Shared security patch analysis results
AI Used: DEEPSEEK deepseek-chat--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/drawing-rectangles-to-the-canvas/2d.clearRect.globalalpha.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/drawing-rectangles-to-the-canvas/2d.clearRect.globalalpha.html@@ -17,14 +17,14 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillRect(0, 0, 100, 50); ctx.globalAlpha = 0.1; ctx.clearRect(0, 0, 100, 50);-_assertPixel(offscreenCanvas, 50,25, 0,0,0,0, "50,25", "0,0,0,0");+_assertPixel(canvas, 50,25, 0,0,0,0, "50,25", "0,0,0,0"); t.done(); });
After analyzing the provided code diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely cosmetic/refactoring changes (variable renaming) rather than security-related fixes.
Here's the analysis following your requested format:
Vulnerability Existed: no
[No security vulnerability found] [testing/web-platform/tests/html/canvas/offscreen/drawing-rectangles-to-the-canvas/2d.clearRect.globalalpha.html] [Lines 17-25]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
...
_assertPixel(offscreenCanvas, 50,25, 0,0,0,0, "50,25", "0,0,0,0");
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
...
_assertPixel(canvas, 50,25, 0,0,0,0, "50,25", "0,0,0,0");
The changes only involve:
1. Renaming the variable `offscreenCanvas` to `canvas`
2. Updating the references to this variable in the subsequent code
3. No functional changes to the security properties of the code
No security vulnerabilities were identified in this diff.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/layout/painting/ActiveLayerTracker.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/layout/painting/ActiveLayerTracker.h@@ -35,8 +35,6 @@ * eCSSProperty_offset_path, eCSSProperty_offset_distance, * eCSSProperty_offset_rotate, eCSSProperty_offset_anchor, * eCSSProperty_opacity- * eCSSProperty_left, eCSSProperty_top,- * eCSSProperty_right, eCSSProperty_bottom * and use that information to guess whether style changes are animated. */@@ -48,12 +46,6 @@ */ static void NotifyRestyle(nsIFrame* aFrame, nsCSSPropertyID aProperty); /**- * Notify aFrame's left/top/right/bottom properties as having (maybe)- * changed due to a restyle, and therefore possibly wanting an active layer- * to render that style. Any such marking will time out after a short period.- */- static void NotifyOffsetRestyle(nsIFrame* aFrame);- /** * Mark aFrame as being known to have an animation of aProperty. * Any such marking will time out after a short period. * aNewValue and aDOMCSSDecl are used to determine whether the property's@@ -62,13 +54,6 @@ static void NotifyAnimated(nsIFrame* aFrame, nsCSSPropertyID aProperty, const nsACString& aNewValue, nsDOMCSSDeclaration* aDOMCSSDecl);- /**- * Notify aFrame as being known to have an animation of aProperty through an- * inline style modification during aScrollFrame's scroll event handler.- */- static void NotifyAnimatedFromScrollHandler(nsIFrame* aFrame,- nsCSSPropertyID aProperty,- nsIFrame* aScrollFrame); /** * Notify that a property in the inline style rule of aFrame's element * has been modified.@@ -94,17 +79,6 @@ */ static bool IsStyleAnimated(nsDisplayListBuilder* aBuilder, nsIFrame* aFrame, const nsCSSPropertyIDSet& aPropertySet);- /**- * Return true if any of aFrame's offset property styles should be considered- * as being animated for constructing active layers.- */- static bool IsOffsetStyleAnimated(nsIFrame* aFrame);- /**- * Return true if aFrame's background-position-x or background-position-y- * property is animated.- */- static bool IsBackgroundPositionAnimated(nsDisplayListBuilder* aBuilder,- nsIFrame* aFrame); /** * Return true if aFrame's transform-like property, * i.e. transform/translate/rotate/scale, is animated.@@ -135,28 +109,6 @@ * frame after the frame has been created. */ static void TransferActivityToFrame(nsIContent* aContent, nsIFrame* aFrame);-- /*- * We track modifications to the content of certain frames (i.e. canvas- * frames) and use that to make layering decisions.- */-- /**- * Mark aFrame's content as being active. This marking will time out after- * a short period.- */- static void NotifyContentChange(nsIFrame* aFrame);- /**- * Return true if this frame's content is still marked as active.- */- static bool IsContentActive(nsIFrame* aFrame);-- /**- * Called before and after a scroll event handler is executed, with the- * scrollframe or nullptr, respectively. This acts as a hint to treat- * inline style changes during the handler differently.- */- static void SetCurrentScrollHandlerFrame(nsIFrame* aFrame); }; } // namespace mozilla
Analyzing the provided code diff, here are the security-related findings: 1. Vulnerability Existed: not sure Potentially Removed Unused/Insecure Functions [File] [layout/painting/ActiveLayerTracker.h] [Lines 48-54, 62-66, 94-103, 135-150] [Old Code] Various functions related to offset properties, scroll handlers, and content changes were present [Fixed Code] These functions were removed in the newer version 2. Vulnerability Existed: not sure Potential Code Simplification/Security Hardening [File] [layout/painting/ActiveLayerTracker.h] [Lines 35-37] [Old Code] Included eCSSProperty_left, eCSSProperty_top, eCSSProperty_right, eCSSProperty_bottom in property list [Fixed Code] These properties were removed from the comment list Note: While this appears to be primarily a code cleanup/refactoring change rather than a direct security fix, removing unused functions and simplifying code can indirectly improve security by: 1. Reducing attack surface 2. Removing potentially buggy or untested code paths 3. Making the code easier to audit However, without more context about why these functions were removed or whether they had known vulnerabilities, we can't definitively state this was a security fix. The changes could also be related to performance optimization or architectural changes.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.gradient.conic.invalid.inputs.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.gradient.conic.invalid.inputs.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); assert_throws_js(TypeError, function() { ctx.createConicGradient(Infinity, 0, 1); }); assert_throws_js(TypeError, function() { ctx.createConicGradient(-Infinity, 0, 1); });
Here's my analysis of the provided code diff:
Vulnerability Existed: no
[No specific vulnerability found] [testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.gradient.conic.invalid.inputs.worker.js] [Lines 13-14]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
Additional Details:
The changes appear to be purely cosmetic/refactoring in nature, renaming a variable from `offscreenCanvas` to `canvas`. There's no indication of any security vulnerability being fixed in this change. The test continues to perform the same validation checks for invalid inputs to createConicGradient.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/text/2d.text.baseline.invalid.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/text/2d.text.baseline.invalid.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.textBaseline = 'top'; ctx.textBaseline = 'bogus';
Analysis of the provided code diff:
1. Vulnerability Existed: no
No specific vulnerability found [File] testing/web-platform/tests/html/canvas/offscreen/text/2d.text.baseline.invalid.worker.js [Lines] 13-14
Old Code:
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
Fixed Code:
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
Additional Details:
- The changes appear to be purely variable naming changes (from 'offscreenCanvas' to 'canvas')
- No security-related changes or fixes are evident in this diff
- The modification doesn't address any known vulnerability patterns
- The change seems to be for code consistency or readability rather than security
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/services/settings/dumps/main/top-sites.json+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/services/settings/dumps/main/top-sites.json@@ -1,164 +1,38 @@ { "data": [ {- "url": "https://www.ebay.fr/?mkevt=1&mkcid=2&mkrid=709-162318-301183-6&keyword=conducive&crlp=318455056FR%YYYYMMDDHH%&MT_ID=562786&device=Computers&cmpgn=218623",+ "url": "https://www.wikipedia.org/", "order": 0,- "title": "eBay",- "schema": 1625781622121,- "include_regions": [- "FR"- ],- "sponsored_position": 2,- "include_experiments": [- "ebay-2020-1"- ],- "send_attribution_request": true,- "id": "8cbfd678-b014-4047-8039-881c9a4e6bd3",- "last_modified": 1625844592286- },- {- "url": "https://www.ebay.it/?mkevt=1&mkcid=2&mkrid=724-162318-411672-5&keyword=conducive&crlp=318422032IT%YYYYMMDDHH%&MT_ID=562786&device=Computers&cmpgn=218025",- "order": 0,- "title": "eBay",- "schema": 1625590332081,- "include_regions": [- "IT"- ],- "sponsored_position": 2,- "include_experiments": [- "ebay-2020-1"- ],- "send_attribution_request": true,- "id": "fc1ecd88-b91c-423b-a9eb-fbf65545ca76",- "last_modified": 1625844592281- },- {- "url": "https://yandex.com/?clid=2453500",- "order": 0,- "title": "Yandex",- "schema": 1624656907165,- "include_locales": [- "en-US",- "en-CA",- "en-GB"- ],+ "title": "Wikipedia",+ "schema": 1646585618139, "include_regions": [ "RU", "BY", "KZ",+ "UA",+ "UZ", "TR" ],- "sponsored_position": 1,- "include_experiments": [- "yandex-2021-1"- ],- "id": "91e008f0-3de8-4444-bbcc-859074315c08",- "last_modified": 1624657519691- },- {- "url": "https://yandex.ru/?clid=2453500",- "order": 0,- "title": "Яндекс",- "schema": 1624392813076,- "include_locales": [- "ru"- ],- "include_regions": [+ "id": "060ad5fe-40c3-490c-92bc-1ba5fc14a451",+ "last_modified": 1646597012924+ },+ {+ "url": "https://www.wikipedia.org/",+ "order": 30,+ "title": "Wikipedia",+ "schema": 1646445825860,+ "exclude_regions": [+ "GB",+ "CN", "RU", "BY", "KZ",+ "UA",+ "UZ", "TR" ],- "sponsored_position": 1,- "include_experiments": [- "yandex-2021-1"- ],- "send_attribution_request": false,- "id": "f16abe55-30be-4d53-b1ac-7ba1e16d17c6",- "last_modified": 1624657519687- },- {- "url": "https://yandex.by/?clid=2453500",- "order": 0,- "title": "Яндекс",- "schema": 