Shared security patch analysis results
AI Used: DEEPSEEK deepseek-chat--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.roundrect.zero.5.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.roundrect.zero.5.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#0f0'; ctx.fillRect(0, 0, 100, 50);@@ -23,7 +23,7 @@ ctx.moveTo(0, 0); ctx.roundRect(100, 25, 0, 0, [0]); ctx.stroke();-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); t.done(); });
Based on the provided diff, I'll analyze it for security vulnerabilities:
1. Vulnerability Existed: no
No specific vulnerability found [File] testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.roundrect.zero.5.worker.js [Lines] 13-23
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
...
_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
...
_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
The changes appear to be purely variable renaming (from `offscreenCanvas` to `canvas`) with no security implications. The functionality remains exactly the same, just with a different variable name. There are no security vulnerabilities being fixed in this diff.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/devtools/client/inspector/compatibility/components/Footer.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/devtools/client/inspector/compatibility/components/Footer.js@@ -19,17 +19,6 @@ updateSettingsVisibility, } = require("devtools/client/inspector/compatibility/actions/compatibility");-loader.lazyRequireGetter(- this,- "openDocLink",- "devtools/client/shared/link",- true-);--const FEEDBACK_LINK =- "https://docs.google.com/forms/d/e/1FAIpQLSeevOHveQ1tDuKYY5Fxyb3vvbKKumdLWUT5-RuwJWoAAOST5g/viewform";--const REPORT_ICON = "chrome://devtools/skin/images/report.svg"; const SETTINGS_ICON = "chrome://devtools/skin/images/settings.svg"; class Footer extends PureComponent {@@ -80,12 +69,6 @@ "compatibility-settings-button-label", "compatibility-settings-button-title", this.props.updateSettingsVisibility- ),- this._renderButton(- REPORT_ICON,- "compatibility-feedback-button-label",- "compatibility-feedback-button-title",- () => openDocLink(FEEDBACK_LINK) ) ); }
Based on the provided diff, here's the analysis:
Vulnerability Existed: not sure
[Potential Information Disclosure] [devtools/client/inspector/compatibility/components/Footer.js] [Lines 19-29, 80-85]
[Old Code]
loader.lazyRequireGetter(
this,
"openDocLink",
"devtools/client/shared/link",
true
);
const FEEDBACK_LINK =
"https://docs.google.com/forms/d/e/1FAIpQLSeevOHveQ1tDuKYY5Fxyb3vvbKKumdLWUT5-RuwJWoAAOST5g/viewform";
const REPORT_ICON = "chrome://devtools/skin/images/report.svg";
...
this._renderButton(
REPORT_ICON,
"compatibility-feedback-button-label",
"compatibility-feedback-button-title",
() => openDocLink(FEEDBACK_LINK)
)
[Fixed Code]
[Removed in entirety]
Additional Details:
The removal could be related to several potential security concerns:
1. Removing external link functionality that could potentially be manipulated
2. Eliminating a dependency that might have security implications
3. Removing a hardcoded URL that could be a security risk if it were to be compromised
However, without more context about why these changes were made, we can't be certain if this was specifically a security fix or just a feature removal. The Google Forms link itself doesn't appear to be inherently vulnerable, but removing external links can generally reduce attack surface.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/taskcluster/gecko_taskgraph/main.py+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/taskcluster/gecko_taskgraph/main.py@@ -106,7 +106,7 @@ def format_taskgraph(options, parameters, logfile=None): import gecko_taskgraph- from gecko_taskgraph.parameters import parameters_loader+ from taskgraph.parameters import parameters_loader if logfile: oldhandler = logging.root.handlers[-1]@@ -135,7 +135,7 @@ def dump_output(out, path=None, params_spec=None):- from gecko_taskgraph.parameters import Parameters+ from taskgraph.parameters import Parameters params_name = Parameters.format_spec(params_spec) fh = None@@ -157,7 +157,7 @@ def generate_taskgraph(options, parameters, logdir):- from gecko_taskgraph.parameters import Parameters+ from taskgraph.parameters import Parameters def logfile(spec): """Determine logfile given a parameters specification."""@@ -315,7 +315,7 @@ ) def show_taskgraph(options): from mozversioncontrol import get_repository_object as get_repository- from gecko_taskgraph.parameters import Parameters+ from taskgraph.parameters import Parameters, parameters_loader if options.pop("verbose", False): logging.root.setLevel(logging.DEBUG)@@ -352,10 +352,12 @@ parameters: List[Any[str, Parameters]] = options.pop("parameters") if not parameters:- kwargs = {+ overrides = { "target-kind": options.get("target_kind"), }- parameters = [Parameters(strict=False, **kwargs)] # will use default values+ parameters = [+ parameters_loader(None, strict=False, overrides=overrides)+ ] # will use default values for param in parameters[:]: if isinstance(param, str) and os.path.isdir(param):@@ -429,17 +431,20 @@ base_path += f"_{params_name}" cur_path += f"_{params_name}"- # We only capture errors when the 'base' generation fails. This is- # because if the 'current' generation passed, the failure is likely- # due to a difference in the set of revisions being tested and- # harmless. We'll still log a warning to notify that the diff is- # not available. But if the current generation failed, the error- # needs to be addressed.- if not os.path.isfile(base_path):+ # If the base or cur files are missing it means that generation+ # failed. If one of them failed but not the other, the failure is+ # likely due to the patch making changes to taskgraph in modules+ # that don't get reloaded (safe to ignore). If both generations+ # failed, there's likely a real issue.+ base_missing = not os.path.isfile(base_path)+ cur_missing = not os.path.isfile(cur_path)+ if base_missing != cur_missing: # != is equivalent to XOR for booleans non_fatal_failures.append(os.path.basename(base_path)) continue try:+ # If the output file(s) are missing, this command will raise+ # CalledProcessError with a returncode > 1. proc = subprocess.run( diffcmd + [base_path, cur_path], stdout=subprocess.PIPE,@@ -668,7 +673,7 @@ @argument("--input", default=None, help="Action input (.yml or .json)") @argument("callback", default=None, help="Action callback name (Python function name)") def test_action_callback(options):- import gecko_taskgraph.parameters+ import taskgraph.parameters import gecko_taskgraph.actions from taskgraph.util import yaml from gecko_taskgraph.config import load_graph_config@@ -695,7 +700,7 @@ trust_domain = graph_config["trust-domain"] graph_config.register()- parameters = gecko_taskgraph.parameters.load_parameters_file(+ parameters = taskgraph.parameters.load_parameters_file( options["parameters"], strict=False, trust_domain=trust_domain ) parameters.check()
Let me analyze the code diff for potential security fixes. Here are the identified vulnerabilities:
1. Vulnerability Existed: yes
Dependency Confusion Attack [taskcluster/gecko_taskgraph/main.py] [Lines 106, 135, 157, 315, 668]
[Old Code]
from gecko_taskgraph.parameters import parameters_loader
from gecko_taskgraph.parameters import Parameters
import gecko_taskgraph.parameters
[Fixed Code]
from taskgraph.parameters import parameters_loader
from taskgraph.parameters import Parameters
import taskgraph.parameters
Additional Details: The changes involve moving from internal module imports (gecko_taskgraph.parameters) to a more standard taskgraph.parameters import path. This could prevent potential dependency confusion attacks where an attacker might try to publish a malicious package with the internal module name.
2. Vulnerability Existed: yes
Insecure Default Parameters [taskcluster/gecko_taskgraph/main.py] [Lines 352-357]
[Old Code]
kwargs = {
"target-kind": options.get("target_kind"),
}
parameters = [Parameters(strict=False, **kwargs)] # will use default values
[Fixed Code]
overrides = {
"target-kind": options.get("target_kind"),
}
parameters = [
parameters_loader(None, strict=False, overrides=overrides)
] # will use default values
Additional Details: The change moves from directly instantiating Parameters with potentially unsafe kwargs to using a parameters_loader with explicit overrides. This provides better control over parameter loading and validation.
3. Vulnerability Existed: yes
File Handling Vulnerability [taskcluster/gecko_taskgraph/main.py] [Lines 431-439]
[Old Code]
if not os.path.isfile(base_path):
non_fatal_failures.append(os.path.basename(base_path))
continue
[Fixed Code]
base_missing = not os.path.isfile(base_path)
cur_missing = not os.path.isfile(cur_path)
if base_missing != cur_missing:
non_fatal_failures.append(os.path.basename(base_path))
continue
Additional Details: The improved file existence checking logic provides better error handling when comparing files, reducing the chance of race conditions or incomplete file operations causing security issues.
