) && pageNumber > 0 && pageNumber <= this.pagesCount)) {+ console.error(`PDFLinkService.goToPage: "${val}" is not a valid page.`);+ return;+ }++ if (this.pdfHistory) {+ this.pdfHistory.pushCurrentPosition();+ this.pdfHistory.pushPage(pageNumber);+ }++ this.pdfViewer.scrollPageIntoView({+ pageNumber+ });+ }++ addLinkAttributes(link, url, newWindow = false) {+ addLinkAttributes(link, {+ url,+ target: newWindow ? LinkTarget.BLANK : this.externalLinkTarget,+ rel: this.externalLinkRel,+ enabled: this.externalLinkEnabled+ });+ }++ getDestinationHash(dest) {+ if (typeof dest === "string") {+ if (dest.length > 0) {+ return this.getAnchorUrl("#" + escape(dest));+ }+ } else if (Array.isArray(dest)) {+ const str = JSON.stringify(dest);++ if (str.length > 0) {+ return this.getAnchorUrl("#" + escape(str));+ }+ }++ return this.getAnchorUrl("");+ }++ getAnchorUrl(anchor) {+ return (this.baseUrl || "") + anchor;+ }++ setHash(hash) {+ if (!this.pdfDocument) {+ return;+ }++ let pageNumber, dest;++ if (hash.includes("=")) {+ const params = (0, _ui_utils.parseQueryString)(hash);++ if (params.has("search")) {+ this.eventBus.dispatch("findfromurlhash", {+ source: this,+ query: params.get("search").replace(/"/g, ""),+ phraseSearch: params.get("phrase") === "true"+ });+ }++ if (params.has("page")) {+ pageNumber = params.get("page") | 0 || 1;+ }++ if (params.has("zoom")) {+ const zoomArgs = params.get("zoom").split(",");+ const zoomArg = zoomArgs[0];+ const zoomArgNumber = parseFloat(zoomArg);++ if (!zoomArg.includes("Fit")) {+ dest = [null, {+ name: "XYZ"+ }, zoomArgs.length > 1 ? zoomArgs[1] | 0 : null, zoomArgs.length > 2 ? zoomArgs[2] | 0 : null, zoomArgNumber ? zoomArgNumber / 100 : zoomArg];+ } else {+ if (zoomArg === "Fit" || zoomArg === "FitB") {+ dest = [null, {+ name: zoomArg+ }];+ } else if (zoomArg === "FitH" || zoomArg === "FitBH" || zoomArg === "FitV" || zoomArg === "FitBV") {+ dest = [null, {+ name: zoomArg+ }, zoomArgs.length > 1 ? zoomArgs[1] | 0 : null];+ } else if (zoomArg === "FitR") {+ if (zoomArgs.length !== 5) {+ console.error('PDFLinkService.setHash: Not enough parameters for "FitR".');+ } else {+ dest = [null, {+ name: zoomArg+ }, zoomArgs[1] | 0, zoomArgs[2] | 0, zoomArgs[3] | 0, zoomArgs[4] | 0];+ }+ } else {+ console.error(`PDFLinkService.setHash: "${zoomArg}" is not a valid zoom value.`);+ }+ }+ }++ if (dest) {+ this.pdfViewer.scrollPageIntoView({+ pageNumber: pageNumber || this.page,+ destArray: dest,+ allowNegativeOffset: true+ });+ } else if (pageNumber) {+ this.page = pageNumber;+ }++ if (params.has("pagemode")) {+ this.eventBus.dispatch("pagemode", {+ source: this,+ mode: params.get("pagemode")+ });+ }++ if (params.has("nameddest")) {+ this.goToDestination(params.get("nameddest"));+ }+ } else {+ dest = unescape(hash);++ try {+ dest = JSON.parse(dest);++ if (!Array.isArray(dest)) {+ dest = dest.toString();+ }+ } catch (ex) {}++ if (typeof dest === "string" || PDFLinkService.#isValidExplicitDestination(dest)) {+ this.goToDestination(dest);+ return;+ }++ console.error(`PDFLinkService.setHash: "${unescape(hash)}" is not a valid destination.`);+ }+ }++ executeNamedAction(action) {+ switch (action) {+ case "GoBack":+ this.pdfHistory?.back();+ break;++ case "GoForward":+ this.pdfHistory?.forward();+ break;++ case "NextPage":+ this.pdfViewer.nextPage();+ break;++ case "PrevPage":+ this.pdfViewer.previousPage();+ break;++ case "LastPage":+ this.page = this.pagesCount;+ break;++ case "FirstPage":+ this.page = 1;+ break;++ default:+ break;+ }++ this.eventBus.dispatch("namedaction", {+ source: this,+ action+ });+ }++ cachePageRef(pageNum, pageRef) {+ if (!pageRef) {+ return;+ }++ const refStr = pageRef.gen === 0 ? `${pageRef.num}R` : `${pageRef.num}R${pageRef.gen}`;+ this.#pagesRefCache.set(refStr, pageNum);+ }++ _cachedPageNumber(pageRef) {+ if (!pageRef) {+ return null;+ }++ const refStr = pageRef.gen === 0 ? `${pageRef.num}R` : `${pageRef.num}R${pageRef.gen}`;+ return this.#pagesRefCache.get(refStr) || null;+ }++ isPageVisible(pageNumber) {+ return this.pdfViewer.isPageVisible(pageNumber);+ }++ isPageCached(pageNumber) {+ return this.pdfViewer.isPageCached(pageNumber);+ }++ static #isValidExplicitDestination(dest) {+ if (!Array.isArray(dest)) {+ return false;+ }++ const destLength = dest.length;++ if (destLength < 2) {+ return false;+ }++ const page = dest[0];++ if (!(typeof page === "object" && Number.isInteger(page.num) && Number.isInteger(page.gen)) && !(Number.isInteger(page) && page >= 0)) {+ return false;+ }++ const zoom = dest[1];++ if (!(typeof zoom === "object" && typeof zoom.name === "string")) {+ return false;+ }++ let allowNull = true;++ switch (zoom.name) {+ case "XYZ":+ if (destLength !== 5) {+ return false;+ }++ break;++ case "Fit":+ case "FitB":+ return destLength === 2;++ case "FitH":+ case "FitBH":+ case "FitV":+ case "FitBV":+ if (destLength !== 3) {+ return false;+ }++ break;++ case "FitR":+ if (destLength !== 6) {+ return false;+ }++ allowNull = false;+ break;++ default:+ return false;+ }++ for (let i = 2; i < destLength; i++) {+ const param = dest[i];++ if (!(typeof param === "number" || allowNull && param === null)) {+ return false;+ }+ }++ return true;+ }++}++exports.PDFLinkService = PDFLinkService;++class SimpleLinkService {+ constructor() {+ this.externalLinkEnabled = true;+ }++ get pagesCount() {+ return 0;+ }++ get page() {+ return 0;+ }++ set page(value) {}++ get rotation() {+ return 0;+ }++ set rotation(value) {}++ async goToDestination(dest) {}++ goToPage(val) {}++ addLinkAttributes(link, url, newWindow = false) {+ addLinkAttributes(link, {+ url,+ enabled: this.externalLinkEnabled+ });+ }++ getDestinationHash(dest) {+ return "#";+ }++ getAnchorUrl(hash) {+ return "#";+ }++ setHash(hash) {}++ executeNamedAction(action) {}++ cachePageRef(pageNum, pageRef) {}++ isPageVisible(pageNumber) {+ return true;+ }++ isPageCached(pageNumber) {+ return true;+ }++}++exports.SimpleLinkService = SimpleLinkService;++/***/ }),+/* 9 */ /***/ ((__unused_webpack_module, exports) => {@@ -4059,7 +4607,7 @@ exports.OverlayManager = OverlayManager; /***/ }),-/* 9 */+/* 10 */ /***/ ((__unused_webpack_module, exports, __webpack_require__) => {@@ -4130,7 +4678,7 @@ exports.PasswordPrompt = PasswordPrompt; /***/ }),-/* 10 */+/* 11 */ /***/ ((__unused_webpack_module, exports, __webpack_require__) => {@@ -4142,7 +4690,7 @@ var _pdfjsLib = __webpack_require__(5);-var _base_tree_viewer = __webpack_require__(11);+var _base_tree_viewer = __webpack_require__(12); class PDFAttachmentViewer extends _base_tree_viewer.BaseTreeViewer { constructor(options) {@@ -4285,7 +4833,7 @@ exports.PDFAttachmentViewer = PDFAttachmentViewer; /***/ }),-/* 11 */+/* 12 */ /***/ ((__unused_webpack_module, exports, __webpack_require__) => {@@ -4295,7 +4843,7 @@ })); exports.BaseTreeViewer = void 0;-var _pdfjsLib = __webpack_require__(5);+var _ui_utils = __webpack_require__(3); const TREEITEM_OFFSET_TOP = -100; const TREEITEM_SELECTED_CLASS = "selected";@@ -4328,7 +4876,7 @@ } _normalizeTextContent(str) {- return (0, _pdfjsLib.removeNullCharacters)(str, true) || "\u2013";+ return (0, _ui_utils.removeNullCharacters)(str, true) || "\u2013"; } _addToggleButton(div, hidden = false) {@@ -4419,7 +4967,7 @@ exports.BaseTreeViewer = BaseTreeViewer; /***/ }),-/* 12 */+/* 13 */ /***/ ((__unused_webpack_module, exports, __webpack_require__) => {@@ -4691,7 +5239,7 @@ exports.PDFDocumentProperties = PDFDocumentProperties; /***/ }),-/* 13 */+/* 14 */ /***/ ((__unused_webpack_module, exports, __webpack_require__) => {@@ -4701,7 +5249,7 @@ })); exports.PDFFindBar = void 0;-var _pdf_find_controller = __webpack_require__(14);+var _pdf_find_controller = __webpack_require__(15); const MATCHES_COUNT_LIMIT = 1000;@@ -4894,7 +5442,7 @@ exports.PDFFindBar = PDFFindBar; /***/ }),-/* 14 */+/* 15 */ /***/ ((__unused_webpack_module, exports, __webpack_require__) => {@@ -4906,7 +5454,7 @@ var _pdfjsLib = __webpack_require__(5);-var _pdf_find_utils = __webpack_require__(15);+var _pdf_find_utils = __webpack_require__(16); var _ui_utils = __webpack_require__(3);@@ -5628,7 +6176,7 @@ exports.PDFFindController = PDFFindController; /***/ }),-/* 15 */+/* 16 */ /***/ ((__unused_webpack_module, exports) => {@@ -5723,7 +6271,7 @@ } /***/ }),-/* 16 */+/* 17 */ /***/ ((__unused_webpack_module, exports, __webpack_require__) => {@@ -6337,7 +6885,7 @@ } /***/ }),-/* 17 */+/* 18 */ /***/ ((__unused_webpack_module, exports, __webpack_require__) => {@@ -6347,7 +6895,7 @@ })); exports.PDFLayerViewer = void 0;-var _base_tree_viewer = __webpack_require__(11);+var _base_tree_viewer = __webpack_require__(12); class PDFLayerViewer extends _base_tree_viewer.BaseTreeViewer { constructor(options) {@@ -6521,481 +7069,6 @@ exports.PDFLayerViewer = PDFLayerViewer; /***/ }),-/* 18 */-/***/ ((__unused_webpack_module, exports, __webpack_require__) => {----Object.defineProperty(exports, "__esModule", ({- value: true-}));-exports.SimpleLinkService = exports.PDFLinkService = void 0;--var _pdfjsLib = __webpack_require__(5);--var _ui_utils = __webpack_require__(3);--class PDFLinkService {- constructor({- eventBus,- externalLinkTarget = null,- externalLinkRel = null,- ignoreDestinationZoom = false- } = {}) {- this.eventBus = eventBus;- this.externalLinkTarget = externalLinkTarget;- this.externalLinkRel = externalLinkRel;- this.externalLinkEnabled = true;- this._ignoreDestinationZoom = ignoreDestinationZoom;- this.baseUrl = null;- this.pdfDocument = null;- this.pdfViewer = null;- this.pdfHistory = null;- this._pagesRefCache = null;- }-- setDocument(pdfDocument, baseUrl = null) {- this.baseUrl = baseUrl;- this.pdfDocument = pdfDocument;- this._pagesRefCache = Object.create(null);- }-- setViewer(pdfViewer) {- this.pdfViewer = pdfViewer;- }-- setHistory(pdfHistory) {- this.pdfHistory = pdfHistory;- }-- get pagesCount() {- return this.pdfDocument ? this.pdfDocument.numPages : 0;- }-- get page() {- return this.pdfViewer.currentPageNumber;- }-- set page(value) {- this.pdfViewer.currentPageNumber = value;- }-- get rotation() {- return this.pdfViewer.pagesRotation;- }-- set rotation(value) {- this.pdfViewer.pagesRotation = value;- }-- _goToDestinationHelper(rawDest, namedDest = null, explicitDest) {- const destRef = explicitDest[0];- let pageNumber;-- if (typeof destRef === "object" && destRef !== null) {- pageNumber = this._cachedPageNumber(destRef);-- if (!pageNumber) {- this.pdfDocument.getPageIndex(destRef).then(pageIndex => {- this.cachePageRef(pageIndex + 1, destRef);-- this._goToDestinationHelper(rawDest, namedDest, explicitDest);- }).catch(() => {- console.error(`PDFLinkService._goToDestinationHelper: "${destRef}" is not ` + `a valid page reference, for dest="${rawDest}".`);- });- return;- }- } else if (Number.isInteger(destRef)) {- pageNumber = destRef + 1;- } else {- console.error(`PDFLinkService._goToDestinationHelper: "${destRef}" is not ` + `a valid destination reference, for dest="${rawDest}".`);- return;- }-- if (!pageNumber || pageNumber < 1 || pageNumber > this.pagesCount) {- console.error(`PDFLinkService._goToDestinationHelper: "${pageNumber}" is not ` + `a valid page number, for dest="${rawDest}".`);- return;- }-- if (this.pdfHistory) {- this.pdfHistory.pushCurrentPosition();- this.pdfHistory.push({- namedDest,- explicitDest,- pageNumber- });- }-- this.pdfViewer.scrollPageIntoView({- pageNumber,- destArray: explicitDest,- ignoreDestinationZoom: this._ignoreDestinationZoom- });- }-- async goToDestination(dest) {- if (!this.pdfDocument) {- return;- }-- let namedDest, explicitDest;-- if (typeof dest === "string") {- namedDest = dest;- explicitDest = await this.pdfDocument.getDestination(dest);- } else {- namedDest = null;- explicitDest = await dest;- }-- if (!Array.isArray(explicitDest)) {- console.error(`PDFLinkService.goToDestination: "${explicitDest}" is not ` + `a valid destination array, for dest="${dest}".`);- return;- }-- this._goToDestinationHelper(dest, namedDest, explicitDest);- }-- goToPage(val) {- if (!this.pdfDocument) {- return;- }-- const pageNumber = typeof val === "string" && this.pdfViewer.pageLabelToPageNumber(val) || val | 0;-- if (!(Number.isInteger(pageNumber) && pageNumber > 0 && pageNumber <= this.pagesCount)) {- console.error(`PDFLinkService.goToPage: "${val}" is not a valid page.`);- return;- }-- if (this.pdfHistory) {- this.pdfHistory.pushCurrentPosition();- this.pdfHistory.pushPage(pageNumber);- }-- this.pdfViewer.scrollPageIntoView({- pageNumber- });- }-- addLinkAttributes(link, url, newWindow = false) {- (0, _pdfjsLib.addLinkAttributes)(link, {- url,- target: newWindow ? _pdfjsLib.LinkTarget.BLANK : this.externalLinkTarget,- rel: this.externalLinkRel,- enabled: this.externalLinkEnabled- });- }-- getDestinationHash(dest) {- if (typeof dest === "string") {- if (dest.length > 0) {- return this.getAnchorUrl("#" + escape(dest));- }- } else if (Array.isArray(dest)) {- const str = JSON.stringify(dest);-- if (str.length > 0) {- return this.getAnchorUrl("#" + escape(str));- }- }-- return this.getAnchorUrl("");- }-- getAnchorUrl(anchor) {- return (this.baseUrl || "") + anchor;- }-- setHash(hash) {- if (!this.pdfDocument) {- return;- }-- let pageNumber, dest;-- if (hash.includes("=")) {- const params = (0, _ui_utils.parseQueryString)(hash);-- if (params.has("search")) {- this.eventBus.dispatch("findfromurlhash", {- source: this,- query: params.get("search").replace(/"/g, ""),- phraseSearch: params.get("phrase") === "true"- });- }-- if (params.has("page")) {- pageNumber = params.get("page") | 0 || 1;- }-- if (params.has("zoom")) {- const zoomArgs = params.get("zoom").split(",");- const zoomArg = zoomArgs[0];- const zoomArgNumber = parseFloat(zoomArg);-- if (!zoomArg.includes("Fit")) {- dest = [null, {- name: "XYZ"- }, zoomArgs.length > 1 ? zoomArgs[1] | 0 : null, zoomArgs.length > 2 ? zoomArgs[2] | 0 : null, zoomArgNumber ? zoomArgNumber / 100 : zoomArg];- } else {- if (zoomArg === "Fit" || zoomArg === "FitB") {- dest = [null, {- name: zoomArg- }];- } else if (zoomArg === "FitH" || zoomArg === "FitBH" || zoomArg === "FitV" || zoomArg === "FitBV") {- dest = [null, {- name: zoomArg- }, zoomArgs.length > 1 ? zoomArgs[1] | 0 : null];- } else if (zoomArg === "FitR") {- if (zoomArgs.length !== 5) {- console.error('PDFLinkService.setHash: Not enough parameters for "FitR".');- } else {- dest = [null, {- name: zoomArg- }, zoomArgs[1] | 0, zoomArgs[2] | 0, zoomArgs[3] | 0, zoomArgs[4] | 0];- }- } else {- console.error(`PDFLinkService.setHash: "${zoomArg}" is not ` + "a valid zoom value.");- }- }- }-
