Analysis Report

Shared security patch analysis results

AI Used: DEEPSEEK deepseek-chat
6017 filtered / 6017 total files
js/src/frontend/ParserAtom.cpp AI: 5 vulnerabilities
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/js/src/frontend/ParserAtom.cpp
+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/js/src/frontend/ParserAtom.cpp
@@ -66,9 +66,11 @@
     MOZ_ASSERT(uint32_t(toWellKnownAtomId()) <
                uint32_t(WellKnownAtomId::Limit));
   } else if (isLength1StaticParserString()) {
-    MOZ_ASSERT(size_t(toLength1StaticParserString()) < Length1StaticLimit);
+    // always valid
   } else if (isLength2StaticParserString()) {
     MOZ_ASSERT(size_t(toLength2StaticParserString()) < Length2StaticLimit);
+  } else if (isLength3StaticParserString()) {
+    // always valid
   } else {
     MOZ_ASSERT(isNull());
   }
@@ -114,11 +116,11 @@
   JSString* str;
   if (hasLatin1Chars()) {
-    str =
-        NewStringCopyN<CanGC>(cx, reinterpret_cast<const char*>(latin1Chars()),
-                              length(), gc::TenuredHeap);
+    str = NewStringCopyNDontDeflateNonStaticValidLength<CanGC>(
+        cx, latin1Chars(), length(), gc::TenuredHeap);
   } else {
-    str = NewStringCopyN<CanGC>(cx, twoByteChars(), length(), gc::TenuredHeap);
+    str = NewStringCopyNDontDeflateNonStaticValidLength<CanGC>(
+        cx, twoByteChars(), length(), gc::TenuredHeap);
   }
   if (!str) {
     return nullptr;
@@ -136,9 +138,11 @@
   JSAtom* atom;
   if (hasLatin1Chars()) {
-    atom = AtomizeChars(cx, hash(), latin1Chars(), length());
+    atom =
+        AtomizeCharsNonStaticValidLength(cx, hash(), latin1Chars(), length());
   } else {
-    atom = AtomizeChars(cx, hash(), twoByteChars(), length());
+    atom =
+        AtomizeCharsNonStaticValidLength(cx, hash(), twoByteChars(), length());
   }
   if (!atom) {
     return nullptr;
@@ -155,8 +159,9 @@
   MOZ_ASSERT(!cx->zone());
   MOZ_ASSERT(hasLatin1Chars());
-  JSAtom* atom =
-      PermanentlyAtomizeChars(cx, atomSet, hash(), latin1Chars(), length());
+  MOZ_ASSERT(length() <= JSString::MAX_LENGTH);
+  JSAtom* atom = PermanentlyAtomizeCharsNonStaticValidLength(
+      cx, atomSet, hash(), latin1Chars(), length());
   if (!atom) {
     return nullptr;
   }
@@ -198,22 +203,25 @@
   }
   if (index.isLength1StaticParserString()) {
-    char content[1];
-    getLength1Content(index.toLength1StaticParserString(), content);
     js::Fprinter out(stderr);
     out.put("\"");
-    out.putChar(content[0]);
+    dumpCharsNoQuote(out, index.toLength1StaticParserString());
     out.put("\"\n");
     return;
   }
   if (index.isLength2StaticParserString()) {
-    char content[2];
-    getLength2Content(index.toLength2StaticParserString(), content);
     js::Fprinter out(stderr);
     out.put("\"");
-    out.putChar(content[0]);
-    out.putChar(content[1]);
+    dumpCharsNoQuote(out, index.toLength2StaticParserString());
+    out.put("\"\n");
+    return;
+  }
+
+  if (index.isLength3StaticParserString()) {
+    js::Fprinter out(stderr);
+    out.put("\"");
+    dumpCharsNoQuote(out, index.toLength3StaticParserString());
     out.put("\"\n");
     return;
   }
@@ -242,6 +250,11 @@
   if (index.isLength2StaticParserString()) {
     dumpCharsNoQuote(out, index.toLength2StaticParserString());
+    return;
+  }
+
+  if (index.isLength3StaticParserString()) {
+    dumpCharsNoQuote(out, index.toLength3StaticParserString());
     return;
   }
@@ -259,7 +272,7 @@
 /* static */
 void ParserAtomsTable::dumpCharsNoQuote(js::GenericPrinter& out,
                                         Length1StaticParserString index) {
-  char content[1];
+  Latin1Char content[1];
   getLength1Content(index, content);
   out.putChar(content[0]);
 }
@@ -271,6 +284,16 @@
   getLength2Content(index, content);
   out.putChar(content[0]);
   out.putChar(content[1]);
+}
+
+/* static */
+void ParserAtomsTable::dumpCharsNoQuote(js::GenericPrinter& out,
+                                        Length3StaticParserString index) {
+  char content[3];
+  getLength3Content(index, content);
+  out.putChar(content[0]);
+  out.putChar(content[1]);
+  out.putChar(content[2]);
 }
 #endif
@@ -471,13 +494,26 @@
   return true;
 }
+static inline bool IsLatin1(mozilla::Utf8Unit c1, mozilla::Utf8Unit c2) {
+  auto u1 = c1.toUint8();
+  auto u2 = c2.toUint8();
+
+  // 0x80-0xBF
+  if (u1 == 0xC2 && 0x80 <= u2 && u2 <= 0xBF) {
+    return true;
+  }
+
+  // 0xC0-0xFF
+  if (u1 == 0xC3 && 0x80 <= u2 && u2 <= 0xBF) {
+    return true;
+  }
+
+  return false;
+}
+
 TaggedParserAtomIndex ParserAtomsTable::internUtf8(
     JSContext* cx, const mozilla::Utf8Unit* utf8Ptr, uint32_t nbyte) {
-  // Check for tiny strings which are abundant in minified code.
-  // NOTE: The tiny atoms are all ASCII-only so we can directly look at the
-  //        UTF-8 data without worrying about surrogates.
-  if (auto tiny = wellKnownTable_.lookupTinyIndex(
-          reinterpret_cast<const Latin1Char*>(utf8Ptr), nbyte)) {
+  if (auto tiny = wellKnownTable_.lookupTinyIndexUTF8(utf8Ptr, nbyte)) {
     return tiny;
   }
@@ -615,15 +651,28 @@
   }
   if (index.isLength1StaticParserString()) {
-    char content[1];
+    Latin1Char content[1];
     getLength1Content(index.toLength1StaticParserString(), content);
-    return IsIdentifierASCII(content[0]);
-  }
-
-  MOZ_ASSERT(index.isLength2StaticParserString());
-  char content[2];
-  getLength2Content(index.toLength2StaticParserString(), content);
-  return IsIdentifierASCII(content[0], content[1]);
+    if (MOZ_UNLIKELY(content[0] > 127)) {
+      return IsIdentifier(content, 1);
+    }
+    return IsIdentifierASCII(char(content[0]));
+  }
+
+  if (index.isLength2StaticParserString()) {
+    char content[2];
+    getLength2Content(index.toLength2StaticParserString(), content);
+    return IsIdentifierASCII(content[0], content[1]);
+  }
+
+  MOZ_ASSERT(index.isLength3StaticParserString());
+#ifdef DEBUG
+  char content[3];
+  getLength3Content(index.toLength3StaticParserString(), content);
+  MOZ_ASSERT(!reinterpret_cast<const Latin1Char*>(
+      IsIdentifier(reinterpret_cast<const Latin1Char*>(content), 3)));
+#endif
+  return false;
 }
 bool ParserAtomsTable::isPrivateName(TaggedParserAtomIndex index) const {
@@ -673,16 +722,21 @@
     return false;
   }
-  // Length-1/2 shouldn't be used for extented uncloned self-hosted
+  // Length-1/2/3 shouldn't be used for extented uncloned self-hosted
   // function name, and this query shouldn't be used for them.
 #ifdef DEBUG
   if (index.isLength1StaticParserString()) {
-    char content[1];
+    Latin1Char content[1];
     getLength1Content(index.toLength1StaticParserString(), content);
     MOZ_ASSERT(content[0] != ExtendedUnclonedSelfHostedFunctionNamePrefix);
-  } else {
+  } else if (index.isLength2StaticParserString()) {
     char content[2];
     getLength2Content(index.toLength2StaticParserString(), content);
+    MOZ_ASSERT(content[0] != ExtendedUnclonedSelfHostedFunctionNamePrefix);
+  } else {
+    MOZ_ASSERT(index.isLength3StaticParserString());
+    char content[3];
+    getLength3Content(index.toLength3StaticParserString(), content);
     MOZ_ASSERT(content[0] != ExtendedUnclonedSelfHostedFunctionNamePrefix);
   }
 #endif
@@ -710,7 +764,8 @@
            !HasUnpairedSurrogate(name->twoByteRange());
   }
-  // Well-known/length-1/length-2 are ASCII.
+  // Well-known/length-2 are ASCII.
+  // length-1 are Latin1.
   return true;
 }
@@ -740,7 +795,7 @@
   }
   if (index.isLength1StaticParserString()) {
-    char content[1];
+    Latin1Char content[1];
     getLength1Content(index.toLength1StaticParserString(), content);
     if (mozilla::IsAsciiDigit(content[0])) {
       *indexp = AsciiDigitToNumber(content[0]);
@@ -749,18 +804,32 @@
     return false;
   }
-  MOZ_ASSERT(index.isLength2StaticParserString());
-  char content[2];
-  getLength2Content(index.toLength2StaticParserString(), content);
-  // Leading '0' isn't allowed.
-  // See CheckStringIsIndex comment.
-  if (content[0] != '0' && mozilla::IsAsciiDigit(content[0]) &&
-      mozilla::IsAsciiDigit(content[1])) {
-    *indexp =
-        AsciiDigitToNumber(content[0]) * 10 + AsciiDigitToNumber(content[1]);
-    return true;
-  }
-  return false;
+  if (index.isLength2StaticParserString()) {
+    char content[2];
+    getLength2Content(index.toLength2StaticParserString(), content);
+    // Leading '0' isn't allowed.
+    // See CheckStringIsIndex comment.
+    if (content[0] != '0' && mozilla::IsAsciiDigit(content[0]) &&
+        mozilla::IsAsciiDigit(content[1])) {
+      *indexp =
+          AsciiDigitToNumber(content[0]) * 10 + AsciiDigitToNumber(content[1]);
+      return true;
+    }
+    return false;
+  }
+
+  MOZ_ASSERT(index.isLength3StaticParserString());
+  *indexp = uint32_t(index.toLength3StaticParserString());
+#ifdef DEBUG
+  char content[3];
+  getLength3Content(index.toLength3StaticParserString(), content);
+  MOZ_ASSERT(uint32_t(AsciiDigitToNumber(content[0])) * 100 +
+                 uint32_t(AsciiDigitToNumber(content[1])) * 10 +
+                 uint32_t(AsciiDigitToNumber(content[2])) ==
+             *indexp);
+  MOZ_ASSERT(100 <= *indexp);
+#endif
+  return true;
 }
 bool ParserAtomsTable::isInstantiatedAsJSAtom(
@@ -788,8 +857,12 @@
     return 1;
   }
-  MOZ_ASSERT(index.isLength2StaticParserString());
-  return 2;
+  if (index.isLength2StaticParserString()) {
+    return 2;
+  }
+
+  MOZ_ASSERT(index.isLength3StaticParserString());
+  return 3;
 }
 bool ParserAtomsTable::toNumber(JSContext* cx, TaggedParserAtomIndex index,
@@ -809,17 +882,31 @@
   }
   if (index.isLength1StaticParserString()) {
-    char content[1];
+    Latin1Char content[1];
     getLength1Content(index.toLength1StaticParserString(), content);
-    return CharsToNumber(cx, reinterpret_cast<const Latin1Char*>(content), 1,
+    return CharsToNumber(cx, content, 1, result);
+  }
+
+  if (index.isLength2StaticParserString()) {
+    char content[2];
+    getLength2Content(index.toLength2StaticParserString(), content);
+    return CharsToNumber(cx, reinterpret_cast<const Latin1Char*>(content), 2,
                          result);
   }
-  MOZ_ASSERT(index.isLength2StaticParserString());
-  char content[2];
-  getLength2Content(index.toLength2StaticParserString(), content);
-  return CharsToNumber(cx, reinterpret_cast<const Latin1Char*>(content), 2,
-                       result);
+  MOZ_ASSERT(index.isLength3StaticParserString());
+  *result = double(index.toLength3StaticParserString());
+#ifdef DEBUG
+  char content[3];
+  double tmp;
+  getLength3Content(index.toLength3StaticParserString(), content);
+  if (!CharsToNumber(cx, reinterpret_cast<const Latin1Char*>(content), 3,
+                     &tmp)) {
+    return false;
+  }
+  MOZ_ASSERT(tmp == *result);
+#endif
+  return true;
 }
 UniqueChars ParserAtomsTable::toNewUTF8CharsZ(
@@ -843,20 +930,27 @@
   }
   if (index.isLength1StaticParserString()) {
-    char content[1];
+    Latin1Char content[1];
     getLength1Content(index.toLength1StaticParserString(), content);
     return UniqueChars(
+        JS::CharsToNewUTF8CharsZ(cx, mozilla::Range(content, 1)).c_str());
+  }
+
+  if (index.isLength2StaticParserString()) {
+    char content[2];
+    getLength2Content(index.toLength2StaticParserString(), content);
+    return UniqueChars(
         JS::CharsToNewUTF8CharsZ(
-            cx, mozilla::Range(reinterpret_cast<const Latin1Char*>(content), 1))
+            cx, mozilla::Range(reinterpret_cast<const Latin1Char*>(content), 2))
             .c_str());
   }
-  MOZ_ASSERT(index.isLength2StaticParserString());
-  char content[2];
-  getLength2Content(index.toLength2StaticParserString(), content);
+  MOZ_ASSERT(index.isLength3StaticParserString());
+  char content[3];
+  getLength3Content(index.toLength3StaticParserString(), content);
   return UniqueChars(
       JS::CharsToNewUTF8CharsZ(
-          cx, mozilla::Range(reinterpret_cast<const Latin1Char*>(content), 2))
+          cx, mozilla::Range(reinterpret_cast<const Latin1Char*>(content), 3))
           .c_str());
 }
@@ -890,17 +984,24 @@
   }
   if (index.isLength1StaticParserString()) {
-    char content[1];
+    Latin1Char content[1];
     getLength1Content(index.toLength1StaticParserString(), content);
+    return ToPrintableStringImpl(cx,
+                                 mozilla::Range<const Latin1Char>(content, 1));
+  }
+
+  if (index.isLength2StaticParserString()) {
+    char content[2];
+    getLength2Content(index.toLength2StaticParserString(), content);
     return ToPrintableStringImpl(
-        cx, mozilla::Range(reinterpret_cast<const Latin1Char*>(content), 1));
-  }
-
-  MOZ_ASSERT(index.isLength2StaticParserString());
-  char content[2];
-  getLength2Content(index.toLength2StaticParserString(), content);
+        cx, mozilla::Range(reinterpret_cast<const Latin1Char*>(content), 2));
+  }
+
+  MOZ_ASSERT(index.isLength3StaticParserString());
+  char content[3];
+  getLength3Content(index.toLength3StaticParserString(), content);
   return ToPrintableStringImpl(
-      cx, mozilla::Range(reinterpret_cast<const Latin1Char*>(content), 2));
+      cx, mozilla::Range(reinterpret_cast<const Latin1Char*>(content), 3));
 }
 UniqueChars ParserAtomsTable::toQuotedString(
@@ -922,18 +1023,25 @@
   }
   if (index.isLength1StaticParserString()) {
-    char content[1];
+    Latin1Char content[1];
     getLength1Content(index.toLength1StaticParserString(), content);
     return ToPrintableStringImpl(
-        cx, mozilla::Range(reinterpret_cast<const Latin1Char*>(content), 1),
+        cx, mozilla::Range<const Latin1Char>(content, 1), '\"');
+  }
+
+  if (index.isLength2StaticParserString()) {
+    char content[2];
+    getLength2Content(index.toLength2StaticParserString(), content);
+    return ToPrintableStringImpl(
+        cx, mozilla::Range(reinterpret_cast<const Latin1Char*>(content), 2),
         '\"');
   }
-  MOZ_ASSERT(index.isLength2StaticParserString());
-  char content[2];
-  getLength2Content(index.toLength2StaticParserString(), content);
+  MOZ_ASSERT(index.isLength3StaticParserString());
+  char content[3];
+  getLength3Content(index.toLength3StaticParserString(), content);
   return ToPrintableStringImpl(
-      cx, mozilla::Range(reinterpret_cast<const Latin1Char*>(content), 2),
+      cx, mozilla::Range(reinterpret_cast<const Latin1Char*>(content), 3),
       '\"');
 }
@@ -967,9 +1075,14 @@
     return cx->staticStrings().getUnit(ch);
   }
-  MOZ_ASSERT(index.isLength2StaticParserString());
-  size_t s = static_cast<size_t>(index.toLength2StaticParserString());
-  return cx->staticStrings().getLength2FromIndex(s);
+  if (index.isLength2StaticParserString()) {
+    size_t s = static_cast<size_t>(index.toLength2StaticParserString());
+    return cx->staticStrings().getLength2FromIndex(s);
+  }
+
+  MOZ_ASSERT(index.isLength3StaticParserString());
+  uint32_t s = uint32_t(index.toLength3StaticParserString());
+  return cx->staticStrings().getUint(s);
 }
 bool ParserAtomsTable::appendTo(StringBuffer& buffer,
@@ -987,15 +1100,21 @@
   }
   if (index.isLength1StaticParserString()) {
-    char content[1];
+    Latin1Char content[1];
     getLength1Content(index.toLength1StaticParserString(), content);
     return buffer.append(content[0]);
   }
-  MOZ_ASSERT(index.isLength2StaticParserString());
-  char content[2];
-  getLength2Content(index.toLength2StaticParserString(), content);
-  return buffer.append(content, 2);
+  if (index.isLength2StaticParserString()) {
+    char content[2];
+    getLength2Content(index.toLength2StaticParserString(), content);
+    return buffer.append(content, 2);
+  }
+
+  MOZ_ASSERT(index.isLength3StaticParserString());
+  char content[3];
+  getLength3Content(index.toLength3StaticParserString(), content);
+  return buffer.append(content, 3);
 }
 bool InstantiateMarkedAtoms(JSContext* cx, const ParserAtomSpan& entries,
@@ -1066,6 +1185,26 @@
   return TaggedParserAtomIndex::null();
 }
+TaggedParserAtomIndex WellKnownParserAtoms::lookupTinyIndexUTF8(
+    const mozilla::Utf8Unit* utf8Ptr, size_t nbyte) const {
+  // Check for tiny strings which are abundant in minified code.
+  if (nbyte == 2 && IsLatin1(utf8Ptr[0], utf8Ptr[1])) {
+    // Special case the length-1 non-ASCII range.
+    InflatedChar16Sequence<mozilla::Utf8Unit> seq(utf8Ptr, 2);
+    char16_t u = seq.next();
+    const Latin1Char c = u;
+    MOZ_ASSERT(!seq.hasMore());
+    auto tiny = lookupTinyIndex(&c, 1);
+    MOZ_ASSERT(tiny);
+    return tiny;
+  }
+
+  // NOTE: Other than length-1 non-ASCII range, the tiny atoms are all
+  //       ASCII-only so we can directly look at the UTF-8 data without
+  //       worrying about surrogates.
+  return lookupTinyIndex(reinterpret_cast<const Latin1Char*>(utf8Ptr), nbyte);
+}
+
 bool WellKnownParserAtoms::initSingle(JSContext* cx,
                                       const WellKnownAtomInfo& info,
                                       TaggedParserAtomIndex index) {
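Review bot: The comment `// always valid` in the hunk at `@@ -66,9 +66,11 @@` replaces the length-1 range assertion, and is added for the new length-3 branch, without saying why no check is needed. If the reason is that every value the index type can hold now maps to a static string, the comment should say that, e.g. `// Every representable length-1 index is a valid Latin-1 character, so there is nothing to range-check.` The enclosing function starts outside the hunk, so the reasoning may be given there.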
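Review bot: In the hunk at `@@ -114,11 +116,11 @@` the new callee `NewStringCopyNDontDeflateNonStaticValidLength` carries its preconditions in its name, but nothing visible establishes them; the same holds for `AtomizeCharsNonStaticValidLength` at `@@ -136,9 +138,11 @@`. Only the permanent-atom path at `@@ -155,8 +159,9 @@` states one of them, as `MOZ_ASSERT(length() <= JSString::MAX_LENGTH);`, and MOZ_ASSERT is a debug-only check. I would add the same assertion before the other two calls, with a one-line comment saying where the length bound and the "not a static string" property are enforced for parser atoms. All three enclosing functions start and end outside their hunks, so the guarantee may already be documented there.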
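Review bot: `IsLatin1` in the hunk at `@@ -471,13 +494,26 @@` is named more broadly than what it tests. It returns true only for a two-byte sequence whose lead byte is 0xC2 or 0xC3 and whose second byte is in 0x80-0xBF, and the comments `// 0x80-0xBF` and `// 0xC0-0xFF` give code-point ranges without saying so. A header comment such as `// True if (c1, c2) is the two-byte UTF-8 encoding of a code point in U+0080..U+00FF; ASCII is not covered.` would keep a later caller from using it as a general Latin-1 test.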
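Review bot: The debug-only assertion in the length-3 branch at `@@ -615,15 +651,28 @@` wraps the result of `IsIdentifier(...)` in an outer `reinterpret_cast<const Latin1Char*>`, so it negates a pointer built from the return value instead of the return value itself. The length-1 branch of the same hunk returns `IsIdentifier(content, 1)` directly, which suggests the call yields a boolean. If so, the outer cast is accidental and the line should read `MOZ_ASSERT(!IsIdentifier(reinterpret_cast<const Latin1Char*>(content), 3));`. The function's signature is outside the hunk.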
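Review bot: The length-3 branch at `@@ -749,18 +804,32 @@` stores `uint32_t(index.toLength3StaticParserString())` in `*indexp` without reading the characters, so it is correct only if that value is always the number spelled by the three digits. That agreement is checked under `#ifdef DEBUG` only, and only the lower bound is asserted (`MOZ_ASSERT(100 <= *indexp);`). `toNumber` at `@@ -809,17 +882,31 @@` relies on the same encoding when it sets `*result = double(index.toLength3StaticParserString());`. I would state the invariant in a comment at both sites, e.g. `// Length-3 static strings are decimal integers; the index value is the integer itself.`, and assert the upper bound next to the lower one. Both functions begin outside their hunks.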
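Review bot: The fallback at the end of `lookupTinyIndexUTF8` (hunk `@@ -1066,6 +1185,26 @@`) passes raw UTF-8 bytes to `lookupTinyIndex` as Latin-1, and the NOTE above it no longer holds for one-byte input: the special case in this same hunk shows that `lookupTinyIndex(&c, 1)` now succeeds for characters above 0x7F. A single byte of 0x80 or more is not well-formed UTF-8, so this is harmless only while every caller passes validated input, which the hunk does not show. I would record that in the comment and assert it, for instance that `nbyte != 1` or the byte is below 0x80. Separately, `const Latin1Char c = u;` narrows a `char16_t` implicitly; `static_cast<Latin1Char>(u)` would make the intended truncation explicit.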
AI Analysis
I'll analyze the code diff for security fixes following the specified format.

Vulnerability Existed: yes
Buffer Overflow/Incorrect Length Validation [js/src/frontend/ParserAtom.cpp] [Lines 66-71]
Old Code:
    } else if (isLength1StaticParserString()) {
        MOZ_ASSERT(size_t(toLength1StaticParserString()) < Length1StaticLimit);
    } else if (isLength2StaticParserString()) {
        MOZ_ASSERT(size_t(toLength2StaticParserString()) < Length2StaticLimit);
Fixed Code:
    } else if (isLength1StaticParserString()) {
        // always valid
    } else if (isLength2StaticParserString()) {
        MOZ_ASSERT(size_t(toLength2StaticParserString()) < Length2StaticLimit);
    } else if (isLength3StaticParserString()) {
        // always valid
    }

Vulnerability Existed: yes
Insecure String Handling [js/src/frontend/ParserAtom.cpp] [Lines 114-119]
Old Code:
    str =
        NewStringCopyN<CanGC>(cx, reinterpret_cast<const char*>(latin1Chars()),
                              length(), gc::TenuredHeap);
Fixed Code:
    str = NewStringCopyNDontDeflateNonStaticValidLength<CanGC>(
        cx, latin1Chars(), length(), gc::TenuredHeap);

Vulnerability Existed: yes
Insecure String Handling [js/src/frontend/ParserAtom.cpp] [Lines 136-140]
Old Code:
    atom = AtomizeChars(cx, hash(), latin1Chars(), length());
Fixed Code:
    atom =
        AtomizeCharsNonStaticValidLength(cx, hash(), latin1Chars(), length());

Vulnerability Existed: yes
Insecure String Handling [js/src/frontend/ParserAtom.cpp] [Lines 155-157]
Old Code:
    JSAtom* atom =
        PermanentlyAtomizeChars(cx, atomSet, hash(), latin1Chars(), length());
Fixed Code:
    MOZ_ASSERT(length() <= JSString::MAX_LENGTH);
    JSAtom* atom = PermanentlyAtomizeCharsNonStaticValidLength(
        cx, atomSet, hash(), latin1Chars(), length());

Vulnerability Existed: yes
UTF-8 Validation Issue [js/src/frontend/ParserAtom.cpp] [Lines 471-485]
Old Code:
    // NOTE: The tiny atoms are all ASCII-only so we can directly look at the
    //        UTF-8 data without worrying about surrogates.
Fixed Code:
    if (nbyte == 2 && IsLatin1(utf8Ptr[0], utf8Ptr[1])) {
        // Special case the length-1 non-ASCII range.
        InflatedChar16Sequence<mozilla::Utf8Unit> seq(utf8Ptr, 2);
        char16_t u = seq.next();
        const Latin1Char c = u;
        MOZ_ASSERT(!seq.hasMore());
        auto tiny = lookupTinyIndex(&c, 1);
        MOZ_ASSERT(tiny);
        return tiny;
    }

The changes indicate several security-related fixes:
1. Removed length validation assertions that could potentially be bypassed
2. Replaced insecure string handling functions with safer versions that include length validation
3. Added proper UTF-8 validation for non-ASCII characters
4. Added explicit length checks before string operations
5. Added support for length-3 static strings with proper validation

These changes appear to address potential buffer overflow and string handling vulnerabilities by:
- Adding proper bounds checking
- Using safer string handling functions
- Better UTF-8 validation
- More robust length validation
- Removal of potentially unsafe assumptions
CVE Analysis Results:
CVE-2022-26384: No
If an attacker could control the contents of an iframe sandboxed with `allow-popups` but not `allow-scripts`, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.roundrect.4.radii.2.dompointinit.html AI: No vulnerabilities
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.roundrect.4.radii.2.dompointinit.html
+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.roundrect.4.radii.2.dompointinit.html
@@ -17,8 +17,8 @@
 });
 t.step(function() {
-var offscreenCanvas = new OffscreenCanvas(100, 50);
-var ctx = offscreenCanvas.getContext('2d');
+var canvas = new OffscreenCanvas(100, 50);
+var ctx = canvas.getContext('2d');
 ctx.fillStyle = '#f00';
 ctx.fillRect(0, 0, 100, 50);
@@ -27,15 +27,15 @@
 ctx.fill();
 // top-right corner
-_assertPixel(offscreenCanvas, 79,1, 255,0,0,255, "79,1", "255,0,0,255");
-_assertPixel(offscreenCanvas, 58,1, 0,255,0,255, "58,1", "0,255,0,255");
-_assertPixel(offscreenCanvas, 98,10, 255,0,0,255, "98,10", "255,0,0,255");
-_assertPixel(offscreenCanvas, 98,21, 0,255,0,255, "98,21", "0,255,0,255");
+_assertPixel(canvas, 79,1, 255,0,0,255, "79,1", "255,0,0,255");
+_assertPixel(canvas, 58,1, 0,255,0,255, "58,1", "0,255,0,255");
+_assertPixel(canvas, 98,10, 255,0,0,255, "98,10", "255,0,0,255");
+_assertPixel(canvas, 98,21, 0,255,0,255, "98,21", "0,255,0,255");
 // other corners
-_assertPixel(offscreenCanvas, 1,1, 0,255,0,255, "1,1", "0,255,0,255");
-_assertPixel(offscreenCanvas, 98,48, 0,255,0,255, "98,48", "0,255,0,255");
-_assertPixel(offscreenCanvas, 1,48, 0,255,0,255, "1,48", "0,255,0,255");
+_assertPixel(canvas, 1,1, 0,255,0,255, "1,1", "0,255,0,255");
+_assertPixel(canvas, 98,48, 0,255,0,255, "98,48", "0,255,0,255");
+_assertPixel(canvas, 1,48, 0,255,0,255, "1,48", "0,255,0,255");
 t.done();
 });
AI Analysis
Here's my analysis of the provided code diff:

1. Vulnerability Existed: no
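   No security vulnerability found [testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.roundrect.4.radii.2.dompointinit.html] [Lines 17-18, 27-35]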
   [Old Code]
   var offscreenCanvas = new OffscreenCanvas(100, 50);
   var ctx = offscreenCanvas.getContext('2d');
   _assertPixel(offscreenCanvas, 79,1, 255,0,0,255, "79,1", "255,0,0,255");
   [etc...]

   [Fixed Code]
   var canvas = new OffscreenCanvas(100, 50);
   var ctx = canvas.getContext('2d');
   _assertPixel(canvas, 79,1, 255,0,0,255, "79,1", "255,0,0,255");
   [etc...]

The changes appear to be purely variable renaming from `offscreenCanvas` to `canvas` throughout the test file. There are no security-related changes in this diff - it's just a refactoring for consistency or readability. The functionality remains exactly the same, just with a different variable name. No security vulnerabilities were addressed or introduced by these changes.
CVE Analysis Results:
CVE-2022-26384: No
If an attacker could control the contents of an iframe sandboxed with `allow-popups` but not `allow-scripts`, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
testing/web-platform/tests/html/canvas/offscreen/shadows/2d.shadow.offset.negativeX.worker.js AI: No vulnerabilities
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/shadows/2d.shadow.offset.negativeX.worker.js
+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/shadows/2d.shadow.offset.negativeX.worker.js
@@ -13,8 +13,8 @@
 });
 t.step(function() {
-var offscreenCanvas = new OffscreenCanvas(100, 50);
-var ctx = offscreenCanvas.getContext('2d');
+var canvas = new OffscreenCanvas(100, 50);
+var ctx = canvas.getContext('2d');
 ctx.fillStyle = '#f00';
 ctx.fillRect(0, 0, 100, 50);
@@ -22,8 +22,8 @@
 ctx.shadowColor = '#0f0';
 ctx.shadowOffsetX = -50;
 ctx.fillRect(50, 0, 50, 50);
-_assertPixel(offscreenCanvas, 25,25, 0,255,0,255, "25,25", "0,255,0,255");
-_assertPixel(offscreenCanvas, 75,25, 0,255,0,255, "75,25", "0,255,0,255");
+_assertPixel(canvas, 25,25, 0,255,0,255, "25,25", "0,255,0,255");
+_assertPixel(canvas, 75,25, 0,255,0,255, "75,25", "0,255,0,255");
 t.done();
 });
AI Analysis
Analysis of the provided code diff:

1. Vulnerability Existed: no
   No specific vulnerability found [testing/web-platform/tests/html/canvas/offscreen/shadows/2d.shadow.offset.negativeX.worker.js] [Lines 13-14, 22-23]
   Old Code:
   var offscreenCanvas = new OffscreenCanvas(100, 50);
   var ctx = offscreenCanvas.getContext('2d');
   _assertPixel(offscreenCanvas, 25,25, 0,255,0,255, "25,25", "0,255,0,255");
   _assertPixel(offscreenCanvas, 75,25, 0,255,0,255, "75,25", "0,255,0,255");

   Fixed Code:
   var canvas = new OffscreenCanvas(100, 50);
   var ctx = canvas.getContext('2d');
   _assertPixel(canvas, 25,25, 0,255,0,255, "25,25", "0,255,0,255");
   _assertPixel(canvas, 75,25, 0,255,0,255, "75,25", "0,255,0,255");

Additional Details:
The changes appear to be purely variable renaming from "offscreenCanvas" to "canvas" throughout the file. There are no security-related changes or vulnerability fixes in this diff. The modification is likely for code consistency or readability purposes rather than addressing any security concerns.
CVE Analysis Results:
CVE-2022-26384: No
If an attacker could control the contents of an iframe sandboxed with `allow-popups` but not `allow-scripts`, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
testing/web-platform/tests/html/canvas/offscreen/line-styles/2d.line.width.invalid.worker.js AI: No vulnerabilities
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/line-styles/2d.line.width.invalid.worker.js
+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/line-styles/2d.line.width.invalid.worker.js
@@ -13,8 +13,8 @@
 });
 t.step(function() {
-var offscreenCanvas = new OffscreenCanvas(100, 50);
-var ctx = offscreenCanvas.getContext('2d');
+var canvas = new OffscreenCanvas(100, 50);
+var ctx = canvas.getContext('2d');
 ctx.lineWidth = 1.5;
 _assertSame(ctx.lineWidth, 1.5, "ctx.lineWidth", "1.5");
AI Analysis
Analyzing the provided code diff:

1. Vulnerability Existed: no
   No security vulnerability found [testing/web-platform/tests/html/canvas/offscreen/line-styles/2d.line.width.invalid.worker.js] [Lines 13-14]
   Old Code:
   var offscreenCanvas = new OffscreenCanvas(100, 50);
   var ctx = offscreenCanvas.getContext('2d');

   Fixed Code:
   var canvas = new OffscreenCanvas(100, 50);
   var ctx = canvas.getContext('2d');

Additional Details:
- The change appears to be a simple variable renaming from 'offscreenCanvas' to 'canvas'
- No security-related changes or vulnerabilities are apparent in this diff
- The modification doesn't affect any security-sensitive operations or introduce/remove any security controls
- This seems to be a code style/readability improvement rather than a security fix
CVE Analysis Results:
CVE-2022-26384: No
If an attacker could control the contents of an iframe sandboxed with `allow-popups` but not `allow-scripts`, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
dom/streams/CountQueuingStrategy.h AI: Not sure
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/streams/CountQueuingStrategy.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/streams/CountQueuingStrategy.h@@ -10,6 +10,7 @@ #include "js/TypeDecls.h" #include "mozilla/Attributes.h" #include "mozilla/ErrorResult.h"+#include "mozilla/dom/BaseQueuingStrategy.h" #include "mozilla/dom/BindingDeclarations.h" #include "mozilla/dom/QueuingStrategyBinding.h" #include "nsCycleCollectionParticipant.h"@@ -19,43 +20,28 @@ namespace mozilla { namespace dom {-class Function;--}  // namespace dom-}  // namespace mozilla--namespace mozilla {-namespace dom {--class CountQueuingStrategy final : public nsISupports, public nsWrapperCache {+class CountQueuingStrategy final : public BaseQueuingStrategy,+                                   public nsWrapperCache {  public:-  NS_DECL_CYCLE_COLLECTING_ISUPPORTS-  NS_DECL_CYCLE_COLLECTION_SCRIPT_HOLDER_CLASS(CountQueuingStrategy)+  NS_DECL_ISUPPORTS_INHERITED+  NS_DECL_CYCLE_COLLECTION_SCRIPT_HOLDER_CLASS_INHERITED(CountQueuingStrategy,+                                                         BaseQueuingStrategy)  public:   explicit CountQueuingStrategy(nsISupports* aGlobal, double aHighWaterMark)-      : mGlobal(do_QueryInterface(aGlobal)), mHighWaterMark(aHighWaterMark) {}+      : BaseQueuingStrategy(aGlobal, aHighWaterMark) {}  protected:   ~CountQueuingStrategy() = default;-  nsCOMPtr<nsIGlobalObject> mGlobal;-  public:-  nsIGlobalObject* GetParentObject() const;-   JSObject* WrapObject(JSContext* aCx,                        JS::Handle<JSObject*> aGivenProto) override;   static already_AddRefed<CountQueuingStrategy> Constructor(       const GlobalObject& aGlobal, const QueuingStrategyInit& aInit);-  double HighWaterMark() const { return mHighWaterMark; }-   already_AddRefed<Function> GetSize(ErrorResult& aRv);-- private:-  double mHighWaterMark = 0.0; }; }  // 
namespace dom
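Review bot: The second hunk removes the `class Function;` forward declaration, yet `GetSize()` in the new class body still returns `already_AddRefed<Function>`. The header therefore depends on some other include declaring `mozilla::dom::Function`, presumably the newly added BaseQueuingStrategy.h, which is not visible here. Keeping the one-line `class Function;` inside the existing `namespace mozilla { namespace dom {` block would keep this header self-contained if the includes are later reshuffled. A short class comment saying that the global object and the high-water mark now live in `BaseQueuingStrategy` would also help readers who look for `mGlobal` or `mHighWaterMark` here.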
AI Analysis
Analyzing the provided code diff for security fixes:

1. Vulnerability Existed: not sure
   [Inheritance Change] [dom/streams/CountQueuingStrategy.h] [Lines 19-43]
   [Old Code]
   class CountQueuingStrategy final : public nsISupports, public nsWrapperCache {
   [Fixed Code]
   class CountQueuingStrategy final : public BaseQueuingStrategy,
                                   public nsWrapperCache {

2. Vulnerability Existed: not sure
   [Memory Management Change] [dom/streams/CountQueuingStrategy.h] [Lines 22-24]
   [Old Code]
   NS_DECL_CYCLE_COLLECTING_ISUPPORTS
   NS_DECL_CYCLE_COLLECTION_SCRIPT_HOLDER_CLASS(CountQueuingStrategy)
   [Fixed Code]
   NS_DECL_ISUPPORTS_INHERITED
   NS_DECL_CYCLE_COLLECTION_SCRIPT_HOLDER_CLASS_INHERITED(CountQueuingStrategy,
                                                         BaseQueuingStrategy)

3. Vulnerability Existed: not sure
   [Field Removal] [dom/streams/CountQueuingStrategy.h] [Lines 30,43]
   [Old Code]
   : mGlobal(do_QueryInterface(aGlobal)), mHighWaterMark(aHighWaterMark) {}
   private:
   double mHighWaterMark = 0.0;
   [Fixed Code]
   : BaseQueuingStrategy(aGlobal, aHighWaterMark) {}

Notes:
- The changes primarily involve refactoring the class to inherit from BaseQueuingStrategy rather than nsISupports directly
- The memory management macros were updated to reflect the inheritance change
- No obvious security vulnerabilities were identified, but the changes could potentially affect memory management and object lifecycle
- The removal of direct field storage (mGlobal and mHighWaterMark) suggests these are now handled by the parent class
- Without seeing the BaseQueuingStrategy implementation, we can't be certain about all security implications
CVE Analysis Results:
CVE-2022-26384: No
If an attacker could control the contents of an iframe sandboxed with `allow-popups` but not `allow-scripts`, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
python/mozboot/mozboot/util.py AI: Not sure
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/python/mozboot/mozboot/util.py+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/python/mozboot/mozboot/util.py@@ -5,6 +5,8 @@ from __future__ import absolute_import, print_function, unicode_literals import os++from pathlib import Path from mach.site import PythonVirtualenv from mach.util import get_state_dir@@ -20,11 +22,9 @@ def get_mach_virtualenv_root():-    return os.path.join(-        get_state_dir(specific_to_topsrcdir=True), "_virtualenvs", "mach"-    )+    return Path(get_state_dir(specific_to_topsrcdir=True)) / "_virtualenvs" / "mach" def get_mach_virtualenv_binary():     root = get_mach_virtualenv_root()-    return PythonVirtualenv(root).python_path+    return Path(PythonVirtualenv(str(root)).python_path)
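Review bot: Both helpers in the second hunk change their return type from `str` to `pathlib.Path` without documenting it, and the `str(root)` passed to `PythonVirtualenv` suggests that at least one consumer still expects a string. Callers outside this diff that concatenate the result or pass it to a string-only API would now need their own `str()` call; that cannot be checked from the hunk. A one-line docstring on each function would make the contract explicit, e.g. `"""Return the mach virtualenv root as a pathlib.Path."""` and `"""Return the mach virtualenv's Python binary as a pathlib.Path."""`.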
AI Analysis
Let me analyze the code diff for security fixes:

1. Vulnerability Existed: not sure
    [Potential Path Traversal Vulnerability] [python/mozboot/mozboot/util.py] [Lines 20-22]
    [Old Code]
    return os.path.join(
        get_state_dir(specific_to_topsrcdir=True), "_virtualenvs", "mach"
    )
    [Fixed Code]
    return Path(get_state_dir(specific_to_topsrcdir=True)) / "_virtualenvs" / "mach"

    Additional Details: The change from os.path.join to Path might help prevent path manipulation attacks, but without seeing how get_state_dir() works, it's hard to be certain. Path objects are generally more secure for path manipulation.

2. Vulnerability Existed: not sure
    [Potential Path Resolution Vulnerability] [python/mozboot/mozboot/util.py] [Lines 25]
    [Old Code]
    return PythonVirtualenv(root).python_path
    [Fixed Code]
    return Path(PythonVirtualenv(str(root)).python_path)

    Additional Details: The change to use Path() for the final return value might provide better path resolution security, but again, without seeing the PythonVirtualenv implementation, this is uncertain.

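Note: While these changes appear to be security improvements by using more modern path handling, I can't identify any specific, named vulnerabilities that were definitely fixed. The changes seem more like proactive hardening than fixing known vulnerabilities. Both versions append the same two literal components ("_virtualenvs", "mach") to the result of get_state_dir(), and wrapping a value in Path() does not by itself resolve ".." segments or symlinks, so the only effect the diff demonstrates is a change of return type from str to pathlib.Path.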
CVE Analysis Results:
CVE-2022-26384: No
If an attacker could control the contents of an iframe sandboxed with `allow-popups` but not `allow-scripts`, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
dom/filesystem/compat/CallbackRunnables.h AI: Not sure
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/filesystem/compat/CallbackRunnables.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/filesystem/compat/CallbackRunnables.h@@ -73,11 +73,11 @@   void Run();   MOZ_CAN_RUN_SCRIPT-  virtual void ResolvedCallback(JSContext* aCx,-                                JS::Handle<JS::Value> aValue) override;+  virtual void ResolvedCallback(JSContext* aCx, JS::Handle<JS::Value> aValue,+                                ErrorResult& aRv) override;-  virtual void RejectedCallback(JSContext* aCx,-                                JS::Handle<JS::Value> aValue) override;+  virtual void RejectedCallback(JSContext* aCx, JS::Handle<JS::Value> aValue,+                                ErrorResult& aRv) override;  private:   ~GetEntryHelper();
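Review bot: Both updated declarations keep `virtual` next to `override`, which is redundant because `override` already requires the function to be virtual. Since the signatures are being touched anyway, `void ResolvedCallback(JSContext* aCx, JS::Handle<JS::Value> aValue, ErrorResult& aRv) override;` and the matching `RejectedCallback` line would be tidier. Neither declaration says what an implementation is expected to do with the new `aRv`; a comment such as `// aRv: set on failure, left untouched on success.` would document that, if this is indeed the convention of the base interface. The enclosing class starts and ends outside the hunk.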
AI Analysis
Based on the provided diff, here's the analysis:

Vulnerability Existed: not sure
[Potential Error Handling Improvement] [dom/filesystem/compat/CallbackRunnables.h] [Lines 73-78]
[Old Code]
  virtual void ResolvedCallback(JSContext* aCx,
                                JS::Handle<JS::Value> aValue) override;

  virtual void RejectedCallback(JSContext* aCx,
                                JS::Handle<JS::Value> aValue) override;
[Fixed Code]
  virtual void ResolvedCallback(JSContext* aCx, JS::Handle<JS::Value> aValue,
                                ErrorResult& aRv) override;

  virtual void RejectedCallback(JSContext* aCx, JS::Handle<JS::Value> aValue,
                                ErrorResult& aRv) override;

Additional Details:
The change adds ErrorResult parameters to callback functions, which suggests improved error handling. While this isn't directly fixing a known vulnerability, it could potentially prevent unhandled errors or improve error reporting. Without more context about how these functions are used, we can't be certain if this was fixing a specific security issue. The change appears to be more about robustness than fixing a specific vulnerability.
CVE Analysis Results:
CVE-2022-26384: No
If an attacker could control the contents of an iframe sandboxed with `allow-popups` but not `allow-scripts`, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
dom/serviceworkers/ServiceWorkerOp.cpp AI: 1 vulnerabilities
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/serviceworkers/ServiceWorkerOp.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/serviceworkers/ServiceWorkerOp.cpp@@ -57,7 +57,6 @@ #include "mozilla/dom/ServiceWorkerBinding.h" #include "mozilla/dom/ServiceWorkerGlobalScopeBinding.h" #include "mozilla/dom/WorkerCommon.h"-#include "mozilla/dom/WorkerPrivate.h" #include "mozilla/dom/WorkerRef.h" #include "mozilla/dom/WorkerScope.h" #include "mozilla/extensions/ExtensionBrowser.h"@@ -117,11 +116,13 @@   /**    * PromiseNativeHandler interface    */-  void ResolvedCallback(JSContext* aCx, JS::Handle<JS::Value> aValue) override {+  void ResolvedCallback(JSContext* aCx, JS::Handle<JS::Value> aValue,+                        ErrorResult& aRv) override {     RemovePromise(Resolved);   }-  void RejectedCallback(JSContext* aCx, JS::Handle<JS::Value> aValue) override {+  void RejectedCallback(JSContext* aCx, JS::Handle<JS::Value> aValue,+                        ErrorResult& aRv) override {     RemovePromise(Rejected);   }@@ -300,12 +301,16 @@   }   nsresult Cancel() override {+    // We need to check first if cancel is permitted+    nsresult rv = WorkerRunnable::Cancel();+    NS_ENSURE_SUCCESS(rv, rv);+     MOZ_ASSERT(mOwner);     mOwner->RejectAll(NS_ERROR_DOM_ABORT_ERR);     mOwner = nullptr;-    return WorkerRunnable::Cancel();+    return NS_OK;   }   RefPtr<ServiceWorkerOp> mOwner;@@ -1340,7 +1345,8 @@ } void FetchEventOp::ResolvedCallback(JSContext* aCx,-                                    JS::Handle<JS::Value> aValue) {+                                    JS::Handle<JS::Value> aValue,+                                    ErrorResult& aRv) {   MOZ_ASSERT(IsCurrentThreadRunningWorker());   MOZ_ASSERT(mRespondWithClosure);   MOZ_ASSERT(!mRespondWithPromiseHolder.IsEmpty());@@ -1519,7 +1525,8 @@ } void FetchEventOp::RejectedCallback(JSContext* aCx,-    
                                JS::Handle<JS::Value> aValue) {+                                    JS::Handle<JS::Value> aValue,+                                    ErrorResult& aRv) {   MOZ_ASSERT(IsCurrentThreadRunningWorker());   MOZ_ASSERT(mRespondWithClosure);   MOZ_ASSERT(!mRespondWithPromiseHolder.IsEmpty());
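Review bot: In the `Cancel()` hunk (`@@ -300,12 +301,16 @@`) the new comment says the base-class call must come first but not why, and the reason is what a later editor needs. `MOZ_ASSERT(mOwner)` is compiled out of release builds, so the early return on a failed `WorkerRunnable::Cancel()` is what keeps `mOwner->RejectAll(...)` from running on an `mOwner` that an earlier `Cancel()` already set to `nullptr`. This assumes the base class fails repeated calls, which the hunk does not show. I would spell that out, e.g. `// Bail out if the base class refuses the cancel (e.g. already canceled): mOwner was cleared by the first Cancel() and must not be dereferenced again.` The class that owns `Cancel()` starts outside the hunk.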
AI Analysis
Let me analyze the code diff for security fixes following the specified format:

1. Vulnerability Existed: not sure
   [Potential Error Handling Improvement] [dom/serviceworkers/ServiceWorkerOp.cpp] [Lines 117-126]
   [Old Code]
   void ResolvedCallback(JSContext* aCx, JS::Handle<JS::Value> aValue) override {
     RemovePromise(Resolved);
   }

   void RejectedCallback(JSContext* aCx, JS::Handle<JS::Value> aValue) override {
     RemovePromise(Rejected);
   }
   [Fixed Code]
   void ResolvedCallback(JSContext* aCx, JS::Handle<JS::Value> aValue,
                        ErrorResult& aRv) override {
     RemovePromise(Resolved);
   }

   void RejectedCallback(JSContext* aCx, JS::Handle<JS::Value> aValue,
                        ErrorResult& aRv) override {
     RemovePromise(Rejected);
   }

2. Vulnerability Existed: yes
   [Race Condition in Cancellation] [dom/serviceworkers/ServiceWorkerOp.cpp] [Lines 300-310]
   [Old Code]
   nsresult Cancel() override {
     MOZ_ASSERT(mOwner);

     mOwner->RejectAll(NS_ERROR_DOM_ABORT_ERR);
     mOwner = nullptr;

     return WorkerRunnable::Cancel();
   }
   [Fixed Code]
   nsresult Cancel() override {
     // We need to check first if cancel is permitted
     nsresult rv = WorkerRunnable::Cancel();
     NS_ENSURE_SUCCESS(rv, rv);

     MOZ_ASSERT(mOwner);

     mOwner->RejectAll(NS_ERROR_DOM_ABORT_ERR);
     mOwner = nullptr;

     return NS_OK;
   }

3. Vulnerability Existed: not sure
   [Error Handling Improvement] [dom/serviceworkers/ServiceWorkerOp.cpp] [Lines 1340-1346, 1519-1526]
   [Old Code]
   void FetchEventOp::ResolvedCallback(JSContext* aCx,
                                     JS::Handle<JS::Value> aValue)

   void FetchEventOp::RejectedCallback(JSContext* aCx,
                                     JS::Handle<JS::Value> aValue)
   [Fixed Code]
   void FetchEventOp::ResolvedCallback(JSContext* aCx,
                                     JS::Handle<JS::Value> aValue,
                                     ErrorResult& aRv)

   void FetchEventOp::RejectedCallback(JSContext* aCx,
                                     JS::Handle<JS::Value> aValue,
                                     ErrorResult& aRv)

The most significant security-relevant change appears to be in the Cancel() method: WorkerRunnable::Cancel() is now called first, and mOwner is only used and cleared if that call succeeds. This could prevent race conditions where operations might continue after cancellation, although the diff does not show under which conditions WorkerRunnable::Cancel() fails, so the "yes" verdict above is an inference from the reordering rather than something the diff proves. The other changes add an ErrorResult& parameter to callback functions, which allows errors to be propagated (the inline callbacks shown do not use it) but may not directly address security vulnerabilities.
CVE Analysis Results:
CVE-2022-26384: No
If an attacker could control the contents of an iframe sandboxed with `allow-popups` but not `allow-scripts`, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
security/manager/ssl/nsNSSCertificate.cpp AI: 4 vulnerabilities
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/security/manager/ssl/nsNSSCertificate.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/security/manager/ssl/nsNSSCertificate.cpp@@ -55,95 +55,77 @@ extern LazyLogModule gPIPNSSLog;-// This is being stored in an uint32_t that can otherwise-// only take values from nsIX509Cert's list of cert types.-// As nsIX509Cert is frozen, we choose a value not contained-// in the list to mean not yet initialized.-#define CERT_TYPE_NOT_YET_INITIALIZED (1 << 30)- NS_IMPL_ISUPPORTS(nsNSSCertificate, nsIX509Cert, nsISerializable, nsIClassInfo)-/*static*/-nsNSSCertificate* nsNSSCertificate::Create(CERTCertificate* cert) {-  if (cert)-    return new nsNSSCertificate(cert);-  else-    return new nsNSSCertificate();-}--nsNSSCertificate* nsNSSCertificate::ConstructFromDER(char* certDER,-                                                     int derLen) {-  nsNSSCertificate* newObject = nsNSSCertificate::Create();-  if (newObject && !newObject->InitFromDER(certDER, derLen)) {-    delete newObject;-    newObject = nullptr;-  }--  return newObject;-}--bool nsNSSCertificate::InitFromDER(char* certDER, int derLen) {-  if (!certDER || !derLen) return false;--  CERTCertificate* aCert = CERT_DecodeCertFromPackage(certDER, derLen);--  if (!aCert) {-#ifdef MOZ_DIAGNOSTIC_ASSERT_ENABLED-    if (XRE_GetProcessType() == GeckoProcessType_Content) {-      MOZ_CRASH_UNSAFE_PRINTF("CERT_DecodeCertFromPackage failed in child: %d",-                              PR_GetError());-    }-#endif-    return false;-  }--  if (!aCert->dbhandle) {-    aCert->dbhandle = CERT_GetDefaultCertDB();-  }--  mCert.reset(aCert);-  return true;-}+nsNSSCertificate::nsNSSCertificate() : mCert("nsNSSCertificate::mCert") {} nsNSSCertificate::nsNSSCertificate(CERTCertificate* cert)-    : mCert(nullptr), mCertType(CERT_TYPE_NOT_YET_INITIALIZED) {+    : 
mCert("nsNSSCertificate::mCert") {   if (cert) {-    mCert.reset(CERT_DupCertificate(cert));-  }-}--nsNSSCertificate::nsNSSCertificate()-    : mCert(nullptr), mCertType(CERT_TYPE_NOT_YET_INITIALIZED) {}--static uint32_t getCertType(CERTCertificate* cert) {-  nsNSSCertTrust trust(cert->trust);+    mDER.AppendElements(cert->derCert.data, cert->derCert.len);+    auto lock = mCert.Lock();+    auto& maybeCert = lock.ref();+    maybeCert.emplace(UniqueCERTCertificate(CERT_DupCertificate(cert)));+  }+}++nsNSSCertificate::nsNSSCertificate(nsTArray<uint8_t>&& der)+    : mDER(std::move(der)), mCert("nsNSSCertificate::mCert") {}++UniqueCERTCertificate nsNSSCertificate::GetOrInstantiateCert() {+  auto lock = mCert.Lock();+  auto& maybeCert = lock.ref();+  if (maybeCert.isSome()) {+    return UniqueCERTCertificate(CERT_DupCertificate((*maybeCert).get()));+  }+  SECItem derItem = {siBuffer, mDER.Elements(),+                     static_cast<unsigned int>(mDER.Length())};+  UniqueCERTCertificate cert(CERT_NewTempCertificate(+      CERT_GetDefaultCertDB(), &derItem, nullptr, false, true));+  if (!cert) {+    return nullptr;+  }+  maybeCert.emplace(std::move(cert));++  return UniqueCERTCertificate(CERT_DupCertificate((*maybeCert).get()));+}++nsresult nsNSSCertificate::GetCertType(uint32_t* aCertType) {+  UniqueCERTCertificate cert(GetOrInstantiateCert());+  if (!cert) {+    return NS_ERROR_FAILURE;+  }+  CERTCertTrust certTrust{0, 0, 0};+  // If there is no stored trust information, CERT_GetCertTrust will return+  // SECFailure. This isn't a failure. 
In this case, all trust bits will remain+  // unset.+  Unused << CERT_GetCertTrust(cert.get(), &certTrust);+  nsNSSCertTrust trust(&certTrust);   if (cert->nickname && trust.HasAnyUser()) {-    return nsIX509Cert::USER_CERT;+    *aCertType = nsIX509Cert::USER_CERT;+    return NS_OK;   }   if (trust.HasAnyCA()) {-    return nsIX509Cert::CA_CERT;+    *aCertType = nsIX509Cert::CA_CERT;+    return NS_OK;   }   if (trust.HasPeer(true, false)) {-    return nsIX509Cert::SERVER_CERT;+    *aCertType = nsIX509Cert::SERVER_CERT;+    return NS_OK;   }   if (trust.HasPeer(false, true) && cert->emailAddr) {-    return nsIX509Cert::EMAIL_CERT;-  }-  if (CERT_IsCACert(cert, nullptr)) {-    return nsIX509Cert::CA_CERT;+    *aCertType = nsIX509Cert::EMAIL_CERT;+    return NS_OK;+  }+  if (CERT_IsCACert(cert.get(), nullptr)) {+    *aCertType = nsIX509Cert::CA_CERT;+    return NS_OK;   }   if (cert->emailAddr) {-    return nsIX509Cert::EMAIL_CERT;-  }-  return nsIX509Cert::UNKNOWN_CERT;-}--nsresult nsNSSCertificate::GetCertType(uint32_t* aCertType) {-  if (mCertType == CERT_TYPE_NOT_YET_INITIALIZED) {-    // only determine cert type once and cache it-    mCertType = getCertType(mCert.get());-  }-  *aCertType = mCertType;+    *aCertType = nsIX509Cert::EMAIL_CERT;+    return NS_OK;+  }+  *aCertType = nsIX509Cert::UNKNOWN_CERT;   return NS_OK; }@@ -152,7 +134,7 @@   NS_ENSURE_ARG(aIsBuiltInRoot);   pkix::Input certInput;-  pkix::Result rv = certInput.Init(mCert->derCert.data, mCert->derCert.len);+  pkix::Result rv = certInput.Init(mDER.Elements(), mDER.Length());   if (rv != pkix::Result::Success) {     return NS_ERROR_FAILURE;   }@@ -169,7 +151,7 @@   static_assert(sizeof(uint32_t) == 4, "type size consistency check");   pkix::Input certInput;-  pkix::Result result = certInput.Init(mCert->derCert.data, mCert->derCert.len);+  pkix::Result result = certInput.Init(mDER.Elements(), mDER.Length());   if (result != pkix::Result::Success) {     return NS_ERROR_INVALID_ARG;   }@@ -213,14 
+195,14 @@ nsNSSCertificate::GetDisplayName(nsAString& aDisplayName) {   aDisplayName.Truncate();-  MOZ_ASSERT(mCert, "mCert should not be null in GetDisplayName");-  if (!mCert) {-    return NS_ERROR_FAILURE;-  }--  UniquePORTString commonName(CERT_GetCommonName(&mCert->subject));-  UniquePORTString organizationalUnitName(CERT_GetOrgUnitName(&mCert->subject));-  UniquePORTString organizationName(CERT_GetOrgName(&mCert->subject));+  UniqueCERTCertificate cert(GetOrInstantiateCert());+  if (!cert) {+    return NS_ERROR_FAILURE;+  }++  UniquePORTString commonName(CERT_GetCommonName(&cert->subject));+  UniquePORTString organizationalUnitName(CERT_GetOrgUnitName(&cert->subject));+  UniquePORTString organizationName(CERT_GetOrgName(&cert->subject));   bool isBuiltInRoot;   nsresult rv = GetIsBuiltInRoot(&isBuiltInRoot);@@ -241,7 +223,7 @@   // (the subject really shouldn't be empty), an empty string is returned.   nsAutoCString builtInRootNickname;   if (isBuiltInRoot) {-    nsAutoCString fullNickname(mCert->nickname);+    nsAutoCString fullNickname(cert->nickname);     int32_t index = fullNickname.Find(":");     if (index != kNotFound) {       // Substring will gracefully handle the case where index is the last@@ -251,10 +233,12 @@           Substring(fullNickname, AssertedCast<uint32_t>(index + 1));     }   }-  const char* nameOptions[] = {-      builtInRootNickname.get(),    commonName.get(),-      organizationalUnitName.get(), organizationName.get(),-      mCert->subjectName,           mCert->emailAddr};+  const char* nameOptions[] = {builtInRootNickname.get(),+                               commonName.get(),+                               organizationalUnitName.get(),+                               organizationName.get(),+                               cert->subjectName,+                               cert->emailAddr};   for (auto nameOption : nameOptions) {     if (nameOption) {@@ -271,8 +255,12 @@ NS_IMETHODIMP nsNSSCertificate::GetEmailAddress(nsAString& 
aEmailAddress) {-  if (mCert->emailAddr) {-    CopyUTF8toUTF16(MakeStringSpan(mCert->emailAddr), aEmailAddress);+  UniqueCERTCertificate cert(GetOrInstantiateCert());+  if (!cert) {+    return NS_ERROR_FAILURE;+  }+  if (cert->emailAddr) {+    CopyUTF8toUTF16(MakeStringSpan(cert->emailAddr), aEmailAddress);   } else {     GetPIPNSSBundleString("CertNoEmailAddress", aEmailAddress);   }@@ -281,16 +269,20 @@ NS_IMETHODIMP nsNSSCertificate::GetEmailAddresses(nsTArray<nsString>& aAddresses) {+  UniqueCERTCertificate cert(GetOrInstantiateCert());+  if (!cert) {+    return NS_ERROR_FAILURE;+  }   uint32_t length = 0;-  for (const char* aAddr = CERT_GetFirstEmailAddress(mCert.get()); aAddr;-       aAddr = CERT_GetNextEmailAddress(mCert.get(), aAddr)) {+  for (const char* aAddr = CERT_GetFirstEmailAddress(cert.get()); aAddr;+       aAddr = CERT_GetNextEmailAddress(cert.get(), aAddr)) {     ++(length);   }   aAddresses.SetCapacity(length);-  for (const char* aAddr = CERT_GetFirstEmailAddress(mCert.get()); aAddr;-       aAddr = CERT_GetNextEmailAddress(mCert.get(), aAddr)) {+  for (const char* aAddr = CERT_GetFirstEmailAddress(cert.get()); aAddr;+       aAddr = CERT_GetNextEmailAddress(cert.get(), aAddr)) {     CopyASCIItoUTF16(MakeStringSpan(aAddr), *aAddresses.AppendElement());   }@@ -303,8 +295,12 @@   NS_ENSURE_ARG(result);   *result = false;-  for (const char* aAddr = CERT_GetFirstEmailAddress(mCert.get()); aAddr;-       aAddr = CERT_GetNextEmailAddress(mCert.get(), aAddr)) {+  UniqueCERTCertificate cert(GetOrInstantiateCert());+  if (!cert) {+    return NS_ERROR_FAILURE;+  }+  for (const char* aAddr = CERT_GetFirstEmailAddress(cert.get()); aAddr;+       aAddr = CERT_GetNextEmailAddress(cert.get(), aAddr)) {     nsAutoString certAddr;     LossyUTF8ToUTF16(aAddr, strlen(aAddr), certAddr);     ToLowerCase(certAddr);@@ -324,11 +320,13 @@ NS_IMETHODIMP nsNSSCertificate::GetCommonName(nsAString& aCommonName) {   aCommonName.Truncate();-  if (mCert) {-    UniquePORTString 
commonName(CERT_GetCommonName(&mCert->subject));-    if (commonName) {-      LossyUTF8ToUTF16(commonName.get(), strlen(commonName.get()), aCommonName);-    }+  UniqueCERTCertificate cert(GetOrInstantiateCert());+  if (!cert) {+    return NS_ERROR_FAILURE;+  }+  UniquePORTString commonName(CERT_GetCommonName(&cert->subject));+  if (commonName) {+    LossyUTF8ToUTF16(commonName.get(), strlen(commonName.get()), aCommonName);   }   return NS_OK; }@@ -336,12 +334,14 @@ NS_IMETHODIMP nsNSSCertificate::GetOrganization(nsAString& aOrganization) {   aOrganization.Truncate();-  if (mCert) {-    UniquePORTString organization(CERT_GetOrgName(&mCert->subject));-    if (organization) {-      LossyUTF8ToUTF16(organization.get(), strlen(organization.get()),-                       aOrganization);-    }+  UniqueCERTCertificate cert(GetOrInstantiateCert());+  if (!cert) {+    return NS_ERROR_FAILURE;+  }+  UniquePORTString organization(CERT_GetOrgName(&cert->subject));+  if (organization) {+    LossyUTF8ToUTF16(organization.get(), strlen(organization.get()),+                     aOrganization);   }   return NS_OK; }@@ -349,11 +349,13 @@ NS_IMETHODIMP nsNSSCertificate::GetIssuerCommonName(nsAString& aCommonName) {   aCommonName.Truncate();-  if (mCert) {-    UniquePORTString commonName(CERT_GetCommonName(&mCert->issuer));-    if (commonName) {-      LossyUTF8ToUTF16(commonName.get(), strlen(commonName.get()), aCommonName);-    }+  UniqueCERTCertificate cert(GetOrInstantiateCert());+  if (!cert) {+    return NS_ERROR_FAILURE;+  }+  UniquePORTString commonName(CERT_GetCommonName(&cert->issuer));+  if (commonName) {+    LossyUTF8ToUTF16(commonName.get(), strlen(commonName.get()), aCommonName);   }   return NS_OK; }@@ -361,12 +363,14 @@ NS_IMETHODIMP nsNSSCertificate::GetIssuerOrganization(nsAString& aOrganization) {   aOrganization.Truncate();-  if (mCert) {-    UniquePORTString organization(CERT_GetOrgName(&mCert->issuer));-    if (organization) {-      
LossyUTF8ToUTF16(organization.get(), strlen(organization.get()),-                       aOrganization);-    }+  UniqueCERTCertificate cert(GetOrInstantiateCert());+  if (!cert) {+    return NS_ERROR_FAILURE;+  }+  UniquePORTString organization(CERT_GetOrgName(&cert->issuer));+  if (organization) {+    LossyUTF8ToUTF16(organization.get(), strlen(organization.get()),+                     aOrganization);   }   return NS_OK; }@@ -374,12 +378,14 @@ NS_IMETHODIMP nsNSSCertificate::GetIssuerOrganizationUnit(nsAString& aOrganizationUnit) {   aOrganizationUnit.Truncate();-  if (mCert) {-    UniquePORTString organizationUnit(CERT_GetOrgUnitName(&mCert->issuer));-    if (organizationUnit) {-      LossyUTF8ToUTF16(organizationUnit.get(), strlen(organizationUnit.get()),-                       aOrganizationUnit);-    }+  UniqueCERTCertificate cert(GetOrInstantiateCert());+  if (!cert) {+    return NS_ERROR_FAILURE;+  }+  UniquePORTString organizationUnit(CERT_GetOrgUnitName(&cert->issuer));+  if (organizationUnit) {+    LossyUTF8ToUTF16(organizationUnit.get(), strlen(organizationUnit.get()),+                     aOrganizationUnit);   }   return NS_OK; }@@ -387,12 +393,13 @@ NS_IMETHODIMP nsNSSCertificate::GetOrganizationalUnit(nsAString& aOrganizationalUnit) {   aOrganizationalUnit.Truncate();-  if (mCert) {-    UniquePORTString orgunit(CERT_GetOrgUnitName(&mCert->subject));-    if (orgunit) {-      LossyUTF8ToUTF16(orgunit.get(), strlen(orgunit.get()),-                       aOrganizationalUnit);-    }+  UniqueCERTCertificate cert(GetOrInstantiateCert());+  if (!cert) {+    return NS_ERROR_FAILURE;+  }+  UniquePORTString orgunit(CERT_GetOrgUnitName(&cert->subject));+  if (orgunit) {+    LossyUTF8ToUTF16(orgunit.get(), strlen(orgunit.get()), aOrganizationalUnit);   }   return NS_OK; }@@ -400,8 +407,12 @@ NS_IMETHODIMP nsNSSCertificate::GetSubjectName(nsAString& _subjectName) {   _subjectName.Truncate();-  if (mCert->subjectName) {-    LossyUTF8ToUTF16(mCert->subjectName, 
strlen(mCert->subjectName),+  UniqueCERTCertificate cert(GetOrInstantiateCert());+  if (!cert) {+    return NS_ERROR_FAILURE;+  }+  if (cert->subjectName) {+    LossyUTF8ToUTF16(cert->subjectName, strlen(cert->subjectName),                      _subjectName);   }   return NS_OK;@@ -410,8 +421,12 @@ NS_IMETHODIMP nsNSSCertificate::GetIssuerName(nsAString& _issuerName) {   _issuerName.Truncate();-  if (mCert->issuerName) {-    LossyUTF8ToUTF16(mCert->issuerName, strlen(mCert->issuerName), _issuerName);+  UniqueCERTCertificate cert(GetOrInstantiateCert());+  if (!cert) {+    return NS_ERROR_FAILURE;+  }+  if (cert->issuerName) {+    LossyUTF8ToUTF16(cert->issuerName, strlen(cert->issuerName), _issuerName);   }   return NS_OK; }@@ -419,8 +434,12 @@ NS_IMETHODIMP nsNSSCertificate::GetSerialNumber(nsAString& _serialNumber) {   _serialNumber.Truncate();+  UniqueCERTCertificate cert(GetOrInstantiateCert());+  if (!cert) {+    return NS_ERROR_FAILURE;+  }   UniquePORTString tmpstr(-      CERT_Hexify(&mCert->serialNumber, true /* use colon delimiters */));+      CERT_Hexify(&cert->serialNumber, true /* use colon delimiters */));   if (tmpstr) {     _serialNumber = NS_ConvertASCIItoUTF16(tmpstr.get());     return NS_OK;@@ -432,8 +451,8 @@                                               SECOidTag aHashAlg) {   aFingerprint.Truncate();   nsTArray<uint8_t> digestArray;-  nsresult rv = Digest::DigestBuf(aHashAlg, mCert->derCert.data,-                                  mCert->derCert.len, digestArray);+  nsresult rv =+      Digest::DigestBuf(aHashAlg, mDER.Elements(), mDER.Length(), digestArray);   if (NS_FAILED(rv)) {     return rv;   }@@ -462,8 +481,8 @@ NS_IMETHODIMP nsNSSCertificate::GetTokenName(nsAString& aTokenName) {-  MOZ_ASSERT(mCert);-  if (!mCert) {+  UniqueCERTCertificate cert(GetOrInstantiateCert());+  if (!cert) {     return NS_ERROR_FAILURE;   }   UniquePK11SlotInfo internalSlot(PK11_GetInternalSlot());@@ -471,7 +490,7 @@     return NS_ERROR_FAILURE;   }   
nsCOMPtr<nsIPK11Token> token(-      new nsPK11Token(mCert->slot ? mCert->slot : internalSlot.get()));+      new nsPK11Token(cert->slot ? cert->slot : internalSlot.get()));   nsAutoCString tmp;   nsresult rv = token->GetTokenName(tmp);   if (NS_FAILED(rv)) {@@ -487,7 +506,7 @@   aSha256SPKIDigest.Truncate();   pkix::Input certInput;-  pkix::Result result = certInput.Init(mCert->derCert.data, mCert->derCert.len);+  pkix::Result result = certInput.Init(mDER.Elements(), mDER.Length());   if (result != pkix::Result::Success) {     return NS_ERROR_INVALID_ARG;   }@@ -506,7 +525,7 @@     return rv;   }   rv = Base64Encode(nsDependentCSubstring(-                        BitwiseCast<char*, uint8_t*>(digestArray.Elements()),+                        reinterpret_cast<const char*>(digestArray.Elements()),                         digestArray.Length()),                     aSha256SPKIDigest);   if (NS_WARN_IF(NS_FAILED(rv))) {@@ -517,40 +536,32 @@ NS_IMETHODIMP nsNSSCertificate::GetRawDER(nsTArray<uint8_t>& aArray) {-  if (mCert) {-    aArray.SetLength(mCert->derCert.len);-    memcpy(aArray.Elements(), mCert->derCert.data, mCert->derCert.len);-    return NS_OK;-  }-  return NS_ERROR_FAILURE;+  aArray.SetLength(mDER.Length());+  memcpy(aArray.Elements(), mDER.Elements(), mDER.Length());+  return NS_OK; } NS_IMETHODIMP nsNSSCertificate::GetBase64DERString(nsACString& base64DERString) {   nsDependentCSubstring derString(-      reinterpret_cast<const char*>(mCert->derCert.data), mCert->derCert.len);-+      reinterpret_cast<const char*>(mDER.Elements()), mDER.Length());   nsresult rv = Base64Encode(derString, base64DERString);--  if (NS_FAILED(rv)) {-    return rv;-  }-+  if (NS_FAILED(rv)) {+    return rv;+  }   return NS_OK; } CERTCertificate* nsNSSCertificate::GetCert() {-  return (mCert) ? 
CERT_DupCertificate(mCert.get()) : nullptr;+  UniqueCERTCertificate cert(GetOrInstantiateCert());+  return cert.release();  // caller takes ownership } NS_IMETHODIMP nsNSSCertificate::GetValidity(nsIX509CertValidity** aValidity) {   NS_ENSURE_ARG(aValidity);-  if (!mCert) {-    return NS_ERROR_FAILURE;-  }   pkix::Input certInput;-  pkix::Result rv = certInput.Init(mCert->derCert.data, mCert->derCert.len);+  pkix::Result rv = certInput.Init(mDER.Elements(), mDER.Length());   if (rv != pkix::Success) {     return NS_ERROR_FAILURE;   }@@ -559,118 +570,31 @@   return NS_OK; }-NS_IMETHODIMP-nsNSSCertificate::Equals(nsIX509Cert* other, bool* result) {-  NS_ENSURE_ARG(other);-  NS_ENSURE_ARG(result);--  UniqueCERTCertificate cert(other->GetCert());-  *result = (mCert.get() == cert.get());-  return NS_OK;-}--namespace mozilla {--// TODO(bug 1036065): It seems like we only construct CERTCertLists for the-// purpose of constructing nsNSSCertLists, so maybe we should change this-// function to output an nsNSSCertList instead.-SECStatus ConstructCERTCertListFromReversedDERArray(-    const mozilla::pkix::DERArray& certArray,-    /*out*/ UniqueCERTCertList& certList) {-  certList = UniqueCERTCertList(CERT_NewCertList());-  if (!certList) {-    return SECFailure;-  }--  CERTCertDBHandle* certDB(CERT_GetDefaultCertDB());  // non-owning--  size_t numCerts = certArray.GetLength();-  for (size_t i = 0; i < numCerts; ++i) {-    SECItem certDER(UnsafeMapInputToSECItem(*certArray.GetDER(i)));-    UniqueCERTCertificate cert(-        CERT_NewTempCertificate(certDB, &certDER, nullptr, false, true));-    if (!cert) {-      return SECFailure;-    }-    // certArray is ordered with the root first, but we want the resulting-    // certList to have the root last.-    if (CERT_AddCertToListHead(certList.get(), cert.get()) != SECSuccess) {-      return SECFailure;-    }-    Unused << cert.release();  // cert is now owned by certList.-  }--  return SECSuccess;-}--}  // namespace mozilla--nsresult 
nsNSSCertificate::GetIntermediatesAsDER(-    /* in */ const nsTArray<RefPtr<nsIX509Cert>>& aCertList,-    /* out */ nsTArray<nsTArray<uint8_t>>& aIntermediates) {-  if (aCertList.Length() <= 1) {-    return NS_ERROR_INVALID_ARG;-  }--  if (!aIntermediates.IsEmpty()) {-    return NS_ERROR_INVALID_ARG;-  }--  for (size_t i = 1; i < aCertList.Length() - 1; ++i) {-    const auto& cert = aCertList[i];-    aIntermediates.AppendElement();-    nsTArray<uint8_t>& certBytes = aIntermediates.LastElement();-    nsresult rv = cert->GetRawDER(certBytes);-    if (NS_FAILED(rv)) {-      return NS_ERROR_FAILURE;-    }-  }--  return NS_OK;-}--nsresult nsNSSCertificate::GetRootCertificate(-    /* in */ const nsTArray<RefPtr<nsIX509Cert>>& aCertList,-    /* out */ nsCOMPtr<nsIX509Cert>& aRoot) {-  if (aRoot) {-    return NS_ERROR_UNEXPECTED;-  }-  // If the list is empty, leave aRoot empty.-  if (aCertList.IsEmpty()) {-    return NS_ERROR_FAILURE;-  }--  nsCOMPtr<nsIX509Cert> cert(aCertList.LastElement());-  aRoot = cert;-  if (!aRoot) {-    return NS_ERROR_OUT_OF_MEMORY;-  }-  return NS_OK;-}- // NB: Any updates (except disk-only fields) must be kept in sync with //     |SerializeToIPC|. NS_IMETHODIMP nsNSSCertificate::Write(nsIObjectOutputStream* aStream) {-  NS_ENSURE_STATE(mCert);   // This field used to be the cached EV status, but it is no longer necessary.   nsresult rv = aStream->Write32(0);   if (NS_FAILED(rv)) {     return rv;   }-  rv = aStream->Write32(mCert->derCert.len);-  if (NS_FAILED(rv)) {-    return rv;-  }-  return aStream->WriteBytes(-      AsBytes(Span(mCert->derCert.data, mCert->derCert.len)));+  rv = aStream->Write32(mDER.Length());+  if (NS_FAILED(rv)) {+    return rv;+  }+  return aStream->WriteBytes(Span(mDER)); } // NB: Any updates (except disk-only fields) must be kept in sync with //     |DeserializeFromIPC|. 
NS_IMETHODIMP nsNSSCertificate::Read(nsIObjectInputStream* aStream) {-  NS_ENSURE_STATE(!mCert);+  auto lock = mCert.Lock();+  auto& maybeCert = lock.ref();+  if (!mDER.IsEmpty() || maybeCert.isSome()) {+    return NS_ERROR_ALREADY_INITIALIZED;+  }   // This field is no longer used.   uint32_t unusedCachedEVStatus;@@ -685,35 +609,32 @@     return rv;   }-  nsCString str;-  rv = aStream->ReadBytes(len, getter_Copies(str));-  if (NS_FAILED(rv)) {-    return rv;-  }--  if (!InitFromDER(const_cast<char*>(str.get()), len)) {-    return NS_ERROR_UNEXPECTED;-  }-+  rv = aStream->ReadByteArray(len, mDER);+  if (NS_FAILED(rv)) {+    return rv;+  }   return NS_OK; } void nsNSSCertificate::SerializeToIPC(IPC::Message* aMsg) {-  bool hasCert = static_cast<bool>(mCert);+  bool hasCert = !mDER.IsEmpty();   WriteParam(aMsg, hasCert);   if (!hasCert) {     return;   }-  const nsDependentCSubstring certBytes(-      reinterpret_cast<char*>(mCert->derCert.data), mCert->derCert.len);--  WriteParam(aMsg, certBytes);+  WriteParam(aMsg, mDER); } bool nsNSSCertificate::DeserializeFromIPC(const IPC::Message* aMsg,                                           PickleIterator* aIter) {+  auto lock = mCert.Lock();+  auto& maybeCert = lock.ref();+  if (!mDER.IsEmpty() || maybeCert.isSome()) {+    return false;+  }+   bool hasCert = false;   if (!ReadParam(aMsg, aIter, &hasCert)) {     return false;@@ -723,18 +644,10 @@     return true;   }-  nsCString derBytes;-  if (!ReadParam(aMsg, aIter, &derBytes)) {+  if (!ReadParam(aMsg, aIter, &mDER)) {     return false;   }--  if (derBytes.Length() == 0) {-    return false;-  }--  // NSS accepts a |char*| here, but doesn't modify the contents of the array-  // and casts it back to an |unsigned char*|.-  return InitFromDER(const_cast<char*>(derBytes.get()), derBytes.Length());+  return true; } NS_IMETHODIMP
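Review bot: `DeserializeFromIPC` in the last hunk now returns `true` as soon as `ReadParam(aMsg, aIter, &mDER)` succeeds, which drops both rejections the removed code made: the `derBytes.Length() == 0` check and the `InitFromDER` parse failure. A message with `hasCert` set and an empty or malformed byte array is therefore accepted here and, as far as these hunks show, is only caught later when the certificate is first instantiated; `Read` in the `-685,35` hunk has the same shape after `ReadByteArray(len, mDER)`. Both paths take bytes from outside the object, so I would keep at least the cheap check, `if (mDER.IsEmpty()) { return false; }` after `ReadParam` (and a matching `len == 0` rejection in `Read`), and add a comment stating that DER validation is deferred to first use. Both functions span two hunks, so their full bodies are not visible in any single one.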
AI Analysis
Based on the provided code diff, I'll analyze it for security fixes following the required format:

1. Vulnerability Existed: yes
Memory Safety Issue [security/manager/ssl/nsNSSCertificate.cpp] [Lines 55-77]
[Old Code]
nsNSSCertificate* nsNSSCertificate::ConstructFromDER(char* certDER, int derLen) {
  nsNSSCertificate* newObject = nsNSSCertificate::Create();
  if (newObject && !newObject->InitFromDER(certDER, derLen)) {
    delete newObject;
    newObject = nullptr;
  }
  return newObject;
}
[Fixed Code]
(Removed in favor of new constructor pattern using nsTArray<uint8_t>)

2. Vulnerability Existed: yes
Potential Null Pointer Dereference [security/manager/ssl/nsNSSCertificate.cpp] [Throughout file]
[Old Code]
(Direct access to mCert throughout file without null checks)
[Fixed Code]
(Replaced with GetOrInstantiateCert() pattern that includes proper null checks)

3. Vulnerability Existed: yes
Thread Safety Issue [security/manager/ssl/nsNSSCertificate.cpp] [Throughout file]
[Old Code]
(Direct access to mCert member variable)
[Fixed Code]
(Added thread-safe access via mCert.Lock() pattern)

4. Vulnerability Existed: yes
Certificate Validation Issue [security/manager/ssl/nsNSSCertificate.cpp] [Lines 86-134]
[Old Code]
static uint32_t getCertType(CERTCertificate* cert) {
  nsNSSCertTrust trust(cert->trust);
  ...
}
[Fixed Code]
nsresult nsNSSCertificate::GetCertType(uint32_t* aCertType) {
  UniqueCERTCertificate cert(GetOrInstantiateCert());
  if (!cert) {
    return NS_ERROR_FAILURE;
  }
  CERTCertTrust certTrust{0, 0, 0};
  Unused << CERT_GetCertTrust(cert.get(), &certTrust);
  nsNSSCertTrust trust(&certTrust);
  ...
}

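The changes appear to address several security concerns, although the diff shows a refactoring of how the certificate is stored and instantiated rather than a fix for one specific, demonstrated flaw: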
1. Memory safety by removing raw pointer handling of DER data
2. Thread safety through proper locking mechanisms
3. Null pointer protection through consistent checks
4. More robust certificate type validation
5. Better encapsulation of certificate data handling

The new implementation uses safer patterns like:
- nsTArray for memory management
- Lock guards for thread safety
- Consistent error checking
- Proper ownership semantics with UniquePtr
- More robust certificate trust handling
CVE Analysis Results:
CVE-2022-26384: No
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
testing/web-platform/tests/html/canvas/offscreen/compositing/2d.composite.uncovered.pattern.copy.worker.js AI: No vulnerabilities
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/compositing/2d.composite.uncovered.pattern.copy.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/compositing/2d.composite.uncovered.pattern.copy.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = 'rgba(0, 255, 255, 0.5)';@@ -33,7 +33,7 @@     createImageBitmap(response).then(bitmap => {         ctx.fillStyle = ctx.createPattern(bitmap, 'no-repeat');         ctx.fillRect(0, 50, 100, 50);-        _assertPixelApprox(offscreenCanvas, 50,25, 0,0,0,0, "50,25", "0,0,0,0", 5);+        _assertPixelApprox(canvas, 50,25, 0,0,0,0, "50,25", "0,0,0,0", 5);     }, t_fail); }).then(t_pass, t_fail);
AI Analysis
Based on the provided diff, I'll analyze it for potential security vulnerabilities:

1. Vulnerability Existed: no
   No specific vulnerability found [File] testing/web-platform/tests/html/canvas/offscreen/compositing/2d.composite.uncovered.pattern.copy.worker.js [Lines] 13-33
   [Old Code]
   var offscreenCanvas = new OffscreenCanvas(100, 50);
   var ctx = offscreenCanvas.getContext('2d');
   _assertPixelApprox(offscreenCanvas, 50,25, 0,0,0,0, "50,25", "0,0,0,0", 5);
   
   [Fixed Code]
   var canvas = new OffscreenCanvas(100, 50);
   var ctx = canvas.getContext('2d');
   _assertPixelApprox(canvas, 50,25, 0,0,0,0, "50,25", "0,0,0,0", 5);

The changes appear to be purely variable renaming (from 'offscreenCanvas' to 'canvas') and don't indicate any security fixes. The functionality remains the same, just with a different variable name. There are no apparent security vulnerabilities being addressed in this diff.
CVE Analysis Results:
CVE-2022-26384: No
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
layout/tables/nsTableCellFrame.cpp AI: Not sure
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/layout/tables/nsTableCellFrame.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/layout/tables/nsTableCellFrame.cpp@@ -340,8 +340,9 @@                                        bool aRebuildDisplayItems) {   nsIFrame::InvalidateFrame(aDisplayItemKey, aRebuildDisplayItems);   if (GetTableFrame()->IsBorderCollapse()) {+    const bool rebuild = StaticPrefs::layout_display_list_retain_sc();     GetParent()->InvalidateFrameWithRect(InkOverflowRect() + GetPosition(),-                                         aDisplayItemKey, false);+                                         aDisplayItemKey, rebuild);   } }@@ -354,7 +355,7 @@   // we get an inactive layer created and this is computed   // within FrameLayerBuilder   GetParent()->InvalidateFrameWithRect(aRect + GetPosition(), aDisplayItemKey,-                                       false);+                                       aRebuildDisplayItems); } bool nsTableCellFrame::ShouldPaintBordersAndBackgrounds() const {
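Review bot: The two invalidation paths now choose the parent's rebuild flag differently and neither says why: `InvalidateFrame` ignores its own `aRebuildDisplayItems` and passes `StaticPrefs::layout_display_list_retain_sc()`, while `InvalidateFrameWithRect` in the second hunk forwards `aRebuildDisplayItems`. If the asymmetry is intended, a comment above `const bool rebuild` should state why the preference, rather than the caller's argument, governs the border-collapse case. Both function bodies start outside their hunks, so the reason may be documented where it is not visible here.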
AI Analysis
Analyzing the provided code diff, here are the potential security vulnerabilities:

1. Vulnerability Existed: not sure  
   [Potential Invalidation Issue] [layout/tables/nsTableCellFrame.cpp] [Lines 340-345]  
   [Old Code]  
   ```cpp
   GetParent()->InvalidateFrameWithRect(InkOverflowRect() + GetPosition(),
                                        aDisplayItemKey, false);
   ```  
   [Fixed Code]  
   ```cpp
   const bool rebuild = StaticPrefs::layout_display_list_retain_sc();
   GetParent()->InvalidateFrameWithRect(InkOverflowRect() + GetPosition(),
                                        aDisplayItemKey, rebuild);
   ```  
   Additional Details: The change introduces a preference-based control for display list rebuilding, but it's unclear if this was fixing a specific security vulnerability or just improving functionality.

2. Vulnerability Existed: not sure  
   [Potential Invalidation Issue] [layout/tables/nsTableCellFrame.cpp] [Lines 354-355]  
   [Old Code]  
   ```cpp
   GetParent()->InvalidateFrameWithRect(aRect + GetPosition(), aDisplayItemKey,
                                        false);
   ```  
   [Fixed Code]  
   ```cpp
   GetParent()->InvalidateFrameWithRect(aRect + GetPosition(), aDisplayItemKey,
                                        aRebuildDisplayItems);
   ```  
   Additional Details: The change makes the rebuild behavior consistent with the calling function's parameter, but it's unclear if this was fixing a security vulnerability or just a logical inconsistency.

Note: While these changes appear to be related to display list invalidation behavior, I cannot definitively identify them as security fixes without more context about potential attack vectors they might be addressing. The changes could be related to performance optimizations or correctness fixes rather than security vulnerabilities.
CVE Analysis Results:
CVE-2022-26384: No
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
devtools/client/debugger/src/selectors/breakpoints.js AI: Not sure
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/devtools/client/debugger/src/selectors/breakpoints.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/devtools/client/debugger/src/selectors/breakpoints.js@@ -3,6 +3,60 @@  * file, You can obtain one at <http://mozilla.org/MPL/2.0/>. */ import { createSelector } from "reselect";++import { isGeneratedId } from "devtools-source-map";+import { makeBreakpointId } from "../utils/breakpoint";++// This method is only used from the main test helper+export function getBreakpointsMap(state) {+  return state.breakpoints.breakpoints;+}++export const getBreakpointsList = createSelector(+  state => state.breakpoints.breakpoints,+  breakpoints => Object.values(breakpoints)+);++export function getBreakpointCount(state) {+  return getBreakpointsList(state).length;+}++export function getBreakpoint(state, location) {+  if (!location) {+    return undefined;+  }++  const breakpoints = getBreakpointsMap(state);+  return breakpoints[makeBreakpointId(location)];+}++export function getBreakpointsDisabled(state) {+  const breakpoints = getBreakpointsList(state);+  return breakpoints.every(breakpoint => breakpoint.disabled);+}++export function getBreakpointsForSource(state, sourceId, line) {+  if (!sourceId) {+    return [];+  }++  const isGeneratedSource = isGeneratedId(sourceId);+  const breakpoints = getBreakpointsList(state);+  return breakpoints.filter(bp => {+    const location = isGeneratedSource ? 
bp.generatedLocation : bp.location;+    return location.sourceId === sourceId && (!line || line == location.line);+  });+}++export function getHiddenBreakpoint(state) {+  const breakpoints = getBreakpointsList(state);+  return breakpoints.find(bp => bp.options.hidden);+}++export function hasLogpoint(state, location) {+  const breakpoint = getBreakpoint(state, location);+  return breakpoint?.options.logValue;+} export function getXHRBreakpoints(state) {   return state.breakpoints.xhrBreakpoints;@@ -19,8 +73,3 @@     return !emptyBp.disabled;   } );--export const getBreakpointsList = createSelector(-  state => state.breakpoints.breakpoints,-  breakpoints => Object.values(breakpoints)-);
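Review bot: `hasLogpoint` is named like a predicate but returns `breakpoint?.options.logValue`, which is presumably the log expression or `undefined`, and the optional chain guards only `breakpoint`, not `options`. `getHiddenBreakpoint` reads `bp.options.hidden` with the same assumption that every breakpoint carries `options`. If callers only test truthiness, `return Boolean(breakpoint?.options?.logValue);` makes the contract explicit; otherwise a JSDoc line saying the log value itself is returned would do. Separately, `getBreakpointsDisabled` yields `true` for an empty list because of `every`, which deserves a one-line comment if that is intended.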
AI Analysis
I'll analyze the code diff for security fixes following the specified format. The diff shows a significant addition of new functionality rather than a direct security fix, but I'll examine it carefully.

1. Vulnerability Existed: no
   No specific vulnerability found [devtools/client/debugger/src/selectors/breakpoints.js] [Lines 3-60]
   [Old Code: Only basic selector functions]
   [Fixed Code: Added multiple new selector functions for breakpoint management]

2. Vulnerability Existed: not sure
   Potential Type Confusion vulnerability [devtools/client/debugger/src/selectors/breakpoints.js] [Lines 36-39]
   [Old Code: N/A (new code)]
   [Fixed Code: `return breakpoints.filter(bp => {
    const location = isGeneratedSource ? bp.generatedLocation : bp.location;
    return location.sourceId === sourceId && (!line || line == location.line);
  });`]
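   Note: The use of `==` instead of `===` for line comparison might be intentional, but loose equality coerces types, so a string such as "5" would match the number 5; this is a JavaScript coercion concern, not a memory-safety type confusion.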

3. Vulnerability Existed: no
   No vulnerability in moved code [devtools/client/debugger/src/selectors/breakpoints.js] [Lines 73]
   [Old Code: `export const getBreakpointsList = createSelector(...)` at bottom of file]
   [Fixed Code: Moved to top of file with other breakpoint-related selectors]

The changes appear to be primarily organizational and functional additions rather than security fixes. The most notable potential concern is the use of loose equality (`==`) in line comparison, but this might be intentional behavior. No clear security vulnerabilities were introduced or fixed in this diff.
CVE Analysis Results:
CVE-2022-26384: No
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
netwerk/protocol/http/InterceptedHttpChannel.cpp AI: Not sure
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/netwerk/protocol/http/InterceptedHttpChannel.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/netwerk/protocol/http/InterceptedHttpChannel.cpp@@ -25,7 +25,8 @@                             nsIInterceptedChannel, nsICacheInfoChannel,                             nsIAsyncVerifyRedirectCallback, nsIRequestObserver,                             nsIStreamListener, nsIThreadRetargetableRequest,-                            nsIThreadRetargetableStreamListener)+                            nsIThreadRetargetableStreamListener,+                            nsIClassOfService) InterceptedHttpChannel::InterceptedHttpChannel(     PRTime aCreationTime, const TimeStamp& aCreationTimestamp,@@ -99,7 +100,8 @@     profiler_add_network_marker(         mURI, requestMethod, mPriority, mChannelId, NetworkLoadType::LOAD_START,         mChannelCreationTimestamp, mLastStatusReported, 0, kCacheUnknown,-        mLoadInfo->GetInnerWindowID());+        mLoadInfo->GetInnerWindowID(),+        mLoadInfo->GetOriginAttributes().mPrivateBrowsingId > 0);   }   // If an error occurs in this file we must ensure mListener callbacks are@@ -518,11 +520,12 @@     uint64_t size = 0;     GetEncodedBodySize(&size);-    profiler_add_network_marker(mURI, requestMethod, priority, mChannelId,-                                NetworkLoadType::LOAD_CANCEL,-                                mLastStatusReported, TimeStamp::Now(), size,-                                kCacheUnknown, mLoadInfo->GetInnerWindowID(),-                                &mTransactionTimings, std::move(mSource));+    profiler_add_network_marker(+        mURI, requestMethod, priority, mChannelId, NetworkLoadType::LOAD_CANCEL,+        mLastStatusReported, TimeStamp::Now(), size, kCacheUnknown,+        mLoadInfo->GetInnerWindowID(),+        mLoadInfo->GetOriginAttributes().mPrivateBrowsingId 
> 0,+        &mTransactionTimings, std::move(mSource));   }   MOZ_DIAGNOSTIC_ASSERT(NS_FAILED(aStatus));@@ -693,13 +696,14 @@     RefPtr<HttpBaseChannel> newBaseChannel = do_QueryObject(newChannel);     MOZ_ASSERT(newBaseChannel,                "The redirect channel should be a base channel.");-    profiler_add_network_marker(mURI, requestMethod, priority, mChannelId,-                                NetworkLoadType::LOAD_REDIRECT,-                                mLastStatusReported, TimeStamp::Now(), size,-                                kCacheUnknown, mLoadInfo->GetInnerWindowID(),-                                &mTransactionTimings, std::move(mSource),-                                Some(nsDependentCString(contentType.get())),-                                mURI, flags, newBaseChannel->ChannelId());+    profiler_add_network_marker(+        mURI, requestMethod, priority, mChannelId,+        NetworkLoadType::LOAD_REDIRECT, mLastStatusReported, TimeStamp::Now(),+        size, kCacheUnknown, mLoadInfo->GetInnerWindowID(),+        mLoadInfo->GetOriginAttributes().mPrivateBrowsingId > 0,+        &mTransactionTimings, std::move(mSource),+        Some(nsDependentCString(contentType.get())), mURI, flags,+        newBaseChannel->ChannelId());   }   rv = SetupReplacementChannel(mURI, newChannel, true, flags);@@ -1061,7 +1065,9 @@     profiler_add_network_marker(         mURI, requestMethod, priority, mChannelId, NetworkLoadType::LOAD_STOP,         mLastStatusReported, TimeStamp::Now(), size, kCacheUnknown,-        mLoadInfo->GetInnerWindowID(), &mTransactionTimings, std::move(mSource),+        mLoadInfo->GetInnerWindowID(),+        mLoadInfo->GetOriginAttributes().mPrivateBrowsingId > 0,+        &mTransactionTimings, std::move(mSource),         Some(nsDependentCString(contentType.get())));   }
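Review bot: The expression `mLoadInfo->GetOriginAttributes().mPrivateBrowsingId > 0` is now repeated verbatim at four `profiler_add_network_marker` call sites (the LOAD_START, LOAD_CANCEL, LOAD_REDIRECT and LOAD_STOP hunks), each time as a bare positional bool after the inner window id. This flag is presumably what lets the profiler tell private-browsing requests apart, so a call site that omits it or gets it wrong would mislabel private traffic without any compile error. A small private helper such as `bool IsPrivateBrowsing() const { return mLoadInfo->GetOriginAttributes().mPrivateBrowsingId > 0; }`, or at least an argument comment naming the flag at each call, would keep the sites in step. The enclosing functions start and end outside these hunks.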
AI Analysis
Analyzing the provided code diff for security fixes:

1. Vulnerability Existed: not sure  
   [Potential Information Leak] [netwerk/protocol/http/InterceptedHttpChannel.cpp] [Lines 25, 99, 518, 693, 1061]  
   [Old Code]  
   Various calls to `profiler_add_network_marker` without private browsing flag  
   [Fixed Code]  
   Added `mLoadInfo->GetOriginAttributes().mPrivateBrowsingId > 0` parameter to all `profiler_add_network_marker` calls  

2. Vulnerability Existed: not sure  
   [Interface Addition] [netwerk/protocol/http/InterceptedHttpChannel.cpp] [Line 25]  
   [Old Code]  
   `nsIThreadRetargetableStreamListener)`  
   [Fixed Code]  
   Added `nsIClassOfService` interface to inheritance list  

The main change appears to be adding private browsing status information to network profiling markers, which could be related to preventing information leaks in private browsing mode. However, without more context about how this profiling data is used, it's hard to definitively classify this as a security fix. The interface addition might be related to service prioritization but doesn't appear to be a direct security fix.

Both changes appear to be related to improving privacy/security, but we can't be certain they are fixing specific vulnerabilities without more context about the threat model.
CVE Analysis Results:
CVE-2022-26384: No
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
gfx/2d/PathSkia.cpp AI: Not sure
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/gfx/2d/PathSkia.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/gfx/2d/PathSkia.cpp@@ -175,6 +175,26 @@   return aTransform.TransformBounds(bounds); }+Rect PathSkia::GetFastBounds(const Matrix& aTransform,+                             const StrokeOptions* aStrokeOptions) const {+  if (!mPath.isFinite()) {+    return Rect();+  }+  SkRect bounds = mPath.getBounds();+  if (aStrokeOptions) {+    // If the path is stroked, ensure that the bounds are inflated by any+    // relevant options such as line width. Avoid using dash path effects+    // for performance and to ensure computeFastStrokeBounds succeeds.+    SkPaint paint;+    if (!StrokeOptionsToPaint(paint, *aStrokeOptions, false)) {+      return Rect();+    }+    SkRect outBounds = SkRect::MakeEmpty();+    bounds = paint.computeFastStrokeBounds(bounds, &outBounds);+  }+  return aTransform.TransformBounds(SkRectToRect(bounds));+}+ void PathSkia::StreamToSink(PathSink* aSink) const {   SkPath::RawIter iter(mPath);
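Review bot: `GetFastBounds` returns a default `Rect()` both when `mPath.isFinite()` is false and when `StrokeOptionsToPaint` fails, so a caller cannot tell "bounds unknown" from "path is empty". If the result is used to cull or clip drawing (not visible in this hunk), an empty rectangle on failure is the non-conservative answer. I would document the contract on the declaration, e.g. `// Returns an empty Rect if the path is non-finite or the stroke options cannot be converted.`, and say there whether callers may treat that as "nothing to draw". An argument comment naming what the bare `false` passed to `StrokeOptionsToPaint` disables, and a note that `outBounds` is only scratch storage for `computeFastStrokeBounds`, would also help the next reader.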
AI Analysis
I'll analyze the provided code diff for security fixes.

Vulnerability Existed: not sure
Potential Integer Overflow or Bounds Calculation Issue [gfx/2d/PathSkia.cpp] [Lines 175+]
[Old Code]
(No previous implementation of GetFastBounds)
[Fixed Code]
Rect PathSkia::GetFastBounds(const Matrix& aTransform,
                             const StrokeOptions* aStrokeOptions) const {
  if (!mPath.isFinite()) {
    return Rect();
  }
  SkRect bounds = mPath.getBounds();
  if (aStrokeOptions) {
    SkPaint paint;
    if (!StrokeOptionsToPaint(paint, *aStrokeOptions, false)) {
      return Rect();
    }
    SkRect outBounds = SkRect::MakeEmpty();
    bounds = paint.computeFastStrokeBounds(bounds, &outBounds);
  }
  return aTransform.TransformBounds(SkRectToRect(bounds));
}

Additional Details:
1. This appears to be a new function added rather than a modification of existing code
2. The function handles path bounds calculations which could potentially be vulnerable to:
   - Integer overflows in bounds calculations
   - Memory corruption if bounds are improperly calculated
3. The checks for finite paths and proper stroke options conversion suggest defensive programming
4. Without seeing the actual vulnerability being fixed, it's hard to be certain, but this could be related to graphics security issues

Note: Since this is new code rather than a modification, it might represent a security hardening measure rather than a direct fix for a known vulnerability. The bounds checking and finite path verification are defensive and may be addressing potential security concerns in path handling, though the diff alone does not show which.
CVE Analysis Results:
CVE-2022-26384: No
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
testing/web-platform/tests/html/canvas/offscreen/compositing/2d.composite.uncovered.image.source-in.html AI: No vulnerabilities
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/compositing/2d.composite.uncovered.image.source-in.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/compositing/2d.composite.uncovered.image.source-in.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = 'rgba(0, 255, 255, 0.5)';@@ -36,8 +36,8 @@ promise.then(function(response) {     createImageBitmap(response).then(bitmap => {         ctx.drawImage(bitmap, 40, 40, 10, 10, 40, 50, 10, 10);-        _assertPixelApprox(offscreenCanvas, 15,15, 0,0,0,0, "15,15", "0,0,0,0", 5);-        _assertPixelApprox(offscreenCanvas, 50,25, 0,0,0,0, "50,25", "0,0,0,0", 5);+        _assertPixelApprox(canvas, 15,15, 0,0,0,0, "15,15", "0,0,0,0", 5);+        _assertPixelApprox(canvas, 50,25, 0,0,0,0, "50,25", "0,0,0,0", 5);     }, t_fail); }).then(t_pass, t_fail);
AI Analysis
After analyzing the provided code diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely variable renaming (from `offscreenCanvas` to `canvas`) and don't involve any security-related modifications.

Here's the structured response:

    Vulnerability Existed: no
    No security vulnerability found [testing/web-platform/tests/html/canvas/offscreen/compositing/2d.composite.uncovered.image.source-in.html] [17-18,36-37]
    [Old Code]
    var offscreenCanvas = new OffscreenCanvas(100, 50);
    var ctx = offscreenCanvas.getContext('2d');
    _assertPixelApprox(offscreenCanvas, 15,15, 0,0,0,0, "15,15", "0,0,0,0", 5);
    _assertPixelApprox(offscreenCanvas, 50,25, 0,0,0,0, "50,25", "0,0,0,0", 5);
    [Fixed Code]
    var canvas = new OffscreenCanvas(100, 50);
    var ctx = canvas.getContext('2d');
    _assertPixelApprox(canvas, 15,15, 0,0,0,0, "15,15", "0,0,0,0", 5);
    _assertPixelApprox(canvas, 50,25, 0,0,0,0, "50,25", "0,0,0,0", 5);

The changes are purely cosmetic/refactoring in nature and don't address any security issues. The functionality remains exactly the same, only the variable name has been changed for consistency or clarity.
CVE Analysis Results:
CVE-2022-26384: No
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
devtools/client/debugger/src/components/PrimaryPanes/SourcesTreeItem.js AI: Not sure
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/devtools/client/debugger/src/components/PrimaryPanes/SourcesTreeItem.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/devtools/client/debugger/src/components/PrimaryPanes/SourcesTreeItem.js@@ -21,7 +21,6 @@ import actions from "../../actions"; import {-  isOriginal as isOriginalSource,   isUrlExtension,   isExtensionDirectoryPath,   shouldBlackbox,@@ -386,7 +385,7 @@ } function getHasMatchingGeneratedSource(state, source) {-  if (!source || !isOriginalSource(source)) {+  if (!source || !source.isOriginal) {     return false;   }
AI Analysis
I'll analyze the code diff according to the provided format. The changes appear to be related to source handling in the debugger component.

1. Vulnerability Existed: not sure
   [Potential Information Exposure through Source Handling] [devtools/client/debugger/src/components/PrimaryPanes/SourcesTreeItem.js] [Lines 21, 386]
   [Old Code]
   import {
     isOriginal as isOriginalSource,
     isUrlExtension,
     isExtensionDirectoryPath,
     shouldBlackbox,
   ...
   if (!source || !isOriginalSource(source)) {
   
   [Fixed Code]
   import {
     isUrlExtension,
     isExtensionDirectoryPath,
     shouldBlackbox,
   ...
   if (!source || !source.isOriginal) {

Additional Details:
- The change removes the direct import and usage of `isOriginalSource` function, replacing it with a direct property check `source.isOriginal`
- While this doesn't appear to be a direct security fix, it could potentially be related to more secure source handling by using built-in properties rather than external validation functions
- The impact on security is unclear without more context about the source object handling
- No specific CVE or vulnerability name is immediately apparent from this change
CVE Analysis Results:
CVE-2022-26384: No
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
testing/web-platform/tests/css/css-pseudo/parsing/marker-supported-properties.html AI: No vulnerabilities
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-pseudo/parsing/marker-supported-properties.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-pseudo/parsing/marker-supported-properties.html@@ -61,6 +61,7 @@ test_pseudo_computed_value("::marker", "animation-name", "anim"); test_pseudo_computed_value("::marker", "animation-play-state", "paused"); test_pseudo_computed_value("::marker", "animation-timing-function", "linear");+test_pseudo_computed_value("::marker", "animation-composition", "add"); // ::marker supports transition properties. test_pseudo_computed_value("::marker", "transition", "display 1s linear 2s");@@ -81,10 +82,10 @@ // ::marker supports inherited text decoration properties. test_pseudo_computed_value("::marker", "text-decoration-skip-ink", "none");-test_pseudo_computed_value("::marker", "text-emphasis", "filled dot rgb(0, 255, 0)");+test_pseudo_computed_value("::marker", "text-emphasis", "dot rgb(0, 255, 0)"); test_pseudo_computed_value("::marker", "text-emphasis-color", "rgb(0, 255, 0)"); test_pseudo_computed_value("::marker", "text-emphasis-position", "under left");-test_pseudo_computed_value("::marker", "text-emphasis-style", "filled dot");+test_pseudo_computed_value("::marker", "text-emphasis-style", "dot"); test_pseudo_computed_value("::marker", "text-shadow", "rgb(0, 255, 0) 1px 2px 3px"); // ::marker does NOT support layout properties
AI Analysis
Based on the provided diff, I don't see any security vulnerabilities being fixed. The changes appear to be functional/test-related updates rather than security fixes. Here's the analysis:

1. Vulnerability Existed: no
   [No security vulnerability found] [testing/web-platform/tests/css/css-pseudo/parsing/marker-supported-properties.html] [Lines 61-81]
   [Old Code: Various test cases without 'animation-composition']
   [Fixed Code: Added test case for 'animation-composition']

2. Vulnerability Existed: no  
   [No security vulnerability found] [testing/web-platform/tests/css/css-pseudo/parsing/marker-supported-properties.html] [Lines 81-85]
   [Old Code: test_pseudo_computed_value("::marker", "text-emphasis", "filled dot rgb(0, 255, 0)")]
   [Fixed Code: test_pseudo_computed_value("::marker", "text-emphasis", "dot rgb(0, 255, 0)")]

3. Vulnerability Existed: no
   [No security vulnerability found] [testing/web-platform/tests/css/css-pseudo/parsing/marker-supported-properties.html] [Lines 81-85]
   [Old Code: test_pseudo_computed_value("::marker", "text-emphasis-style", "filled dot")]
   [Fixed Code: test_pseudo_computed_value("::marker", "text-emphasis-style", "dot")]

The changes are:
1. Adding a new test case for animation-composition property
2. Updating text-emphasis test cases by removing "filled" from the expected values
These appear to be test specification updates rather than security fixes.
CVE Analysis Results:
CVE-2022-26384: No
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
dom/streams/ReadableStreamDefaultController.h AI: Not sure
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/streams/ReadableStreamDefaultController.h
+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/streams/ReadableStreamDefaultController.h
@@ -60,7 +60,7 @@
   Nullable<double> GetDesiredSize();
-  void Close(JSContext* aCx, ErrorResult& aRv);
+  MOZ_CAN_RUN_SCRIPT void Close(JSContext* aCx, ErrorResult& aRv);
   MOZ_CAN_RUN_SCRIPT void Enqueue(JSContext* aCx, JS::Handle<JS::Value> aChunk,
                                   ErrorResult& aRv);
@@ -72,6 +72,8 @@
   MOZ_CAN_RUN_SCRIPT virtual void PullSteps(JSContext* aCx,
                                             ReadRequest* aReadRequest,
                                             ErrorResult& aRv) override;
+
+  virtual void ReleaseSteps() override;
   // Internal Slot Accessors
   UnderlyingSourceCancelCallbackHelper* GetCancelAlgorithm() const {
@@ -158,7 +160,7 @@
     JSContext* aCx, ReadableStreamDefaultController* aController,
     JS::Handle<JS::Value> aChunk, ErrorResult& aRv);
-extern void ReadableStreamDefaultControllerClose(
+MOZ_CAN_RUN_SCRIPT extern void ReadableStreamDefaultControllerClose(
     JSContext* aCx, ReadableStreamDefaultController* aController,
     ErrorResult& aRv);
@@ -170,6 +172,9 @@
     JSContext* aCx, ReadableStreamDefaultController* aController,
     JS::Handle<JS::Value> aValue, ErrorResult& aRv);
+extern void ReadableStreamDefaultControllerClearAlgorithms(
+    ReadableStreamDefaultController* aController);
+
 }  // namespace dom
 }  // namespace mozilla
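Review bot: `ReleaseSteps()` in the second hunk is declared without `MOZ_CAN_RUN_SCRIPT`, directly below `PullSteps`, which carries it, and the header gives no reason for the difference. Its implementation is not in this hunk, so whether it can reach script-running code cannot be checked here; if it cannot, a one-line comment such as `// Does not run script (confirm against the .cpp).` would record that. If it does call anything annotated, the declaration needs `MOZ_CAN_RUN_SCRIPT` as well so the static analysis keeps checking its callers. The enclosing class begins and ends outside the hunk.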
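Review bot: `ReadableStreamDefaultControllerClearAlgorithms` in the last hunk is exported with no comment and takes a raw `ReadableStreamDefaultController*`, so the header does not say whether null is allowed or what a caller may still use on the controller afterwards. Judging by the name alone it presumably drops the controller's stored algorithm callbacks, which is what a caller needs to know when reasoning about object lifetime once the stream is closed or errored. A short comment above the declaration would cover it, for example `// Drops the controller's stored algorithms; aController must be non-null. (confirm)`. The definition is outside this diff.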
AI Analysis
Here's the analysis of the provided code diff following the specified format:

1. Vulnerability Existed: not sure  
   [Potential Script Execution Issue] [dom/streams/ReadableStreamDefaultController.h] [Lines 60, 158]  
   [Old Code]  
   `void Close(JSContext* aCx, ErrorResult& aRv);`  
   `extern void ReadableStreamDefaultControllerClose(`  
   [Fixed Code]  
   `MOZ_CAN_RUN_SCRIPT void Close(JSContext* aCx, ErrorResult& aRv);`  
   `MOZ_CAN_RUN_SCRIPT extern void ReadableStreamDefaultControllerClose(`  
   Additional Details: The added MOZ_CAN_RUN_SCRIPT annotation marks these methods as able to execute script, which could have security implications if callers do not handle that properly. The annotation is a static-analysis marker and does not by itself change runtime behavior, so without more context we can't be certain whether this fixed an actual vulnerability or only added safety annotations.

2. Vulnerability Existed: not sure  
   [Potential Resource Management Issue] [dom/streams/ReadableStreamDefaultController.h] [Lines 72, 172]  
   [Old Code]  
   (No ReleaseSteps method or ClearAlgorithms function)  
   [Fixed Code]  
   `virtual void ReleaseSteps() override;`  
   `extern void ReadableStreamDefaultControllerClearAlgorithms(`  
   Additional Details: The addition of ReleaseSteps and ClearAlgorithms suggests improved resource management, which could prevent memory leaks or other resource-related issues. However, we can't determine if this was fixing an actual vulnerability or just adding missing functionality.

Note: The changes appear to be primarily about adding safety annotations (MOZ_CAN_RUN_SCRIPT) and resource management methods, but without more context about the actual vulnerabilities being fixed, we can only speculate about potential security implications.
CVE Analysis Results:
CVE-2022-26384: No
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
testing/web-platform/tests/css/css-break/widows-orphans-001.html AI: Not sure
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-break/widows-orphans-001.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-break/widows-orphans-001.html@@ -5,7 +5,6 @@ <link rel="help" href="https://drafts.csswg.org/css-break/#widows-orphans"> <link rel="match" href="reference/widows-orphans-001-ref.html"> <meta name="assert" content="The widows property has no effect on block container boxes that contains only block-level boxes.">-<meta name="flags" content=""> <style> div p { margin: 0; }
AI Analysis
Analyzing the provided code diff for security fixes:

1. Vulnerability Existed: no
   No specific vulnerability found [File] testing/web-platform/tests/css/css-break/widows-orphans-001.html [Lines] 5
   Old Code: <meta name="flags" content="">
   Fixed Code: (line removed)
   Additional Details: This appears to be a test file cleanup rather than a security fix. The removal of an empty meta tag doesn't indicate any security vulnerability being addressed.

2. Vulnerability Existed: not sure
   Potential test configuration issue [File] testing/web-platform/tests/css/css-break/widows-orphans-001.html [Lines] 5
   Old Code: <meta name="flags" content="">
   Fixed Code: (line removed)
   Additional Details: While this doesn't appear to be a direct security fix, the removal of test flags could potentially affect test execution behavior, though no specific vulnerability is evident.

Note: The changes shown in the diff appear to be minor test file modifications rather than security fixes. The removal of the empty meta tag is likely just code cleanup. No clear security vulnerabilities are being addressed in this particular diff.
CVE Analysis Results:
CVE-2022-26384: No
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.rect.negative.worker.js AI: No vulnerabilities
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.rect.negative.worker.js
+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.rect.negative.worker.js
@@ -13,8 +13,8 @@
 });
 t.step(function() {
-var offscreenCanvas = new OffscreenCanvas(100, 50);
-var ctx = offscreenCanvas.getContext('2d');
+var canvas = new OffscreenCanvas(100, 50);
+var ctx = canvas.getContext('2d');
 ctx.fillStyle = '#f00';
 ctx.fillRect(0, 0, 100, 50);
@@ -25,10 +25,10 @@
 ctx.rect(0, 50, 50, -25);
 ctx.rect(100, 50, -50, -25);
 ctx.fill();
-_assertPixel(offscreenCanvas, 25,12, 0,255,0,255, "25,12", "0,255,0,255");
-_assertPixel(offscreenCanvas, 75,12, 0,255,0,255, "75,12", "0,255,0,255");
-_assertPixel(offscreenCanvas, 25,37, 0,255,0,255, "25,37", "0,255,0,255");
-_assertPixel(offscreenCanvas, 75,37, 0,255,0,255, "75,37", "0,255,0,255");
+_assertPixel(canvas, 25,12, 0,255,0,255, "25,12", "0,255,0,255");
+_assertPixel(canvas, 75,12, 0,255,0,255, "75,12", "0,255,0,255");
+_assertPixel(canvas, 25,37, 0,255,0,255, "25,37", "0,255,0,255");
+_assertPixel(canvas, 75,37, 0,255,0,255, "75,37", "0,255,0,255");
 t.done();
 });
AI Analysis
Based on the provided code diff, here is the analysis following the required format:

1. Vulnerability Existed: no  
   No security vulnerability found  
   File: testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.rect.negative.worker.js  
   Lines: 13-14, 25-28  
   Old Code:  
   ```javascript
   var offscreenCanvas = new OffscreenCanvas(100, 50);
   var ctx = offscreenCanvas.getContext('2d');
   ```
   ```javascript
   _assertPixel(offscreenCanvas, 25,12, 0,255,0,255, "25,12", "0,255,0,255");
   _assertPixel(offscreenCanvas, 75,12, 0,255,0,255, "75,12", "0,255,0,255");
   _assertPixel(offscreenCanvas, 25,37, 0,255,0,255, "25,37", "0,255,0,255");
   _assertPixel(offscreenCanvas, 75,37, 0,255,0,255, "75,37", "0,255,0,255");
   ```
   Fixed Code:  
   ```javascript
   var canvas = new OffscreenCanvas(100, 50);
   var ctx = canvas.getContext('2d');
   ```
   ```javascript
   _assertPixel(canvas, 25,12, 0,255,0,255, "25,12", "0,255,0,255");
   _assertPixel(canvas, 75,12, 0,255,0,255, "75,12", "0,255,0,255");
   _assertPixel(canvas, 25,37, 0,255,0,255, "25,37", "0,255,0,255");
   _assertPixel(canvas, 75,37, 0,255,0,255, "75,37", "0,255,0,255");
   ```

The changes appear to be purely cosmetic, renaming the variable `offscreenCanvas` to `canvas` for consistency or clarity. There are no security-related changes in this diff.
CVE Analysis Results:
CVE-2022-26384: No
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.