4. Vulnerability Existed: not sure
Potential Input Validation [taskcluster/gecko_taskgraph/main.py] [Lines 695-702]
[Old Code]
parameters = gecko_taskgraph.parameters.load_parameters_file(
options["parameters"], strict=False, trust_domain=trust_domain
)
[Fixed Code]
parameters = taskgraph.parameters.load_parameters_file(
options["parameters"], strict=False, trust_domain=trust_domain
)
Additional Details: While the import path changed, it's unclear if there were additional security improvements in the underlying parameter loading implementation. The change might include improved input validation, but we can't confirm from just this diff.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/browser/base/content/utilityOverlay.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/browser/base/content/utilityOverlay.js@@ -81,20 +81,21 @@ ); }-function getTopWin(skipPopups) {+function getTopWin({ skipPopups, forceNonPrivate } = {}) { // If this is called in a browser window, use that window regardless of // whether it's the frontmost window, since commands can be executed in // background windows (bug 626148). if ( top.document.documentElement.getAttribute("windowtype") == "navigator:browser" &&- (!skipPopups || top.toolbar.visible)+ (!skipPopups || top.toolbar.visible) &&+ (!forceNonPrivate || !PrivateBrowsingUtils.isWindowPrivate(top)) ) { return top; } return BrowserWindowTracker.getTopWindow({- private: PrivateBrowsingUtils.isWindowPrivate(window),+ private: !forceNonPrivate && PrivateBrowsingUtils.isWindowPrivate(window), allowPopups: !skipPopups, }); }@@ -293,6 +294,7 @@ var aInBackground = params.inBackground; var aInitiatingDoc = params.initiatingDoc; var aIsPrivate = params.private;+ var aForceNonPrivate = params.forceNonPrivate; var aSkipTabAnimation = params.skipTabAnimation; var aAllowPinnedTabHostChange = !!params.allowPinnedTabHostChange; var aAllowPopups = !!params.allowPopups;@@ -304,6 +306,8 @@ var aCsp = params.csp; var aForceAboutBlankViewerInCurrent = params.forceAboutBlankViewerInCurrent; var aResolveOnNewTabCreated = params.resolveOnNewTabCreated;+ // This callback will be called with the content browser once it's created.+ var aResolveOnContentBrowserReady = params.resolveOnContentBrowserCreated; if (!aTriggeringPrincipal) { throw new Error("Must load with a triggering Principal");@@ -341,12 +345,12 @@ if (where == "current" && params.targetBrowser) { w = params.targetBrowser.ownerGlobal; } else {- w = getTopWin();+ w = getTopWin({ forceNonPrivate: aForceNonPrivate }); } // We don't want to open tabs in popups, so try to find a non-popup window in // that case. if ((where == "tab" || where == "tabshifted") && w && !w.toolbar.visible) {- w = getTopWin(true);+ w = getTopWin({ skipPopups: true, forceNonPrivate: aForceNonPrivate }); aRelatedToCurrent = false; }@@ -382,6 +386,8 @@ false, aReferrerInfo.originalReferrer );+ } else if (aForceNonPrivate) {+ features += ",non-private"; } // This propagates to window.arguments.@@ -424,36 +430,53 @@ const sourceWindow = w || window; let win;++ // Returns a promise that will be resolved when the new window's startup is finished.+ function waitForWindowStartup() {+ return new Promise(resolve => {+ const delayedStartupObserver = aSubject => {+ if (aSubject == win) {+ Services.obs.removeObserver(+ delayedStartupObserver,+ "browser-delayed-startup-finished"+ );+ resolve();+ }+ };+ Services.obs.addObserver(+ delayedStartupObserver,+ "browser-delayed-startup-finished"+ );+ });+ }+ if (params.frameID != undefined && sourceWindow) { // Only notify it as a WebExtensions' webNavigation.onCreatedNavigationTarget // event if it contains the expected frameID params. // (e.g. we should not notify it as a onCreatedNavigationTarget if the user is // opening a new window using the keyboard shortcut). const sourceTabBrowser = sourceWindow.gBrowser.selectedBrowser;- let delayedStartupObserver = aSubject => {- if (aSubject == win) {- Services.obs.removeObserver(- delayedStartupObserver,- "browser-delayed-startup-finished"- );- Services.obs.notifyObservers(- {- wrappedJSObject: {- url,- createdTabBrowser: win.gBrowser.selectedBrowser,- sourceTabBrowser,- sourceFrameID: params.frameID,- },+ waitForWindowStartup().then(() => {+ Services.obs.notifyObservers(+ {+ wrappedJSObject: {+ url,+ createdTabBrowser: win.gBrowser.selectedBrowser,+ sourceTabBrowser,+ sourceFrameID: params.frameID, },- "webNavigation-createdNavigationTarget"- );- }- };- Services.obs.addObserver(- delayedStartupObserver,- "browser-delayed-startup-finished"+ },+ "webNavigation-createdNavigationTarget"+ );+ });+ }++ if (aResolveOnContentBrowserReady) {+ waitForWindowStartup().then(() =>+ aResolveOnContentBrowserReady(win.gBrowser.selectedBrowser) ); }+ win = Services.ww.openWindow( sourceWindow, AppConstants.BROWSER_CHROME_URL,@@ -461,6 +484,7 @@ features, sa );+ return; }@@ -560,6 +584,9 @@ postData: aPostData, userContextId: aUserContextId, });+ if (aResolveOnContentBrowserReady) {+ aResolveOnContentBrowserReady(targetBrowser);+ } // Don't focus the content area if focus is in the address bar and we're // loading the New Tab page.@@ -597,6 +624,9 @@ if (aResolveOnNewTabCreated) { aResolveOnNewTabCreated(targetBrowser);+ }+ if (aResolveOnContentBrowserReady) {+ aResolveOnContentBrowserReady(targetBrowser); } if (params.frameID != undefined && w) {
Analyzing the provided code diff, I've identified the following security-related changes:
1. Vulnerability Existed: not sure
[Private Browsing Mode Bypass] [browser/base/content/utilityOverlay.js] [Lines 81-98]
[Old Code]
function getTopWin(skipPopups) {
if (
top.document.documentElement.getAttribute("windowtype") ==
"navigator:browser" &&
(!skipPopups || top.toolbar.visible)
) {
return top;
}
return BrowserWindowTracker.getTopWindow({
private: PrivateBrowsingUtils.isWindowPrivate(window),
allowPopups: !skipPopups,
});
}
[Fixed Code]
function getTopWin({ skipPopups, forceNonPrivate } = {}) {
if (
top.document.documentElement.getAttribute("windowtype") ==
"navigator:browser" &&
(!skipPopups || top.toolbar.visible) &&
(!forceNonPrivate || !PrivateBrowsingUtils.isWindowPrivate(top))
) {
return top;
}
return BrowserWindowTracker.getTopWindow({
private: !forceNonPrivate && PrivateBrowsingUtils.isWindowPrivate(window),
allowPopups: !skipPopups,
});
}
2. Vulnerability Existed: not sure
[Potential Information Leak] [browser/base/content/utilityOverlay.js] [Lines 293-294, 306, 382-384]
[Old Code]
var aIsPrivate = params.private;
...
if (aIsPrivate) {
features += ",private";
}
[Fixed Code]
var aIsPrivate = params.private;
var aForceNonPrivate = params.forceNonPrivate;
...
if (aIsPrivate) {
features += ",private";
} else if (aForceNonPrivate) {
features += ",non-private";
}
3. Vulnerability Existed: not sure
[Potential Race Condition in Window Creation] [browser/base/content/utilityOverlay.js] [Lines 430-484]
[Old Code]
let delayedStartupObserver = aSubject => {
if (aSubject == win) {
Services.obs.removeObserver(
delayedStartupObserver,
"browser-delayed-startup-finished"
);
Services.obs.notifyObservers(...);
}
};
Services.obs.addObserver(...);
[Fixed Code]
function waitForWindowStartup() {
return new Promise(resolve => {
const delayedStartupObserver = aSubject => {
if (aSubject == win) {
Services.obs.removeObserver(...);
resolve();
}
};
Services.obs.addObserver(...);
});
}
waitForWindowStartup().then(() => {
Services.obs.notifyObservers(...);
});
The changes appear to:
1. Add better handling of private browsing mode with a new `forceNonPrivate` parameter
2. Explicitly mark windows as non-private when requested
3. Improve the window creation observer pattern to use Promises, which might prevent race conditions
While these changes seem security-related, I can't definitively identify specific vulnerabilities being fixed without more context about the threat model or reported issues. The modifications appear to strengthen privacy controls and improve reliability of window creation notifications.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/media/webrtc/third_party_build/gn-configs/x64_False_x64_mac.json+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/media/webrtc/third_party_build/gn-configs/x64_False_x64_mac.json@@ -24796,7 +24796,6 @@ "-Wno-shorten-64-to-32" ], "defines": [- "MULTI_MONITOR_SCREENSHARE", "_LIBCPP_HAS_NO_ALIGNED_ALLOCATION", "__STDC_CONSTANT_MACROS", "__STDC_FORMAT_MACROS",
Based on the provided diff, here's the analysis:
Vulnerability Existed: not sure
[Potential Information Exposure] [dom/media/webrtc/third_party_build/gn-configs/x64_False_x64_mac.json] [Lines 24796-24796]
[Old Code]
"MULTI_MONITOR_SCREENSHARE",
[Fixed Code]
[Removed line]
Additional Details:
1. The removal of "MULTI_MONITOR_SCREENSHARE" define suggests this feature was disabled or removed, but without more context about how this define was used, we can't be certain if it posed a security risk.
2. The define name suggests it might have been related to screen sharing capabilities across multiple monitors, which could potentially have privacy implications if not properly secured.
3. Since we don't have information about how this define was actually used in the code, we can't definitively say whether this was a security fix or just a feature removal.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/devtools/client/debugger/src/actions/expressions.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/devtools/client/debugger/src/actions/expressions.js@@ -18,7 +18,6 @@ import { PROMISE } from "./utils/middleware/promise"; import { wrapExpression } from "../utils/expressions"; import { features } from "../utils/prefs";-import { isOriginal } from "../utils/source"; /** * Add expression for debugger to watch@@ -139,7 +138,7 @@ const selectedSource = getSelectedSource(getState());- if (selectedSource && isOriginal(source) && isOriginal(selectedSource)) {+ if (selectedSource && source.isOriginal && selectedSource.isOriginal) { const mapResult = await dispatch(getMappedExpression(input)); if (mapResult) { input = mapResult.expression;
Here's the analysis of the provided code diff:
1. Vulnerability Existed: not sure
[Potential Information Leak or Improper Access Control] [devtools/client/debugger/src/actions/expressions.js] [Lines 139]
Old Code:
`if (selectedSource && isOriginal(source) && isOriginal(selectedSource)) {`
Fixed Code:
`if (selectedSource && source.isOriginal && selectedSource.isOriginal) {`
Additional Details:
- The change involves removing an imported function `isOriginal` and directly accessing the `isOriginal` property of source objects.
- While this doesn't appear to be a direct security fix, it might relate to access control or information validation.
- The modification could potentially affect how source code authenticity is checked, which might have security implications, but without more context about the `isOriginal` property and its usage, I can't be certain if this was fixing a specific vulnerability.