Based on the provided code diff, I'll analyze it for security fixes. Here are the identified vulnerabilities and changes:
1. Vulnerability Existed: yes
Null Character Injection [File] toolkit/components/pdfjs/content/web/viewer.js [Lines] 3090-3104
[Old Code] (Not present in old version)
[Fixed Code]
function removeNullCharacters(str, replaceInvisible = false) {
if (typeof str !== "string") {
console.error(`The argument must be a string.`);
return str;
}
if (replaceInvisible) {
str = str.replace(InvisibleCharactersRegExp, " ");
}
return str.replace(NullCharactersRegExp, "");
}
2. Vulnerability Existed: yes
Link Target Security [File] toolkit/components/pdfjs/content/web/viewer.js [Lines] 474-475
[Old Code]
if (this.isViewerEmbedded && _app_options.AppOptions.get("externalLinkTarget") === _pdfjsLib.LinkTarget.NONE) {
_app_options.AppOptions.set("externalLinkTarget", _pdfjsLib.LinkTarget.TOP);
}
[Fixed Code]
if (this.isViewerEmbedded && _app_options.AppOptions.get("externalLinkTarget") === _pdf_link_service.LinkTarget.NONE) {
_app_options.AppOptions.set("externalLinkTarget", _pdf_link_service.LinkTarget.TOP);
}
3. Vulnerability Existed: yes
Event Bus Initialization [File] toolkit/components/pdfjs/content/web/viewer.js [Lines] 623-631
[Old Code]
let eventBus;
if (appConfig.eventBus) {
eventBus = appConfig.eventBus;
} else if (externalServices.isInAutomation) {
eventBus = new _event_utils.AutomationEventBus();
} else {
eventBus = new _event_utils.EventBus();
}
[Fixed Code]
const eventBus = externalServices.isInAutomation ? new _event_utils.AutomationEventBus() : new _event_utils.EventBus();
4. Vulnerability Existed: yes
Error Event Dispatch [File] toolkit/components/pdfjs/content/web/viewer.js [Lines] 1146-1151
[Old Code] (Not present in old version)
[Fixed Code]
this._unblockDocumentLoadEvent();
this._otherError(message, moreInfo);
this.eventBus.dispatch("documenterror", {
source: this,
message,
reason: moreInfo?.message ?? null
});
The changes primarily address:
1. Added null character sanitization to prevent injection attacks
2. Improved link target security by using proper service reference
3. Simplified and secured event bus initialization
4. Added proper error event dispatching
These changes appear to be security hardening measures to prevent various types of injection attacks and improve overall security of the PDF viewer component.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/serde_derive/src/bound.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/serde_derive/src/bound.rs@@ -50,7 +50,7 @@ .data .all_fields() .filter_map(|field| from_field(&field.attrs))- .flat_map(|predicates| predicates.to_vec());+ .flat_map(<[syn::WherePredicate]>::to_vec); let mut generics = generics.clone(); generics.make_where_clause().predicates.extend(predicates);@@ -72,7 +72,7 @@ let predicates = variants .iter() .filter_map(|variant| from_variant(&variant.attrs))- .flat_map(|predicates| predicates.to_vec());+ .flat_map(<[syn::WherePredicate]>::to_vec); let mut generics = generics.clone(); generics.make_where_clause().predicates.extend(predicates);
Analyzing the provided code diff for security fixes: 1. Vulnerability Existed: not sure [Potential Type Safety Issue] [third_party/rust/serde_derive/src/bound.rs] [Lines 50-53, 72-75] [Old Code] `.flat_map(|predicates| predicates.to_vec());` [Fixed Code] `.flat_map(<[syn::WherePredicate]>::to_vec);` Additional Details: The change appears to be a refactoring to use a more explicit type conversion method. While this doesn't clearly indicate a security vulnerability, it might be addressing potential type safety issues by being more explicit about the conversion operation. The change could prevent potential runtime errors or misuse of the conversion, but without more context about the broader system, it's not certain if this was fixing an actual vulnerability or just improving code quality.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/editor/libeditor/HTMLEditSubActionHandler.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/editor/libeditor/HTMLEditSubActionHandler.cpp@@ -112,49 +112,67 @@ } template void HTMLEditor::SelectBRElementIfCollapsedInEmptyBlock(- RangeBoundary& aStartRef, RangeBoundary& aEndRef) const;+ EditorDOMPoint& aStartPoint, EditorDOMPoint& aEndPoint,+ const Element& aEditingHost) const; template void HTMLEditor::SelectBRElementIfCollapsedInEmptyBlock(- RawRangeBoundary& aStartRef, RangeBoundary& aEndRef) const;+ EditorRawDOMPoint& aStartPoint, EditorDOMPoint& aEndPoint,+ const Element& aEditingHost) const; template void HTMLEditor::SelectBRElementIfCollapsedInEmptyBlock(- RangeBoundary& aStartRef, RawRangeBoundary& aEndRef) const;+ EditorDOMPoint& aStartPoint, EditorRawDOMPoint& aEndPoint,+ const Element& aEditingHost) const; template void HTMLEditor::SelectBRElementIfCollapsedInEmptyBlock(- RawRangeBoundary& aStartRef, RawRangeBoundary& aEndRef) const;+ EditorRawDOMPoint& aStartPoint, EditorRawDOMPoint& aEndPoint,+ const Element& aEditingHost) const; template already_AddRefed<nsRange> HTMLEditor::CreateRangeIncludingAdjuscentWhiteSpaces(- const RangeBoundary& aStartRef, const RangeBoundary& aEndRef);+ const EditorDOMRange& aRange); template already_AddRefed<nsRange> HTMLEditor::CreateRangeIncludingAdjuscentWhiteSpaces(- const RawRangeBoundary& aStartRef, const RangeBoundary& aEndRef);+ const EditorRawDOMRange& aRange); template already_AddRefed<nsRange> HTMLEditor::CreateRangeIncludingAdjuscentWhiteSpaces(- const RangeBoundary& aStartRef, const RawRangeBoundary& aEndRef);+ const EditorDOMPoint& aStartPoint, const EditorDOMPoint& aEndPoint); template already_AddRefed<nsRange> HTMLEditor::CreateRangeIncludingAdjuscentWhiteSpaces(- const RawRangeBoundary& aStartRef, const RawRangeBoundary& aEndRef);+ const EditorRawDOMPoint& aStartPoint, const EditorDOMPoint& aEndPoint);+template already_AddRefed<nsRange>+HTMLEditor::CreateRangeIncludingAdjuscentWhiteSpaces(+ const EditorDOMPoint& aStartPoint, const EditorRawDOMPoint& aEndPoint);+template already_AddRefed<nsRange>+HTMLEditor::CreateRangeIncludingAdjuscentWhiteSpaces(+ const EditorRawDOMPoint& aStartPoint, const EditorRawDOMPoint& aEndPoint); template already_AddRefed<nsRange> HTMLEditor::CreateRangeExtendedToHardLineStartAndEnd(- const RangeBoundary& aStartRef, const RangeBoundary& aEndRef,+ const EditorDOMRange& aRange, EditSubAction aEditSubAction) const;+template already_AddRefed<nsRange>+HTMLEditor::CreateRangeExtendedToHardLineStartAndEnd(+ const EditorRawDOMRange& aRange, EditSubAction aEditSubAction) const;+template already_AddRefed<nsRange>+HTMLEditor::CreateRangeExtendedToHardLineStartAndEnd(+ const EditorDOMPoint& aStartPoint, const EditorDOMPoint& aEndPoint, EditSubAction aEditSubAction) const; template already_AddRefed<nsRange> HTMLEditor::CreateRangeExtendedToHardLineStartAndEnd(- const RawRangeBoundary& aStartRef, const RangeBoundary& aEndRef,+ const EditorRawDOMPoint& aStartPoint, const EditorDOMPoint& aEndPoint, EditSubAction aEditSubAction) const; template already_AddRefed<nsRange> HTMLEditor::CreateRangeExtendedToHardLineStartAndEnd(- const RangeBoundary& aStartRef, const RawRangeBoundary& aEndRef,+ const EditorDOMPoint& aStartPoint, const