Shared security patch analysis results
AI Used: DEEPSEEK deepseek-chat--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/async-task/tests/waker_panic.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/async-task/tests/waker_panic.rs@@ -86,7 +86,7 @@ let guard = Guard(Box::new(0)); let sched = move |runnable: Runnable| {- &guard;+ let _ = &guard; $sched.fetch_add(1, Ordering::SeqCst); s.send(runnable).unwrap(); };@@ -238,10 +238,15 @@ .run(); }-#[test]+#[flaky_test::flaky_test] fn cancel_and_wake_during_run() { future!(f, get_waker, POLL, DROP_F); schedule!(s, chan, SCHEDULE, DROP_S);+ POLL.store(0, Ordering::SeqCst);+ DROP_F.store(0, Ordering::SeqCst);+ SCHEDULE.store(0, Ordering::SeqCst);+ DROP_S.store(0, Ordering::SeqCst);+ let (runnable, task) = async_task::spawn(f, s); runnable.run();
Analyzing the provided code diff, here are the potential security vulnerabilities: 1. Vulnerability Existed: not sure [Potential Unused Variable Leading to Memory Issues] [third_party/rust/async-task/tests/waker_panic.rs] [Lines 86-89] [Old Code] `&guard;` [Fixed Code] `let _ = &guard;` Additional Details: The change ensures the guard variable is properly bound to prevent potential memory issues from an unused reference, though it's not clear if this was an actual security vulnerability. 2. Vulnerability Existed: yes [Race Condition in Atomic Operations] [third_party/rust/async-task/tests/waker_panic.rs] [Lines 238-245] [Old Code] No initialization of atomic counters before test [Fixed Code] Added initialization of POLL, DROP_F, SCHEDULE, and DROP_S atomic counters Additional Details: The fix adds proper initialization of atomic counters which could prevent race conditions during test execution, though this appears to be more of a test reliability fix than a security vulnerability. 3. Vulnerability Existed: not sure [Test Flakiness] [third_party/rust/async-task/tests/waker_panic.rs] [Line 238] [Old Code] `#[test]` [Fixed Code] `#[flaky_test::flaky_test]` Additional Details: The change marks the test as flaky, suggesting potential concurrency issues, though this is more about test reliability than a direct security vulnerability. Note: While these changes improve code quality and reliability, none appear to address critical security vulnerabilities. The most significant change is the atomic counter initialization which prevents potential race conditions in test execution.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/gfx/wr/swgl/build.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/gfx/wr/swgl/build.rs@@ -110,10 +110,7 @@ } fn main() {- let shader_dir = match std::env::var("MOZ_SRC") {- Ok(dir) => dir + "/gfx/wr/webrender/res",- Err(_) => std::env::var("CARGO_MANIFEST_DIR").unwrap() + "/../webrender/res",- };+ let shader_dir = std::env::var("CARGO_MANIFEST_DIR").unwrap() + "/../webrender/res"; let shader_flags = ShaderFeatureFlags::GL |
Here's the analysis of the provided code diff:
Vulnerability Existed: not sure
[Potential Hardcoded Path Issue] [gfx/wr/swgl/build.rs] [Lines 110-113]
[Old Code]
let shader_dir = match std::env::var("MOZ_SRC") {
Ok(dir) => dir + "/gfx/wr/webrender/res",
Err(_) => std::env::var("CARGO_MANIFEST_DIR").unwrap() + "/../webrender/res",
};
[Fixed Code]
let shader_dir = std::env::var("CARGO_MANIFEST_DIR").unwrap() + "/../webrender/res";
Additional Details:
- The change simplifies the path resolution logic by removing the MOZ_SRC environment variable fallback
- While not clearly a security vulnerability, the old code could potentially lead to path traversal if MOZ_SRC was controlled by an attacker
- The fixed version is more predictable as it only uses CARGO_MANIFEST_DIR
- This might be more of a reliability improvement than a security fix
No other obvious vulnerabilities were identified in this diff. The change appears to be simplifying the build configuration rather than addressing a clear security issue.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/gfx/gl/GLBlitHelper.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/gfx/gl/GLBlitHelper.h@@ -36,6 +36,10 @@ class MacIOSurface; #endif+#ifdef MOZ_WIDGET_ANDROID+# include "mozilla/java/GeckoSurfaceTextureWrappers.h"+#endif+ namespace mozilla { namespace layers {@@ -54,7 +58,7 @@ #endif #ifdef MOZ_WIDGET_ANDROID-class SurfaceTextureImage;+class SurfaceTextureDescriptor; #endif #ifdef XP_MACOSX@@ -177,9 +181,8 @@ bool BlitPlanarYCbCr(const layers::PlanarYCbCrData&, const gfx::IntSize& destSize, OriginPos destOrigin); #ifdef MOZ_WIDGET_ANDROID- // Blit onto the current FB.- bool BlitImage(layers::SurfaceTextureImage* stImage,- const gfx::IntSize& destSize, OriginPos destOrigin) const;+ bool Blit(const java::GeckoSurfaceTexture::Ref& surfaceTexture,+ const gfx::IntSize& destSize, const OriginPos destOrigin) const; #endif #ifdef XP_MACOSX bool BlitImage(layers::MacIOSurfaceImage* srcImage,
Analyzing the provided code diff for security fixes:
1. Vulnerability Existed: not sure
[Potential Class/Type Change] [File: gfx/gl/GLBlitHelper.h] [Lines: 54, 177-182]
[Old Code]
```cpp
class SurfaceTextureImage;
bool BlitImage(layers::SurfaceTextureImage* stImage,
const gfx::IntSize& destSize, OriginPos destOrigin) const;
```
[Fixed Code]
```cpp
class SurfaceTextureDescriptor;
bool Blit(const java::GeckoSurfaceTexture::Ref& surfaceTexture,
const gfx::IntSize& destSize, const OriginPos destOrigin) const;
```
Additional Details: The change involves replacing SurfaceTextureImage with SurfaceTextureDescriptor and modifying the Blit function signature to use java::GeckoSurfaceTexture::Ref. While this appears to be an API/implementation change, it's unclear if it fixes a specific vulnerability or is just a refactoring.