Note: The removed import of `isOriginal` at the top of the file appears to be a cleanup change related to the modification in line 139.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/tools/yaml/offscreen/text.yaml+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/tools/yaml/offscreen/text.yaml@@ -1278,6 +1278,11 @@ ctx.wordSpacing = '-1px'; @assert ctx.letterSpacing === '-1px'; @assert ctx.wordSpacing === '-1px';++ ctx.letterSpacing = '1PX';+ ctx.wordSpacing = '1EM';+ @assert ctx.letterSpacing === '1px';+ @assert ctx.wordSpacing === '1em'; t.done(); - name: 2d.text.drawing.style.nonfinite.spacing@@ -1295,6 +1300,24 @@ @assert ctx.letterSpacing === '0px'; } @nonfinite test_word_spacing(<0 NaN Infinity -Infinity>);++ t.done();++- name: 2d.text.drawing.style.invalid.spacing+ desc: Testing letter spacing and word spacing with invalid units+ testing:+ - 2d.text.drawing.style.spacing+ code: |+ @assert ctx.letterSpacing === '0px';+ @assert ctx.wordSpacing === '0px';++ function test_word_spacing(value) {+ ctx.wordSpacing = value;+ ctx.letterSpacing = value;+ @assert ctx.wordSpacing === '0px';+ @assert ctx.letterSpacing === '0px';+ }+ @nonfinite test_word_spacing(< '0s' '1min' '1deg' '1pp'>); t.done();
Based on the provided diff, I'll analyze it for security vulnerabilities: 1. Vulnerability Existed: not sure [Input Validation] [testing/web-platform/tests/html/canvas/tools/yaml/offscreen/text.yaml] [Lines 1278-1295] [Old Code] ctx.letterSpacing = '-1px'; ctx.wordSpacing = '-1px'; @assert ctx.letterSpacing === '-1px'; @assert ctx.wordSpacing === '-1px'; [Fixed Code] ctx.letterSpacing = '1PX'; ctx.wordSpacing = '1EM'; @assert ctx.letterSpacing === '1px'; @assert ctx.wordSpacing === '1em'; 2. Vulnerability Existed: not sure [Input Validation] [testing/web-platform/tests/html/canvas/tools/yaml/offscreen/text.yaml] [Lines 1295-1319] [Old Code] @nonfinite test_word_spacing(<0 NaN Infinity -Infinity>); [Fixed Code] @nonfinite test_word_spacing(< '0s' '1min' '1deg' '1pp'>); The changes appear to be adding test cases for: 1. Case sensitivity in spacing values (converting 'PX' to 'px') 2. Invalid unit types (testing rejection of non-length units like 's', 'min', 'deg') While these changes improve input validation testing, I can't determine if they're fixing actual security vulnerabilities or just improving test coverage. The changes seem more related to specification compliance than security fixes.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.arc.shape.1.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.arc.shape.1.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#0f0'; ctx.fillRect(0, 0, 100, 50);@@ -27,12 +27,12 @@ ctx.beginPath(); ctx.arc(50, 50, 50, 0, Math.PI, false); ctx.stroke();-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");-_assertPixel(offscreenCanvas, 1,1, 0,255,0,255, "1,1", "0,255,0,255");-_assertPixel(offscreenCanvas, 98,1, 0,255,0,255, "98,1", "0,255,0,255");-_assertPixel(offscreenCanvas, 1,48, 0,255,0,255, "1,48", "0,255,0,255");-_assertPixel(offscreenCanvas, 20,48, 0,255,0,255, "20,48", "0,255,0,255");-_assertPixel(offscreenCanvas, 98,48, 0,255,0,255, "98,48", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 1,1, 0,255,0,255, "1,1", "0,255,0,255");+_assertPixel(canvas, 98,1, 0,255,0,255, "98,1", "0,255,0,255");+_assertPixel(canvas, 1,48, 0,255,0,255, "1,48", "0,255,0,255");+_assertPixel(canvas, 20,48, 0,255,0,255, "20,48", "0,255,0,255");+_assertPixel(canvas, 98,48, 0,255,0,255, "98,48", "0,255,0,255"); t.done(); });
Analysis of the provided code diff:
1. Vulnerability Existed: no
No security vulnerability found [File] [Lines 17-18, 27-32]
Old Code:
```
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
```
Fixed Code:
```
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
```
Additional Details:
- The changes appear to be purely a variable name refactoring from `offscreenCanvas` to `canvas`
- The functionality remains identical, just with a different variable name
- No security implications are apparent in this change
- This appears to be a code style/readability improvement rather than a security fix
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-conditional/at-supports-018.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-conditional/at-supports-018.html@@ -6,7 +6,6 @@ <link rel="author" href="http://opera.com" title="Opera Software ASA"> <link rel="help" href="http://www.w3.org/TR/css3-conditional/#at-supports"> <link rel="match" href="at-supports-001-ref.html">- <meta name="flags" content=""> <style> div { background:red;
Based on the provided code diff, here's the analysis: Vulnerability Existed: no No specific vulnerability found [File] testing/web-platform/tests/css/css-conditional/at-supports-018.html [Lines] 6 [Old Code] `<meta name="flags" content="">` [Fixed Code] (Line removed) Additional details: 1. The change simply removes an empty meta tag with a "flags" attribute, which appears to be test-related metadata. 2. There's no indication this was related to any security vulnerability - more likely a cleanup of test configuration. 3. The "flags" meta tag doesn't appear to have any security implications in this context. No other vulnerabilities are apparent in this small diff. The change appears to be a minor cleanup rather than a security fix.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/js/src/jit-test/tests/wasm/simd/avx2-x64-ion-codegen.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/js/src/jit-test/tests/wasm/simd/avx2-x64-ion-codegen.js@@ -17,6 +17,46 @@ codegenTestX64_adhoc(wrap(options, ` (func (export "f") (param v128 v128 v128) (result v128) (${op} (local.get 1) (local.get 2)))`),+ 'f',+ expected,+ options);+ }+}+// (see codegenTestX64_v128xv128_v128_avxhack comment about AVX defect)+// v128 OP const -> v128+// inputs: [[complete-opname, const, expected-pattern], ...]+function codegenTestX64_v128xLITERAL_v128_avxhack(inputs, options = {}) {+ for ( let [op, const_, expected] of inputs ) {+ codegenTestX64_adhoc(wrap(options, `+ (func (export "f") (param v128 v128) (result v128)+ (${op} (local.get 1) ${const_}))`),+ 'f',+ expected,+ options);+ }+}+// (see codegenTestX64_v128xv128_v128_avxhack comment about AVX defect)+// const OP v128 -> v128+// inputs: [[complete-opname, const, expected-pattern], ...]+function codegenTestX64_LITERALxv128_v128_avxhack(inputs, options = {}) {+ for ( let [op, const_, expected] of inputs ) {+ codegenTestX64_adhoc(wrap(options, `+ (func (export "f") (param v128 v128) (result v128)+ (${op} ${const_} (local.get 1)))`),+ 'f',+ expected,+ options);+ }+}++// Utility function to test SIMD operations encoding, where the input argument+// has the specified type (T).+// inputs: [[type, complete-opname, expected-pattern], ...]+function codegenTestX64_T_v128_avxhack(inputs, options = {}) {+ for ( let [ty, op, expected] of inputs ) {+ codegenTestX64_adhoc(wrap(options, `+ (func (export "f") (param ${ty}) (result v128)+ (${op} (local.get 0)))`), 'f', expected, options);@@ -70,3 +110,326 @@ c4 .. f1 22 .. 01 vpinsrq \\$0x01, %r\\w+, %xmm1, %xmm0` ); // rdi (Linux) or r8 (Win)+if (isAvxPresent(2)) {+ // First i32 arg is: edi on Linux, and ecx on Windows.