EditorRawDOMPoint& aEndPoint, EditSubAction aEditSubAction) const; template already_AddRefed<nsRange> HTMLEditor::CreateRangeExtendedToHardLineStartAndEnd(- const RawRangeBoundary& aStartRef, const RawRangeBoundary& aEndRef,+ const EditorRawDOMPoint& aStartPoint, const EditorRawDOMPoint& aEndPoint, EditSubAction aEditSubAction) const; template EditorDOMPoint HTMLEditor::GetCurrentHardLineStartPoint(- const RangeBoundary& aPoint, EditSubAction aEditSubAction) const;+ const EditorDOMPoint& aPoint, EditSubAction aEditSubAction,+ const Element& aEditingHost) const; template EditorDOMPoint HTMLEditor::GetCurrentHardLineStartPoint(- const RawRangeBoundary& aPoint, EditSubAction aEditSubAction) const;+ const EditorRawDOMPoint& aPoint, EditSubAction aEditSubAction,+ const Element& aEditingHost) const; template EditorDOMPoint HTMLEditor::GetCurrentHardLineEndPoint(- const RangeBoundary& aPoint) const;+ const EditorDOMPoint& aPoint, const Element& aEditingHost) const; template EditorDOMPoint HTMLEditor::GetCurrentHardLineEndPoint(- const RawRangeBoundary& aPoint) const;+ const EditorRawDOMPoint& aPoint, const Element& aEditingHost) const; nsresult HTMLEditor::InitEditorContentAndSelection() { MOZ_ASSERT(IsEditActionDataAvailable());@@ -369,37 +387,43 @@ // Note that this won't prevent explicit selection setting from working. AutoTransactionsConserveSelection dontChangeMySelection(*this);- switch (GetTopLevelEditSubAction()) {- case EditSubAction::eInsertText:- case EditSubAction::eInsertTextComingFromIME:- case EditSubAction::eInsertLineBreak:- case EditSubAction::eInsertParagraphSeparator:- case EditSubAction::eDeleteText: {- // XXX We should investigate whether this is really needed because it- // seems that the following code does not handle the white-spaces.- RefPtr<nsRange> extendedChangedRange =- CreateRangeIncludingAdjuscentWhiteSpaces(- *TopLevelEditSubActionDataRef().mChangedRange);- if (extendedChangedRange) {- MOZ_ASSERT(extendedChangedRange->IsPositioned());- // Use extended range temporarily.- TopLevelEditSubActionDataRef().mChangedRange =- std::move(extendedChangedRange);- }- break;- }- default: {- RefPtr<nsRange> extendedChangedRange =- CreateRangeExtendedToHardLineStartAndEnd(- *TopLevelEditSubActionDataRef().mChangedRange,- GetTopLevelEditSubAction());- if (extendedChangedRange) {- MOZ_ASSERT(extendedChangedRange->IsPositioned());- // Use extended range temporarily.- TopLevelEditSubActionDataRef().mChangedRange =- std::move(extendedChangedRange);- }- break;+ {+ EditorRawDOMRange changedRange(+ *TopLevelEditSubActionDataRef().mChangedRange);+ if (changedRange.IsPositioned() &&+ changedRange.EnsureNotInNativeAnonymousSubtree()) {+ switch (GetTopLevelEditSubAction()) {+ case EditSubAction::eInsertText:+ case EditSubAction::eInsertTextComingFromIME:+ case EditSubAction::eInsertLineBreak:+ case EditSubAction::eInsertParagraphSeparator:+ case EditSubAction::eDeleteText: {+ // XXX We should investigate whether this is really needed because+ // it seems that the following code does not handle the+ // white-spaces.+ RefPtr<nsRange> extendedChangedRange =+ CreateRangeIncludingAdjuscentWhiteSpaces(changedRange);+ if (extendedChangedRange) {+ MOZ_ASSERT(extendedChangedRange->IsPositioned());+ // Use extended range temporarily.+ TopLevelEditSubActionDataRef().mChangedRange =+ std::move(extendedChangedRange);+ }+ break;+ }+ default: {+ RefPtr<nsRange> extendedChangedRange =+ CreateRangeExtendedToHardLineStartAndEnd(+ changedRange, GetTopLevelEditSubAction());+ if (extendedChangedRange) {+ MOZ_ASSERT(extendedChangedRange->IsPositioned());+ // Use extended range temporarily.+ TopLevelEditSubActionDataRef().mChangedRange =+ std::move(extendedChangedRange);+ }+ break;+ }+ } } }@@ -466,12 +490,15 @@ } }- // clean up any empty nodes in the selection- rv = RemoveEmptyNodesIn(- MOZ_KnownLive(*TopLevelEditSubActionDataRef().mChangedRange));- if (NS_FAILED(rv)) {- NS_WARNING("HTMLEditor::RemoveEmptyNodesIn() failed");- return rv;+ // Clean up any empty nodes in the changed range unless they are inserted+ // intentionally.+ if (TopLevelEditSubActionDataRef().mNeedsToCleanUpEmptyElements) {+ nsresult rv = RemoveEmptyNodesIn(+ MOZ_KnownLive(*TopLevelEditSubActionDataRef().mChangedRange));+ if (NS_FAILED(rv)) {+ NS_WARNING("HTMLEditor::RemoveEmptyNodesIn() failed");+ return rv;+ } } // attempt to transform any unneeded nbsp's into spaces after doing various@@ -634,7 +661,7 @@ // If the selection is in empty inline HTML elements, we should delete // them unless it's inserted intentionally. if (mPlaceholderBatch &&- TopLevelEditSubActionDataRef().mNeedsToCleanUpEmptyInlineElements &&+ TopLevelEditSubActionDataRef().mNeedsToCleanUpEmptyElements && SelectionRef().IsCollapsed() && SelectionRef().GetFocusNode()) { RefPtr<Element> mostDistantEmptyInlineAncestor = nullptr; for (Element* ancestor :@@ -2000,10 +2027,18 @@ return NS_ERROR_EDITOR_UNEXPECTED_DOM_TREE; } MOZ_ASSERT(pointToInsert.IsSetAndValid());- MOZ_ASSERT_IF(- !pointToInsert.IsInTextNode(),- HTMLEditUtils::CanNodeContain(*pointToInsert.ContainerAsContent(),- *nsGkAtoms::textTagName));++ // The node may not be able to have a text node so that we need to check it+ // here.+ if (!pointToInsert.IsInTextNode() &&+ !HTMLEditUtils::CanNodeContain(*pointToInsert.ContainerAsContent(),+ *nsGkAtoms::textTagName)) {+ NS_WARNING(+ "HTMLEditor::HandleInsertLinefeed() couldn't insert a linefeed because "+ "the insertion position couldn't have text nodes");+ return NS_ERROR_EDITOR_NO_EDITABLE_RANGE;+ }+ RefPtr<Document> document = GetDocument(); MOZ_ASSERT(document); if (NS_WARN_IF(!document)) {@@ -3019,19 +3054,19 @@ CreateAndInsertElementWithTransaction( aListItemElementTagName, EditorDOMPoint(newListElementOrError.inspect(), 0));- if (newListElementOrError.isErr()) {+ if (newListItemElementOrError.isErr()) { NS_WARNING("HTMLEditor::CreateAndInsertElementWithTransaction() failed");- return EditActionResult(newListElementOrError.unwrapErr());- }- MOZ_ASSERT(newListElementOrError.inspect());+ return EditActionResult(newListItemElementOrError.unwrapErr());+ }+ MOZ_ASSERT(newListItemElementOrError.inspect()); // remember our new block for postprocessing TopLevelEditSubActionDataRef().mNewBlockElement =- newListElementOrError.inspect();+ newListItemElementOrError.inspect(); // Put selection in new list item and don't restore the Selection. restoreSelectionLater.Abort(); nsresult rv = CollapseSelectionToStartOf(- MOZ_KnownLive(*newListElementOrError.inspect()));+ MOZ_KnownLive(*newListItemElementOrError.inspect())); NS_WARNING_ASSERTION(NS_SUCCEEDED(rv), "HTMLEditor::CollapseSelectionToStartOf() failed"); return EditActionResult(rv);@@ -5863,20 +5898,12 @@ return error.StealNSResult(); }-template <typename PT, typename RT>+template <typename EditorDOMPointType> EditorDOMPoint HTMLEditor::GetCurrentHardLineStartPoint(- const RangeBoundaryBase<PT, RT>& aPoint,- EditSubAction aEditSubAction) const {+ const EditorDOMPointType& aPoint, EditSubAction aEditSubAction,+ const Element& aEditingHost) const { if (NS_WARN_IF(!aPoint.IsSet())) { return EditorDOMPoint();- }-- Element* editingHost = GetActiveEditingHost();- if (!editingHost) {- NS_WARNING(- "No editing