2. Vulnerability Existed: not sure
[Header Inclusion Change] [File: gfx/gl/GLBlitHelper.h] [Lines: 36-40]
[Old Code]
```cpp
#ifdef MOZ_WIDGET_ANDROID
# include "mozilla/java/GeckoSurfaceTextureWrappers.h"
#endif
```
[Fixed Code]
(This was added in the new version)
Additional Details: The addition of a new header include for Android-specific functionality might be related to security fixes, but without more context about the changes in GeckoSurfaceTextureWrappers.h, we can't be certain.
Note: The diff shows significant changes to the Android-specific implementation, but without more context about the vulnerabilities being addressed or the implementation details of the new classes, we can only speculate about potential security implications. The changes appear to modernize the Android surface texture handling, which could potentially address security issues related to improper texture handling, but this is not confirmed.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/docs/testing-rust-code/index.md+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/docs/testing-rust-code/index.md@@ -2,8 +2,8 @@ This page explains how to test and debug Rust code in Firefox.-The [build documentation](../build/buildsystem/rust.html) explains how to add-new Rust code to Firefox. The [code documentation](../writing-rust-code)+The [build documentation](/build/buildsystem/rust.rst) explains how to add+new Rust code to Firefox. The [code documentation](/writing-rust-code/index.md) explains how to write and work with Rust code in Firefox. ## Testing Mozilla crates@@ -31,7 +31,7 @@ `testing/geckodriver/moz.build` and the [geckodriver testing docs] for an example.-[geckodriver testing docs]: ../testing/geckodriver/Testing.html+[geckodriver testing docs]: /testing/geckodriver/Testing.md ### GTests@@ -102,7 +102,7 @@ Rust logging can also be forwarded to the [Gecko logger] for capture via `MOZ_LOG` and `MOZ_LOG_FILE`.-[Gecko logger]: /xpcom/logging.html+[Gecko logger]: /xpcom/logging.rst - When parsing modules from `MOZ_LOG`, modules containing `::` are considered to be Rust modules. To log everything in a top-level module like
Here's my analysis of the provided code diff: Vulnerability Existed: no [Documentation Link Fixes] [docs/testing-rust-code/index.md] [Multiple lines] [Old Code] The [build documentation](../build/buildsystem/rust.html) explains how to add new Rust code to Firefox. The [code documentation](../writing-rust-code) [geckodriver testing docs]: ../testing/geckodriver/Testing.html [Gecko logger]: /xpcom/logging.html [Fixed Code] The [build documentation](/build/buildsystem/rust.rst) explains how to add new Rust code to Firefox. The [code documentation](/writing-rust-code/index.md) [geckodriver testing docs]: /testing/geckodriver/Testing.md [Gecko logger]: /xpcom/logging.rst Additional Details: This appears to be purely documentation updates changing file paths and extensions (from .html to .rst/.md) for better consistency in the documentation system. There are no security vulnerabilities being fixed here, just documentation link corrections and formatting improvements. The changes are all related to making the documentation links more accurate and consistent with the documentation system's preferred file extensions.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/mozglue/baseprofiler/core/platform.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/mozglue/baseprofiler/core/platform.h@@ -33,6 +33,7 @@ #include "BaseProfiler.h"+#include "mozilla/Atomics.h" #include "mozilla/Logging.h" #include "mozilla/UniquePtr.h" #include "mozilla/Vector.h"@@ -102,6 +103,15 @@ namespace baseprofiler {+// If positive, skip stack-sampling in the sampler thread loop.+// Users should increment it atomically when samplings should be avoided, and+// later decrement it back. Multiple uses can overlap.+// There could be a sampling in progress when this is first incremented, so if+// it is critical to prevent any sampling, lock the profiler mutex instead.+// Relaxed ordering, because it's used to request that the profiler pause+// future sampling; this is not time critical, nor dependent on anything else.+extern mozilla::Atomic<int, mozilla::MemoryOrdering::Relaxed> gSkipSampling;+ typedef uint8_t* Address; class PlatformData;
Based on the provided diff, here's the analysis following the required format: Vulnerability Existed: not sure [Potential Race Condition] [mozglue/baseprofiler/core/platform.h] [Lines 102-103] [Old Code] [N/A - New code addition] [Fixed Code] extern mozilla::Atomic<int, mozilla::MemoryOrdering::Relaxed> gSkipSampling; Additional Details: 1. This appears to be a new addition rather than a fix to existing code 2. The addition of an atomic variable suggests potential concurrency concerns in the original implementation 3. The comments indicate this is meant to prevent race conditions during stack sampling 4. Without seeing the original implementation's threading behavior, we can't be certain if this fixes an actual vulnerability or is preventative Vulnerability Existed: no [No specific vulnerability] [mozglue/baseprofiler/core/platform.h] [Lines 33] [Old Code] #include "mozilla/Logging.h" [Fixed Code] #include "mozilla/Atomics.h" #include "mozilla/Logging.h" Additional Details: 1. This is just an additional include statement for atomic operations 2. No security implications in this particular change 3. Likely related to supporting the new gSkipSampling atomic variable