1624656772350,- "include_locales": [- "be"- ],- "include_regions": [- "BY",- "RU",- "KZ",- "TR"- ],- "sponsored_position": 1,- "include_experiments": [- "yandex-2021-1"- ],- "send_attribution_request": false,- "id": "dbb0749e-1556-420f-8f3e-2e9d5b5efbee",- "last_modified": 1624657519683- },- {- "url": "https://yandex.kz/?clid=2453500",- "order": 0,- "title": "Яндекс",- "schema": 1624656814111,- "include_locales": [- "kk"- ],- "include_regions": [- "KZ",- "RU",- "BY",- "TR"- ],- "sponsored_position": 1,- "include_experiments": [- "yandex-2021-1"- ],- "send_attribution_request": false,- "id": "5863a53d-e0c3-4053-8332-1edf7f5b7797",- "last_modified": 1624657519679- },- {- "url": "https://yandex.com.tr/?clid=2453500",- "order": 0,- "title": "Yandex",- "schema": 1624656851535,- "include_locales": [- "tr"- ],- "include_regions": [- "TR",- "RU",- "BY",- "KZ"- ],- "sponsored_position": 1,- "include_experiments": [- "yandex-2021-1"- ],- "send_attribution_request": false,- "id": "dbbcd85e-6db4-44d5-9cc1-abad1fe1e557",- "last_modified": 1624657519676- },- {- "url": "https://www.amazon.ca/?tag=admpdesktopca-20&ref=pd_sl_a317866944CA%YYYYMMDDHH%",- "order": 0,- "title": "Amazon",- "schema": 1624370112441,- "include_regions": [- "CA"- ],- "sponsored_position": 1,- "include_experiments": [- "ebay-2020-1"- ],- "url_urlbar_override": "https://www.amazon.ca/?tag=admpdesktopca-20&ref=pd_sl_a317867036CA%YYYYMMDDHH%",- "send_attribution_request": true,- "id": "f2fc4f42-d930-4c0c-acdc-1d29b56234d3",- "last_modified": 1624376393940+ "id": "c109ad2c-eae5-4b47-bac7-ac2eb9eb9aab",+ "last_modified": 1646597012919 }, { "url": "https://www.amazon.ca/",@@ -176,22 +50,6 @@ "last_modified": 1624376393938 }, {- "url": "https://www.amazon.es/?tag=admarketpl0c0-21&ref=pd_sl_a317866950ES%YYYYMMDDHH%",- "order": 0,- "title": "Amazon",- "schema": 1623872989071,- "include_regions": [- "ES"- ],- "sponsored_position": 1,- "include_experiments": [- "ebay-2020-1"- ],- "send_attribution_request": true,- "id": "d69308b2-7a6e-49e9-bfae-77fbafcb1ce2",- "last_modified": 1623959042906- },- { "url": "https://www.amazon.com/", "order": 50, "title": "Amazon",@@ -205,105 +63,6 @@ ], "id": "354690ae-3d9d-4745-a82b-7ac43e4b3213", "last_modified": 1623959042903- },- {- "url": "https://www.etsy.com/ca?utm_source=admarketplace&utm_medium=cpc&utm_term=etsy_exact&utm_campaign=Search_CA_Nonbrand_AMP_Conducive&utm_ag=utmag&utm_custom1=318426293CA%YYYYMMDDHH%_&utm_content=amp_218221_14988193_creative_targetid_device_feeditemid_318426293CA&utm_custom2=218221",- "order": 0,- "title": "Etsy",- "schema": 1620923802877,- "include_regions": [- "CA"- ],- "sponsored_position": 1,- "include_experiments": [- "disabled"- ],- "send_attribution_request": true,- "id": "0171a7bd-6ddc-409b-b68f-dc5e9e5224d5",- "last_modified": 1621028626497- },- {- "url": "https://www.amazon.com.br/?tag=admarketbr-20&ref=pd_sl_a317866941BR%YYYYMMDDHH%",- "order": 0,- "title": "Amazon",- "schema": 1617895381812,- "include_regions": [- "BR"- ],- "sponsored_position": 1,- "include_experiments": [- "ebay-2020-1"- ],- "send_attribution_request": true,- "id": "7e3ef99b-55d8-42f1-a8e9-7e696545cdbd",- "last_modified": 1619451115290- },- {- "url": "https://www.amazon.in/?tag=admpdesktopin-21&ref=pd_sl_a317866956IN%YYYYMMDDHH%",- "order": 0,- "title": "Amazon",- "schema": 1617982468842,- "include_regions": [- "IN"- ],- "sponsored_position": 1,- "include_experiments": [- "ebay-2020-1"- ],- "send_attribution_request": true,- "id": "f99e66fc-88c2-4478-807e-7bb84e95c207",- "last_modified": 1619451115284- },- {- "url": "https://www.amazon.it/?tag=admarketpla0c-21&ref=pd_sl_a317866959IT%YYYYMMDDHH%",- "order": 0,- "title": "Amazon",- "schema": 1617982545531,- "include_regions": [- "IT"- ],- "sponsored_position": 1,- "include_experiments": [- "ebay-2020-1"- ],- "send_attribution_request": true,- "id": "9ae71287-6c2a-4e69-9d4e-c42defd0df42",- "last_modified": 1619451115280- },- {- "url": "https://www.amazon.com.mx/?tag=admarketdskmx-20&ref=pd_sl_a317866962MX%YYYYMMDDHH%",- "order": 0,- "title": "Amazon",- "schema": 1617982697716,- "include_regions": [- "MX"- ],- "sponsored_position": 1,- "include_experiments": [- "ebay-2020-1"- ],- "send_attribution_request": true,- "id": "3413f2c2-7612-46ec-98b7-e529114e7240",- "last_modified": 1619451115271- },- {- "url": "https://yandex.ru/",- "order": 0,- "title": "Yandex",- "schema": 1618500265732,- "include_regions": [- "BY",- "KZ",- "RU",- "TR"- ],- "search_shortcut": true,- "exclude_experiments": [- "yandex-2021-1"- ],- "include_experiments": [],- "id": "49e408ae-41c9-400c-9d9a-b871e0ef8db4",- "last_modified": 1619451115264 }, { "url": "https://www.amazon.fr/",@@ -423,91 +182,6 @@ "last_modified": 1611838808375 }, {- "url": "https://www.ebay.com.au/?mkevt=1&mkcid=2&mkrid=7051608169736203&keyword=conducive&crlp=318353405AU%YYYYMMDDHH%&MT_ID=562786&device=Computers&cmpgn=217349",- "order": 0,- "title": "eBay",- "schema": 1611316042640,- "include_regions": [- "AU"- ],- "sponsored_position": 2,- "include_experiments": [- "ebay-2020-1"- ],- "url_urlbar_override": "https://www.ebay.com.au/?mkevt=1&mkcid=2&mkrid=7051608169736203&keyword=conducive&crlp=318353406AU%YYYYMMDDHH%&MT_ID=562786&device=Computers&cmpgn=217349",- "send_attribution_request": true,- "id": "998a610f-a1aa-4c89-b711-e642af665560",- "last_modified": 1611677652023- },- {- "url": "https://www.ebay.ca/?mkevt=1&mkcid=2&mkrid=7061608169858537&keyword=conducive&crlp=318370981CA%YYYYMMDDHH%&MT_ID=562786&geo_id=&device=Computers&cmpgn=217715",- "order": 0,- "title": "eBay",- "schema": 1611173713861,- "include_regions": [- "CA"- ],- "sponsored_position": 2,- "include_experiments": [- "ebay-2020-1"- ],- "url_urlbar_override": "https://www.ebay.ca/?mkevt=1&mkcid=2&mkrid=7061608169858537&keyword=conducive&crlp=318370982CA%YYYYMMDDHH%&MT_ID=562786&geo_id=&device=Computers&cmpgn=217715",- "send_attribution_request": true,- "id": "cda45b34-704c-4cb5-9a9a-426d8dd6b745",- "last_modified": 1611677652020- },- {- "url": "https://www.ebay.com/?mkevt=1&mkcid=2&mkrid=7111608169546898&keyword=conducive&crlp=318353411US%YYYYMMDDHH%&MT_ID=562786&geo_id=10232&device=Computers&cmpgn=216223",- "order": 0,- "title": "eBay",- "schema": 1610984980368,- "include_regions": [- "US"- ],- "sponsored_position": 2,- "include_experiments": [- "ebay-2020-1"- ],- "url_urlbar_override": "https://www.ebay.com/?mkevt=1&mkcid=2&mkrid=7111608169546898&keyword=conducive&crlp=318353412US%YYYYMMDDHH%&MT_ID=562786&geo_id=10232&device=Computers&cmpgn=216223",- "send_attribution_request": true,- "id": "0f88ad04-9af4-4a88-8211-aa02d5a0b288",- "last_modified": 1611076538711- },- {- "url": "https://www.ebay.co.uk/?mkevt=1&mkcid=2&mkrid=7101608169642080&keyword=conducive&crlp=318355819GB%YYYYMMDDHH%&MT_ID=562786&device=Computers&cmpgn=216901",- "order": 0,- "title": "eBay",- "schema": 1610985000385,- "include_regions": [- "GB"- ],- "sponsored_position": 2,- "include_experiments": [- "ebay-2020-1"- ],- "url_urlbar_override": "https://www.ebay.co.uk/?mkevt=1&mkcid=2&mkrid=7101608169642080&keyword=conducive&crlp=318355820GB%YYYYMMDDHH%&MT_ID=562786&device=Computers&cmpgn=216901",- "send_attribution_request": true,- "id": "63fab9a4-70d9-49d7-8b31-089867280316",- "last_modified": 1611076538707- },- {- "url": "https://www.ebay.de/?mkevt=1&mkcid=2&mkrid=7071608169806221&keyword=conducive&crlp=318367612DE%YYYYMMDDHH%&MT_ID=562786&device=Computers&cmpgn=217719",- "order": 0,- "title": "eBay",- "schema": 1610826102114,- "include_regions": [- "DE"- ],- "sponsored_position": 2,- "include_experiments": [- "ebay-2020-1"- ],- "url_urlbar_override": "https://www.ebay.de/?mkevt=1&mkcid=2&mkrid=7071608169806221&keyword=conducive&crlp=318367613DE%YYYYMMDDHH%&MT_ID=562786&device=Computers&cmpgn=217719",- "send_attribution_request": true,- "id": "4efa52be-32c9-4ab9-807d-ca3cb3c8f340",- "last_modified": 1611076538696- },- { "url": "https://www.ebay.co.uk/", "order": 70, "title": "eBay",@@ -522,40 +196,6 @@ "last_modified": 1611076538693 }, {- "url": "https://www.amazon.com.au/?tag=admarketdeskt-22&ref=pd_sl_a318408405AU%YYYYMMDDHH%",- "order": 0,- "title": "Amazon",- "schema": 1608030031997,- "include_regions": [- "AU"- ],- "sponsored_position": 1,- "include_experiments": [- "ebay-2020-1"- ],- "url_urlbar_override": "https://www.amazon.com.au/?tag=admarketdeskt-22&ref=pd_sl_a318408406AU%YYYYMMDDHH%",- "send_attribution_request": true,- "id": "fa9b04d5-5917-421b-a8a0-963722ad8d7f",- "last_modified": 1608239138396- },- {- "url": "https://www.amazon.fr/?tag=admarketpla00-21&ref=pd_sl_a317866953FR%YYYYMMDDHH%",- "order": 0,- "title": "Amazon",- "schema": 1608031563878,- "include_regions": [- "FR"- ],- "sponsored_position": 1,- "include_experiments": [- "ebay-2020-1"- ],- "url_urlbar_override": "https://www.amazon.fr/?tag=admarketpla00-21&ref=pd_sl_a317867039FR%YYYYMMDDHH%",- "send_attribution_request": true,- "id": "4b14dda7-4d66-4add-855c-19dfb5b84ede",- "last_modified": 1608239138388- },- { "url": "https://www.ebay.de/", "order": 26, "title": "eBay",@@ -570,57 +210,6 @@ "last_modified": 1608239138349 }, {- "url": "https://www.amazon.de/?tag=admpdesktopde-21&ref=pd_sl_a8E0DFDAEAADZZ12%YYYYMMDDHH%",- "order": 0,- "title": "Amazon",- "schema": 1605021228258,- "include_regions": [- "DE"- ],- "sponsored_position": 1,- "include_experiments": [- "ebay-2020-1"- ],- "url_urlbar_override": "https://www.amazon.de/?tag=admpdesktopde-21&ref=pd_sl_aBB39B9165B5CF11%YYYYMMDDHH%",- "send_attribution_request": true,- "id": "306a3851-b9ff-4b3a-a4aa-8f408fea4b68",- "last_modified": 1605024212690- },- {- "url": "https://www.amazon.co.uk/?tag=admpdesktopuk-21&ref=pd_sl_aF2E70068DAAZZ23%YYYYMMDDHH%",- "order": 0,- "title": "Amazon",- "schema": 1605021314971,- "include_regions": [- "GB"- ],- "sponsored_position": 1,- "include_experiments": [- "ebay-2020-1"- ],- "url_urlbar_override": "https://www.amazon.co.uk/?tag=admpdesktopuk-21&ref=pd_sl_a03A81C10121DA11%YYYYMMDDHH%",- "send_attribution_request": true,- "id": "b841da27-9b4d-4660-813a-8ccbde98e022",- "last_modified": 1605024212686- },- {- "url": "https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_a77559ED8D65AA12%YYYYMMDDHH%",- "order": 0,- "title": "Amazon",- "schema": 1605021163110,- "include_regions": [- "US"- ],- "sponsored_position": 1,- "include_experiments": [- "ebay-2020-1"- ],- "url_urlbar_override": "https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_a3B05123160CA611%YYYYMMDDHH%",- "send_attribution_request": true,- "id": "e429f95f-42d5-4bdd-9109-726a8a2d055a",- "last_modified": 1605024212682- },- { "url": "https://www.reddit.com/", "order": 25, "title": "Reddit",@@ -729,26 +318,6 @@ "last_modified": 1599146777426 }, {- "url": "https://vk.com/",- "order": 5,- "schema": 1599056213323,- "include_regions": [- "RU"- ],- "id": "ac72a188-802a-447b-9a79-0a4835136240",- "last_modified": 1599146777420- },- {- "url": "https://ok.ru/",- "order": 11,- "schema": 1599056214142,- "include_regions": [- "RU"- ],- "id": "2db41cb5-c87b-4fef-9583-d2d3d85fa182",- "last_modified": 1599146777416- },- { "url": "https://www.avito.ru/", "order": 12, "schema": 1599056215077,@@ -815,18 +384,6 @@ ], "id": "19045f47-6dde-43a8-9511-3fc0c4555a09", "last_modified": 1599146777365- },- {- "url": "https://www.wikipedia.org/",- "order": 30,- "title": "Wikipedia",- "schema": 1599056608910,- "exclude_regions": [- "GB",- "CN"- ],- "id": "c109ad2c-eae5-4b47-bac7-ac2eb9eb9aab",- "last_modified": 1599146777355 }, { "url": "https://www.bbc.co.uk/",