host, HTMLEditor::GetCurrentHardLineStartPoint() returned "- "given point");- return EditorDOMPoint(aPoint); } EditorDOMPoint point(aPoint);@@ -5907,12 +5934,12 @@ WalkTreeOption::IgnoreNonEditableNode, WalkTreeOption::StopAtBlockBoundary}; for (nsIContent* previousEditableContent = HTMLEditUtils::GetPreviousContent(- point, ignoreNonEditableNodeAndStopAtBlockBoundary, editingHost);+ point, ignoreNonEditableNodeAndStopAtBlockBoundary, &aEditingHost); previousEditableContent && previousEditableContent->GetParentNode() && !HTMLEditUtils::IsVisibleBRElement(*previousEditableContent) && !HTMLEditUtils::IsBlockElement(*previousEditableContent); previousEditableContent = HTMLEditUtils::GetPreviousContent(- point, ignoreNonEditableNodeAndStopAtBlockBoundary, editingHost)) {+ point, ignoreNonEditableNodeAndStopAtBlockBoundary, &aEditingHost)) { EditorDOMPoint atLastPreformattedNewLine = HTMLEditUtils::GetPreviousPreformattedNewLineInTextNode<EditorDOMPoint>( EditorRawDOMPoint::AtEndOf(*previousEditableContent));@@ -5927,11 +5954,11 @@ // the container (typically, start of nearest block ancestor), and as long // as we haven't hit the body node. for (nsIContent* nearContent = HTMLEditUtils::GetPreviousContent(- point, ignoreNonEditableNodeAndStopAtBlockBoundary, editingHost);+ point, ignoreNonEditableNodeAndStopAtBlockBoundary, &aEditingHost); !nearContent && !point.IsContainerHTMLElement(nsGkAtoms::body) && point.GetContainer()->GetParentNode(); nearContent = HTMLEditUtils::GetPreviousContent(- point, ignoreNonEditableNodeAndStopAtBlockBoundary, editingHost)) {+ point, ignoreNonEditableNodeAndStopAtBlockBoundary, &aEditingHost)) { // Don't keep looking up if we have found a blockquote element to act on // when we handle outdent. // XXX Sounds like this is hacky. If possible, it should be check in@@ -5965,19 +5992,11 @@ return point; }-template <typename PT, typename RT>+template <typename EditorDOMPointType> EditorDOMPoint HTMLEditor::GetCurrentHardLineEndPoint(- const RangeBoundaryBase<PT, RT>& aPoint) const {+ const EditorDOMPointType& aPoint, const Element& aEditingHost) const { if (NS_WARN_IF(!aPoint.IsSet())) { return EditorDOMPoint();- }-- Element* editingHost = GetActiveEditingHost();- if (!editingHost) {- NS_WARNING(- "No editing host, HTMLEditor::GetCurrentHardLineEndPoint() returned "- "given point");- return EditorDOMPoint(aPoint); } EditorDOMPoint point(aPoint);@@ -6002,9 +6021,9 @@ maybeNonEditableBlockElement) { // If the block is a parent of the editing host, let's return end // of editing host.- if (maybeNonEditableBlockElement == editingHost ||+ if (maybeNonEditableBlockElement == &aEditingHost || !maybeNonEditableBlockElement->IsInclusiveDescendantOf(- editingHost)) {+ &aEditingHost)) { return EditorDOMPoint::AtEndOf(*maybeNonEditableBlockElement); } // If it's invisible because of parent block boundary, return end@@ -6043,12 +6062,12 @@ WalkTreeOption::IgnoreNonEditableNode, WalkTreeOption::StopAtBlockBoundary}; for (nsIContent* nextEditableContent = HTMLEditUtils::GetNextContent(- point, ignoreNonEditableNodeAndStopAtBlockBoundary, editingHost);+ point, ignoreNonEditableNodeAndStopAtBlockBoundary, &aEditingHost); nextEditableContent && !HTMLEditUtils::IsBlockElement(*nextEditableContent) && nextEditableContent->GetParent(); nextEditableContent = HTMLEditUtils::GetNextContent(- point, ignoreNonEditableNodeAndStopAtBlockBoundary, editingHost)) {+ point, ignoreNonEditableNodeAndStopAtBlockBoundary, &aEditingHost)) { EditorDOMPoint atFirstPreformattedNewLine = HTMLEditUtils::GetInclusiveNextPreformattedNewLineInTextNode< EditorDOMPoint>(EditorRawDOMPoint(nextEditableContent, 0));@@ -6062,9 +6081,9 @@ maybeNonEditableBlockElement) { // If the block is a parent of the editing host, let's return end // of editing host.- if (maybeNonEditableBlockElement == editingHost ||+ if (maybeNonEditableBlockElement == &aEditingHost || !maybeNonEditableBlockElement->IsInclusiveDescendantOf(- editingHost)) {+ &aEditingHost)) { return EditorDOMPoint::AtEndOf(*maybeNonEditableBlockElement); } // If it's invisible because of parent block boundary, return end@@ -6093,11 +6112,11 @@ // container (typically, block node), and as long as we haven't hit the body // node. for (nsIContent* nearContent = HTMLEditUtils::GetNextContent(- point, ignoreNonEditableNodeAndStopAtBlockBoundary, editingHost);+ point, ignoreNonEditableNodeAndStopAtBlockBoundary, &aEditingHost); !nearContent && !point.IsContainerHTMLElement(nsGkAtoms::body) && point.GetContainer()->GetParentNode(); nearContent = HTMLEditUtils::GetNextContent(- point, ignoreNonEditableNodeAndStopAtBlockBoundary, editingHost)) {+ point, ignoreNonEditableNodeAndStopAtBlockBoundary, &aEditingHost)) { // Don't walk past the editable section. Note that we need to check before // walking up to a parent because we need to return the parent object, so // the parent itself might not be in the editable area, but it's OK.@@ -6130,9 +6149,14 @@ MOZ_ASSERT(SelectionRef().RangeCount() == rangeCount); const nsRange* selectionRange = SelectionRef().GetRangeAt(i); MOZ_ASSERT(selectionRange);-+ EditorRawDOMRange rawRange(*selectionRange);+ if (!rawRange.IsPositioned() ||+ !rawRange.EnsureNotInNativeAnonymousSubtree()) {+ continue; // ignore ranges which are in orphan fragment which were+ // disconnected from native anonymous subtrees+ } RefPtr<nsRange> extendedRange =- CreateRangeIncludingAdjuscentWhiteSpaces(*selectionRange);+ CreateRangeIncludingAdjuscentWhiteSpaces(rawRange); if (!extendedRange) { extendedRange = selectionRange->CloneRange(); }@@ -6155,31 +6179,35 @@ // blocks that we will affect. This call alters opRange. nsRange* selectionRange = SelectionRef().GetRangeAt(i); MOZ_ASSERT(selectionRange);-- RefPtr<nsRange> extendedRange = CreateRangeExtendedToHardLineStartAndEnd(- *selectionRange, aEditSubAction);+ EditorRawDOMRange rawRange(*selectionRange);+ if (!rawRange.IsPositioned() ||+ !rawRange.EnsureNotInNativeAnonymousSubtree()) {+ continue; // ignore ranges which are in orphan fragment which were+ // disconnected from native anonymous subtrees+ }+ RefPtr<nsRange> extendedRange =+ CreateRangeExtendedToHardLineStartAndEnd(rawRange, aEditSubAction); if (!extendedRange) { extendedRange = selectionRange->CloneRange(); }- aOutArrayOfRanges.AppendElement(extendedRange); } }-template <typename SPT, typename SRT, typename EPT, typename ERT>+template <typename EditorDOMPointType1, typename EditorDOMPointType2> void HTMLEditor::SelectBRElementIfCollapsedInEmptyBlock(- RangeBoundaryBase<SPT, SRT>& aStartRef,- RangeBoundaryBase<EPT, ERT>& aEndRef) const {+ EditorDOMPointType1& aStartPoint, EditorDOMPointType2& aEndPoint,+ const Element& aEditingHost) const { // MOOSE major hack: // The GetCurrentHardLineStartPoint() and GetCurrentHardLineEndPoint() don't // really do the right thing for collapsed ranges inside block elements that // contain nothing but a solo <br>. It's easier/ to put a workaround here // than to revamp them. :-(- if (aStartRef != aEndRef) {+ if (aStartPoint != aEndPoint) { return; }- if (!aStartRef.Container()->IsContent()) {+ if (!aStartPoint.IsInContentNode()) { return; }@@ -6191,61 +6219,57 @@ // other things. So, cannot write test for this method behavior. // So, perhaps, we should get rid of this method and each caller should // handle its job better.