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.hex8.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.hex8.html@@ -17,14 +17,14 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillStyle = '#00ff00ff'; ctx.fillRect(0, 0, 100, 50);-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); t.done(); });
Based on the provided diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely cosmetic/refactoring (variable name change from `offscreenCanvas` to `canvas`). Here's the analysis following your format: Vulnerability Existed: no No security vulnerability found [testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.hex8.html] [17-25] [Old Code: var offscreenCanvas = new OffscreenCanvas(100, 50); ... _assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255")] [Fixed Code: var canvas = new OffscreenCanvas(100, 50); ... _assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255")] The changes are: 1. Variable name change from `offscreenCanvas` to `canvas` 2. Corresponding update in the `_assertPixel` call to use the new variable name No security implications were found in this change.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/layout/reftests/css-grid/grid-fragmentation-019-ref.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/layout/reftests/css-grid/grid-fragmentation-019-ref.html@@ -21,7 +21,7 @@ -ms-column-fill: auto; -webkit-column-fill: auto; column-fill: auto;- border: 2px dashed;+ border: 2px solid salmon; margin-bottom: 5px; }
After analyzing the provided code diff, here's the security assessment: Vulnerability Existed: no [No security vulnerability found] [layout/reftests/css-grid/grid-fragmentation-019-ref.html] [Lines 21] [Old Code: border: 2px dashed;] [Fixed Code: border: 2px solid salmon;] Additional Details: - This appears to be a purely visual/style change in a test reference file - The change modifies the border style from dashed to solid and adds a color (salmon) - No security implications are apparent as this is a CSS styling change in what appears to be a test file - No vulnerability name applies as this isn't a security-related change
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/widget/android/nsLookAndFeel.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/widget/android/nsLookAndFeel.cpp@@ -6,7 +6,7 @@ #include "nsStyleConsts.h" #include "nsXULAppAPI.h" #include "nsLookAndFeel.h"-#include "nsNativeBasicTheme.h"+#include "Theme.h" #include "gfxFont.h" #include "gfxFontConstants.h" #include "mozilla/FontPropertyTypes.h"
Let me analyze the code diff according to the specified format. Vulnerability Existed: not sure [Header File Change] [widget/android/nsLookAndFeel.cpp] [Line 6] [Old Code] #include "nsNativeBasicTheme.h" [Fixed Code] #include "Theme.h" Additional Details: 1. This appears to be a simple header file change from "nsNativeBasicTheme.h" to "Theme.h" 2. Without more context about the functionality and security implications of these headers, I cannot determine if this fixes a specific vulnerability 3. The change might be related to code organization, refactoring, or functionality improvement rather than a direct security fix 4. No obvious security vulnerability patterns (like buffer overflow, XSS, etc.) are visible in this change Note: This could potentially be part of a larger security fix where the Theme.h implementation provides more secure functionality, but that would require examining more of the codebase to determine.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/selectors/old-tests/css3-modsel-179.xml+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/selectors/old-tests/css3-modsel-179.xml@@ -10,7 +10,6 @@ <link rel="author" title="Ian Hickson" href="mailto:[email protected]"/> <link rel="help" href="https://www.w3.org/TR/css3-selectors/#selectors"/> <!-- bogus link to make sure it gets found --> <link rel="match" href="reference/this-line-green-color.xht"/>- <meta name="flags" content="" /> </head> <body> <p><span>This line should be green.</span></p>
Based on the provided diff, I'll analyze it for potential security vulnerabilities: 1. Vulnerability Existed: no No specific vulnerability [File] [Lines] [Old Code] `<meta name="flags" content="" />` [Fixed Code] (removed line) Additional details: - The diff shows the removal of an empty meta tag with a "flags" attribute. This doesn't appear to be related to any known security vulnerability. - The change seems to be a simple cleanup of unnecessary markup rather than a security fix. - No CVE or known vulnerability is associated with this type of change. - The meta tag wasn't serving any apparent security purpose in either its presence or removal. The modification appears to be part of routine test file maintenance rather than a security-related fix. The empty flags meta tag wasn't providing any functionality and its removal doesn't impact security.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/the-offscreen-canvas/size.attributes.parse.junk.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/the-offscreen-canvas/size.attributes.parse.junk.html@@ -17,10 +17,10 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d');-assert_throws_js(TypeError, function() { offscreenCanvas.width = '#!?'; });+assert_throws_js(TypeError, function() { canvas.width = '#!?'; }); t.done(); });