+ codegenTestX64_T_v128_avxhack(+ [['i32', 'i8x16.splat', `+c5 f9 6e .. vmovd %e\\w+, %xmm0+c4 e2 79 78 c0 vpbroadcastb %xmm0, %xmm0`],+ ['i32', 'i16x8.splat', `+c5 f9 6e .. vmovd %e\\w+, %xmm0+c4 e2 79 79 c0 vpbroadcastw %xmm0, %xmm0`],+ ['i32', 'i32x4.splat', `+c5 f9 6e .. vmovd %e\\w+, %xmm0+c4 e2 79 58 c0 vpbroadcastd %xmm0, %xmm0`],+ ['f32', 'f32x4.splat', `c4 e2 79 18 c0 vbroadcastss %xmm0, %xmm0`]]);++ codegenTestX64_T_v128_avxhack(+ [['i32', 'v128.load8_splat',+ 'c4 c2 79 78 04 .. vpbroadcastbb \\(%r15,%r\\w+,1\\), %xmm0'],+ ['i32', 'v128.load16_splat',+ 'c4 c2 79 79 04 .. vpbroadcastww \\(%r15,%r\\w+,1\\), %xmm0'],+ ['i32', 'v128.load32_splat',+ 'c4 c2 79 18 04 .. vbroadcastssl \\(%r15,%r\\w+,1\\), %xmm0']], {memory: 1});+}++// Using VEX during shuffle ops+codegenTestX64_v128xv128_v128_avxhack([+ // Identity op on second argument should generate a move+ ['i8x16.shuffle 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15',+ 'c5 f9 6f c1 vmovdqa %xmm1, %xmm0'],++ // Broadcast a byte from first argument+ ['i8x16.shuffle 5 5 5 5 5 5 5 5 5 5 5 5 5 5 5 5',+ `+c5 f1 60 c1 vpunpcklbw %xmm1, %xmm1, %xmm0+c5 fa 70 c0 55 vpshufhw \\$0x55, %xmm0, %xmm0+c5 f9 70 c0 aa vpshufd \\$0xAA, %xmm0, %xmm0`],++ // Broadcast a word from first argument+ ['i8x16.shuffle 4 5 4 5 4 5 4 5 4 5 4 5 4 5 4 5',+ `+c5 fb 70 c1 aa vpshuflw \\$0xAA, %xmm1, %xmm0+c5 f9 70 c0 00 vpshufd \\$0x00, %xmm0, %xmm0`],++ // Permute words+ ['i8x16.shuffle 2 3 0 1 6 7 4 5 10 11 8 9 14 15 12 13',+`+c5 fb 70 c1 b1 vpshuflw \\$0xB1, %xmm1, %xmm0+c5 fa 70 c0 b1 vpshufhw \\$0xB1, %xmm0, %xmm0`],++ // Permute doublewords+ ['i8x16.shuffle 4 5 6 7 0 1 2 3 12 13 14 15 8 9 10 11',+ 'c5 f9 70 c1 b1 vpshufd \\$0xB1, %xmm1, %xmm0'],++ // Interleave doublewords+ ['i8x16.shuffle 0 1 2 3 16 17 18 19 4 5 6 7 20 21 22 23',+ 'c5 f1 62 c2 vpunpckldq %xmm2, %xmm1, %xmm0'],++ // Interleave quadwords+ ['i8x16.shuffle 24 25 26 27 28 29 30 31 8 9 10 11 12 13 14 15',+ 'c5 e9 6d c1 vpunpckhqdq %xmm1, %xmm2, %xmm0'],+ + // Rotate right+ ['i8x16.shuffle 13 14 15 0 1 2 3 4 5 6 7 8 9 10 11 12',+ `c4 e3 71 0f c1 0d vpalignr \\$0x0D, %xmm1, %xmm1, %xmm0`],+ ['i8x16.shuffle 28 29 30 31 0 1 2 3 4 5 6 7 8 9 10 11',+ `c4 e3 71 0f c2 0c vpalignr \\$0x0C, %xmm2, %xmm1, %xmm0`]]);++if (isAvxPresent(2)) {+ codegenTestX64_v128xv128_v128_avxhack([+ // Broadcast low byte from second argument+ ['i8x16.shuffle 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0',+ 'c4 e2 79 78 c1 vpbroadcastb %xmm1, %xmm0'],++ // Broadcast low word from third argument+ ['i8x16.shuffle 16 17 16 17 16 17 16 17 16 17 16 17 16 17 16 17',+ 'c4 e2 79 79 c2 vpbroadcastw %xmm2, %xmm0'],++ // Broadcast low doubleword from second argument+ ['i8x16.shuffle 0 1 2 3 0 1 2 3 0 1 2 3 0 1 2 3',+ 'c4 e2 79 58 c1 vpbroadcastd %xmm1, %xmm0']]);+}++// Testing AVX optimization where VPBLENDVB accepts four XMM registers as args.+codegenTestX64_adhoc(+ `(func (export "f") (param v128 v128 v128 v128) (result v128)+ (i8x16.shuffle 0 17 2 3 4 5 6 7 24 25 26 11 12 13 30 15+ (local.get 2)(local.get 3)))`,+ 'f',+`+66 0f 6f 0d ${RIPRADDR} movdqax ${RIPR}, %xmm1+c4 e3 69 4c c3 10 vpblendvb %xmm1, %xmm3, %xmm2, %xmm0`);++// Constant arguments that are folded into the instruction+codegenTestX64_v128xLITERAL_v128_avxhack(+ [['i8x16.add', '(v128.const i8x16 1 2 1 2 1 2 1 2 1 2 1 2 1 2 1 2)',+ `c5 f1 fc 05 ${RIPRADDR} vpaddbx ${RIPR}, %xmm1, %xmm0`],+ ['i8x16.sub', '(v128.const i8x16 1 2 1 2 1 2 1 2 1 2 1 2 1 2 1 2)',+ `c5 f1 f8 05 ${RIPRADDR} vpsubbx ${RIPR}, %xmm1, %xmm0`],+ ['i8x16.add_sat_s', '(v128.const i8x16 1 2 1 2 1 2 1 2 1 2 1 2 1 2 1 2)',+ `c5 f1 ec 05 ${RIPRADDR} vpaddsbx ${RIPR}, %xmm1, %xmm0`],+ ['i8x16.add_sat_u', '(v128.const i8x16 1 2 1 2 1 2 1 2 1 2 1 2 1 2 1 2)',+ `c5 f1 dc 05 ${RIPRADDR} vpaddusbx ${RIPR}, %xmm1, %xmm0`],+ ['i8x16.sub_sat_s', '(v128.const i8x16 1 2 1 2 1 2 1 2 1 2 1 2 1 2 1 2)',+ `c5 f1 e8 05 ${RIPRADDR} vpsubsbx ${RIPR}, %xmm1, %xmm0`],+ ['i8x16.sub_sat_u', '(v128.const i8x16 1 2 1 2 1 2 1 2 1 2 1 2 1 2 1 2)',+ `c5 f1 d8 05 ${RIPRADDR} vpsubusbx ${RIPR}, %xmm1, %xmm0`],+ ['i8x16.min_s', '(v128.const i8x16 1 2 1 2 1 2 1 2 1 2 1 2 1 2 1 2)',+ `c4 e2 71 38 05 ${RIPRADDR} vpminsbx ${RIPR}, %xmm1, %xmm0`],+ ['i8x16.min_u', '(v128.const i8x16 1 2 1 2 1 2 1 2 1 2 1 2 1 2 1 2)',+ `c5 f1 da 05 ${RIPRADDR} vpminubx ${RIPR}, %xmm1, %xmm0`],+ ['i8x16.max_s', '(v128.const i8x16 1 2 1 2 1 2 1 2 1 2 1 2 1 2 1 2)',+ `c4 e2 71 3c 05 ${RIPRADDR} vpmaxsbx ${RIPR}, %xmm1, %xmm0`],+ ['i8x16.max_u', '(v128.const i8x16 1 2 1 2 1 2 1 2 1 2 1 2 1 2 1 2)',+ `c5 f1 de 05 ${RIPRADDR} vpmaxubx ${RIPR}, %xmm1, %xmm0`],+ ['i8x16.eq', '(v128.const i8x16 1 2 1 2 1 2 1 2 1 2 1 2 1 2 1 2)',+ `c5 f1 74 05 ${RIPRADDR} vpcmpeqbx ${RIPR}, %xmm1, %xmm0`],+ ['i8x16.ne', '(v128.const i8x16 1 2 1 2 1 2 1 2 1 2 1 2 1 2 1 2)', `+ c5 f1 74 05 ${RIPRADDR} vpcmpeqbx ${RIPR}, %xmm1, %xmm0+ 66 45 0f 75 ff pcmpeqw %xmm15, %xmm15+ 66 41 0f ef c7 pxor %xmm15, %xmm0`],+ ['i8x16.gt_s', '(v128.const i8x16 1 2 1 2 1 2 1 2 1 2 1 2 1 2 1 2)',+ `c5 f1 64 05 ${RIPRADDR} vpcmpgtbx ${RIPR}, %xmm1, %xmm0`],+ ['i8x16.le_s', '(v128.const i8x16 1 2 1 2 1 2 1 2 1 2 1 2 1 2 1 2)', `+ c5 f1 64 05 ${RIPRADDR} vpcmpgtbx ${RIPR}, %xmm1, %xmm0+ 66 45 0f 75 ff pcmpeqw %xmm15, %xmm15+ 66 41 0f ef c7 pxor %xmm15, %xmm0`],+ ['i8x16.narrow_i16x8_s', '(v128.const i8x16 1 2 1 2 1 2 1 2 1 2 1 2 1 2 1 2)',+ `c5 f1 63 05 ${RIPRADDR} vpacksswbx ${RIPR}, %xmm1, %xmm0`],+ ['i8x16.narrow_i16x8_u', '(v128.const i8x16 1 2 1 2 1 2 1 2 1 2 1 2 1 2 1 2)',+ `c5 f1 67 05 ${RIPRADDR} vpackuswbx ${RIPR}, %xmm1, %xmm0`],+ + ['i16x8.add', '(v128.const i16x8 1 2 1 2 1 2 1 2)',+ `c5 f1 fd 05 ${RIPRADDR} vpaddwx ${RIPR}, %xmm1, %xmm0`],+ ['i16x8.sub', '(v128.const i16x8 1 2 1 2 1 2 1 2)',+ `c5 f1 f9 05 ${RIPRADDR} vpsubwx ${RIPR}, %xmm1, %xmm0`],+ ['i16x8.mul', '(v128.const i16x8 1 2 1 2 1 2 1 2)',+ `c5 f1 d5 05 ${RIPRADDR} vpmullwx ${RIPR}, %xmm1, %xmm0`],+ ['i16x8.add_sat_s', '(v128.const i16x8 1 2 1 2 1 2 1 2)',+ `c5 f1 ed 05 ${RIPRADDR} vpaddswx ${RIPR}, %xmm1, %xmm0`],+ ['i16x8.add_sat_u', '(v128.const i16x8 1 2 1 2 1 2 1 2)',+ `c5 f1 dd 05 ${RIPRADDR} vpadduswx ${RIPR}, %xmm1, %xmm0`],+ ['i16x8.sub_sat_s', '(v128.const i16x8 1 2 1 2 1 2 1 2)',+ `c5 f1 e9 05 ${RIPRADDR} vpsubswx ${RIPR}, %xmm1, %xmm0`],+ ['i16x8.sub_sat_u', '(v128.const i16x8 1 2 1 2 1 2 1 2)',+ `c5 f1 d9 05 ${RIPRADDR} vpsubuswx ${RIPR}, %xmm1, %xmm0`],+ ['i16x8.min_s', '(v128.const i16x8 1 2 1 2 1 2 1 2)',+ `c5 f1 ea 05 ${RIPRADDR} vpminswx ${RIPR}, %xmm1, %xmm0`],+ ['i16x8.min_u', '(v128.const i16x8 1 2 1 2 1 2 1 2)',+ `c4 e2 71 3a 05 ${RIPRADDR} vpminuwx ${RIPR}, %xmm1, %xmm0`],+ ['i16x8.max_s', '(v128.const i16x8 1 2 1 2 1 2 1 2)',+ `c5 f1 ee 05 ${RIPRADDR} vpmaxswx ${RIPR}, %xmm1, %xmm0`],+ ['i16x8.max_u', '(v128.const i16x8 1 2 1 2 1 2 1 2)',+ `c4 e2 71 3e 05 ${RIPRADDR} vpmaxuwx ${RIPR}, %xmm1, %xmm0`],+ ['i16x8.eq', '(v128.const i16x8 1 2 1 2 1 2 1 2)',+ `c5 f1 75 05 ${RIPRADDR} vpcmpeqwx ${RIPR}, %xmm1, %xmm0`],+ ['i16x8.ne', '(v128.const i16x8 1 2 1 2 1 2 1 2)', `+ c5 f1 75 05 ${RIPRADDR} vpcmpeqwx ${RIPR}, %xmm1, %xmm0+ 66 45 0f 75 ff pcmpeqw %xmm15, %xmm15+ 66 41 0f ef c7 pxor %xmm15, %xmm0`],+ ['i16x8.gt_s', '(v128.const i16x8 1 2 1 2 1 2 1 2)',+ `c5 f1 65 05 ${RIPRADDR} vpcmpgtwx ${RIPR}, %xmm1, %xmm0`],+ ['i16x8.le_s', '(v128.const i16x8 1 2 1 2 1 2 1 2)', `+ c5 f1 65 05 ${RIPRADDR} vpcmpgtwx ${RIPR}, %xmm1, %xmm0+ 66 45 0f 75 ff pcmpeqw %xmm15, %xmm15+ 66 41 0f ef c7 pxor %xmm15, %xmm0`],+ ['i16x8.narrow_i32x4_s', '(v128.const i16x8 1 2 1 2 1 2 1 2)',+ `c5 f1 6b 05 ${RIPRADDR} vpackssdwx ${RIPR}, %xmm1, %xmm0`],+ ['i16x8.narrow_i32x4_u', '(v128.const i16x8 1 2 1 2 1 2 1 2)',+ `c4 e2 71 2b 05 ${RIPRADDR} vpackusdwx ${RIPR}, %xmm1, %xmm0`],+ + ['i32x4.add', '(v128.const i32x4 1 2 1 2)',+ `c5 f1 fe 05 ${RIPRADDR} vpadddx ${RIPR}, %xmm1, %xmm0`],+ ['i32x4.sub', '(v128.const i32x4 1 2 1 2)',+ `c5 f1 fa 05 ${RIPRADDR} vpsubdx ${RIPR}, %xmm1, %xmm0`],+ ['i32x4.mul', '(v128.const i32x4 1 2 1 2)',+ `c4 e2 71 40 05 ${RIPRADDR} vpmulldx ${RIPR}, %xmm1, %xmm0`],+ ['i32x4.min_s', '(v128.const i32x4 1 2 1 2)',+ `c4 e2 71 39 05 ${RIPRADDR} vpminsdx ${RIPR}, %xmm1, %xmm0`],+ ['i32x4.min_u', '(v128.const i32x4 1 2 1 2)',+ `c4 e2 71 3b 05 ${RIPRADDR} vpminudx ${RIPR}, %xmm1, %xmm0`],+ ['i32x4.max_s', '(v128.const i32x4 1 2 1 2)',+ `c4 e2 71 3d 05 ${RIPRADDR} vpmaxsdx ${RIPR}, %xmm1, %xmm0`],+ ['i32x4.max_u', '(v128.const i32x4 1 2 1 2)',+ `c4 e2 71 3f 05 ${RIPRADDR} vpmaxudx ${RIPR}, %xmm1, %xmm0`],+ ['i32x4.eq', '(v128.const i32x4 1 2 1 2)',+ `c5 f1 76 05 ${RIPRADDR} vpcmpeqdx ${RIPR}, %xmm1, %xmm0`],+ ['i32x4.ne', '(v128.const i32x4 1 2 1 2)', `+ c5 f1 76 05 ${RIPRADDR} vpcmpeqdx ${RIPR}, %xmm1, %xmm0+ 66 45 0f 75 ff pcmpeqw %xmm15, %xmm15+ 66 41 0f ef c7 pxor %xmm15, %xmm0`],+ ['i32x4.gt_s', '(v128.const i32x4 1 2 1 2)',+ `c5 f1 66 05 ${RIPRADDR} vpcmpgtdx ${RIPR}, %xmm1, %xmm0`],+ ['i32x4.le_s', '(v128.const i32x4 1 2 1 2)', `+ c5 f1 66 05 ${RIPRADDR} vpcmpgtdx ${RIPR}, %xmm1, %xmm0+ 66 45 0f 75 ff pcmpeqw %xmm15, %xmm15+ 66 41 0f ef c7 pxor %xmm15, %xmm0`],+ ['i32x4.dot_i16x8_s', '(v128.const i32x4 1 2 1 2)',+ `c5 f1 f5 05 ${RIPRADDR} vpmaddwdx ${RIPR}, %xmm1, %xmm0`],+ + ['i64x2.add', '(v128.const i64x2 1 2)',+ `c5 f1 d4 05 ${RIPRADDR} vpaddqx ${RIPR}, %xmm1, %xmm0`],+ ['i64x2.sub', '(v128.const i64x2 1 2)',+ `c5 f1 fb 05 ${RIPRADDR} vpsubqx ${RIPR}, %xmm1, %xmm0`],+ + ['v128.and', '(v128.const i8x16 1 2 1 2 1 2 1 2 1 2 1 2 1 2 1 2)',+ `c5 f1 db 05 ${RIPRADDR} vpandx ${RIPR}, %xmm1, %xmm0`],+ ['v128.or', '(v128.const i8x16 1 2 1 2 1 2 1 2 1 2 1 2 1 2 1 2)',+ `c5 f1 eb 05 ${RIPRADDR} vporx ${RIPR}, %xmm1, %xmm0`],+ ['v128.xor', '(v128.const i8x16 1 2 1 2 1 2 1 2 1 2 1 2 1 2 1 2)',+ `c5 f1 ef 05 ${RIPRADDR} vpxorx ${RIPR}, %xmm1, %xmm0`],+ + ['f32x4.add', '(v128.const f32x4 1 2 3 4)',+ `c5 f0 58 05 ${RIPRADDR} vaddpsx ${RIPR}, %xmm1, %xmm0`],+ ['f32x4.sub', '(v128.const f32x4 1 2 3 4)',+ `c5 f0 5c 05 ${RIPRADDR} vsubpsx ${RIPR}, %xmm1, %xmm0`],+ ['f32x4.mul', '(v128.const f32x4 1 2 3 4)',+ `c5 f0 59 05 ${RIPRADDR} vmulpsx ${RIPR}, %xmm1, %xmm0`],+ ['f32x4.div', '(v128.const f32x4 1 2 3 4)',+ `c5 f0 5e 05 ${RIPRADDR} vdivpsx ${RIPR}, %xmm1, %xmm0`],+ + ['f64x2.add', '(v128.const f64x2 1 2)',+ `c5 f1 58 05 ${RIPRADDR} vaddpdx ${RIPR}, %xmm1, %xmm0`],+ ['f64x2.sub', '(v128.const f64x2 1 2)',+ `c5 f1 5c 05 ${RIPRADDR} vsubpdx ${RIPR}, %xmm1, %xmm0`],+ ['f64x2.mul', '(v128.const f64x2 1 2)',+ `c5 f1 59 05 ${RIPRADDR} vmulpdx ${RIPR}, %xmm1, %xmm0`],+ ['f64x2.div', '(v128.const f64x2 1 2)',+ `c5 f1 5e 05 ${RIPRADDR} vdivpdx ${RIPR}, %xmm1, %xmm0`],++ ['f32x4.eq', '(v128.const f32x4 1 2 3 4)',+ `c5 f0 c2 05 ${RIPRADDR} 00 vcmppsx \\$0x00, ${RIPR}, %xmm1, %xmm0`],+ ['f32x4.ne', '(v128.const f32x4 1 2 3 4)',+ `c5 f0 c2 05 ${RIPRADDR} 04 vcmppsx \\$0x04, ${RIPR}, %xmm1, %xmm0`],+ ['f32x4.lt', '(v128.const f32x4 1 2 3 4)',+ `c5 f0 c2 05 ${RIPRADDR} 01 vcmppsx \\$0x01, ${RIPR}, %xmm1, %xmm0`],+ ['f32x4.le', '(v128.const f32x4 1 2 3 4)',+ `c5 f0 c2 05 ${RIPRADDR} 02 vcmppsx \\$0x02, ${RIPR}, %xmm1, %xmm0`],++ ['f64x2.eq', '(v128.const f64x2 1 2)',+ `c5 f1 c2 05 ${RIPRADDR} 00 vcmppdx \\$0x00, ${RIPR}, %xmm1, %xmm0`],+ ['f64x2.ne', '(v128.const f64x2 1 2)',+ `c5 f1 c2 05 ${RIPRADDR} 04 vcmppdx \\$0x04, ${RIPR}, %xmm1, %xmm0`],+ ['f64x2.lt', '(v128.const f64x2 1 2)',+ `c5 f1 c2 05 ${RIPRADDR} 01 vcmppdx \\$0x01, ${RIPR}, %xmm1, %xmm0`],+ ['f64x2.le', '(v128.const f64x2 1 2)',+ `c5 f1 c2 05 ${RIPRADDR} 02 vcmppdx \\$0x02, ${RIPR}, %xmm1, %xmm0`]]);+ + // Commutative operations with constants on the lhs should generate the same+ // code as with the constant on the rhs.+ codegenTestX64_LITERALxv128_v128_avxhack(+ [['i8x16.add', '(v128.const i8x16 1 2 1 2 1 2 1 2 1 2 1 2 1 2 1 2)',+ `c5 f1 fc 05 ${RIPRADDR} vpaddbx ${RIPR}, %xmm1, %xmm0`],+ ['i8x16.add_sat_s', '(v128.const i8x16 1 2 1 2 1 2 1 2 1 2 1 2 1 2 1 2)',+ `c5 f1 ec 05 ${RIPRADDR} vpaddsbx ${RIPR}, %xmm1, %xmm0`],+ ['i8x16.add_sat_u', '(v128.const i8x16 1 2 1 2 1 2 1 2 1 2 1 2 1 2 1 2)',+ `c5 f1 dc 05 ${RIPRADDR} vpaddusbx ${RIPR}, %xmm1, %xmm0`],+ ['i8x16.min_s', '(v128.const i8x16 1 2 1 2 1 2 1 2 1 2 1 2 1 2 1 2)',+ `c4 e2 71 38 05 ${RIPRADDR} vpminsbx ${RIPR}, %xmm1, %xmm0`],+ ['i8x16.min_u', '(v128.const i8x16 1 2 1 2 1 2 1 2 1 2 1 2 1 2 1 2)',+ `c5 f1 da 05 ${RIPRADDR} vpminubx ${RIPR}, %xmm1, %xmm0`],+ ['i8x16.max_s', '(v128.const i8x16 1 2 1 2 1 2 1 2 1 2 1 2 1 2 1 2)',+ `c4 e2 71 3c 05 ${RIPRADDR} vpmaxsbx ${RIPR}, %xmm1, %xmm0`],+ ['i8x16.max_u', '(v128.const i8x16 1 2 1 2 1 2 1 2 1 2 1 2 1 2 1 2)',+ `c5 f1 de 05 ${RIPRADDR} vpmaxubx ${RIPR}, %xmm1, %xmm0`],+ ['i8x16.eq', '(v128.const i8x16 1 2 1 2 1 2 1 2 1 2 1 2 1 2 1 2)',+ `c5 f1 74 05 ${RIPRADDR} vpcmpeqbx ${RIPR}, %xmm1, %xmm0`],+ ['i8x16.ne', '(v128.const i8x16 1 2 1 2 1 2 1 2 1 2 1 2 1 2 1 2)', `+ c5 f1 74 05 ${RIPRADDR} vpcmpeqbx ${RIPR}, %xmm1, %xmm0+ 66 45 0f 75 ff pcmpeqw %xmm15, %xmm15+ 66 41 0f ef c7 pxor %xmm15, %xmm0`],+ + ['i16x8.add', '(v128.const i16x8 1 2 1 2 1 2 1 2)',+ `c5 f1 fd 05 ${RIPRADDR} vpaddwx ${RIPR}, %xmm1, %xmm0`],+ ['i16x8.mul', '(v128.const i16x8 1 2 1 2 1 2 1 2)',+ `c5 f1 d5 05 ${RIPRADDR} vpmullwx ${RIPR}, %xmm1, %xmm0`],+ ['i16x8.add_sat_s', '(v128.const i16x8 1 2 1 2 1 2 1 2)',+ `c5 f1 ed 05 ${RIPRADDR} vpaddswx ${RIPR}, %xmm1, %xmm0`],+ ['i16x8.add_sat_u', '(v128.const i16x8 1 2 1 2 1 2 1 2)',+ `c5 f1 dd 05 ${RIPRADDR} vpadduswx ${RIPR}, %xmm1, %xmm0`],+ ['i16x8.min_s', '(v128.const i16x8 1 2 1 2 1 2 1 2)',+ `c5 f1 ea 05 ${RIPRADDR} vpminswx ${RIPR}, %xmm1, %xmm0`],+ ['i16x8.min_u', '(v128.const i16x8 1 2 1 2 1 2 1 2)',+ `c4 e2 71 3a 05 ${RIPRADDR} vpminuwx ${RIPR}, %xmm1, %xmm0`],+ ['i16x8.max_s', '(v128.const i16x8 1 2 1 2 1 2 1 2)',+ `c5 f1 ee 05 ${RIPRADDR} vpmaxswx ${RIPR}, %xmm1, %xmm0`],+ ['i16x8.max_u', '(v128.const i16x8 1 2 1 2 1 2 1 2)',+ `c4 e2 71 3e 05 ${RIPRADDR} vpmaxuwx ${RIPR}, %xmm1, %xmm0`],+ ['i16x8.eq', '(v128.const i16x8 1 2 1 2 1 2 1 2)',+ `c5 f1 75 05 ${RIPRADDR} vpcmpeqwx ${RIPR}, %xmm1, %xmm0`],+ ['i16x8.ne', '(v128.const i16x8 1 2 1 2 1 2 1 2)', `+ c5 f1 75 05 ${RIPRADDR} vpcmpeqwx ${RIPR}, %xmm1, %xmm0+ 66 45 0f 75 ff pcmpeqw %xmm15, %xmm15+ 66 41 0f ef c7 pxor %xmm15, %xmm0`],+ + ['i32x4.add', '(v128.const i32x4 1 2 1 2)',+ `c5 f1 fe 05 ${RIPRADDR} vpadddx ${RIPR}, %xmm1, %xmm0`],+ ['i32x4.mul', '(v128.const i32x4 1 2 1 2)',+ `c4 e2 71 40 05 ${RIPRADDR} vpmulldx ${RIPR}, %xmm1, %xmm0`],+ ['i32x4.min_s', '(v128.const i32x4 1 2 1 2)',+ `c4 e2 71 39 05 ${RIPRADDR} vpminsdx ${RIPR}, %xmm1, %xmm0`],+ ['i32x4.min_u', '(v128.const i32x4 1 2 1 2)',+ `c4 e2 71 3b 05 ${RIPRADDR} vpminudx ${RIPR}, %xmm1, %xmm0`],+ ['i32x4.max_s', '(v128.const i32x4 1 2 1 2)',+ `c4 e2 71 3d 05 ${RIPRADDR} vpmaxsdx ${RIPR}, %xmm1, %xmm0`],+ ['i32x4.max_u', '(v128.const i32x4 1 2 1 2)',+ `c4 e2 71 3f 05 ${RIPRADDR} vpmaxudx ${RIPR}, %xmm1, %xmm0`],+ ['i32x4.eq', '(v128.const i32x4 1 2 1 2)',+ `c5 f1 76 05 ${RIPRADDR} vpcmpeqdx ${RIPR}, %xmm1, %xmm0`],+ ['i32x4.ne', '(v128.const i32x4 1 2 1 2)', `+ c5 f1 76 05 ${RIPRADDR} vpcmpeqdx ${RIPR}, %xmm1, %xmm0+ 66 45 0f 75 ff pcmpeqw %xmm15, %xmm15+ 66 41 0f ef c7 pxor %xmm15, %xmm0`],+ ['i32x4.dot_i16x8_s', '(v128.const i32x4 1 2 1 2)',+ `c5 f1 f5 05 ${RIPRADDR} vpmaddwdx ${RIPR}, %xmm1, %xmm0`],+ + ['i64x2.add', '(v128.const i64x2 1 2)',+ `c5 f1 d4 05 ${RIPRADDR} vpaddqx ${RIPR}, %xmm1, %xmm0`],+ + ['v128.and', '(v128.const i8x16 1 2 1 2 1 2 1 2 1 2 1 2 1 2 1 2)',+ `c5 f1 db 05 ${RIPRADDR} vpandx ${RIPR}, %xmm1, %xmm0`],+ ['v128.or', '(v128.const i8x16 1 2 1 2 1 2 1 2 1 2 1 2 1 2 1 2)',+ `c5 f1 eb 05 ${RIPRADDR} vporx ${RIPR}, %xmm1, %xmm0`],+ ['v128.xor', '(v128.const i8x16 1 2 1 2 1 2 1 2 1 2 1 2 1 2 1 2)',+ `c5 f1 ef 05 ${RIPRADDR} vpxorx ${RIPR}, %xmm1, %xmm0`]]);