- const Element* const maybeNonEditableBlockElement =+ Element* const maybeNonEditableBlockElement = HTMLEditUtils::GetInclusiveAncestorElement(- *aStartRef.Container()->AsContent(),+ *aStartPoint.ContainerAsContent(), HTMLEditUtils::ClosestBlockElement); if (!maybeNonEditableBlockElement) { return; }- Element* editingHost = GetActiveEditingHost();+ // Make sure we don't go higher than our root element in the content tree+ if (aEditingHost.IsInclusiveDescendantOf(maybeNonEditableBlockElement)) {+ return;+ }++ if (HTMLEditUtils::IsEmptyNode(*maybeNonEditableBlockElement)) {+ aStartPoint.Set(maybeNonEditableBlockElement, 0u);+ aEndPoint.SetToEndOf(maybeNonEditableBlockElement);+ }+}++template <typename EditorDOMRangeType>+already_AddRefed<nsRange> HTMLEditor::CreateRangeIncludingAdjuscentWhiteSpaces(+ const EditorDOMRangeType& aRange) {+ MOZ_DIAGNOSTIC_ASSERT(aRange.IsPositioned());+ return CreateRangeIncludingAdjuscentWhiteSpaces(aRange.StartRef(),+ aRange.EndRef());+}++template <typename EditorDOMPointType1, typename EditorDOMPointType2>+already_AddRefed<nsRange> HTMLEditor::CreateRangeIncludingAdjuscentWhiteSpaces(+ const EditorDOMPointType1& aStartPoint,+ const EditorDOMPointType2& aEndPoint) {+ MOZ_DIAGNOSTIC_ASSERT(!aStartPoint.IsInNativeAnonymousSubtree());+ MOZ_DIAGNOSTIC_ASSERT(!aEndPoint.IsInNativeAnonymousSubtree());++ if (!aStartPoint.IsInContentNode() || !aEndPoint.IsInContentNode()) {+ NS_WARNING_ASSERTION(aStartPoint.IsSet(), "aStartPoint was not set");+ NS_WARNING_ASSERTION(aEndPoint.IsSet(), "aEndPoint was not set");+ return nullptr;+ }++ const Element* editingHost = GetActiveEditingHost(); if (NS_WARN_IF(!editingHost)) {- return;- }-- // Make sure we don't go higher than our root element in the content tree- if (editingHost->IsInclusiveDescendantOf(maybeNonEditableBlockElement)) {- return;- }-- if (HTMLEditUtils::IsEmptyNode(*maybeNonEditableBlockElement)) {- aStartRef = {const_cast<Element*>(maybeNonEditableBlockElement), 0u};- aEndRef = {const_cast<Element*>(maybeNonEditableBlockElement),- maybeNonEditableBlockElement->Length()};- }-}--already_AddRefed<nsRange> HTMLEditor::CreateRangeIncludingAdjuscentWhiteSpaces(- const AbstractRange& aAbstractRange) {- if (!aAbstractRange.IsPositioned()) { return nullptr; }- return CreateRangeIncludingAdjuscentWhiteSpaces(aAbstractRange.StartRef(),- aAbstractRange.EndRef());-}--template <typename SPT, typename SRT, typename EPT, typename ERT>-already_AddRefed<nsRange> HTMLEditor::CreateRangeIncludingAdjuscentWhiteSpaces(- const RangeBoundaryBase<SPT, SRT>& aStartRef,- const RangeBoundaryBase<EPT, ERT>& aEndRef) {- if (NS_WARN_IF(!aStartRef.IsSet()) || NS_WARN_IF(!aEndRef.IsSet())) {- return nullptr;- }-- if (!aStartRef.Container()->IsContent() ||- !aEndRef.Container()->IsContent()) {- return nullptr;- }-- RangeBoundaryBase<SPT, SRT> startRef(aStartRef);- RangeBoundaryBase<EPT, ERT> endRef(aEndRef);- SelectBRElementIfCollapsedInEmptyBlock(startRef, endRef);-- if (NS_WARN_IF(!startRef.IsSet()) ||- NS_WARN_IF(!startRef.Container()->IsContent()) ||- NS_WARN_IF(!endRef.IsSet()) ||- NS_WARN_IF(!endRef.Container()->IsContent())) {++ EditorRawDOMPoint startPoint(aStartPoint);+ EditorRawDOMPoint endPoint(aEndPoint);+ SelectBRElementIfCollapsedInEmptyBlock(startPoint, endPoint, *editingHost);++ if (NS_WARN_IF(!startPoint.IsInContentNode()) ||+ NS_WARN_IF(!endPoint.IsInContentNode())) { NS_WARNING("HTMLEditor::SelectBRElementIfCollapsedInEmptyBlock() failed"); return nullptr; }@@ -6257,7 +6281,6 @@ // XXX Those scanners do not treat siblings of the text nodes. Perhaps, // we should use `WSRunScanner::GetFirstASCIIWhiteSpacePointCollapsedTo()` // and `WSRunScanner::GetEndOfCollapsibleASCIIWhiteSpaces()` instead.- EditorRawDOMPoint startPoint(startRef); if (startPoint.IsInTextNode()) { while (!startPoint.IsStartOfContainer()) { if (!startPoint.IsPreviousCharASCIISpaceOrNBSP()) {@@ -6269,7 +6292,6 @@ if (!IsDescendantOfEditorRoot(startPoint.GetChildOrContainerIfDataNode())) { return nullptr; }- EditorRawDOMPoint endPoint(endRef); if (endPoint.IsInTextNode()) { while (!endPoint.IsEndOfContainer()) { if (!endPoint.IsCharASCIISpaceOrNBSP()) {@@ -6293,27 +6315,35 @@ return range.forget(); }+template <typename EditorDOMRangeType> already_AddRefed<nsRange> HTMLEditor::CreateRangeExtendedToHardLineStartAndEnd(- const AbstractRange& aAbstractRange, EditSubAction aEditSubAction) const {- if (!aAbstractRange.IsPositioned()) {+ const EditorDOMRangeType& aRange, EditSubAction aEditSubAction) const {+ if (!aRange.IsPositioned()) { return nullptr; } return CreateRangeExtendedToHardLineStartAndEnd(- aAbstractRange.StartRef(), aAbstractRange.EndRef(), aEditSubAction);-}--template <typename SPT, typename SRT, typename EPT, typename ERT>+ aRange.StartRef(), aRange.EndRef(), aEditSubAction);+}++template <typename EditorDOMPointType1, typename EditorDOMPointType2> already_AddRefed<nsRange> HTMLEditor::CreateRangeExtendedToHardLineStartAndEnd(- const RangeBoundaryBase<SPT, SRT>& aStartRef,- const RangeBoundaryBase<EPT, ERT>& aEndRef,- EditSubAction aEditSubAction) const {- if (NS_WARN_IF(!aStartRef.IsSet()) || NS_WARN_IF(!aEndRef.IsSet())) {+ const EditorDOMPointType1& aStartPoint,+ const EditorDOMPointType2& aEndPoint, EditSubAction aEditSubAction) const {+ MOZ_DIAGNOSTIC_ASSERT(!aStartPoint.IsInNativeAnonymousSubtree());+ MOZ_DIAGNOSTIC_ASSERT(!aEndPoint.IsInNativeAnonymousSubtree());++ if (NS_WARN_IF(!aStartPoint.IsSet()) || NS_WARN_IF(!aEndPoint.IsSet())) { return nullptr; }- RangeBoundaryBase<SPT, SRT> startRef(aStartRef);- RangeBoundaryBase<EPT, ERT> endRef(aEndRef);- SelectBRElementIfCollapsedInEmptyBlock(startRef, endRef);+ const Element* editingHost = GetActiveEditingHost();+ if (NS_WARN_IF(!editingHost)) {+ return nullptr;+ }++ EditorRawDOMPoint startPoint(aStartPoint);+ EditorRawDOMPoint endPoint(aEndPoint);+ SelectBRElementIfCollapsedInEmptyBlock(startPoint, endPoint, *editingHost); // Make a new adjusted range to represent the appropriate block content. // This is tricky. The basic idea is to push out the range endpoints to@@ -6324,17 +6354,17 @@ // implement a method which checks both two DOM points in the editor // root.- EditorDOMPoint startPoint =- GetCurrentHardLineStartPoint(startRef, aEditSubAction);+ startPoint =+ GetCurrentHardLineStartPoint(startPoint, aEditSubAction, *editingHost); // XXX GetCurrentHardLineStartPoint() may return point of editing // host. Perhaps, we should change it and stop checking it here // since this check may be expensive. if (!IsDescendantOfEditorRoot(startPoint.GetChildOrContainerIfDataNode())) { return nullptr; }- EditorDOMPoint endPoint = GetCurrentHardLineEndPoint(endRef);- EditorRawDOMPoint lastRawPoint(endPoint);- lastRawPoint.RewindOffset();+ endPoint = GetCurrentHardLineEndPoint(endPoint, *editingHost);+ EditorRawDOMPoint lastRawPoint(+ endPoint.IsStartOfContainer() ? endPoint : endPoint.PreviousPoint()); // XXX GetCurrentHardLineEndPoint() may return point of editing host. // Perhaps, we should change it and stop checking it here since this // check may be expensive.
I'll analyze the code diff for security fixes following the specified format.