Here's the analysis following your requested format:
Vulnerability Existed: no
[No specific vulnerability found] [testing/web-platform/tests/html/canvas/offscreen/the-offscreen-canvas/size.attributes.parse.junk.html] [Lines 17-22]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
assert_throws_js(TypeError, function() { offscreenCanvas.width = '#!?'; });
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
assert_throws_js(TypeError, function() { canvas.width = '#!?'; });
Additional Details:
The changes appear to be primarily variable renaming (from 'offscreenCanvas' to 'canvas') rather than security fixes. The test continues to verify that setting invalid width values throws a TypeError, which was already properly implemented in the old version. No actual security vulnerability appears to be addressed in this diff.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/gfx/2d/2D.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/gfx/2d/2D.h@@ -135,6 +135,8 @@ AntialiasMode mAntialiasMode; /**< The AntiAlias mode used for this drawing operation. */ };++struct StoredStrokeOptions; /** * This structure is used to send stroke options that are used in stroking@@ -168,7 +170,45 @@ stroking begins. */ JoinStyle mLineJoin; //!< Join style used for joining lines. CapStyle mLineCap; //!< Cap style used for capping lines.-};++ StoredStrokeOptions* Clone() const;++ bool operator==(const StrokeOptions& aOther) const {+ return mLineWidth == aOther.mLineWidth &&+ mMiterLimit == aOther.mMiterLimit &&+ mDashLength == aOther.mDashLength &&+ (!mDashLength || (mDashPattern && aOther.mDashPattern &&+ !memcmp(mDashPattern, aOther.mDashPattern,+ mDashLength * sizeof(Float)))) &&+ mDashOffset == aOther.mDashOffset && mLineJoin == aOther.mLineJoin &&+ mLineCap == aOther.mLineCap;+ }+};++/**+ * Heap-allocated variation of StrokeOptions that ensures dash patterns are+ * properly allocated and destroyed even if the source was stack-allocated.+ */+struct StoredStrokeOptions : public StrokeOptions {+ explicit StoredStrokeOptions(const StrokeOptions& aOptions)+ : StrokeOptions(aOptions) {+ if (mDashLength) {+ Float* pattern = new Float[mDashLength];+ memcpy(pattern, mDashPattern, mDashLength * sizeof(Float));+ mDashPattern = pattern;+ }+ }++ ~StoredStrokeOptions() {+ if (mDashPattern) {+ delete[] mDashPattern;+ }+ }+};++inline StoredStrokeOptions* StrokeOptions::Clone() const {+ return new StoredStrokeOptions(*this);+} /** * This structure supplies additional options for calls to DrawSurface.@@ -218,6 +258,14 @@ virtual PatternType GetType() const = 0;+ /** Instantiate a new clone with the same pattern type and values. */+ virtual Pattern* Clone() const { return nullptr; }++ /** Determine if the pattern type and values exactly match. */+ virtual bool operator==(const Pattern& aOther) const = 0;++ bool operator!=(const Pattern& aOther) const { return !(*this == aOther); }+ protected: Pattern() = default; };@@ -229,6 +277,16 @@ explicit ColorPattern(const DeviceColor& aColor) : mColor(aColor) {} PatternType GetType() const override { return PatternType::COLOR; }++ Pattern* Clone() const override { return new ColorPattern(mColor); }++ bool operator==(const Pattern& aOther) const override {+ if (aOther.GetType() != PatternType::COLOR) {+ return false;+ }+ const ColorPattern& other = static_cast<const ColorPattern&>(aOther);+ return mColor == other.mColor;+ } DeviceColor mColor; };@@ -247,6 +305,20 @@ : mBegin(aBegin), mEnd(aEnd), mStops(aStops), mMatrix(aMatrix) {} PatternType GetType() const override { return PatternType::LINEAR_GRADIENT; }++ Pattern* Clone() const override {+ return new LinearGradientPattern(mBegin, mEnd, do_AddRef(mStops), mMatrix);+ }++ bool operator==(const Pattern& aOther) const override {+ if (aOther.GetType() != PatternType::LINEAR_GRADIENT) {+ return false;+ }+ const LinearGradientPattern& other =+ static_cast<const LinearGradientPattern&>(aOther);+ return mBegin == other.mBegin && mEnd == other.mEnd &&+ mStops == other.mStops && mMatrix.ExactlyEquals(other.mMatrix);+ } Point mBegin; //!< Start of the linear gradient Point mEnd; /**< End of the linear gradient - NOTE: In the case@@ -281,6 +353,22 @@ PatternType GetType() const override { return PatternType::RADIAL_GRADIENT; }+ Pattern* Clone() const override {+ return new RadialGradientPattern(mCenter1, mCenter2, mRadius1, mRadius2,+ do_AddRef(mStops), mMatrix);+ }++ bool operator==(const Pattern& aOther) const override {+ if (aOther.GetType() != PatternType::RADIAL_GRADIENT) {+ return false;+ }+ const RadialGradientPattern& other =+ static_cast<const RadialGradientPattern&>(aOther);+ return mCenter1 == other.mCenter1 && mCenter2 == other.mCenter2 &&+ mRadius1 == other.mRadius1 && mRadius2 == other.mRadius2 &&+ mStops == other.mStops && mMatrix.ExactlyEquals(other.mMatrix);+ }+ Point mCenter1; //!