Based on the provided diff, I'll analyze the changes for security fixes: 1. Vulnerability Existed: yes Tracking Parameters in URLs [services/settings/dumps/main/top-sites.json] [Multiple lines] [Old Code] Multiple entries with tracking parameters like: "url": "https://www.ebay.fr/?mkevt=1&mkcid=2&mkrid=709-162318-301183-6&keyword=conducive&crlp=318455056FR%YYYYMMDDHH%&MT_ID=562786&device=Computers&cmpgn=218623" [Fixed Code] Simplified URLs without tracking parameters: "url": "https://www.wikipedia.org/" 2. Vulnerability Existed: yes Overly Permissive Tracking [services/settings/dumps/main/top-sites.json] [Multiple lines] [Old Code] Entries with "send_attribution_request": true and extensive tracking parameters [Fixed Code] Removed tracking-related attributes and simplified entries 3. Vulnerability Existed: not sure Potential Referrer Leak [services/settings/dumps/main/top-sites.json] [Multiple lines] [Old Code] Entries with "url_urlbar_override" containing tracking parameters [Fixed Code] Removed these entries entirely The main security improvements appear to be: 1. Removal of tracking parameters from URLs 2. Removal of attribution/tracking-related fields 3. Simplification of the top sites list to use canonical URLs The changes suggest a move away from tracking users through URL parameters and attribution requests, which could previously have leaked sensitive browsing information. Note: While not a classic vulnerability, these changes improve privacy by reducing tracking capabilities that could have been abused for fingerprinting or other privacy-invasive practices.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/talos/talos/talos-powers/api.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/talos/talos/talos-powers/api.js@@ -8,9 +8,13 @@ "resource://gre/modules/ComponentUtils.jsm" ); XPCOMUtils.defineLazyModuleGetters(this, {+ AboutHomeStartupCache: "resource:///modules/BrowserGlue.jsm",+ AboutNewTab: "resource:///modules/AboutNewTab.jsm", BrowserWindowTracker: "resource:///modules/BrowserWindowTracker.jsm", OS: "resource://gre/modules/osfile.jsm", PerTestCoverageUtils: "resource://testing-common/PerTestCoverageUtils.jsm",+ SessionStore: "resource:///modules/sessionstore/SessionStore.jsm",+ setTimeout: "resource://gre/modules/Timer.jsm", }); XPCOMUtils.defineLazyServiceGetter(@@ -264,7 +268,10 @@ }, async forceQuit(messageData) {- if (messageData && messageData.waitForSafeBrowsing) {+ if (messageData && messageData.waitForStartupFinished) {+ // We can wait for various startup items here to complete during+ // the getInfo.html step for Talos so that subsequent runs don't+ // have to do things like re-request the SafeBrowsing list. let SafeBrowsing = ChromeUtils.import( "resource://gre/modules/SafeBrowsing.jsm", {}@@ -278,7 +285,35 @@ } catch (e) { // We don't care if things go wrong here - let's just shut down. }- }++ // We wait for the AboutNewTab's TopSitesFeed (and its "Contile"+ // integration, which shows the sponsored Top Sites) to finish+ // being enabled here. This is because it's possible for getInfo.html+ // to run so quickly that the feed will still be initializing, and+ // that would cause us to write a mostly empty cache to the+ // about:home startup cache on shutdown, which causes that test+ // to break periodically.+ AboutNewTab.onBrowserReady();+ // There aren't currently any easily observable notifications or+ // events to let us know when the feed is ready, so we'll just poll+ // for now.+ let pollForFeed = async function() {+ let foundFeed = AboutNewTab.activityStream.store.feeds.get(+ "feeds.system.topsites"+ );+ if (!foundFeed) {+ await new Promise(resolve => setTimeout(resolve, 500));+ return pollForFeed();+ }+ return foundFeed;+ };+ let feed = await pollForFeed();+ await feed._contile.refresh();+ await feed.refresh({ broadcast: true });+ await AboutHomeStartupCache.cacheNow();+ }++ await SessionStore.promiseAllWindowsRestored; // Check to see if the top-most browser window still needs to fire its // idle tasks notification. If so, we'll wait for it before shutting
Analyzing the provided code diff for security fixes:
1. Vulnerability Existed: not sure
[Potential Race Condition] [testing/talos/talos/talos-powers/api.js] [Lines 264-285]
[Old Code]
```js
async forceQuit(messageData) {
if (messageData && messageData.waitForSafeBrowsing) {
let SafeBrowsing = ChromeUtils.import(
"resource://gre/modules/SafeBrowsing.jsm",
{}
);
try {
await SafeBrowsing.init();
await SafeBrowsing.updateLists();
} catch (e) {
// We don't care if things go wrong here - let's just shut down.
}
}
```
[Fixed Code]
```js
async forceQuit(messageData) {
if (messageData && messageData.waitForStartupFinished) {
// We can wait for various startup items here to complete during
// the getInfo.html step for Talos so that subsequent runs don't
// have to do things like re-request the SafeBrowsing list.
let SafeBrowsing = ChromeUtils.import(
"resource://gre/modules/SafeBrowsing.jsm",
{}
);
try {
await SafeBrowsing.init();
await SafeBrowsing.updateLists();
} catch (e) {
// We don't care if things go wrong here - let's just shut down.
}
```
Additional Details: The change adds more comprehensive startup completion checks, but it's unclear if this was fixing a specific security vulnerability or just improving reliability.
2. Vulnerability Existed: not sure
[Potential Resource Initialization Issue] [testing/talos/talos/talos-powers/api.js] [Lines 264-285]
[Old Code]
(Same as above)
[Fixed Code]
```js
// ... (same SafeBrowsing code as above) ...
AboutNewTab.onBrowserReady();
let pollForFeed = async function() {
let foundFeed = AboutNewTab.activityStream.store.feeds.get(
"feeds.system.topsites"
);
if (!foundFeed) {
await new Promise(resolve => setTimeout(resolve, 500));
return pollForFeed();
}
return foundFeed;
};
let feed = await pollForFeed();
await feed._contile.refresh();
await feed.refresh({ broadcast: true });
await AboutHomeStartupCache.cacheNow();
```
Additional Details: The addition of feed initialization and caching checks might prevent race conditions or incomplete state issues, but it's not clearly a security fix.
3. Vulnerability Existed: not sure
[Potential Session State Issue] [testing/talos/talos/talos-powers/api.js] [Lines 264-285]
[Old Code]
(Same as initial code)
[Fixed Code]
```js
await SessionStore.promiseAllWindowsRestored;
```
Additional Details: The addition of waiting for all windows to be restored might prevent state corruption issues, but this appears more like a reliability improvement than a security fix.
Note: While there are several changes that improve the robustness of the shutdown sequence, none of them clearly address known security vulnerabilities. The changes appear to be more focused on improving test reliability and preventing race conditions during shutdown sequences.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/line-styles/2d.line.join.bevel.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/line-styles/2d.line.join.bevel.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#0f0'; ctx.fillRect(0, 0, 100, 50);@@ -53,16 +53,16 @@ ctx.lineTo(90+tol, 20); ctx.lineTo(80, 10-tol); ctx.fill();-_assertPixel(offscreenCanvas, 34,16, 0,255,0,255, "34,16", "0,255,0,255");-_assertPixel(offscreenCanvas, 34,15, 0,255,0,255, "34,15", "0,255,0,255");-_assertPixel(offscreenCanvas, 35,15, 0,255,0,255, "35,15", "0,255,0,255");-_assertPixel(offscreenCanvas, 36,15, 0,255,0,255, "36,15", "0,255,0,255");-_assertPixel(offscreenCanvas, 36,14, 0,255,0,255, "36,14", "0,255,0,255");-_assertPixel(offscreenCanvas, 84,16, 0,255,0,255, "84,16", "0,255,0,255");-_assertPixel(offscreenCanvas, 84,15, 0,255,0,255, "84,15", "0,255,0,255");-_assertPixel(offscreenCanvas, 85,15, 0,255,0,255, "85,15", "0,255,0,255");-_assertPixel(offscreenCanvas, 86,15, 0,255,0,255, "86,15", "0,255,0,255");-_assertPixel(offscreenCanvas, 86,14, 0,255,0,255, "86,14", "0,255,0,255");+_assertPixel(canvas, 34,16, 0,255,0,255, "34,16", "0,255,0,255");+_assertPixel(canvas, 34,15, 0,255,0,255, "34,15", "0,255,0,255");+_assertPixel(canvas, 35,15, 0,255,0,255, "35,15", "0,255,0,255");+_assertPixel(canvas, 36,15, 0,255,0,255, "36,15", "0,255,0,255");+_assertPixel(canvas, 36,14, 0,255,0,255, "36,14", "0,255,0,255");+_assertPixel(canvas, 84,16, 0,255,0,255, "84,16", "0,255,0,255");+_assertPixel(canvas, 84,15, 0,255,0,255, "84,15", "0,255,0,255");+_assertPixel(canvas, 85,15, 0,255,0,255, "85,15", "0,255,0,255");+_assertPixel(canvas, 86,15, 0,255,0,255, "86,15", "0,255,0,255");+_assertPixel(canvas, 86,14, 0,255,0,255, "86,14", "0,255,0,255"); t.done(); });
After analyzing the provided code diff, I don't find any security vulnerabilities. The changes appear to be purely cosmetic/refactoring changes where a variable name was changed from `offscreenCanvas` to `canvas` and all subsequent references were updated accordingly.