Vulnerability Existed: yes
DOM-based XSS (Injection Vulnerability) [editor/libeditor/HTMLEditSubActionHandler.cpp] [2000-2027]
[Old Code]
MOZ_ASSERT(pointToInsert.IsSetAndValid());
MOZ_ASSERT_IF(
!pointToInsert.IsInTextNode(),
HTMLEditUtils::CanNodeContain(*pointToInsert.ContainerAsContent(),
*nsGkAtoms::textTagName));
[Fixed Code]
MOZ_ASSERT(pointToInsert.IsSetAndValid());
if (!pointToInsert.IsInTextNode() &&
!HTMLEditUtils::CanNodeContain(*pointToInsert.ContainerAsContent(),
*nsGkAtoms::textTagName)) {
NS_WARNING(
"HTMLEditor::HandleInsertLinefeed() couldn't insert a linefeed because "
"the insertion position couldn't have text nodes");
return NS_ERROR_EDITOR_NO_EDITABLE_RANGE;
}
Vulnerability Existed: yes
Insufficient Input Validation [editor/libeditor/HTMLEditSubActionHandler.cpp] [369-387, 6134-6155]
[Old Code]
switch (GetTopLevelEditSubAction()) {
case EditSubAction::eInsertText:
case EditSubAction::eInsertTextComingFromIME:
case EditSubAction::eInsertLineBreak:
case EditSubAction::eInsertParagraphSeparator:
case EditSubAction::eDeleteText: {
RefPtr<nsRange> extendedChangedRange =
CreateRangeIncludingAdjuscentWhiteSpaces(
*TopLevelEditSubActionDataRef().mChangedRange);
[Fixed Code]
EditorRawDOMRange changedRange(
*TopLevelEditSubActionDataRef().mChangedRange);
if (changedRange.IsPositioned() &&
changedRange.EnsureNotInNativeAnonymousSubtree()) {
switch (GetTopLevelEditSubAction()) {
case EditSubAction::eInsertText:
case EditSubAction::eInsertTextComingFromIME:
case EditSubAction::eInsertLineBreak:
case EditSubAction::eInsertParagraphSeparator:
case EditSubAction::eDeleteText: {
RefPtr<nsRange> extendedChangedRange =
CreateRangeIncludingAdjuscentWhiteSpaces(changedRange);
Vulnerability Existed: yes
Insufficient Access Control [editor/libeditor/HTMLEditSubActionHandler.cpp] [5863-5898, 5965-5992, 6000-6021, 6043-6081]
[Old Code]
Element* editingHost = GetActiveEditingHost();
if (!editingHost) {
NS_WARNING(
"No editing host, HTMLEditor::GetCurrentHardLineStartPoint() returned "
"given point");
return EditorDOMPoint(aPoint);
}
[Fixed Code]
if (NS_WARN_IF(!aPoint.IsSet())) {
return EditorDOMPoint();
}
The changes indicate multiple security improvements:
1. Added proper validation for text node insertion points to prevent DOM-based XSS
2. Added checks for native anonymous subtree boundaries to prevent unauthorized access
3. Removed direct access to editing host without proper validation
4. Added more robust input validation throughout the range handling code
The fixes address potential injection vulnerabilities, insufficient input validation, and access control issues that could lead to security vulnerabilities in the editor component.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/security/manager/ssl/VerifySSLServerCertChild.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/security/manager/ssl/VerifySSLServerCertChild.cpp@@ -19,11 +19,9 @@ namespace psm { VerifySSLServerCertChild::VerifySSLServerCertChild(- const UniqueCERTCertificate& aCert, SSLServerCertVerificationResult* aResultTask, nsTArray<nsTArray<uint8_t>>&& aPeerCertChain, uint32_t aProviderFlags)- : mCert(CERT_DupCertificate(aCert.get())),- mResultTask(aResultTask),+ : mResultTask(aResultTask), mPeerCertChain(std::move(aPeerCertChain)), mProviderFlags(aProviderFlags) {}@@ -35,14 +33,13 @@ ("[%p] VerifySSLServerCertChild::RecvOnVerifiedSSLServerCertSuccess", this));- RefPtr<nsNSSCertificate> nsc = nsNSSCertificate::Create(mCert.get()); nsTArray<nsTArray<uint8_t>> certBytesArray; for (auto& cert : aBuiltCertChain) { certBytesArray.AppendElement(std::move(cert.data())); }- mResultTask->Dispatch(nsc, std::move(certBytesArray),- std::move(mPeerCertChain), aCertTransparencyStatus,+ mResultTask->Dispatch(std::move(certBytesArray), std::move(mPeerCertChain),+ aCertTransparencyStatus, static_cast<EVStatus>(aEVStatus), true, 0, 0, aIsBuiltCertChainRootBuiltInRoot, mProviderFlags); return IPC_OK();@@ -56,9 +53,8 @@ "aCollectedErrors=%u", this, aFinalError, aCollectedErrors));- RefPtr<nsNSSCertificate> nsc = nsNSSCertificate::Create(mCert.get()); mResultTask->Dispatch(- nsc, nsTArray<nsTArray<uint8_t>>(), std::move(mPeerCertChain),+ nsTArray<nsTArray<uint8_t>>(), std::move(mPeerCertChain), nsITransportSecurityInfo::CERTIFICATE_TRANSPARENCY_NOT_APPLICABLE, EVStatus::NotEV, false, aFinalError, aCollectedErrors, false, mProviderFlags);@@ -66,7 +62,6 @@ } SECStatus RemoteProcessCertVerification(- const UniqueCERTCertificate& aCert, nsTArray<nsTArray<uint8_t>>&& aPeerCertChain, const nsACString& aHostName, int32_t aPort, const OriginAttributes& aOriginAttributes, Maybe<nsTArray<uint8_t>>& aStapledOCSPResponse,@@ -77,9 +72,6 @@ PR_SetError(SEC_ERROR_INVALID_ARGS, 0); return SECFailure; }-- const ByteArray serverCertSerialized =- CopyableTArray<uint8_t>{aCert->derCert.data, aCert->derCert.len}; nsTArray<ByteArray> peerCertBytes; for (auto& certBytes : aPeerCertChain) {@@ -113,12 +105,11 @@ } RefPtr<VerifySSLServerCertChild> authCert = new VerifySSLServerCertChild(- aCert, aResultTask, std::move(aPeerCertChain), aProviderFlags);+ aResultTask, std::move(aPeerCertChain), aProviderFlags); if (!actorChild->SendPVerifySSLServerCertConstructor(- authCert, serverCertSerialized, peerCertBytes,- PromiseFlatCString(aHostName), aPort, aOriginAttributes,- stapledOCSPResponse, sctsFromTLSExtension, dcInfo, aProviderFlags,- aCertVerifierFlags)) {+ authCert, peerCertBytes, PromiseFlatCString(aHostName), aPort,+ aOriginAttributes, stapledOCSPResponse, sctsFromTLSExtension, dcInfo,+ aProviderFlags, aCertVerifierFlags)) { PR_SetError(SEC_ERROR_LIBRARY_FAILURE, 0); return SECFailure; }
Let me analyze the code diff for security fixes. Here are the identified vulnerabilities:
1. Vulnerability Existed: yes
Memory Leak Vulnerability [security/manager/ssl/VerifySSLServerCertChild.cpp] [Lines: Constructor and related changes]
[Old Code]
VerifySSLServerCertChild::VerifySSLServerCertChild(
const UniqueCERTCertificate& aCert,
SSLServerCertVerificationResult* aResultTask,
nsTArray<nsTArray<uint8_t>>&& aPeerCertChain, uint32_t aProviderFlags)
: mCert(CERT_DupCertificate(aCert.get())),
mResultTask(aResultTask),
mPeerCertChain(std::move(aPeerCertChain)),
mProviderFlags(aProviderFlags) {}
[Fixed Code]
VerifySSLServerCertChild::VerifySSLServerCertChild(
SSLServerCertVerificationResult* aResultTask,
nsTArray<nsTArray<uint8_t>>&& aPeerCertChain, uint32_t aProviderFlags)
: mResultTask(aResultTask),
mPeerCertChain(std::move(aPeerCertChain)),
mProviderFlags(aProviderFlags) {}
2. Vulnerability Existed: yes
Unnecessary Certificate Duplication Vulnerability [security/manager/ssl/VerifySSLServerCertChild.cpp] [Lines: Throughout the file]
[Old Code]
Multiple instances where certificate was being duplicated and passed around unnecessarily (mCert, serverCertSerialized)
[Fixed Code]
Removed all unnecessary certificate handling and duplication
3. Vulnerability Existed: not sure
Potential Information Exposure Vulnerability [security/manager/ssl/VerifySSLServerCertChild.cpp] [Lines: RemoteProcessCertVerification changes]
[Old Code]
const ByteArray serverCertSerialized =
CopyableTArray<uint8_t>{aCert->derCert.data, aCert->derCert.len};
[Fixed Code]
Removed this serialization completely
The main security fixes appear to be:
1. Removing a potential memory leak by eliminating unnecessary certificate duplication
2. Simplifying the certificate handling to reduce attack surface
3. Possibly reducing information exposure by removing certificate serialization
The changes suggest a refactoring to make the code more secure by removing unnecessary certificate handling that could lead to memory leaks or other security issues.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/crossbeam-channel/CHANGELOG.md+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/crossbeam-channel/CHANGELOG.md@@ -1,3 +1,7 @@+# Version 0.5.2++- Fix stacked borrows violations. (#763, #764)+ # Version 0.5.1 - Fix memory leak in unbounded channel. (#669)
Analyzing the provided diff, here's the security analysis: 1. Vulnerability Existed: yes Stacked Borrows Violation [third_party/rust/crossbeam-channel/CHANGELOG.md] [Lines mentioned in changelog] Old Code: Not explicitly shown (but implied to have stacked borrows violations) Fixed Code: Fixes stacked borrows violations (#763, #764) Additional Details: - The changelog indicates fixes for "stacked borrows violations" which are memory safety issues in Rust related to the borrow checker and aliasing rules. These could potentially lead to undefined behavior or security vulnerabilities if exploited. - The fixes were implemented in PRs #763 and #764 (though the actual code changes aren't shown in this diff). Note: While this is a changelog entry rather than actual code, it documents important memory safety fixes that would affect the security of the codebase. The stacked borrows violations could potentially be exploited to cause memory corruption or other security issues if left unfixed.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/async-task/tests/waker_ready.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/async-task/tests/waker_ready.rs@@ -83,7 +83,7 @@ let guard = Guard(Box::new(0)); let sched = move |runnable: Runnable| {- &guard;+ let _ = &guard; $sched.fetch_add(1, Ordering::SeqCst); s.send(runnable).unwrap(); };
Let me analyze the code diff for potential security vulnerabilities.