< Center of the inner (focal) circle. Point mCenter2; //!< Center of the outer circle. Float mRadius1; //!< Radius of the inner (focal) circle.@@ -312,6 +400,23 @@ PatternType GetType() const override { return PatternType::CONIC_GRADIENT; }+ Pattern* Clone() const override {+ return new ConicGradientPattern(mCenter, mAngle, mStartOffset, mEndOffset,+ do_AddRef(mStops), mMatrix);+ }++ bool operator==(const Pattern& aOther) const override {+ if (aOther.GetType() != PatternType::CONIC_GRADIENT) {+ return false;+ }+ const ConicGradientPattern& other =+ static_cast<const ConicGradientPattern&>(aOther);+ return mCenter == other.mCenter && mAngle == other.mAngle &&+ mStartOffset == other.mStartOffset &&+ mEndOffset == other.mEndOffset && mStops == other.mStops &&+ mMatrix.ExactlyEquals(other.mMatrix);+ }+ Point mCenter; //!< Center of the gradient Float mAngle; //!< Start angle of gradient Float mStartOffset; // Offset of first stop@@ -341,6 +446,22 @@ mSamplingRect(aSamplingRect) {} PatternType GetType() const override { return PatternType::SURFACE; }++ Pattern* Clone() const override {+ return new SurfacePattern(mSurface, mExtendMode, mMatrix, mSamplingFilter,+ mSamplingRect);+ }++ bool operator==(const Pattern& aOther) const override {+ if (aOther.GetType() != PatternType::SURFACE) {+ return false;+ }+ const SurfacePattern& other = static_cast<const SurfacePattern&>(aOther);+ return mSurface == other.mSurface && mExtendMode == other.mExtendMode &&+ mSamplingFilter == other.mSamplingFilter &&+ mMatrix.ExactlyEquals(other.mMatrix) &&+ mSamplingRect.IsEqualEdges(other.mSamplingRect);+ } RefPtr<SourceSurface> mSurface; //!< Surface to use for drawing ExtendMode mExtendMode; /**< This determines how the image is extended
Here's the security analysis of the provided code diff: 1. Vulnerability Existed: yes Memory Management Vulnerability [File] gfx/2d/2D.h [Lines 168-170] [Old Code] No explicit memory management for mDashPattern in StrokeOptions [Fixed Code] Added StoredStrokeOptions with proper memory allocation/deallocation for mDashPattern 2. Vulnerability Existed: yes Missing Operator Overload Vulnerability [File] gfx/2d/2D.h [Lines 218-258] [Old Code] No comparison operators for Pattern class [Fixed Code] Added virtual operator== and operator!= to Pattern class and implementations in derived classes 3. Vulnerability Existed: yes Shallow Copy Vulnerability [File] gfx/2d/2D.h [Lines 218-446] [Old Code] No clone methods for Pattern class and its derived classes [Fixed Code] Added virtual Clone() method to Pattern class and implementations in all derived classes The changes primarily address memory management issues (preventing memory leaks and ensuring proper copying of dash patterns) and add proper comparison and cloning functionality to prevent shallow copy issues and enable proper object comparison. The most significant security fix is the proper handling of the mDashPattern memory allocation/deallocation through the new StoredStrokeOptions class.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/browser/config/version.txt+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/browser/config/version.txt@@ -1 +1 @@-97.0.2+98.0.3
Analysis of the provided code diff: 1. Vulnerability Existed: no Version Update [File] browser/config/version.txt [Lines] 1 [Old Code] 97.0.2 [Fixed Code] 98.0.3 Additional Details: - This appears to be a standard version number update in Firefox from version 97.0.2 to 98.0.3 - No security vulnerabilities are evident from this version number change alone - Version updates often include security fixes, but the diff doesn't show any specific vulnerability being addressed - Without access to the full changelog or release notes, we can't determine what specific security fixes might be included in this version bump Note: While this version update might contain security fixes (as most Firefox updates do), the diff itself doesn't reveal any specific vulnerabilities being patched. The version number change is routine maintenance and doesn't indicate any particular security issue in the version.txt file itself.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/mozglue/baseprofiler/public/BaseProfilerState.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/mozglue/baseprofiler/public/BaseProfilerState.h@@ -216,7 +216,10 @@ "Record markers from all registered threads") \ \ MACRO(22, "unregisteredthreads", UnregisteredThreads, \- "Discover and profile unregistered threads -- beware: expensive!")+ "Discover and profile unregistered threads -- beware: expensive!") \+ \+ MACRO(23, "processcpu", ProcessCPU, \+ "Sample the CPU utilization of each process") // *** Synchronize with lists in ProfilerState.h and geckoProfiler.json *** struct ProfilerFeature {
Based on the provided diff, I'll analyze it for security vulnerabilities:
1. Vulnerability Existed: no
[Feature Addition] [mozglue/baseprofiler/public/BaseProfilerState.h] [Lines 216-220]
[Old Code]
"Discover and profile unregistered threads -- beware: expensive!")