Here's the structured response:
Vulnerability Existed: no
No security vulnerability found
File: testing/web-platform/tests/html/canvas/offscreen/line-styles/2d.line.join.bevel.html
Lines: 17-53
Old Code: var offscreenCanvas = new OffscreenCanvas(100, 50); var ctx = offscreenCanvas.getContext('2d');
Fixed Code: var canvas = new OffscreenCanvas(100, 50); var ctx = canvas.getContext('2d');
The changes are simply variable renaming and don't appear to address any security issues. The functionality remains exactly the same, just with a different variable name.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/text/2d.text.drawing.style.measure.textAlign.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/text/2d.text.drawing.style.measure.textAlign.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.textAlign = "right"; metrics = ctx.measureText('hello');
Analysis of the provided code diff:
1. Vulnerability Existed: no
No security vulnerability found [File] [Lines 17-18]
Old Code:
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
Fixed Code:
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
Additional Details:
- The change appears to be purely a variable name change from `offscreenCanvas` to `canvas`
- No security implications are visible in this change
- The functionality remains exactly the same, only the variable name is more concise
- This is likely a code style/readability improvement rather than a security fix
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/warp/src/filters/ws.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/warp/src/filters/ws.rs@@ -102,6 +102,14 @@ self.config .get_or_insert_with(WebSocketConfig::default) .max_message_size = Some(max);+ self+ }++ /// Set the maximum frame size (defaults to 16 megabytes)+ pub fn max_frame_size(mut self, max: usize) -> Self {+ self.config+ .get_or_insert_with(|| WebSocketConfig::default())+ .max_frame_size = Some(max); self } }
Here's the analysis of the provided code diff:
Vulnerability Existed: not sure
[Potential Denial of Service through WebSocket Frame Size Limitation] [third_party/rust/warp/src/filters/ws.rs] [Lines 102-111]
[Old Code]
(No previous frame size limitation setting existed)
[Fixed Code]
```rust
/// Set the maximum frame size (defaults to 16 megabytes)
pub fn max_frame_size(mut self, max: usize) -> Self {
self.config
.get_or_insert_with(|| WebSocketConfig::default())
.max_frame_size = Some(max);
self
}
```
Additional Details:
The diff shows the addition of a `max_frame_size` configuration option for WebSocket connections. While not explicitly fixing a known vulnerability, this change helps prevent potential denial of service attacks by allowing applications to limit the maximum frame size in WebSocket communications. Without frame size limits, an attacker could potentially send very large frames that consume excessive memory/resources. The default value of 16MB is a reasonable protection measure.
Note: This appears to be a proactive security enhancement rather than a fix for a specific known vulnerability. The change improves the robustness of the WebSocket implementation against potential abuse.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/font-access/resources/window-tests-enumeration.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/font-access/resources/window-tests-enumeration.js@@ -10,14 +10,14 @@ font_access_test(async t => { const fonts =- await navigator.fonts.query({persistentAccess: true, ...test});+ await navigator.fonts.query(test); assert_fonts_exist(fonts, getEnumerationTestSet()); }, `query(): standard fonts returned for input: ${inputAsString}`); } font_access_test(async t => {- const fonts = await navigator.fonts.query({persistentAccess: true});+ const fonts = await navigator.fonts.query(); // The following tests that fonts are sorted. Postscript names are expected to // be encoded in a subset of the ASCII character set. // See: https://docs.microsoft.com/en-us/typography/opentype/spec/name@@ -38,7 +38,6 @@ font_access_test(async t => { const test = {- persistentAccess: true, select: [getEnumerationTestSet()[0].postscriptName] }; const fonts = await navigator.fonts.query(test);@@ -69,8 +68,7 @@ for (const test of non_ascii_input) { font_access_test(async t => {- const fonts =- await navigator.fonts.query({persistentAccess: true, ...test});+ const fonts = await navigator.fonts.query(test); assert_equals( fonts.length, 0, `There should be no results. Instead got: ${JSON.stringify(fonts)}`);
Analyzing the provided code diff, here are the potential security vulnerabilities:
1. Vulnerability Existed: not sure
[Potential Information Leak] [File: window-tests-enumeration.js] [Lines: 10, 38, 69]
[Old Code]
`await navigator.fonts.query({persistentAccess: true, ...test})`
[Fixed Code]
`await navigator.fonts.query(test)`
Additional Details:
The removal of `persistentAccess: true` parameter might indicate a security fix related to persistent font access permissions. Without more context, it's unclear if this was an actual vulnerability, but persistent access could potentially lead to information leakage if not properly controlled.
2. Vulnerability Existed: not sure
[Potential Over-Permission] [File: window-tests-enumeration.js] [Lines: 17]
[Old Code]
`const fonts = await navigator.fonts.query({persistentAccess: true})`
[Fixed Code]
`const fonts = await navigator.fonts.query()`
Additional Details:
The removal of persistent access flag in the default query might indicate a security improvement to prevent unnecessary persistent access to font enumeration data.
3. Vulnerability Existed: not sure
[Potential Permission Scope Reduction] [File: window-tests-enumeration.js] [Lines: 38]
[Old Code]
`const test = { persistentAccess: true, select: [...] }`
[Fixed Code]
`const test = { select: [...] }`
Additional Details:
The consistent removal of persistentAccess across all test cases suggests a deliberate security decision to limit font access scope, though the exact vulnerability being addressed isn't clear from the diff alone.
Note: The changes appear to be consistently removing the `persistentAccess` parameter throughout the test file, which suggests this was a deliberate security-related change. However, without additional context about the Font Access API's security model, I can't definitively identify a specific vulnerability being fixed. The changes could be related to permission scope reduction or preventing potential information leaks through persistent font access.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/js/src/jit/x86/MacroAssembler-x86.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/js/src/jit/x86/MacroAssembler-x86.cpp@@ -79,7 +79,7 @@ } void MacroAssemblerX86::vpPatchOpSimd128(- const SimdConstant& v, FloatRegister reg,+ const SimdConstant& v, FloatRegister src, FloatRegister dest, void (X86Encoding::BaseAssemblerX86::*op)( const void* address, X86Encoding::XMMRegisterID srcId, X86Encoding::XMMRegisterID destId)) {@@ -87,12 +87,12 @@ if (!val) { return; }- (masm.*op)(nullptr, reg.encoding(), reg.encoding());+ (masm.*op)(nullptr, src.encoding(), dest.encoding()); propagateOOM(val->uses.append(CodeOffset(masm.size()))); } void MacroAssemblerX86::vpPatchOpSimd128(- const SimdConstant& v, FloatRegister reg,+ const SimdConstant& v, FloatRegister src, FloatRegister dest, size_t (X86Encoding::BaseAssemblerX86::*op)( const void* address, X86Encoding::XMMRegisterID srcId, X86Encoding::XMMRegisterID destId)) {@@ -101,318 +101,324 @@ return; } size_t patchOffsetFromEnd =- (masm.*op)(nullptr, reg.encoding(), reg.encoding());+ (masm.*op)(nullptr, src.encoding(), dest.encoding()); propagateOOM(val->uses.append(CodeOffset(masm.size() - patchOffsetFromEnd))); }-void MacroAssemblerX86::vpaddbSimd128(const SimdConstant& v,- FloatRegister srcDest) {- vpPatchOpSimd128(v, srcDest, &X86Encoding::BaseAssemblerX86::vpaddb_mr);-}--void MacroAssemblerX86::vpaddwSimd128(const SimdConstant& v,- FloatRegister srcDest) {- vpPatchOpSimd128(v, srcDest, &X86Encoding::BaseAssemblerX86::vpaddw_mr);-}--void MacroAssemblerX86::vpadddSimd128(const SimdConstant& v,- FloatRegister srcDest) {- vpPatchOpSimd128(v, srcDest, &X86Encoding::BaseAssemblerX86::vpaddd_mr);-}--void MacroAssemblerX86::vpaddqSimd128(const SimdConstant& v,- FloatRegister srcDest) {- vpPatchOpSimd128(v, srcDest, &X86Encoding::BaseAssemblerX86::vpaddq_mr);-}--void MacroAssemblerX86::vpsubbSimd128(const SimdConstant& v,- FloatRegister srcDest) {- vpPatchOpSimd128(v, srcDest, &X86Encoding::BaseAssemblerX86::vpsubb_mr);-}--void MacroAssemblerX86::vpsubwSimd128(const SimdConstant& v,- FloatRegister srcDest) {- vpPatchOpSimd128(v, srcDest, &X86Encoding::BaseAssemblerX86::vpsubw_mr);-}--void MacroAssemblerX86::vpsubdSimd128(const SimdConstant& v,- FloatRegister srcDest) {- vpPatchOpSimd128(v, srcDest, &X86Encoding::BaseAssemblerX86::vpsubd_mr);-}--void MacroAssemblerX86::vpsubqSimd128(const SimdConstant& v,- FloatRegister srcDest) {- vpPatchOpSimd128(v, srcDest, &X86Encoding::BaseAssemblerX86::vpsubq_mr);-}--void MacroAssemblerX86::vpmullwSimd128(const SimdConstant& v,- FloatRegister srcDest) {- vpPatchOpSimd128(v, srcDest, &X86Encoding::BaseAssemblerX86::vpmullw_mr);-}--void MacroAssemblerX86::vpmulldSimd128(const SimdConstant& v,- FloatRegister srcDest) {- vpPatchOpSimd128(v, srcDest, &X86Encoding::BaseAssemblerX86::vpmulld_mr);-}--void MacroAssemblerX86::vpaddsbSimd128(const SimdConstant& v,- FloatRegister srcDest) {- vpPatchOpSimd128(v, srcDest, &X86Encoding::BaseAssemblerX86::vpaddsb_mr);+void MacroAssemblerX86::vpaddbSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest) {+ vpPatchOpSimd128(v, lhs, dest, &X86Encoding::BaseAssemblerX86::vpaddb_mr);+}++void MacroAssemblerX86::vpaddwSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest) {+ vpPatchOpSimd128(v, lhs, dest, &X86Encoding::BaseAssemblerX86::vpaddw_mr);+}++void MacroAssemblerX86::vpadddSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest) {+ vpPatchOpSimd128(v, lhs, dest, &X86Encoding::BaseAssemblerX86::vpaddd_mr);+}++void MacroAssemblerX86::vpaddqSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest) {+ vpPatchOpSimd128(v, lhs, dest, &X86Encoding::BaseAssemblerX86::vpaddq_mr);+}++void MacroAssemblerX86::vpsubbSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest) {+ vpPatchOpSimd128(v, lhs, dest, &X86Encoding::BaseAssemblerX86::vpsubb_mr);+}++void