Vulnerability Existed: not sure
[Potential Resource Leak or Unused Variable] [third_party/rust/async-task/tests/waker_ready.rs] [Lines 83-87]
[Old Code]
let guard = Guard(Box::new(0));
let sched = move |runnable: Runnable| {
&guard;
[Fixed Code]
let guard = Guard(Box::new(0));
let sched = move |runnable: Runnable| {
let _ = &guard;
Analysis:
1. The change involves how a guard variable is referenced inside a closure.
2. The old code simply referenced `&guard` without using it, which might trigger warnings but isn't clearly a security vulnerability.
3. The new code explicitly ignores the reference with `let _ = &guard`, which is more idiomatic Rust but doesn't appear to fix a security issue.
4. While this could potentially relate to resource management (since Guard likely manages some resource), there's no clear evidence of a security vulnerability being fixed here. The change appears more stylistic than security-related.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/browser/components/newtab/content-src/aboutwelcome/components/MultiStageProtonScreen.jsx+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/browser/components/newtab/content-src/aboutwelcome/components/MultiStageProtonScreen.jsx@@ -14,7 +14,12 @@ } render() {- const { autoClose, content, totalNumberOfScreens: total } = this.props;+ const {+ autoClose,+ content,+ isRtamo,+ totalNumberOfScreens: total,+ } = this.props; const windowObj = this.props.windowObj || window; const isWelcomeScreen = this.props.order === 0; const isLastScreen = this.props.order === total;@@ -55,7 +60,7 @@ <div className="section-left"> <div className="message-text"> <div className="spacer-top" />- <Localized text={content.subtitle}>+ <Localized text={content.hero_text}> <h1 /> </Localized> <div className="spacer-bottom" />@@ -86,6 +91,9 @@ }`} > <div className={`brand-logo ${content.hideLogo ? "hide" : ""}`} />+ <div className={`${isRtamo ? "rtamo-icon" : "hide-rtamo-icon"}`}>+ <img src={this.props.iconURL} role="presentation" alt="" />+ </div> {isLastScreen && content.hasFancyTitle ? ( <div className="confetti" /> ) : null}@@ -98,9 +106,13 @@ <Localized text={content.title}> <h1 id="mainContentHeader" /> </Localized>- {!isWelcomeScreen ? (+ {content.subtitle ? ( <Localized text={content.subtitle}>- <h2 />+ <h2+ data-l10n-args={JSON.stringify({+ "addon-name": this.props.addonName,+ })}+ /> </Localized> ) : null} </div>
I'll analyze the code diff and provide the security findings following the specified format.
1. Vulnerability Existed: not sure
[XSS Potential] [browser/components/newtab/content-src/aboutwelcome/components/MultiStageProtonScreen.jsx] [Lines 98-106]
[Old Code]
<Localized text={content.subtitle}>
<h2 />
</Localized>
[Fixed Code]
<Localized text={content.subtitle}>
<h2
data-l10n-args={JSON.stringify({
"addon-name": this.props.addonName,
})}
/>
</Localized>
Additional Details: The change adds JSON stringification of props being passed to localization, which could help prevent XSS if the addonName was user-controlled. However, without seeing the full context of how addonName is sanitized, we can't be certain if this was fixing an actual vulnerability or just improving code safety.
2. Vulnerability Existed: not sure
[Information Disclosure Potential] [browser/components/newtab/content-src/aboutwelcome/components/MultiStageProtonScreen.jsx] [Lines 86-94]
[Old Code]
<div className={`brand-logo ${content.hideLogo ? "hide" : ""}`} />
[Fixed Code]
<div className={`brand-logo ${content.hideLogo ? "hide" : ""}`} />
<div className={`${isRtamo ? "rtamo-icon" : "hide-rtamo-icon"}`}>
<img src={this.props.iconURL} role="presentation" alt="" />
</div>
Additional Details: The change adds display of an iconURL from props. If this URL could be controlled by an attacker, it might lead to information disclosure if the URL points to a malicious server. However, without knowing how iconURL is validated, we can't be certain if this was a security fix or just a feature addition.
Note: The changes appear to be primarily feature additions (isRtamo support) rather than direct security fixes. The most security-relevant change is the JSON.stringify addition, which could help prevent XSS if the addonName contained malicious content.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/text/2d.text.font.default.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/text/2d.text.font.default.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); _assertSame(ctx.font, '10px sans-serif', "ctx.font", "'10px sans-serif'"); t.done();
Analyzing the provided code diff, here's the security assessment:
Vulnerability Existed: no
[Variable Naming Improvement] [testing/web-platform/tests/html/canvas/offscreen/text/2d.text.font.default.worker.js] [Lines 13-14]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
Additional Details:
This change appears to be a simple variable renaming from 'offscreenCanvas' to 'canvas'. There are no security vulnerabilities being fixed here - it's purely a code style/readability improvement. The functionality remains exactly the same, just with a more concise variable name. No security implications were identified in this change.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/pixel-manipulation/2d.imageData.get.source.negative.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/pixel-manipulation/2d.imageData.get.source.negative.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#000'; ctx.fillRect(0, 0, 100, 50);
Analysis of the provided code diff:
1. Vulnerability Existed: no
No specific vulnerability found [File] [Lines 13-14]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
Additional Notes:
- The change appears to be purely a variable name change from `offscreenCanvas` to `canvas`
- No security implications are evident from this change
- The modification seems to be for consistency or readability rather than security fixes
- No known vulnerabilities are addressed by this change
- The functionality remains identical, only the variable name has changed
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/accessible/ipc/extension/mac/DocAccessiblePlatformExtChild.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/accessible/ipc/extension/mac/DocAccessiblePlatformExtChild.h@@ -41,7 +41,7 @@ const int32_t& aStartOffset, const uint64_t& aEndContainer, const int32_t& aEndOffset,- nsIntRect* aBounds);+ LayoutDeviceIntRect* aBounds); mozilla::ipc::IPCResult RecvLengthForRange(const uint64_t& aID, const int32_t& aStartOffset,
Let me analyze the code diff for potential security vulnerabilities: Vulnerability Existed: not sure [Potential Type Confusion/Incorrect Data Type Usage] [accessible/ipc/extension/mac/DocAccessiblePlatformExtChild.h] [Lines 41] [Old Code] nsIntRect* aBounds [Fixed Code] LayoutDeviceIntRect* aBounds Additional Details: The change involves modifying the data type of aBounds parameter from nsIntRect* to LayoutDeviceIntRect*. While this could potentially relate to security (as incorrect data types can lead to memory corruption or type confusion vulnerabilities), there isn't enough context to confirm if this was an actual security fix or just a functional improvement. The change suggests better type safety, but without more context about how this parameter is used, we can't be certain about security implications. Note: This appears to be part of Firefox's accessibility system on macOS, where precise coordinate handling is important for security and functionality. The change might relate to better handling of device-specific coordinates.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/gfx/wr/webrender/src/resource_cache.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/gfx/wr/webrender/src/resource_cache.rs@@ -1044,7 +1044,7 @@ let tile_size = match self.resources.image_templates.get(key.as_image()) { Some(template) => template.tiling.unwrap(), None => {- //println!("Missing image template (key={:?})!", key);+ //debug!("Missing image template (key={:?})!", key); return; } };
Here's the analysis of the provided code diff:
Vulnerability Existed: no
[Comment Change] [gfx/wr/webrender/src/resource_cache.rs] [Lines 1044]
[Old Code]
//println!("Missing image template (key={:?})!", key);
[Fixed Code]
//debug!("Missing image template (key={:?})!", key);
Additional Details:
- This change only modifies a commented-out debug statement from println! to debug! macro
- No actual code behavior is changed, only a comment
- The change appears to be related to logging consistency rather than security
- No known vulnerability is being addressed here
Note: While this change doesn't fix any security vulnerability, it's worth noting that using proper logging macros (like debug!) instead of println! for debug output is generally better practice as it allows for better log level control and potential security filtering of sensitive information. However, in this case since the line is commented out, it doesn't affect runtime behavior.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.