[Fixed Code]
"Discover and profile unregistered threads -- beware: expensive!") \
\
MACRO(23, "processcpu", ProcessCPU, \
"Sample the CPU utilization of each process")
The change appears to be adding a new profiling feature (ProcessCPU) rather than fixing a security vulnerability. There's no indication of any security-related fixes in this diff - it's purely a feature addition to the profiler capabilities.
No security vulnerabilities were fixed in this change, and no potential vulnerabilities are apparent from the diff content. The modification simply extends the profiler's functionality to include process CPU utilization sampling.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/ash/src/vk/aliases.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/ash/src/vk/aliases.rs@@ -164,3 +164,4 @@ pub type AabbPositionsNV = AabbPositionsKHR; pub type TransformMatrixNV = TransformMatrixKHR; pub type AccelerationStructureInstanceNV = AccelerationStructureInstanceKHR;+pub type AttachmentSampleCountInfoNV = AttachmentSampleCountInfoAMD;
Let me analyze the provided code diff for security fixes. Vulnerability Existed: no [No specific vulnerability found] [third_party/rust/ash/src/vk/aliases.rs] [Lines 164-165] [Old Code] pub type AabbPositionsNV = AabbPositionsKHR; pub type TransformMatrixNV = TransformMatrixKHR; pub type AccelerationStructureInstanceNV = AccelerationStructureInstanceKHR; [Fixed Code] pub type AabbPositionsNV = AabbPositionsKHR; pub type TransformMatrixNV = TransformMatrixKHR; pub type AccelerationStructureInstanceNV = AccelerationStructureInstanceKHR; pub type AttachmentSampleCountInfoNV = AttachmentSampleCountInfoAMD; Analysis: 1. The diff shows only an addition of a new type alias (`AttachmentSampleCountInfoNV`) that points to an existing type (`AttachmentSampleCountInfoAMD`). 2. There are no security-related changes visible in this diff - no removal or modification of potentially dangerous code. 3. The change appears to be purely additive, adding support for another Vulkan extension type alias. 4. No vulnerability patterns (like memory safety issues, input validation, etc.) are present in this change.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.gradient.interpolate.multiple.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.gradient.interpolate.multiple.worker.js@@ -13,19 +13,19 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d');-offscreenCanvas.width = 200;+canvas.width = 200; var g = ctx.createLinearGradient(0, 0, 200, 0); g.addColorStop(0, '#ff0'); g.addColorStop(0.5, '#0ff'); g.addColorStop(1, '#f0f'); ctx.fillStyle = g; ctx.fillRect(0, 0, 200, 50);-_assertPixelApprox(offscreenCanvas, 50,25, 127,255,127,255, "50,25", "127,255,127,255", 3);-_assertPixelApprox(offscreenCanvas, 100,25, 0,255,255,255, "100,25", "0,255,255,255", 3);-_assertPixelApprox(offscreenCanvas, 150,25, 127,127,255,255, "150,25", "127,127,255,255", 3);+_assertPixelApprox(canvas, 50,25, 127,255,127,255, "50,25", "127,255,127,255", 3);+_assertPixelApprox(canvas, 100,25, 0,255,255,255, "100,25", "0,255,255,255", 3);+_assertPixelApprox(canvas, 150,25, 127,127,255,255, "150,25", "127,127,255,255", 3); t.done(); });
After analyzing the provided code diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely variable renaming and don't affect security aspects. Here's the analysis following your requested format:
Vulnerability Existed: no
No security vulnerability found
File: testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.gradient.interpolate.multiple.worker.js
Lines: 13-28
Old Code: var offscreenCanvas = new OffscreenCanvas(100, 50); var ctx = offscreenCanvas.getContext('2d'); offscreenCanvas.width = 200;
Fixed Code: var canvas = new OffscreenCanvas(100, 50); var ctx = canvas.getContext('2d'); canvas.width = 200;
The changes only involve:
1. Renaming 'offscreenCanvas' variable to 'canvas'
2. Updating all references to the renamed variable
3. No security-related changes in functionality or behavior
The rest of the changes are just updates to the variable name in the assertions, which don't impact security.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.isPointInPath.unclosed.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.isPointInPath.unclosed.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.moveTo(0, 0); ctx.lineTo(20, 0);
Based on the provided diff, I'll analyze it for potential security vulnerabilities:
1. Vulnerability Existed: no
No specific vulnerability found [File] testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.isPointInPath.unclosed.worker.js [Lines] 13-14
Old Code:
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
Fixed Code:
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
Additional details:
- The change appears to be purely a variable renaming from "offscreenCanvas" to "canvas"
- No security-related changes are evident in this diff
- The modification doesn't affect any security-sensitive operations or introduce/remove any security controls
- This seems to be a code style/readability improvement rather than a security fix
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/glean-core/src/upload/directory.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/glean-core/src/upload/directory.rs@@ -171,7 +171,7 @@ if let (Some(Ok(path)), Some(Ok(body)), Ok(metadata)) = (lines.next(), lines.next(), lines.next().transpose()) {- let headers = metadata.map(|m| process_metadata(&path, &m)).flatten();+ let headers = metadata.and_then(|m| process_metadata(&path, &m)); return Some((document_id.into(), path, body, headers)); } else { log::warn!(
Let me analyze the code diff for security vulnerabilities: Vulnerability Existed: yes Unwrapping Potential None Value [third_party/rust/glean-core/src/upload/directory.rs] [Lines 171] [Old Code] let headers = metadata.map(|m| process_metadata(&path, &m)).flatten(); [Fixed Code] let headers = metadata.and_then(|m| process_metadata(&path, &m)); Additional Details: The vulnerability here relates to improper handling of Option types. The old code used map().flatten() which could potentially panic if process_metadata returned None and then tried to flatten it. The fixed version uses and_then() which is the more idiomatic and safer way to handle this case in Rust, as it properly chains the Option operations without risking unwrapping a None value. While this might not be a direct security vulnerability in terms of remote exploitation, it could lead to application crashes (denial of service) if the None case wasn't properly handled elsewhere.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/gfx/webrender_bindings/WebRenderTypes.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/gfx/webrender_bindings/WebRenderTypes.h@@ -18,6 +18,7 @@ #include "mozilla/layers/LayersTypes.h" #include "mozilla/PodOperations.h" #include "mozilla/Range.h"+#include "mozilla/ScrollGeneration.h" #include "mozilla/TypeTraits.h" #include "Units.h" #include "nsIWidgetListener.h"@@ -889,6 +890,17 @@ } }+static inline wr::APZScrollGeneration ToWrAPZScrollGeneration(+ const mozilla::APZScrollGeneration& aGeneration) {+ return wr::APZScrollGeneration(aGeneration.Raw());+}++static inline wr::HasScrollLinkedEffect ToWrHasScrollLinkedEffect(+ bool aHasScrollLinkedEffect) {+ return aHasScrollLinkedEffect ? wr::HasScrollLinkedEffect::Yes+ : wr::HasScrollLinkedEffect::No;+}+ } // namespace wr } // namespace mozilla
Based on the provided diff, I'll analyze it for security vulnerabilities:
1. Vulnerability Existed: no
No specific vulnerability found [File] gfx/webrender_bindings/WebRenderTypes.h [Lines] 18, 889-900
[Old Code]
(No previous code for these specific functions)
[Fixed Code]
static inline wr::APZScrollGeneration ToWrAPZScrollGeneration(
const mozilla::APZScrollGeneration& aGeneration) {
return wr::APZScrollGeneration(aGeneration.Raw());
}
static inline wr::HasScrollLinkedEffect ToWrHasScrollLinkedEffect(
bool aHasScrollLinkedEffect) {
return aHasScrollLinkedEffect ? wr::HasScrollLinkedEffect::Yes
: wr::HasScrollLinkedEffect::No;
}
The changes appear to be adding new functionality (conversion functions for scroll generation and scroll-linked effects) rather than fixing security vulnerabilities. The changes include:
1. Adding a new include for ScrollGeneration.h
2. Adding two new inline conversion functions
There are no obvious security vulnerabilities being fixed here, just new feature additions. The changes seem to be related to improving scroll handling functionality in WebRender.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/the-offscreen-canvas/2d.getcontext.unique.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/the-offscreen-canvas/2d.getcontext.unique.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); var offscreenCanvas2 = new OffscreenCanvas(100, 50); _assertSame(offscreenCanvas2.getContext('2d'), offscreenCanvas2.getContext('2d'), "offscreenCanvas2.getContext('2d')", "offscreenCanvas2.getContext('2d')");
Let me analyze the code diff for potential security vulnerabilities:
Vulnerability Existed: no
Variable Renaming [File] [Lines 13-14]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
Additional Details:
This appears to be a simple variable renaming from 'offscreenCanvas' to 'canvas' for consistency or clarity. There are no security implications in this change, and no known vulnerability is being addressed. The functionality remains identical, only the variable name has changed. The rest of the test case continues to use 'offscreenCanvas2' for comparison purposes.