After analyzing the provided code diff, I don't see any clear security vulnerabilities being fixed. The changes appear to be: 1. Adding new test functions for SIMD operations with constants (codegenTestX64_v128xLITERAL_v128_avxhack and codegenTestX64_LITERALxv128_v128_avxhack) 2. Adding a utility function for testing SIMD operations (codegenTestX64_T_v128_avxhack) 3. Adding extensive test cases for various SIMD operations with AVX2 instructions The changes seem focused on testing and verifying correct code generation for SIMD operations rather than fixing security issues. Here's the structured response: Vulnerability Existed: no [No security vulnerability found] [js/src/jit-test/tests/wasm/simd/avx2-x64-ion-codegen.js] [Various lines] [Old Code] [New test cases and functions added] The diff primarily adds test coverage for SIMD operations rather than fixing security vulnerabilities. The changes appear to be part of normal development to support and verify WebAssembly SIMD functionality.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/broadcastchannel/tests/test_bfcache.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/broadcastchannel/tests/test_bfcache.html@@ -18,76 +18,98 @@ * The page which is loaded from session history should be persisted if * expectedPersisted is true. */++ SimpleTest.waitForExplicitFinish(); var testUrl1 = "testUrl1_bfcache.html";- var bc1 = new BroadcastChannel("testUrl1_bfcache");- var bc2 = new BroadcastChannel("testUrl2_bfcache");- bc1.onmessage = function(event) {- if (event.data == "closed") {- info("Closed");- runTest();- return;- }- page1Shown(event.data);- };- bc2.onmessage = function(event) { page2Shown(event.data); };- var counter = 0;- var expectedPersisted = false;- var bc = new BroadcastChannel("a");- function page1Shown(e) {- if (counter == 0) {- ok(!e.persisted, "test page should have been persisted initially");- bc1.postMessage("load");- } else {- is(e.persisted, expectedPersisted, "test page should have been persisted in pageshow");- bc1.postMessage("close");+ function executeTest() {+ var bc1 = new BroadcastChannel("testUrl1_bfcache");+ var bc2 = new BroadcastChannel("testUrl2_bfcache");+ bc1.onmessage = function(event) {+ if (event.data == "closed") {+ info("Closed");+ runTest();+ return;+ }+ page1Shown(event.data);+ };+ bc2.onmessage = function(event) { page2Shown(event.data); };++ var counter = 0;+ var expectedPersisted = false;+ var bc = new BroadcastChannel("a");++ function page1Shown(e) {+ if (counter == 0) {+ ok(!e.persisted, "test page should have been persisted initially");+ bc1.postMessage("load");+ } else {+ is(e.persisted, expectedPersisted, "test page should have been persisted in pageshow");+ bc1.postMessage("close");+ }++ counter++; }- counter++;- }+ function page2Shown(e) {+ if (!expectedPersisted) {+ SimpleTest.executeSoon(function() {+ info("Posting a message.");+ bc.postMessage(42);+ });+ }- function page2Shown(e) {- if (!expectedPersisted) { SimpleTest.executeSoon(function() {- info("Posting a message.");- bc.postMessage(42);+ info("Going back");+ bc2.postMessage("back"); }); }- SimpleTest.executeSoon(function() {- info("Going back");- bc2.postMessage("back");+ var tests = [+ { expectedPersisted: true },+ { expectedPersisted: false },+ ];++ function runTest() {+ if (!tests.length) {+ bc.close();+ bc1.close();+ bc2.close();+ SimpleTest.finish();+ return;+ }++ var test = tests.shift();++ counter = 0;+ expectedPersisted = test.expectedPersisted;+ window.open(testUrl1, "", "noopener");+ }+++ // If Fission is disabled, the pref is no-op.+ SpecialPowers.pushPrefEnv({set: [["fission.bfcacheInParent", true]]}, () => {+ runTest(); });+ }- var tests = [- { expectedPersisted: true },- { expectedPersisted: false },- ];-- function runTest() {- if (!tests.length) {- bc.close();- bc1.close();- bc2.close();- SimpleTest.finish();- return;- }-- var test = tests.shift();-- counter = 0;- expectedPersisted = test.expectedPersisted;- window.open(testUrl1, "", "noopener");+ if (isXOrigin) {+ // Bug 1746646: Make mochitests work with TCP enabled (cookieBehavior = 5)+ // Acquire storage access permission here so that the BroadcastChannel used to+ // communicate with the opened windows works in xorigin tests. Otherwise,+ // the iframe containing this page is isolated from first-party storage access,+ // which isolates BroadcastChannel communication.+ SpecialPowers.wrap(document).notifyUserGestureActivation();+ SpecialPowers.addPermission("storageAccessAPI", true, window.location.href).then(() => {+ SpecialPowers.wrap(document).requestStorageAccess().then(() => {+ executeTest();+ });+ });+ } else {+ executeTest(); }-- SimpleTest.waitForExplicitFinish();-- // If Fission is disabled, the pref is no-op.- SpecialPowers.pushPrefEnv({set: [["fission.bfcacheInParent", true]]}, () => {- runTest();- }); </script> </body>
Here is the analysis of the provided code diff for security fixes: 1. Vulnerability Existed: not sure [Potential Cross-Origin Communication Issue] [dom/broadcastchannel/tests/test_bfcache.html] [Lines 18-98] [Old Code: No explicit handling of cross-origin storage access for BroadcastChannel] [Fixed Code: Added cross-origin storage access permission handling via SpecialPowers.wrap and requestStorageAccess()] 2. Vulnerability Existed: not sure [Potential Race Condition in Test Initialization] [dom/broadcastchannel/tests/test_bfcache.html] [Lines 18-98] [Old Code: Test execution started immediately without waiting for explicit finish] [Fixed Code: Added SimpleTest.waitForExplicitFinish() at the beginning and restructured test execution flow] 3. Vulnerability Existed: not sure [Potential Resource Leak] [dom/broadcastchannel/tests/test_bfcache.html] [Lines 18-98] [Old Code: BroadcastChannel objects created globally] [Fixed Code: BroadcastChannel objects moved inside executeTest() function for better scoping] Note: The changes appear to be primarily test improvements rather than direct security fixes, but they do address potential issues that could affect test reliability and security behavior in cross-origin scenarios. The most significant change is the addition of storage access permission handling for cross-origin cases.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-fonts/font-size-zero-1.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-fonts/font-size-zero-1.html@@ -5,7 +5,6 @@ <link rel="help" href="http://www.w3.org/TR/css3-fonts/#font-size-prop"> <link rel="help" href="http://www.w3.org/TR/CSS21/box.html#collapsing-margins"> <link rel="match" href="font-size-zero-1-ref.html">-<meta name="flags" content=""> <style> /* spec ambiguous whether font-size-adjust influences line-height: normal */ body { line-height: 1.2 }
Analyzing the provided code diff, I don't see any security-related changes. The modification appears to be a simple removal of an empty meta tag flag, which doesn't have any security implications. Vulnerability Existed: no No security vulnerability found [File] testing/web-platform/tests/css/css-fonts/font-size-zero-1.html [Lines] 5 [Old Code] <meta name="flags" content=""> [Fixed Code] (removed line) This change appears to be a cleanup of test metadata rather than a security fix. The removed meta tag was empty and didn't serve any security-related purpose. No known vulnerabilities are associated with this change.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/wgpu-hal/.cargo-checksum.json+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/wgpu-hal/.cargo-checksum.json@@ -1 +1 @@-{"files":{"Cargo.toml":"7a506673848716ef5e06813c09213344e8325ef38bf454832fa63802e3c36ed5","README.md":"78377f5876fafd77963eff7e3c2ba3a7e3ad5cf9201b09ed5612e49c2288eb18","examples/halmark/main.rs":"b19dc4df52e55195703f3b42f1cc3ac555faedf2357ff821a2d7dd305eb9ec19","examples/halmark/shader.wgsl":"d63ba820574d2809b8a5d16342fddbede5dd0ff0024b3448c947fb7da896dd8d","src/auxil/mod.rs":"d914553bea210dab9e1ed9a77c2f2adad568e6678e9684df503584627e63beaa","src/auxil/renderdoc.rs":"3a4da908ebd6230177ca55c541c8278639e83d78badb4595a941aea30dd7f80f","src/dx12/adapter.rs":"e2d7ea916b173f85d31bd7ee5c42ebc2726aead4dd28f2f3e6046b0b5180271e","src/dx12/command.rs":"2caa5de75265c8f973b66b6843e64f33daa0cdda669f268a168ee070905bda2e","src/dx12/conv.rs":"7dfa5fb67b11acd2ffcee400b7e737aa1b08ee1f22d93d9fffaab5f275efee44","src/dx12/descriptor.rs":"c0108edad4a7a8c77d52c6172844d4310820edb400e351c843d56aab997a5dc2","src/dx12/device.rs":"4f0de6a54063832177bb60eb9cb5d984605b49ced0915a85fead2819b8af0805","src/dx12/instance.rs":"e93de85ddf6772ca366e02b7d0b4ee4d619164fd4700df4a389515f4f4500ebc","src/dx12/mod.rs":"26026ed4bd54c4c1469d048c1a7fd4f58f7b637c8320570742208f978ba4fcfa","src/dx12/view.rs":"7449d7459e39178491e76812f154ef2895f8137e944c1c821c0d441fdb173cae","src/empty.rs":"6bf65e405f63eff49b25d079af644b352b95a9c7edcf3a57be2e96a50307b66b","src/gles/adapter.rs":"263fc8b38a2c834ec2e3ffb74cfb1fb1941d0f5eb2cb82e6cf3f85b7bdf7aae8","src/gles/command.rs":"ca0ec997ee2cdb7b15ccbbd5f7a556438f0d552ee1674528da4400b5364c1dfa","src/gles/conv.rs":"ec87ddf4b509a394f5faaacdae2e2eb119f100585f5850e4f52ccb8687e67452","src/gles/device.rs":"638e992c22c1f32ccaff6d2a59d27eef32a