MacroAssemblerX86::vpsubwSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest) {+ vpPatchOpSimd128(v, lhs, dest, &X86Encoding::BaseAssemblerX86::vpsubw_mr);+}++void MacroAssemblerX86::vpsubdSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest) {+ vpPatchOpSimd128(v, lhs, dest, &X86Encoding::BaseAssemblerX86::vpsubd_mr);+}++void MacroAssemblerX86::vpsubqSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest) {+ vpPatchOpSimd128(v, lhs, dest, &X86Encoding::BaseAssemblerX86::vpsubq_mr);+}++void MacroAssemblerX86::vpmullwSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest) {+ vpPatchOpSimd128(v, lhs, dest, &X86Encoding::BaseAssemblerX86::vpmullw_mr);+}++void MacroAssemblerX86::vpmulldSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest) {+ vpPatchOpSimd128(v, lhs, dest, &X86Encoding::BaseAssemblerX86::vpmulld_mr);+}++void MacroAssemblerX86::vpaddsbSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest) {+ vpPatchOpSimd128(v, lhs, dest, &X86Encoding::BaseAssemblerX86::vpaddsb_mr); } void MacroAssemblerX86::vpaddusbSimd128(const SimdConstant& v,- FloatRegister srcDest) {- vpPatchOpSimd128(v, srcDest, &X86Encoding::BaseAssemblerX86::vpaddusb_mr);-}--void MacroAssemblerX86::vpaddswSimd128(const SimdConstant& v,- FloatRegister srcDest) {- vpPatchOpSimd128(v, srcDest, &X86Encoding::BaseAssemblerX86::vpaddsw_mr);+ FloatRegister lhs, FloatRegister dest) {+ vpPatchOpSimd128(v, lhs, dest, &X86Encoding::BaseAssemblerX86::vpaddusb_mr);+}++void MacroAssemblerX86::vpaddswSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest) {+ vpPatchOpSimd128(v, lhs, dest, &X86Encoding::BaseAssemblerX86::vpaddsw_mr); } void MacroAssemblerX86::vpadduswSimd128(const SimdConstant& v,- FloatRegister srcDest) {- vpPatchOpSimd128(v, srcDest, &X86Encoding::BaseAssemblerX86::vpaddusw_mr);-}--void MacroAssemblerX86::vpsubsbSimd128(const SimdConstant& v,- FloatRegister srcDest) {- vpPatchOpSimd128(v, srcDest, &X86Encoding::BaseAssemblerX86::vpsubsb_mr);+ FloatRegister lhs, FloatRegister dest) {+ vpPatchOpSimd128(v, lhs, dest, &X86Encoding::BaseAssemblerX86::vpaddusw_mr);+}++void MacroAssemblerX86::vpsubsbSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest) {+ vpPatchOpSimd128(v, lhs, dest, &X86Encoding::BaseAssemblerX86::vpsubsb_mr); } void MacroAssemblerX86::vpsubusbSimd128(const SimdConstant& v,- FloatRegister srcDest) {- vpPatchOpSimd128(v, srcDest, &X86Encoding::BaseAssemblerX86::vpsubusb_mr);-}--void MacroAssemblerX86::vpsubswSimd128(const SimdConstant& v,- FloatRegister srcDest) {- vpPatchOpSimd128(v, srcDest, &X86Encoding::BaseAssemblerX86::vpsubsw_mr);+ FloatRegister lhs, FloatRegister dest) {+ vpPatchOpSimd128(v, lhs, dest, &X86Encoding::BaseAssemblerX86::vpsubusb_mr);+}++void MacroAssemblerX86::vpsubswSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest) {+ vpPatchOpSimd128(v, lhs, dest, &X86Encoding::BaseAssemblerX86::vpsubsw_mr); } void MacroAssemblerX86::vpsubuswSimd128(const SimdConstant& v,- FloatRegister srcDest) {- vpPatchOpSimd128(v, srcDest, &X86Encoding::BaseAssemblerX86::vpsubusw_mr);-}--void MacroAssemblerX86::vpminsbSimd128(const SimdConstant& v,- FloatRegister srcDest) {- vpPatchOpSimd128(v, srcDest, &X86Encoding::BaseAssemblerX86::vpminsb_mr);-}--void MacroAssemblerX86::vpminubSimd128(const SimdConstant& v,- FloatRegister srcDest) {- vpPatchOpSimd128(v, srcDest, &X86Encoding::BaseAssemblerX86::vpminub_mr);-}--void MacroAssemblerX86::vpminswSimd128(const SimdConstant& v,- FloatRegister srcDest) {- vpPatchOpSimd128(v, srcDest, &X86Encoding::BaseAssemblerX86::vpminsw_mr);-}--void MacroAssemblerX86::vpminuwSimd128(const SimdConstant& v,- FloatRegister srcDest) {- vpPatchOpSimd128(v, srcDest, &X86Encoding::BaseAssemblerX86::vpminuw_mr);-}--void MacroAssemblerX86::vpminsdSimd128(const SimdConstant& v,- FloatRegister srcDest) {- vpPatchOpSimd128(v, srcDest, &X86Encoding::BaseAssemblerX86::vpminsd_mr);-}--void MacroAssemblerX86::vpminudSimd128(const SimdConstant& v,- FloatRegister srcDest) {- vpPatchOpSimd128(v, srcDest, &X86Encoding::BaseAssemblerX86::vpminud_mr);-}--void MacroAssemblerX86::vpmaxsbSimd128(const SimdConstant& v,- FloatRegister srcDest) {- vpPatchOpSimd128(v, srcDest, &X86Encoding::BaseAssemblerX86::vpmaxsb_mr);-}--void MacroAssemblerX86::vpmaxubSimd128(const SimdConstant& v,- FloatRegister srcDest) {- vpPatchOpSimd128(v, srcDest, &X86Encoding::BaseAssemblerX86::vpmaxub_mr);-}--void MacroAssemblerX86::vpmaxswSimd128(const SimdConstant& v,- FloatRegister srcDest) {- vpPatchOpSimd128(v, srcDest, &X86Encoding::BaseAssemblerX86::vpmaxsw_mr);-}--void MacroAssemblerX86::vpmaxuwSimd128(const SimdConstant& v,- FloatRegister srcDest) {- vpPatchOpSimd128(v, srcDest, &X86Encoding::BaseAssemblerX86::vpmaxuw_mr);-}--void MacroAssemblerX86::vpmaxsdSimd128(const SimdConstant& v,- FloatRegister srcDest) {- vpPatchOpSimd128(v, srcDest, &X86Encoding::BaseAssemblerX86::vpmaxsd_mr);-}--void MacroAssemblerX86::vpmaxudSimd128(const SimdConstant& v,- FloatRegister srcDest) {- vpPatchOpSimd128(v, srcDest, &X86Encoding::BaseAssemblerX86::vpmaxud_mr);-}--void MacroAssemblerX86::vpandSimd128(const SimdConstant& v,- FloatRegister srcDest) {- vpPatchOpSimd128(v, srcDest, &X86Encoding::BaseAssemblerX86::vpand_mr);-}--void MacroAssemblerX86::vpxorSimd128(const SimdConstant& v,- FloatRegister srcDest) {- vpPatchOpSimd128(v, srcDest, &X86Encoding::BaseAssemblerX86::vpxor_mr);-}--void MacroAssemblerX86::vporSimd128(const SimdConstant& v,- FloatRegister srcDest) {- vpPatchOpSimd128(v, srcDest, &X86Encoding::BaseAssemblerX86::vpor_mr);-}--void MacroAssemblerX86::vaddpsSimd128(const SimdConstant& v,- FloatRegister srcDest) {- vpPatchOpSimd128(v, srcDest, &X86Encoding::BaseAssemblerX86::vaddps_mr);-}--void MacroAssemblerX86::vaddpdSimd128(const SimdConstant& v,- FloatRegister srcDest) {- vpPatchOpSimd128(v, srcDest, &X86Encoding::BaseAssemblerX86::vaddpd_mr);-}--void MacroAssemblerX86::vsubpsSimd128(const SimdConstant& v,- FloatRegister srcDest) {- vpPatchOpSimd128(v, srcDest, &X86Encoding::BaseAssemblerX86::vsubps_mr);-}--void MacroAssemblerX86::vsubpdSimd128(const SimdConstant& v,- FloatRegister srcDest) {- vpPatchOpSimd128(v, srcDest, &X86Encoding::BaseAssemblerX86::vsubpd_mr);-}--void MacroAssemblerX86::vdivpsSimd128(const SimdConstant& v,- FloatRegister srcDest) {- vpPatchOpSimd128(v, srcDest, &X86Encoding::BaseAssemblerX86::vdivps_mr);-}--void MacroAssemblerX86::vdivpdSimd128(const SimdConstant& v,- FloatRegister srcDest) {- vpPatchOpSimd128(v, srcDest, &X86Encoding::BaseAssemblerX86::vdivpd_mr);-}--void MacroAssemblerX86::vmulpsSimd128(const SimdConstant& v,- FloatRegister srcDest) {- vpPatchOpSimd128(v, srcDest, &X86Encoding::BaseAssemblerX86::vmulps_mr);-}--void MacroAssemblerX86::vmulpdSimd128(const SimdConstant& v,- FloatRegister srcDest) {- vpPatchOpSimd128(v, srcDest, &X86Encoding::BaseAssemblerX86::vmulpd_mr);+ FloatRegister lhs, FloatRegister dest) {+ vpPatchOpSimd128(v, lhs, dest, &X86Encoding::BaseAssemblerX86::vpsubusw_mr);+}++void MacroAssemblerX86::vpminsbSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest) {+ vpPatchOpSimd128(v, lhs, dest, &X86Encoding::BaseAssemblerX86::vpminsb_mr);+}++void MacroAssemblerX86::vpminubSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest) {+ vpPatchOpSimd128(v, lhs, dest, &X86Encoding::BaseAssemblerX86::vpminub_mr);+}++void MacroAssemblerX86::vpminswSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest) {+ vpPatchOpSimd128(v, lhs, dest, &X86Encoding::BaseAssemblerX86::vpminsw_mr);+}++void MacroAssemblerX86::vpminuwSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest) {+ vpPatchOpSimd128(v, lhs, dest, &X86Encoding::BaseAssemblerX86::vpminuw_mr);+}++void MacroAssemblerX86::vpminsdSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest) {+ vpPatchOpSimd128(v, lhs, dest, &X86Encoding::BaseAssemblerX86::vpminsd_mr);+}++void MacroAssemblerX86::vpminudSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest) {+ vpPatchOpSimd128(v, lhs, dest, &X86Encoding::BaseAssemblerX86::vpminud_mr);+}++void MacroAssemblerX86::vpmaxsbSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest) {+ vpPatchOpSimd128(v, lhs, dest, &X86Encoding::BaseAssemblerX86::vpmaxsb_mr);+}++void MacroAssemblerX86::vpmaxubSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest) {+ vpPatchOpSimd128(v, lhs, dest, &X86Encoding::BaseAssemblerX86::vpmaxub_mr);+}++void MacroAssemblerX86::vpmaxswSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest) {+ vpPatchOpSimd128(v, lhs, dest, &X86Encoding::BaseAssemblerX86::vpmaxsw_mr);+}++void MacroAssemblerX86::vpmaxuwSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest) {+ vpPatchOpSimd128(v, lhs, dest, &X86Encoding::BaseAssemblerX86::vpmaxuw_mr);+}++void MacroAssemblerX86::vpmaxsdSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest) {+ vpPatchOpSimd128(v, lhs, dest, &X86Encoding::BaseAssemblerX86::vpmaxsd_mr);+}++void MacroAssemblerX86::vpmaxudSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest) {+ vpPatchOpSimd128(v, lhs, dest, &X86Encoding::BaseAssemblerX86::vpmaxud_mr);+}++void MacroAssemblerX86::vpandSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest) {+ vpPatchOpSimd128(v, lhs, dest, &X86Encoding::BaseAssemblerX86::vpand_mr);+}++void MacroAssemblerX86::vpxorSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest) {+ vpPatchOpSimd128(v, lhs, dest, &X86Encoding::BaseAssemblerX86::vpxor_mr);+}++void MacroAssemblerX86::vporSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest) {+ vpPatchOpSimd128(v, lhs, dest, &X86Encoding::BaseAssemblerX86::vpor_mr);+}++void MacroAssemblerX86::vaddpsSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest) {+ vpPatchOpSimd128(v, lhs, dest, &X86Encoding::BaseAssemblerX86::vaddps_mr);+}++void MacroAssemblerX86::vaddpdSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest) {+ vpPatchOpSimd128(v, lhs, dest, &X86Encoding::BaseAssemblerX86::vaddpd_mr);+}++void MacroAssemblerX86::vsubpsSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest) {+ vpPatchOpSimd128(v, lhs, dest, &X86Encoding::BaseAssemblerX86::vsubps_mr);+}++void MacroAssemblerX86::vsubpdSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest) {+ vpPatchOpSimd128(v, lhs, dest, &X86Encoding::BaseAssemblerX86::vsubpd_mr);+}++void MacroAssemblerX86::vdivpsSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest) {+ vpPatchOpSimd128(v, lhs, dest, &X86Encoding::BaseAssemblerX86::vdivps_mr);+}++void