No other vulnerabilities or changes were detected in this diff.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/netwerk/test/unit/test_http3_fast_fallback.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/netwerk/test/unit/test_http3_fast_fallback.js@@ -37,7 +37,7 @@ trr_test_setup(); Services.prefs.setIntPref("network.trr.mode", 2); // TRR first- Services.prefs.setBoolPref("network.http.http3.enabled", true);+ Services.prefs.setBoolPref("network.http.http3.enable", true); Services.prefs.setIntPref("network.http.speculative-parallel-limit", 6); }@@ -50,7 +50,7 @@ Services.prefs.clearUserPref("network.dns.http3_echconfig.enabled"); Services.prefs.clearUserPref("network.dns.echconfig.fallback_to_origin"); Services.prefs.clearUserPref("network.dns.httpssvc.reset_exclustion_list");- Services.prefs.clearUserPref("network.http.http3.enabled");+ Services.prefs.clearUserPref("network.http.http3.enable"); Services.prefs.clearUserPref( "network.dns.httpssvc.http3_fast_fallback_timeout" );@@ -146,7 +146,7 @@ // backup connection is ready, the http transaction is still in pending // queue because the h3 connection is never ready to accept transactions. add_task(async function test_fast_fallback_with_speculative_connection() {- Services.prefs.setBoolPref("network.http.http3.enabled", true);+ Services.prefs.setBoolPref("network.http.http3.enable", true); Services.prefs.setCharPref("network.dns.localDomains", "foo.example.com"); // Set AltSvc to point to not existing HTTP3 server on port 443 Services.prefs.setCharPref(@@ -192,7 +192,7 @@ "network.trr.uri", `https://foo.example.com:${trrServer.port}/dns-query` );- Services.prefs.setBoolPref("network.http.http3.enabled", true);+ Services.prefs.setBoolPref("network.http.http3.enable", true); Services.prefs.setIntPref( "network.dns.httpssvc.http3_fast_fallback_timeout",@@ -281,7 +281,7 @@ "network.trr.uri", `https://foo.example.com:${trrServer.port}/dns-query` );- Services.prefs.setBoolPref("network.http.http3.enabled", true);+ Services.prefs.setBoolPref("network.http.http3.enable", true); Services.prefs.setIntPref( "network.dns.httpssvc.http3_fast_fallback_timeout",@@ -371,7 +371,7 @@ "network.trr.uri", `https://foo.example.com:${trrServer.port}/dns-query` );- Services.prefs.setBoolPref("network.http.http3.enabled", true);+ Services.prefs.setBoolPref("network.http.http3.enable", true); Services.prefs.setIntPref( "network.dns.httpssvc.http3_fast_fallback_timeout",@@ -476,7 +476,7 @@ "network.trr.uri", `https://foo.example.com:${trrServer.port}/dns-query` );- Services.prefs.setBoolPref("network.http.http3.enabled", true);+ Services.prefs.setBoolPref("network.http.http3.enable", true); Services.prefs.setIntPref( "network.dns.httpssvc.http3_fast_fallback_timeout",@@ -558,7 +558,7 @@ "network.trr.uri", `https://foo.example.com:${trrServer.port}/dns-query` );- Services.prefs.setBoolPref("network.http.http3.enabled", true);+ Services.prefs.setBoolPref("network.http.http3.enable", true); Services.prefs.setIntPref( "network.dns.httpssvc.http3_fast_fallback_timeout",@@ -629,7 +629,7 @@ "network.trr.uri", `https://foo.example.com:${trrServer.port}/dns-query` );- Services.prefs.setBoolPref("network.http.http3.enabled", true);+ Services.prefs.setBoolPref("network.http.http3.enable", true); // Disable fast fallback. Services.prefs.setIntPref(@@ -700,7 +700,7 @@ "network.trr.uri", `https://foo.example.com:${trrServer.port}/dns-query` );- Services.prefs.setBoolPref("network.http.http3.enabled", true);+ Services.prefs.setBoolPref("network.http.http3.enable", true); Services.prefs.setIntPref("network.http.speculative-parallel-limit", 6); Services.prefs.clearUserPref(@@ -795,7 +795,7 @@ "network.trr.uri", `https://foo.example.com:${trrServer.port}/dns-query` );- Services.prefs.setBoolPref("network.http.http3.enabled", true);+ Services.prefs.setBoolPref("network.http.http3.enable", true); Services.prefs.setIntPref("network.http.speculative-parallel-limit", 6); Services.prefs.clearUserPref(@@ -857,7 +857,7 @@ "network.trr.uri", `https://foo.example.com:${trrServer.port}/dns-query` );- Services.prefs.setBoolPref("network.http.http3.enabled", true);+ Services.prefs.setBoolPref("network.http.http3.enable", true); Services.prefs.setIntPref( "network.dns.httpssvc.http3_fast_fallback_timeout",
Here's the analysis of the provided code diff:
Vulnerability Existed: no
[Preference Name Correction] [netwerk/test/unit/test_http3_fast_fallback.js] [Multiple lines throughout file]
[Old Code]
Services.prefs.setBoolPref("network.http.http3.enabled", true);
[Fixed Code]
Services.prefs.setBoolPref("network.http.http3.enable", true);
Additional Details:
The diff shows a consistent change throughout the file where the preference name is corrected from "network.http.http3.enabled" to "network.http.http3.enable". This appears to be a configuration correction rather than a security fix. The change is made in multiple locations (lines 37, 50, 146, 192, 281, 371, 476, 558, 629, 700, 795, and 857) where the preference is either set or cleared. There's no indication of a security vulnerability being fixed - it's simply a correction of the preference name to match the intended configuration setting.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.