3f01e2dc04cd32361d2ff462750ff","src/gles/egl.rs":"ad9bd308b1c3d8de0d8a42e2f6ef4a5624de8653825e7991b80999a400875002","src/gles/mod.rs":"c895ccb75b1c7c2d5022ab85a50545b2949e220891642e0a9b80b0914d79b09d","src/gles/queue.rs":"52b30df16fc7a258d271f3b47e2d10753aea9c9ea337c86aa07a9fe0d34160a0","src/gles/shaders/clear.frag":"aac702eed9ece5482db5ba6783a678b119a5e7802b1ecf93f4975dee8acab0b3","src/gles/shaders/clear.vert":"8f636168e1da2cac48091c466a543c3b09fb4a0dd8c60c1c9bf34cc890766740","src/gles/shaders/present.frag":"dd9a43c339a2fa4ccf7f6a1854c6f400cabf271a7d5e9230768e9f39d47f3ff5","src/gles/shaders/present.vert":"6e85d489403d80b81cc94790730bb53b309dfc5eeede8f1ea3412a660f31d357","src/gles/web.rs":"dbc27a61666351cf0a9f24d36a8c9df400bae621dde402ae6d6d97fa287ec0d9","src/lib.rs":"0868962ae28c1c4523de54170707f1651865bc53c6be1b2efb5ce78b6f5b5204","src/metal/adapter.rs":"b41e8b53fd915946229e57bec59f1049cc2007838b646c4cf879121816f54c58","src/metal/command.rs":"3edc6151d0edd7106cd3bd489e1ae57203648133ccd8d658cec7042e381798c8","src/metal/conv.rs":"0f8065cbe54b499476381fd93002a377d6ae756d63d5d8dacb18fe292dfa30eb","src/metal/device.rs":"776e640cb8bc25bc049eaa3663a293cfdd62eccc66e1712689d029f98b91aed4","src/metal/mod.rs":"2787a452103eab4e4129556840f5893f3b9c5b4c780ce1a03cbe32d334c1d363","src/metal/surface.rs":"74f81d37f0f1362603c26fd085ad2821f82810e2b5c5f816a6c1e83c5295d47b","src/vulkan/adapter.rs":"59c5b6da7c6ecadd27629e93626b11319473695897c3481f139e5d5c0127f9da","src/vulkan/command.rs":"d89d775bf4c1d608ea44834c5f22a95ccc519b0b7c5150de8bd94c7994a172a3","src/vulkan/conv.rs":"87d93d187ce445d5645329e1a87f53b3b4327db675732250be9c82cd4ee0c322","src/vulkan/device.rs":"b39fcd5047e6425eeac6bb2c8e16273c94d39db598a30a21419d60297a113df6","src/vulkan/instance.rs":"639f768984ec7de0d974dd147e735610caaf06f0e5b2bf02f4cac255bb709801","src/vulkan/mod.rs":"9e9e8ce5d3fd49baf7790299119efb1d08ca05fa50ef9b99cbbe583e4fd395e9"},"package":null}+{"files":{"Cargo.toml":"3862315ca7f4457023d24cc734caf97344767b109b6aff70bf521842f23e057a","README.md":"78377f5876fafd77963eff7e3c2ba3a7e3ad5cf9201b09ed5612e49c2288eb18","examples/halmark/main.rs":"9985c489565558c44023c2e0939c6f23f73840d336ebc552063277a85ea5136f","examples/halmark/shader.wgsl":"d63ba820574d2809b8a5d16342fddbede5dd0ff0024b3448c947fb7da896dd8d","examples/raw-gles.rs":"e1a47d82b58eef8a74fee37f9e2d190bf33ed764818af532c31fe2ffd160d070","src/auxil/mod.rs":"80e81fb7421f29553922fe67f16859cb5a3e2e199413f10a87e58253bb4fe6f6","src/auxil/renderdoc.rs":"3a4da908ebd6230177ca55c541c8278639e83d78badb4595a941aea30dd7f80f","src/dx12/adapter.rs":"7ce0b5398973584df4a314627c9958cfd120e31533c222a7a81e9e643552c27f","src/dx12/command.rs":"f8b84a576a5f2eea82d5c001ea1a7d4552f9fc7a7d0bc496a096ac3ffee2ff14","src/dx12/conv.rs":"7dfa5fb67b11acd2ffcee400b7e737aa1b08ee1f22d93d9fffaab5f275efee44","src/dx12/descriptor.rs":"c0108edad4a7a8c77d52c6172844d4310820edb400e351c843d56aab997a5dc2","src/dx12/device.rs":"fed1f2286c153998448bf07c423f320eade15d7dbce0a1d1d719f822bebd2936","src/dx12/instance.rs":"e93de85ddf6772ca366e02b7d0b4ee4d619164fd4700df4a389515f4f4500ebc","src/dx12/mod.rs":"b11a6b29ecb9dce95ffeb0b65d69d0af0a6adb1437faf0f561c82010ca6306c9","src/dx12/view.rs":"7449d7459e39178491e76812f154ef2895f8137e944c1c821c0d441fdb173cae","src/empty.rs":"6bf65e405f63eff49b25d079af644b352b95a9c7edcf3a57be2e96a50307b66b","src/gles/adapter.rs":"854215a4a93eacb8f15bb4e905de6cf6d064b5e4773cc48f64f0acb0c1c50811","src/gles/command.rs":"557effbdf8a885fec118e926f1e322253b4e4f417d4f7efbc300f7b75580e0f5","src/gles/conv.rs":"ec87ddf4b509a394f5faaacdae2e2eb119f100585f5850e4f52ccb8687e67452","src/gles/device.rs":"6ff31ffe2f5266c73f3de787ca06da8347ae19ec178792cd215b844cc309eaf9","src/gles/egl.rs":"0d8993a0d722063042ee9fa83a4de868e91689f1ce8c8aec47e538a6c0f38553","src/gles/mod.rs":"714ce10a4929a3f0d9a32bb0bbbfbe87a3b3162a8532b2cd79f228d32b958dd1","src/gles/queue.rs":"fea36dc55becee4493cea6b554e8d7a8ffe946201eb21c563e7dc4bcacab3bcd","src/gles/shaders/clear.frag":"aac702eed9ece5482db5ba6783a678b119a5e7802b1ecf93f4975dee8acab0b3","src/gles/shaders/clear.vert":"8f636168e1da2cac48091c466a543c3b09fb4a0dd8c60c1c9bf34cc890766740","src/gles/shaders/present.frag":"dd9a43c339a2fa4ccf7f6a1854c6f400cabf271a7d5e9230768e9f39d47f3ff5","src/gles/shaders/present.vert":"6e85d489403d80b81cc94790730bb53b309dfc5eeede8f1ea3412a660f31d357","src/gles/web.rs":"083500c0b36d079a82754895d06b993ea8ed4393690b226c85f07cbec373a730","src/lib.rs":"354670f72b69e3c6b704b9668dab681032d48ff2a650be3c07807d803582900c","src/metal/adapter.rs":"daae4f4c8097dd2fa4c915b1521457e38d9f143e468c45daba5b124f06608359","src/metal/command.rs":"233e646076d94b5d2b109f254ba129b8dcc30f683b30178a66d59bd7e2a25b78","src/metal/conv.rs":"0f8065cbe54b499476381fd93002a377d6ae756d63d5d8dacb18fe292dfa30eb","src/metal/device.rs":"b0dc77b3567b4d456118d7428a0594f0ace5c1a3bb75cee9b24a61645feae0ba","src/metal/mod.rs":"29092cc039a844611b6e6755e735ec232a947c25531fb3c185a4a9422891e6af","src/metal/surface.rs":"74f81d37f0f1362603c26fd085ad2821f82810e2b5c5f816a6c1e83c5295d47b","src/vulkan/adapter.rs":"627d67199a49ebffa8e183cb68b61ee8646418ac0f81e8634acccddccc8c0ac4","src/vulkan/command.rs":"60d1867acd0e46c34dabecea708cd776a1f435721b6673a506b5bb8aee87ff80","src/vulkan/conv.rs":"241764384cb35a7fbd453923fc0e968909689e4698e69ff61df87d2aa6cf37cb","src/vulkan/device.rs":"a88d85962e1d819b903a4b6f1b2e2822ecf770d05fa5a16673e87b77fbadc38f","src/vulkan/instance.rs":"b258b87760150feda3e1f23166fd5e6067b0af0c9ed404e0208433b3b10d42bd","src/vulkan/mod.rs":"bb4d3c01a7a75fa167f03123794f747a21e2cbe0ec93fbf473b1d40f9b2c2d42"},"package":null}=========testing/web-platform/tests/html/canvas/offscreen/text/2d.text.drawing.style.measure.rtl.text.worker.js========--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/text/2d.text.drawing.style.measure.rtl.text.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/text/2d.text.drawing.style.measure.rtl.text.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); metrics = ctx.measureText('اَلْعَرَبِيَّةُ'); _assert(metrics.actualBoundingBoxLeft < metrics.actualBoundingBoxRight, "metrics.actualBoundingBoxLeft < metrics.actualBoundingBoxRight");
Based on the provided code diff, I'll analyze it for security vulnerabilities:
1. First file (wgpu-hal/.cargo-checksum.json):
Vulnerability Existed: no
This appears to be a standard checksum file update with no security implications. The changes are just hash updates for various files in the Rust wgpu-hal package.
2. Second file (2d.text.drawing.style.measure.rtl.text.worker.js):
Vulnerability Existed: no
The change is a simple variable rename from `offscreenCanvas` to `canvas` in a test file. This doesn't appear to have any security implications.
No security vulnerabilities were found in the provided diff. The changes are either:
1. Routine checksum updates for build integrity
2. Test code refactoring with no security impact
Additional notes:
- The checksum updates could indicate underlying code changes in the referenced files, but without seeing those actual file changes, we can't determine if they contain security fixes.
- The test file change is purely cosmetic/readability improvement.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/shadows/2d.shadow.alpha.4.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/shadows/2d.shadow.alpha.4.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillRect(0, 0, 100, 50);@@ -27,7 +27,7 @@ ctx.shadowOffsetY = 50; ctx.globalAlpha = 0.707; ctx.fillRect(0, -50, 100, 50);-_assertPixelApprox(offscreenCanvas, 50,25, 127,0,127,255, "50,25", "127,0,127,255", 2);+_assertPixelApprox(canvas, 50,25, 127,0,127,255, "50,25", "127,0,127,255", 2); t.done(); });
After analyzing the provided code diff, here's the security analysis following the requested format:
Vulnerability Existed: no
[No specific vulnerability found] [testing/web-platform/tests/html/canvas/offscreen/shadows/2d.shadow.alpha.4.html] [Lines 17-27]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
...