MacroAssemblerX86::vdivpdSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest) {+ vpPatchOpSimd128(v, lhs, dest, &X86Encoding::BaseAssemblerX86::vdivpd_mr);+}++void MacroAssemblerX86::vmulpsSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest) {+ vpPatchOpSimd128(v, lhs, dest, &X86Encoding::BaseAssemblerX86::vmulps_mr);+}++void MacroAssemblerX86::vmulpdSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest) {+ vpPatchOpSimd128(v, lhs, dest, &X86Encoding::BaseAssemblerX86::vmulpd_mr); } void MacroAssemblerX86::vpacksswbSimd128(const SimdConstant& v,- FloatRegister srcDest) {- vpPatchOpSimd128(v, srcDest, &X86Encoding::BaseAssemblerX86::vpacksswb_mr);+ FloatRegister lhs,+ FloatRegister dest) {+ vpPatchOpSimd128(v, lhs, dest, &X86Encoding::BaseAssemblerX86::vpacksswb_mr); } void MacroAssemblerX86::vpackuswbSimd128(const SimdConstant& v,- FloatRegister srcDest) {- vpPatchOpSimd128(v, srcDest, &X86Encoding::BaseAssemblerX86::vpackuswb_mr);+ FloatRegister lhs,+ FloatRegister dest) {+ vpPatchOpSimd128(v, lhs, dest, &X86Encoding::BaseAssemblerX86::vpackuswb_mr); } void MacroAssemblerX86::vpackssdwSimd128(const SimdConstant& v,- FloatRegister srcDest) {- vpPatchOpSimd128(v, srcDest, &X86Encoding::BaseAssemblerX86::vpackssdw_mr);+ FloatRegister lhs,+ FloatRegister dest) {+ vpPatchOpSimd128(v, lhs, dest, &X86Encoding::BaseAssemblerX86::vpackssdw_mr); } void MacroAssemblerX86::vpackusdwSimd128(const SimdConstant& v,- FloatRegister srcDest) {- vpPatchOpSimd128(v, srcDest, &X86Encoding::BaseAssemblerX86::vpackusdw_mr);-}--void MacroAssemblerX86::vpshufbSimd128(const SimdConstant& v,- FloatRegister srcDest) {- vpPatchOpSimd128(v, srcDest, &X86Encoding::BaseAssemblerX86::vpshufb_mr);+ FloatRegister lhs,+ FloatRegister dest) {+ vpPatchOpSimd128(v, lhs, dest, &X86Encoding::BaseAssemblerX86::vpackusdw_mr);+}++void MacroAssemblerX86::vpshufbSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest) {+ vpPatchOpSimd128(v, lhs, dest, &X86Encoding::BaseAssemblerX86::vpshufb_mr); } void MacroAssemblerX86::vptestSimd128(const SimdConstant& v,- FloatRegister src) {- vpPatchOpSimd128(v, src, &X86Encoding::BaseAssemblerX86::vptest_mr);+ FloatRegister lhs) {+ vpPatchOpSimd128(v, lhs, &X86Encoding::BaseAssemblerX86::vptest_mr); } void MacroAssemblerX86::vpmaddwdSimd128(const SimdConstant& v,- FloatRegister srcDest) {- vpPatchOpSimd128(v, srcDest, &X86Encoding::BaseAssemblerX86::vpmaddwd_mr);+ FloatRegister lhs, FloatRegister dest) {+ vpPatchOpSimd128(v, lhs, dest, &X86Encoding::BaseAssemblerX86::vpmaddwd_mr); } void MacroAssemblerX86::vpcmpeqbSimd128(const SimdConstant& v,- FloatRegister src) {- vpPatchOpSimd128(v, src, &X86Encoding::BaseAssemblerX86::vpcmpeqb_mr);+ FloatRegister lhs, FloatRegister dest) {+ vpPatchOpSimd128(v, lhs, dest, &X86Encoding::BaseAssemblerX86::vpcmpeqb_mr); } void MacroAssemblerX86::vpcmpgtbSimd128(const SimdConstant& v,- FloatRegister src) {- vpPatchOpSimd128(v, src, &X86Encoding::BaseAssemblerX86::vpcmpgtb_mr);+ FloatRegister lhs, FloatRegister dest) {+ vpPatchOpSimd128(v, lhs, dest, &X86Encoding::BaseAssemblerX86::vpcmpgtb_mr); } void MacroAssemblerX86::vpcmpeqwSimd128(const SimdConstant& v,- FloatRegister src) {- vpPatchOpSimd128(v, src, &X86Encoding::BaseAssemblerX86::vpcmpeqw_mr);+ FloatRegister lhs, FloatRegister dest) {+ vpPatchOpSimd128(v, lhs, dest, &X86Encoding::BaseAssemblerX86::vpcmpeqw_mr); } void MacroAssemblerX86::vpcmpgtwSimd128(const SimdConstant& v,- FloatRegister src) {- vpPatchOpSimd128(v, src, &X86Encoding::BaseAssemblerX86::vpcmpgtw_mr);+ FloatRegister lhs, FloatRegister dest) {+ vpPatchOpSimd128(v, lhs, dest, &X86Encoding::BaseAssemblerX86::vpcmpgtw_mr); } void MacroAssemblerX86::vpcmpeqdSimd128(const SimdConstant& v,- FloatRegister src) {- vpPatchOpSimd128(v, src, &X86Encoding::BaseAssemblerX86::vpcmpeqd_mr);+ FloatRegister lhs, FloatRegister dest) {+ vpPatchOpSimd128(v, lhs, dest, &X86Encoding::BaseAssemblerX86::vpcmpeqd_mr); } void MacroAssemblerX86::vpcmpgtdSimd128(const SimdConstant& v,- FloatRegister src) {- vpPatchOpSimd128(v, src, &X86Encoding::BaseAssemblerX86::vpcmpgtd_mr);+ FloatRegister lhs, FloatRegister dest) {+ vpPatchOpSimd128(v, lhs, dest, &X86Encoding::BaseAssemblerX86::vpcmpgtd_mr); } void MacroAssemblerX86::vcmpeqpsSimd128(const SimdConstant& v,- FloatRegister src) {- vpPatchOpSimd128(v, src, &X86Encoding::BaseAssemblerX86::vcmpeqps_mr);+ FloatRegister lhs, FloatRegister dest) {+ vpPatchOpSimd128(v, lhs, dest, &X86Encoding::BaseAssemblerX86::vcmpeqps_mr); } void MacroAssemblerX86::vcmpneqpsSimd128(const SimdConstant& v,- FloatRegister src) {- vpPatchOpSimd128(v, src, &X86Encoding::BaseAssemblerX86::vcmpneqps_mr);+ FloatRegister lhs,+ FloatRegister dest) {+ vpPatchOpSimd128(v, lhs, dest, &X86Encoding::BaseAssemblerX86::vcmpneqps_mr); } void MacroAssemblerX86::vcmpltpsSimd128(const SimdConstant& v,- FloatRegister src) {- vpPatchOpSimd128(v, src, &X86Encoding::BaseAssemblerX86::vcmpltps_mr);+ FloatRegister lhs, FloatRegister dest) {+ vpPatchOpSimd128(v, lhs, dest, &X86Encoding::BaseAssemblerX86::vcmpltps_mr); } void MacroAssemblerX86::vcmplepsSimd128(const SimdConstant& v,- FloatRegister src) {- vpPatchOpSimd128(v, src, &X86Encoding::BaseAssemblerX86::vcmpleps_mr);+ FloatRegister lhs, FloatRegister dest) {+ vpPatchOpSimd128(v, lhs, dest, &X86Encoding::BaseAssemblerX86::vcmpleps_mr); } void MacroAssemblerX86::vcmpeqpdSimd128(const SimdConstant& v,- FloatRegister src) {- vpPatchOpSimd128(v, src, &X86Encoding::BaseAssemblerX86::vcmpeqpd_mr);+ FloatRegister lhs, FloatRegister dest) {+ vpPatchOpSimd128(v, lhs, dest, &X86Encoding::BaseAssemblerX86::vcmpeqpd_mr); } void MacroAssemblerX86::vcmpneqpdSimd128(const SimdConstant& v,- FloatRegister src) {- vpPatchOpSimd128(v, src, &X86Encoding::BaseAssemblerX86::vcmpneqpd_mr);+ FloatRegister lhs,+ FloatRegister dest) {+ vpPatchOpSimd128(v, lhs, dest, &X86Encoding::BaseAssemblerX86::vcmpneqpd_mr); } void MacroAssemblerX86::vcmpltpdSimd128(const SimdConstant& v,- FloatRegister src) {- vpPatchOpSimd128(v, src, &X86Encoding::BaseAssemblerX86::vcmpltpd_mr);+ FloatRegister lhs, FloatRegister dest) {+ vpPatchOpSimd128(v, lhs, dest, &X86Encoding::BaseAssemblerX86::vcmpltpd_mr); } void MacroAssemblerX86::vcmplepdSimd128(const SimdConstant& v,- FloatRegister src) {- vpPatchOpSimd128(v, src, &X86Encoding::BaseAssemblerX86::vcmplepd_mr);+ FloatRegister lhs, FloatRegister dest) {+ vpPatchOpSimd128(v, lhs, dest, &X86Encoding::BaseAssemblerX86::vcmplepd_mr); } void MacroAssemblerX86::finish() {@@ -952,9 +958,14 @@ MOZ_ASSERT_IF( access.isZeroExtendSimd128Load(), access.type() == Scalar::Float32 || access.type() == Scalar::Float64);- MOZ_ASSERT_IF(access.isSplatSimd128Load(), access.type() == Scalar::Float64);+ MOZ_ASSERT_IF(+ access.isSplatSimd128Load(),+ access.type() == Scalar::Uint8 || access.type() == Scalar::Uint16 ||+ access.type() == Scalar::Float32 || access.type() == Scalar::Float64); MOZ_ASSERT_IF(access.isWidenSimd128Load(), access.type() == Scalar::Float64);+ // NOTE: the generated code must match the assembly code in gen_load in+ // GenerateAtomicOperations.py memoryBarrierBefore(access.sync()); append(access, size());@@ -963,21 +974,33 @@ movsbl(srcAddr, out.gpr()); break; case Scalar::Uint8:- movzbl(srcAddr, out.gpr());+ if (access.isSplatSimd128Load()) {+ vbroadcastb(srcAddr, out.fpu());+ } else {+ movzbl(srcAddr, out.gpr());+ } break; case Scalar::Int16: movswl(srcAddr, out.gpr()); break; case Scalar::Uint16:- movzwl(srcAddr, out.gpr());+ if (access.isSplatSimd128Load()) {+ vbroadcastw(srcAddr, out.fpu());+ } else {+ movzwl(srcAddr, out.gpr());+ } break; case Scalar::Int32: case Scalar::Uint32: movl(srcAddr, out.gpr()); break; case Scalar::Float32:- // vmovss does the right thing also for access.isZeroExtendSimd128Load()- vmovss(srcAddr, out.fpu());+ if (access.isSplatSimd128Load()) {+ vbroadcastss(srcAddr, out.fpu());+ } else {+ // vmovss does the right thing also for access.isZeroExtendSimd128Load()+ vmovss(srcAddr, out.fpu());+ } break; case Scalar::Float64: if (access.isSplatSimd128Load()) {@@ -1106,6 +1129,8 @@ MOZ_ASSERT(dstAddr.kind() == Operand::MEM_REG_DISP || dstAddr.kind() == Operand::MEM_SCALE);+ // NOTE: the generated code must match the assembly code in gen_store in+ // GenerateAtomicOperations.py memoryBarrierBefore(access.sync()); append(access, size());@@ -1202,6 +1227,8 @@ MOZ_ASSERT(replacement.high == ecx); MOZ_ASSERT(replacement.low == ebx);+ // NOTE: the generated code must match the assembly code in gen_cmpxchg in+ // GenerateAtomicOperations.py if (access) { masm.append(*access, masm.size()); }
Based on the provided code diff, I'll analyze it for security fixes following the requested format:
1. First vulnerability analysis:
Vulnerability Existed: not sure
Potential Register Handling Issue [File] js/src/jit/x86/MacroAssembler-x86.cpp [Lines 79-101]
[Old Code]
void MacroAssemblerX86::vpPatchOpSimd128(
const SimdConstant& v, FloatRegister reg,
void (X86Encoding::BaseAssemblerX86::*op)(
const void* address, X86Encoding::XMMRegisterID srcId,
X86Encoding::XMMRegisterID destId)) {
[Fixed Code]
void MacroAssemblerX86::vpPatchOpSimd128(
const SimdConstant& v, FloatRegister src, FloatRegister dest,
void (X86Encoding::BaseAssemblerX86::*op)(
const void* address, X86Encoding::XMMRegisterID srcId,
X86Encoding::XMMRegisterID destId)) {
2. Second vulnerability analysis:
Vulnerability Existed: not sure
Potential SIMD Operation Safety [File] js/src/jit/x86/MacroAssembler-x86.cpp [Lines 952-960]
[Old Code]
MOZ_ASSERT_IF(access.isSplatSimd128Load(), access.type() == Scalar::Float64);
[Fixed Code]
MOZ_ASSERT_IF(
access.isSplatSimd128Load(),
access.type() == Scalar::Uint8 || access.type() == Scalar::Uint16 ||
access.type() == Scalar::Float32 || access.type() == Scalar::Float64);
3. Third vulnerability analysis:
Vulnerability Existed: not sure
Potential Memory Access Pattern [File] js/src/jit/x86/MacroAssembler-x86.cpp [Lines 974-1000]
[Old Code]
case Scalar::Uint8:
movzbl(srcAddr, out.gpr());
break;
[Fixed Code]
case Scalar::Uint8:
if (access.isSplatSimd128Load()) {
vbroadcastb(srcAddr, out.fpu());
} else {
movzbl(srcAddr, out.gpr());
}
break;
The changes appear to be primarily about:
1. Separating source and destination registers in SIMD operations
2. Expanding supported types for splat operations
3. Adding special handling for SIMD load operations