_assertPixelApprox(offscreenCanvas, 50,25, 127,0,127,255, "50,25", "127,0,127,255", 2);
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
...
_assertPixelApprox(canvas, 50,25, 127,0,127,255, "50,25", "127,0,127,255", 2);
Additional Details:
The changes appear to be purely variable renaming (from 'offscreenCanvas' to 'canvas') with no security implications. The functionality remains identical, and there are no security-related patterns or vulnerabilities being addressed in this diff. The modification seems to be for code consistency or readability rather than security fixes.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/docshell/shistory/nsSHEntry.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/docshell/shistory/nsSHEntry.cpp@@ -1105,3 +1105,9 @@ *aBFCacheID = mShared->GetId(); return NS_OK; }++NS_IMETHODIMP+nsSHEntry::GetWireframe(JSContext* aCx, JS::MutableHandleValue aOut) {+ aOut.set(JS::NullValue());+ return NS_OK;+}
Analyzing the provided code diff, here's the security assessment:
Vulnerability Existed: no
No Vulnerability Found [File] [Lines]
[Old Code] (No code existed before the change)
[Fixed Code]
NS_IMETHODIMP
nsSHEntry::GetWireframe(JSContext* aCx, JS::MutableHandleValue aOut) {
aOut.set(JS::NullValue());
return NS_OK;
}
Additional Details:
1. This appears to be a new method addition rather than a security fix
2. The method simply returns a null value in a safe way
3. No security vulnerabilities are being patched here
4. The change is likely adding functionality rather than fixing a security issue
The diff shows only an addition of a new method that safely handles JavaScript values by returning null, with no indication of any security vulnerability being addressed.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-pseudo/grammar-error-001.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-pseudo/grammar-error-001.html@@ -11,7 +11,6 @@ <link rel="help" href="https://www.w3.org/TR/css-pseudo-4/#highlight-styling"> <link rel="match" href="grammar-error-001-ref.html">- <meta content="" name="flags"> <style> div
Analyzing the provided code diff for security fixes: 1. Vulnerability Existed: no No specific vulnerability found [File] testing/web-platform/tests/css/css-pseudo/grammar-error-001.html [Lines] 11 [Old Code] `<meta content="" name="flags">` [Fixed Code] (line removed) Additional Details: - The diff shows only the removal of an empty `<meta>` tag with a "flags" attribute, which doesn't appear to be security-related - No known vulnerabilities are associated with this change - This appears to be a simple cleanup or test configuration change rather than a security fix
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/rust_decimal/src/constants.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/rust_decimal/src/constants.rs@@ -9,7 +9,7 @@ // contain a value between 0 and 28 inclusive. pub const SCALE_MASK: u32 = 0x00FF_0000; pub const U8_MASK: u32 = 0x0000_00FF;-pub const U32_MASK: u64 = 0xFFFF_FFFF;+pub const U32_MASK: u64 = u32::MAX as _; // Number of bits scale is shifted by. pub const SCALE_SHIFT: u32 = 16;@@ -65,3 +65,8 @@ pub const MAX_I64_SCALE: u32 = 19; #[cfg(not(feature = "legacy-ops"))] pub const U32_MAX: u64 = u32::MAX as u64;++// Determines potential overflow for 128 bit operations+pub const OVERFLOW_U96: u128 = 1u128 << 96;+pub const WILL_OVERFLOW_U64: u64 = u64::MAX / 10 - u8::MAX as u64;+pub const BYTES_TO_OVERFLOW_U64: usize = 18; // We can probably get away with less
Let me analyze the diff for security vulnerabilities:
1. Vulnerability Existed: not sure
[Potential Integer Overflow] [third_party/rust/rust_decimal/src/constants.rs] [Lines 9]
[Old Code] pub const U32_MASK: u64 = 0xFFFF_FFFF;
[Fixed Code] pub const U32_MASK: u64 = u32::MAX as _;
Additional Details: The change makes the mask definition more explicit by using u32::MAX, but it's unclear if this was fixing an actual vulnerability or just improving code clarity.
2. Vulnerability Existed: yes
[Integer Overflow Prevention] [third_party/rust/rust_decimal/src/constants.rs] [Lines 65-68]
[Old Code] (none - new constants added)
[Fixed Code] pub const OVERFLOW_U96: u128 = 1u128 << 96;
pub const WILL_OVERFLOW_U64: u64 = u64::MAX / 10 - u8::MAX as u64;
pub const BYTES_TO_OVERFLOW_U64: usize = 18;
Additional Details: These new constants appear to be added to help prevent integer overflow scenarios in calculations, particularly for 128-bit and 64-bit operations. The explicit overflow detection thresholds suggest previous potential for overflow vulnerabilities.
The changes appear to be focused on making integer operations safer and more explicit, particularly around overflow conditions. The first change improves code clarity while the second set of changes adds explicit overflow detection thresholds.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/feature-policy/reporting/xr-reporting.https.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/feature-policy/reporting/xr-reporting.https.html@@ -8,7 +8,7 @@ <script> var check_report_format = (reports, observer) => { let report = reports[0];- assert_equals(report.type, "feature-policy-violation");+ assert_equals(report.type, "permissions-policy-violation"); assert_equals(report.url, document.location.href); assert_equals(report.body.featureId, "xr-spatial-tracking"); assert_equals(report.body.sourceFile, document.location.href);@@ -20,7 +20,7 @@ promise_test(async (t) => { const report = new Promise(resolve => { new ReportingObserver((reports, observer) => resolve([reports, observer]),- {types: ['feature-policy-violation']}).observe();+ {types: ['permissions-policy-violation']}).observe(); }); await promise_rejects_dom(t, 'SecurityError', navigator.xr.isSessionSupported('immersive-vr'),
Here's the analysis of the provided code diff:
1. Vulnerability Existed: not sure
[Feature Policy to Permissions Policy Renaming] [testing/web-platform/tests/feature-policy/reporting/xr-reporting.https.html] [Lines 8,20]
[Old Code]
`assert_equals(report.type, "feature-policy-violation");`
`{types: ['feature-policy-violation']}).observe();`
[Fixed Code]
`assert_equals(report.type, "permissions-policy-violation");`
`{types: ['permissions-policy-violation']}).observe();`
Additional Details:
The changes appear to be related to a naming convention update from "feature-policy" to "permissions-policy" in the reporting mechanism. While this doesn't appear to be fixing a direct security vulnerability, it might be part of a broader security-related standardization update. The change could potentially affect how security policies are enforced and reported, but without more context about the broader changes, it's difficult to determine if this was fixing a specific vulnerability or just updating to new terminology.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-shapes/shape-outside/shape-box/shape-outside-content-box-002.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-shapes/shape-outside/shape-box/shape-outside-content-box-002.html@@ -8,7 +8,6 @@ <link rel="author" title="Mozilla" href="http://www.mozilla.org/"> <link rel="help" href="https://drafts.csswg.org/css-shapes-1/#shapes-from-box-values"> <link rel="match" href="reference/shape-outside-content-box-002-ref.html">- <meta name="flags" content=""> <meta name="assert" content="Test the boxes are wrapping around the right float shape defined by the content-box value."> <style> .container {
Analysis of the provided code diff: 1. Vulnerability Existed: no No specific vulnerability found [File] [Lines 8] Old Code: <meta name="flags" content=""> Fixed Code: (line removed) Additional Details: - The diff shows removal of an empty meta tag with "flags" attribute, which doesn't appear to be security-related - This appears to be a cleanup change rather than a security fix - No known vulnerabilities are associated with empty meta flags tags - The change is part of test file maintenance in Firefox's web platform tests
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-break/flexbox/multi-line-row-flex-fragmentation-010.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-break/flexbox/multi-line-row-flex-fragmentation-010.html@@ -16,7 +16,7 @@ } </style> <p>Test passes if there is a filled green square and <strong>no red</strong>.</p>-<div style="width: 100px; height: 100px; columns: 5; column-gap: 0; column-fill: auto; background: red;">+<div style="width: 100px; height: 100px; columns: 5; column-gap: 0; column-fill: auto; position: relative; background: red;"> <div id="flex"> <div style="position: relative;"> <div style="contain: size; width: 10px; height: 80px;"></div>@@ -27,17 +27,17 @@ <div style="contain: size; width: 10px; height: 70px;"></div> <div style="contain: size; width: 10px; height: 40px;"></div> </div>- <div style="position: relative;">+ <div> <div style="contain: size; width: 10px; height: 40px;"></div> <div style="contain: size; width: 10px; height: 80px;"></div>- <div style="position: absolute; width: 10px; height: 50px; background: green;"></div> </div> <div style="position: relative;"> <div style="contain: size; width: 10px; height: 80px;"></div> <div style="contain: size; width: 10px; height: 30px;"></div>- <div style="position: absolute; top: -60px; width: 10px; height: 60px; background: green;"></div>+ <div style="position: absolute; width: 10px; height: 50px; background: green;"></div> </div> <div style="height: 100px; width: 20px;"></div>- <div style="height: 70px; width: 20px;"></div>+ <div style="height: 20px; width: 20px;"></div> </div>+ <div style="position: absolute; width: 20px; height: 60px; background: green; top: 40px; left: 20px;"></div> </div>
After analyzing the provided code diff, here are the potential security vulnerabilities:
1. Vulnerability Existed: not sure
[Potential CSS Positioning Issue] [testing/web-platform/tests/css/css-break/flexbox/multi-line-row-flex-fragmentation-010.html] [Lines 16, 27-28, 35]
[Old Code]
```html
<div style="width: 100px; height: 100px; columns: 5; column-gap: 0; column-fill: auto; background: red;">
...
<div style="position: relative;">
<div style="contain: size; width: 10px; height: 40px;"></div>
<div style="contain: size; width: 10px; height: 80px;"></div>
<div style="position: absolute; width: 10px; height: 50px; background: green;"></div>
</div>
```
[Fixed Code]
```html
<div style="width: 100px; height: 100px; columns: 5; column-gap: 0; column-fill: auto; position: relative; background: red;">
...
<div>
<div style="contain: size; width: 10px; height: 40px;"></div>
<div style="contain: size; width: 10px; height: 80px;"></div>
</div>
```
Additional Details: The changes involve modifications to absolute positioning and containment, which could potentially affect security if these properties were being used to bypass security boundaries or create overlay attacks. However, this appears to be a layout test case.
2. Vulnerability Existed: not sure
[Potential Layout Manipulation] [testing/web-platform/tests/css/css-break/flexbox/multi-line-row-flex-fragmentation-010.html] [Lines 37, 39]
[Old Code]
```html
<div style="height: 70px; width: 20px;"></div>
```
[Fixed Code]
```html
<div style="height: 20px; width: 20px;"></div>
<div style="position: absolute; width: 20px; height: 60px; background: green; top: 40px; left: 20px;"></div>
```
Additional Details: The changes in element dimensions and addition of an absolutely positioned element could potentially be related to fixing layout issues that might have security implications in certain contexts, though this appears to be primarily a visual test case.
Note: The changes appear to be primarily related to layout testing rather than direct security fixes. The modifications involve CSS positioning and dimensions adjustments in what seems to be a visual test case for flexbox fragmentation behavior. No clear security vulnerabilities are evident from the diff.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.