While these changes improve code correctness and functionality, I cannot definitively identify any specific security vulnerabilities being fixed. The modifications seem more focused on enhancing functionality and ensuring proper register handling rather than patching security holes.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/uriloader/exthandler/tests/mochitest/browser_local_files_open_doesnt_duplicate.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/uriloader/exthandler/tests/mochitest/browser_local_files_open_doesnt_duplicate.js@@ -26,7 +26,8 @@ let handlerApp = Cc[ "@mozilla.org/uriloader/local-handler-app;1" ].createInstance(Ci.nsILocalHandlerApp);- handlerApp.executable = Services.dirsvc.get("XCurProcD", Ci.nsIFile);+ handlerApp.executable = Services.dirsvc.get("TmpD", Ci.nsIFile);+ handlerApp.executable.append("foopydoo.exe"); mimeInfo.possibleApplicationHandlers.appendElement(handlerApp); mimeInfo.preferredApplicationHandler = handlerApp; }@@ -51,7 +52,10 @@ let dialogWindowPromise = BrowserTestUtils.domWindowOpenedAndLoaded(); let openedFile = getChromeDir(getResolvedURI(gTestPath)); openedFile.append("file_pdf_binary_octet_stream.pdf");- let loadingTab = BrowserTestUtils.addTab(gBrowser, openedFile.path);+ let expectedPath = openedFile.isSymlink()+ ? openedFile.target+ : openedFile.path;+ let loadingTab = BrowserTestUtils.addTab(gBrowser, expectedPath); let dialogWindow = await dialogWindowPromise; is(@@ -70,10 +74,10 @@ let [, openedPath] = await openingPromise; is( openedPath,- openedFile.path,+ expectedPath, "Should have opened file directly (not created a copy)." );- if (openedPath != openedFile.path) {+ if (openedPath != expectedPath) { await IOUtils.setPermissions(openedPath, 0o666); await IOUtils.remove(openedPath); }@@ -98,15 +102,18 @@ let openedFile = getChromeDir(getResolvedURI(gTestPath)); openedFile.append("file_pdf_binary_octet_stream.pdf");- let loadingTab = BrowserTestUtils.addTab(gBrowser, openedFile.path);+ let expectedPath = openedFile.isSymlink()+ ? openedFile.target+ : openedFile.path;+ let loadingTab = BrowserTestUtils.addTab(gBrowser, expectedPath); let [, openedPath] = await openingPromise; is( openedPath,- openedFile.path,+ expectedPath, "Should have opened file directly (not created a copy)." );- if (openedPath != openedFile.path) {+ if (openedPath != expectedPath) { await IOUtils.setPermissions(openedPath, 0o666); await IOUtils.remove(openedPath); }
Here's the analysis of the provided code diff following the specified format:
1. Vulnerability Existed: yes
Insecure Executable Path Handling [uriloader/exthandler/tests/mochitest/browser_local_files_open_doesnt_duplicate.js] [Lines 26-28]
Old Code:
handlerApp.executable = Services.dirsvc.get("XCurProcD", Ci.nsIFile);
Fixed Code:
handlerApp.executable = Services.dirsvc.get("TmpD", Ci.nsIFile);
handlerApp.executable.append("foopydoo.exe");
2. Vulnerability Existed: yes
Symlink Handling Vulnerability [uriloader/exthandler/tests/mochitest/browser_local_files_open_doesnt_duplicate.js] [Lines 51-54, 70-74, 98-102]
Old Code:
let loadingTab = BrowserTestUtils.addTab(gBrowser, openedFile.path);
...
openedPath != openedFile.path
Fixed Code:
let expectedPath = openedFile.isSymlink() ? openedFile.target : openedFile.path;
let loadingTab = BrowserTestUtils.addTab(gBrowser, expectedPath);
...
openedPath != expectedPath
Additional Details:
1. The first fix addresses a potential security issue where the executable was being set to the current process directory ("XCurProcD"), which could be dangerous if malicious files were placed there. The fix changes it to use a temporary directory and a specific dummy executable name.
2. The second set of changes improves security by properly handling symbolic links when opening files. The original code didn't account for symlinks, which could lead to security issues when dealing with file paths. The new code checks for symlinks and uses the target path if one exists.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/media/webrtc/jsapi/RTCStatsIdGenerator.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/media/webrtc/jsapi/RTCStatsIdGenerator.h@@ -25,9 +25,8 @@ RTCStatsIdGenerator(); NS_INLINE_DECL_THREADSAFE_REFCOUNTING(RTCStatsIdGenerator);- void RewriteIds(- const nsTArray<UniquePtr<dom::RTCStatsCollection>>& aFromStats,- dom::RTCStatsCollection* aIntoReport);+ void RewriteIds(nsTArray<UniquePtr<dom::RTCStatsCollection>> aFromStats,+ dom::RTCStatsCollection* aIntoReport); private: virtual ~RTCStatsIdGenerator(){};
Let me analyze the provided code diff for security fixes.
Vulnerability Existed: not sure
[Potential Parameter Passing Issue] [dom/media/webrtc/jsapi/RTCStatsIdGenerator.h] [Lines 25-28]
[Old Code]
void RewriteIds(
const nsTArray<UniquePtr<dom::RTCStatsCollection>>& aFromStats,
dom::RTCStatsCollection* aIntoReport);
[Fixed Code]
void RewriteIds(nsTArray<UniquePtr<dom::RTCStatsCollection>> aFromStats,
dom::RTCStatsCollection* aIntoReport);
Additional Details:
The change involves modifying how the first parameter is passed to RewriteIds. The old version used a const reference to an array of unique pointers, while the new version passes the array by value. This could potentially be related to thread safety or ownership issues, but without more context about how this function is used, it's difficult to determine if this was an actual security vulnerability or just a code improvement. The change might be related to ensuring proper ownership transfer of the UniquePtr elements, but we can't be certain this was fixing a security issue.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/toolkit/components/windowwatcher/nsWindowWatcher.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/toolkit/components/windowwatcher/nsWindowWatcher.cpp@@ -1034,6 +1034,8 @@ SANDBOX_PROPAGATES_TO_AUXILIARY_BROWSING_CONTEXTS) { MOZ_ASSERT(windowIsNew, "Should only get here for new windows"); MOZ_ALWAYS_SUCCEEDS(newBC->SetSandboxFlags(activeDocsSandboxFlags));+ MOZ_ALWAYS_SUCCEEDS(+ newBC->SetInitialSandboxFlags(newBC->GetSandboxFlags())); } RefPtr<nsGlobalWindowOuter> win(
Here's the analysis of the provided code diff:
Vulnerability Existed: yes
Sandbox Flag Propagation Issue [toolkit/components/windowwatcher/nsWindowWatcher.cpp] [Lines 1034-1038]
[Old Code]
MOZ_ASSERT(windowIsNew, "Should only get here for new windows");
MOZ_ALWAYS_SUCCEEDS(newBC->SetSandboxFlags(activeDocsSandboxFlags));
[Fixed Code]
MOZ_ASSERT(windowIsNew, "Should only get here for new windows");
MOZ_ALWAYS_SUCCEEDS(newBC->SetSandboxFlags(activeDocsSandboxFlags));
MOZ_ALWAYS_SUCCEEDS(
newBC->SetInitialSandboxFlags(newBC->GetSandboxFlags()));
Additional Details:
The fix adds a call to SetInitialSandboxFlags() to properly propagate sandbox flags to new browsing contexts. Without this, the initial sandbox flags might not be properly set for new windows, potentially leading to security bypasses where content could escape sandbox restrictions. This appears to be a fix for proper sandbox inheritance in new browsing contexts.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/neqo-transport/src/streams.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/neqo-transport/src/streams.rs@@ -467,6 +467,13 @@ .remote() .get_integer(tparams::INITIAL_MAX_DATA), );++ if self.local_stream_limits[StreamType::BiDi].available() > 0 {+ self.events.send_stream_creatable(StreamType::BiDi);+ }+ if self.local_stream_limits[StreamType::UniDi].available() > 0 {+ self.events.send_stream_creatable(StreamType::UniDi);+ } } pub fn handle_max_streams(&mut self, stream_type: StreamType, maximum_streams: u64) {
Analyzing the provided code diff, here's the security assessment:
Vulnerability Existed: not sure
Potential Missing Event Notification [File] third_party/rust/neqo-transport/src/streams.rs [Lines] 467-474
[Old Code]
self.flow_mgr
.borrow_mut()
.set_max_data(
self.remote_params
.remote()
.get_integer(tparams::INITIAL_MAX_DATA),
);
[Fixed Code]
self.flow_mgr
.borrow_mut()
.set_max_data(
self.remote_params
.remote()
.get_integer(tparams::INITIAL_MAX_DATA),
);
if self.local_stream_limits[StreamType::BiDi].available() > 0 {
self.events.send_stream_creatable(StreamType::BiDi);
}
if self.local_stream_limits[StreamType::UniDi].available() > 0 {
self.events.send_stream_creatable(StreamType::UniDi);
}
The change adds event notifications when stream limits are available. While this doesn't appear to fix a specific known vulnerability, it could potentially address:
1. A race condition where stream creation wasn't properly signaled when limits became available
2. A missing notification that could lead to stalled connections
3. A potential deadlock situation where streams weren't being created despite available capacity
However, without more context about the specific security issue being addressed, I can't definitively identify a named vulnerability. The change appears to improve the robustness of stream creation notifications.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/js/public/Initialization.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/js/public/Initialization.h@@ -144,6 +144,15 @@ SelfHostedCache cache = nullptr, SelfHostedWriter writer = nullptr);+/*+ * Permanently disable the JIT backend for this process. This disables the JS+ * Baseline Interpreter, JIT compilers, regular expression JIT and support for+ * WebAssembly.+ *+ * If called, this *must* be called before JS_Init.+ */+JS_PUBLIC_API void DisableJitBackend();+ } // namespace JS /**@@ -165,4 +174,13 @@ */ extern JS_PUBLIC_API void JS_ShutDown(void);+#if defined(ENABLE_WASM_SIMD) && \+ (defined(JS_CODEGEN_X64) || defined(JS_CODEGEN_X86))+namespace JS {+// Enable support for AVX instructions in the JIT/Wasm backend on x86/x64+// platforms. Must be called before JS_Init*.+void SetAVXEnabled();+} // namespace JS+#endif+ #endif /* js_Initialization_h */
Here's the analysis of the provided code diff for security fixes:
1. Vulnerability Existed: not sure
[Potential JIT-related vulnerabilities] [js/public/Initialization.h] [Lines 144-152]
[Old Code]
(No previous code existed for DisableJitBackend)
[Fixed Code]
```
JS_PUBLIC_API void DisableJitBackend();
```
Additional Details: The addition of DisableJitBackend() suggests potential security concerns with JIT compilation, though no specific vulnerability is mentioned. This could be related to various JIT spray or JIT-related memory corruption vulnerabilities.
2. Vulnerability Existed: not sure
[Potential SIMD/AVX-related vulnerabilities] [js/public/Initialization.h] [Lines 174-181]
[Old Code]
(No previous code existed for SetAVXEnabled)
[Fixed Code]
```
#if defined(ENABLE_WASM_SIMD) && \
(defined(JS_CODEGEN_X64) || defined(JS_CODEGEN_X86))
namespace JS {
// Enable support for AVX instructions in the JIT/Wasm backend on x86/x64
// platforms. Must be called before JS_Init*.
void SetAVXEnabled();
} // namespace JS
#endif
```
Additional Details: The addition of AVX control suggests potential security concerns with SIMD/AVX instructions in the JIT/Wasm backend, possibly related to side-channel attacks or instruction-specific vulnerabilities.
Note: While these changes appear to be security-related (adding controls for potentially dangerous features), the diff doesn't provide enough context to identify specific vulnerabilities that were fixed. The changes are more likely preventive measures rather than fixes for specific known vulnerabilities.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-shapes/shape-outside/shape-box/shape-outside-border-box-border-radius-002.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-shapes/shape-outside/shape-box/shape-outside-border-box-border-radius-002.html@@ -9,7 +9,6 @@ <link rel="author" title="Mozilla" href="http://www.mozilla.org/"> <link rel="help" href="https://drafts.csswg.org/css-shapes-1/#shapes-from-box-values"> <link rel="match" href="reference/shape-outside-border-box-border-radius-002-ref.html">- <meta name="flags" content=""> <meta name="assert" content="Test the boxes are wrapping around the left float shape defined by the border-box and border-radius value."> <style> .container {
Analysis of the provided code diff: 1. Vulnerability Existed: no No specific vulnerability found in this diff. The change simply removes an empty meta tag for "flags" which doesn't appear to have any security implications. Additional Details: The diff shows a minor HTML cleanup change where an empty `<meta name="flags" content="">` tag was removed. This appears to be a test file modification rather than a security fix. The change doesn't affect any security-related functionality or introduce any security improvements. The modification is likely related to test configuration cleanup rather than addressing any vulnerability. Since no actual code changes affecting security were made, and no vulnerabilities were addressed, the answer is "no" for vulnerability existence.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/browser/base/content/test/general/download_page.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/browser/base/content/test/general/download_page.html@@ -45,6 +45,14 @@ download="download_page_4.txt" id="link17">Download "download_page_4.txt"</a></li> <li><a href="redirect_download.sjs?attachment=none" download="download_page_4.txt" id="link18">Download "download_page_4.txt"</a></li>+ <li><a href="download_with_content_disposition_header.sjs?inline;attachment=none"+ download="download_page_4.txt" id="link19">Download "download_page_4.txt"</a></li>+ <li><a href="download_with_content_disposition_header.sjs?invalid=none"+ download="download_page_4.txt" id="link20">Download "download_page_4.txt"</a></li>+ <li><a href="download_with_content_disposition_header.sjs?inline;attachment=download_page_4.txt"+ download="download_page_4.txt" id="link21">Download "download_page_4.txt"</a></li>+ <li><a href="download_with_content_disposition_header.sjs?invalid=download_page_4.txt"+ download="download_page_4.txt" id="link22">Download "download_page_4.txt"</a></li> </ul> <div id="unload-flag">Okay</div>
Analyzing the provided code diff, here are the potential security issues identified: 1. Vulnerability Existed: not sure [Content-Disposition Header Injection] [browser/base/content/test/general/download_page.html] [Lines added] [Old Code] No previous test cases for Content-Disposition headers [Fixed Code] Added test cases for various Content-Disposition header scenarios including inline, attachment, and invalid parameters 2. Vulnerability Existed: not sure [Download Filename Spoofing] [browser/base/content/test/general/download_page.html] [Lines added] [Old Code] No test cases for filename handling with Content-Disposition headers [Fixed Code] Added test cases that combine download attribute with Content-Disposition header filename specifications Additional Notes: - The diff adds test cases for handling Content-Disposition headers in downloads, which suggests potential security concerns around: 1) How browsers handle conflicting filename specifications (download attribute vs Content-Disposition header) 2) Potential header injection vulnerabilities 3) Filename spoofing possibilities - Without seeing the actual server-side implementation (download_with_content_disposition_header.sjs), we can't be certain if these were fixing actual vulnerabilities or just adding test coverage - The test cases cover both valid and invalid Content-Disposition header scenarios, suggesting a focus on security edge cases
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/devtools/client/performance-new/test/browser/browser_devtools-record-capture.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/devtools/client/performance-new/test/browser/browser_devtools-record-capture.js@@ -8,6 +8,14 @@ const FRONTEND_BASE_PATH = "/browser/devtools/client/performance-new/test/browser/fake-frontend.html"; const FRONTEND_BASE_URL = FRONTEND_BASE_HOST + FRONTEND_BASE_PATH;++add_setup(async function setup() {+ // The active tab view isn't enabled in all configurations. Let's make sure+ // it's enabled in these tests.+ SpecialPowers.pushPrefEnv({+ set: [["devtools.performance.recording.active-tab-view.enabled", true]],+ });+}); add_task(async function test() { info(@@ -57,6 +65,62 @@ getRecordingState, }); });+});++add_task(async function test_in_private_window() {+ info("Test that DevTools can capture profiles in a private window.");++ // This test assumes that the Web Developer preset is set by default, which is+ // not the case on Nightly and custom builds.+ BackgroundJSM.changePreset(+ "aboutprofiling",+ "web-developer",+ Services.profiler.GetFeatures()+ );++ await setProfilerFrontendUrl(FRONTEND_BASE_HOST, FRONTEND_BASE_PATH);++ info("Open a private window.");+ const privateWindow = await BrowserTestUtils.openNewBrowserWindow({+ private: true,+ });++ await withDevToolsPanel(async document => {+ const getRecordingState = setupGetRecordingState(document);++ // The initial state of the profiler UI is racy, as it calls out to the PerfFront+ // to get the status of the profiler. This can race with the initialization of+ // the test. Most of the the time the result is "not-yet-known", but rarely+ // the PerfFront will win this race. Allow for both outcomes of the race in this+ // test.+ ok(+ getRecordingState() === "not-yet-known" ||+ getRecordingState() === "available-to-record",+ "The component starts out in an unknown state or is already available to record."+ );++ // First check for "firefox-platform" preset which will have no "view" query+ // string because this is where our traditional "full" view opens up.+ // Note that this utility will check for a new tab in the main non-private+ // window, which is exactly what we want here.+ await setPresetCaptureAndAssertUrl({+ document,+ preset: "firefox-platform",+ expectedUrl: FRONTEND_BASE_URL,+ getRecordingState,+ });++ // Now, let's check for "web-developer" preset. This will open up the frontend+ // with "active-tab" view query string. Frontend will understand and open the active tab view for it.+ await setPresetCaptureAndAssertUrl({+ document,+ preset: "web-developer",+ expectedUrl: FRONTEND_BASE_URL + "?view=active-tab&implementation=js",+ getRecordingState,+ });+ }, privateWindow);++ await BrowserTestUtils.closeWindow(privateWindow); }); async function setPresetCaptureAndAssertUrl({
Based on the provided code diff, I don't see any clear security vulnerabilities being fixed. The changes appear to be test-related modifications and additions. Here's my analysis: 1. Vulnerability Existed: no No security vulnerability found [File] devtools/client/performance-new/test/browser/browser_devtools-record-capture.js [Lines] 8-14, 57-125 [Old Code] (No old code for these specific changes as they are new test additions) [Fixed Code] The changes add: 1. A setup function to enable active tab view 2. A new test case for private window functionality 2. Vulnerability Existed: no No security vulnerability found [File] devtools/client/performance-new/test/browser/browser_devtools-record-capture.js [Lines] 65-125 [Old Code] (No old code as this is a completely new test case) [Fixed Code] Added new test case 'test_in_private_window' to verify DevTools profile capture in private windows The changes appear to be: 1. Adding test setup configuration 2. Adding new test cases for private browsing functionality 3. No security-related fixes or vulnerability patches are evident in this diff The modifications are focused on test coverage and functionality verification rather than security fixes.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/devtools/docs/contributor/tests/writing-tests.md+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/devtools/docs/contributor/tests/writing-tests.md@@ -120,7 +120,7 @@ One of the direct consequences of E10S on tests is that you cannot retrieve and manipulate objects from the content page as you'd do without E10S.-So when creating a new test, if this test needs to access the content page in any way, you can use [the message manager](https://developer.mozilla.org/en-US/docs/The_message_manager) to communicate with a script loaded in the content process to do things for you instead of accessing objects in the page directly.+So when creating a new test, if this test needs to access the content page in any way, you can use [the message manager or JSActors](https://firefox-source-docs.mozilla.org/dom/ipc/jsactors.html) to communicate with a script loaded in the content process to do things for you instead of accessing objects in the page directly. You can use the helper `ContentTask.spawn()` for this. See [this list of DevTools tests that use that helper for examples](https://searchfox.org/mozilla-central/search?q=ContentTask.spawn%28&path=devtools%2Fclient).
After analyzing the provided code diff, here's my assessment: Vulnerability Existed: no No security vulnerability found [File] devtools/docs/contributor/tests/writing-tests.md [Lines] 120 [Old Code] So when creating a new test, if this test needs to access the content page in any way, you can use [the message manager](https://developer.mozilla.org/en-US/docs/The_message_manager) to communicate with a script loaded in the content process to do things for you instead of accessing objects in the page directly. [Fixed Code] So when creating a new test, if this test needs to access the content page in any way, you can use [the message manager or JSActors](https://firefox-source-docs.mozilla.org/dom/ipc/jsactors.html) to communicate with a script loaded in the content process to do things for you instead of accessing objects in the page directly. This appears to be a documentation update that adds JSActors as an alternative to message manager for inter-process communication, but doesn't indicate any security vulnerability being fixed. The change is primarily about improving documentation and adding more options for test writers.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.