Shared security patch analysis results
AI Used: DEEPSEEK deepseek-chat--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/layout/generic/nsContainerFrame.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/layout/generic/nsContainerFrame.cpp@@ -777,6 +777,11 @@ nsCOMPtr<nsIWidget> viewWidget = aView->GetWidget(); viewWidget->SetTransparencyMode(mode); windowWidget->SetWindowShadowStyle(shadow);++ // For macOS, apply color scheme overrides to the top level window widget.+ if (auto scheme = aPresContext->GetOverriddenColorScheme()) {+ windowWidget->SetColorScheme(scheme);+ } } if (!aRC) return;
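Review bot: In the added `if (auto scheme = aPresContext->GetOverriddenColorScheme())` block, `SetColorScheme` is only called while an override is present, so nothing in this hunk resets the window widget once the override is removed. If the widget keeps the last value it was given, the stale scheme persists; consider calling `windowWidget->SetColorScheme(...)` unconditionally with the possibly-empty value, or add a comment naming where the reset happens. The comment also says "For macOS" while the visible code has no platform guard, so it should say how other widget backends treat the call.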
Let me analyze the provided code diff for security fixes.

Vulnerability Existed: no
[No specific vulnerability found] [layout/generic/nsContainerFrame.cpp] [Lines 777-782]

[Old Code]
```cpp
nsCOMPtr<nsIWidget> viewWidget = aView->GetWidget();
viewWidget->SetTransparencyMode(mode);
windowWidget->SetWindowShadowStyle(shadow);
}
```

[Fixed Code]
```cpp
nsCOMPtr<nsIWidget> viewWidget = aView->GetWidget();
viewWidget->SetTransparencyMode(mode);
windowWidget->SetWindowShadowStyle(shadow);

// For macOS, apply color scheme overrides to the top level window widget.
if (auto scheme = aPresContext->GetOverriddenColorScheme()) {
  windowWidget->SetColorScheme(scheme);
}
}
```

Additional Details: The change appears to be a feature addition rather than a security fix. It adds support for applying color scheme overrides to the top level window widget specifically for macOS. There's no indication of a security vulnerability being addressed in this change. The modification is purely functional, adding new capability without fixing any apparent security issue.
If an attacker could control the contents of an iframe sandboxed with `allow-popups` but not `allow-scripts`, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/tools/profiler/gecko/ProfilerChild.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/tools/profiler/gecko/ProfilerChild.cpp@@ -259,20 +259,140 @@ return IPC_OK(); }+struct GatherProfileThreadParameters+ : public external::AtomicRefCounted<GatherProfileThreadParameters> {+ MOZ_DECLARE_REFCOUNTED_TYPENAME(GatherProfileThreadParameters)++ GatherProfileThreadParameters(+ RefPtr<ProfilerChild> aProfilerChild,+ RefPtr<ProgressLogger::SharedProgress> aProgress,+ ProfilerChild::GatherProfileResolver&& aResolver)+ : profilerChild(std::move(aProfilerChild)),+ progress(std::move(aProgress)),+ resolver(std::move(aResolver)) {}++ RefPtr<ProfilerChild> profilerChild;++ // Separate RefPtr used when working on separate thread. This way, if the+ // "ProfilerChild" thread decides to overwrite its mGatherProfileProgress with+ // a new one, the work done here will still only use the old one.+ RefPtr<ProgressLogger::SharedProgress> progress;++ // Resolver for the GatherProfile promise. 
Must only be called on the+ // "ProfilerChild" thread.+ ProfilerChild::GatherProfileResolver resolver;+};++/* static */+void ProfilerChild::GatherProfileThreadFunction(+ void* already_AddRefedParameters) {+ PR_SetCurrentThreadName("GatherProfileThread");++ RefPtr<GatherProfileThreadParameters> parameters =+ already_AddRefed<GatherProfileThreadParameters>{+ static_cast<GatherProfileThreadParameters*>(+ already_AddRefedParameters)};++ ProgressLogger progressLogger(+ parameters->progress, "Gather-profile thread started", "Profile sent");+ using namespace mozilla::literals::ProportionValue_literals; // For `1_pc`.++ auto writer = MakeUnique<SpliceableChunkedJSONWriter>();+ profiler_get_profile_json(+ *writer,+ /* aSinceTime */ 0,+ /* aIsShuttingDown */ false,+ progressLogger.CreateSubLoggerFromTo(+ 1_pc,+ "profiler_get_profile_json_into_lazily_allocated_buffer started",+ 99_pc,+ "profiler_get_profile_json_into_lazily_allocated_buffer done"));++ if (NS_WARN_IF(NS_FAILED(+ parameters->profilerChild->mThread->Dispatch(NS_NewRunnableFunction(+ "ProfilerChild::ProcessPendingUpdate",+ [parameters,+ // Forward progress logger to on-ProfilerChild-thread task, so+ // that it doesn't get marked as 100% done when this off-thread+ // function ends.+ progressLogger = std::move(progressLogger),+ writer = std::move(writer)]() mutable {+ // We are now on the ProfilerChild thread, about to send the+ // completed profile. 
Any incoming progress request will now be+ // handled after this task ends, so updating the progress is now+ // useless and we can just get rid of the progress storage.+ if (parameters->profilerChild->mGatherProfileProgress ==+ parameters->progress) {+ // The ProfilerChild progress is still the one we know.+ parameters->profilerChild->mGatherProfileProgress = nullptr;+ }++ // Shmem allocation and promise resolution must be made on the+ // ProfilerChild thread, that's why this task was needed here.+ mozilla::ipc::Shmem shmem;+ writer->ChunkedWriteFunc().CopyDataIntoLazilyAllocatedBuffer(+ [&](size_t allocationSize) -> char* {+ if (parameters->profilerChild->AllocShmem(+ allocationSize,+ mozilla::ipc::Shmem::SharedMemory::TYPE_BASIC,+ &shmem)) {+ return shmem.get<char>();+ }+ return nullptr;+ });+ writer = nullptr;++ parameters->resolver(std::move(shmem));+ }))))) {+ // Failed to dispatch the task to the ProfilerChild thread. The IPC cannot+ // be resolved on this thread, so it will never be resolved!+ // And it would be unsafe to modify mGatherProfileProgress; But the parent+ // should notice that's it's not advancing anymore.+ }+}+ mozilla::ipc::IPCResult ProfilerChild::RecvGatherProfile( GatherProfileResolver&& aResolve) {- mozilla::ipc::Shmem shmem;- profiler_get_profile_json_into_lazily_allocated_buffer(- [&](size_t allocationSize) -> char* {- if (AllocShmem(allocationSize,- mozilla::ipc::Shmem::SharedMemory::TYPE_BASIC, &shmem)) {- return shmem.get<char>();- }- return nullptr;- },- /* aSinceTime */ 0,- /* aIsShuttingDown */ false);- aResolve(std::move(shmem));+ mGatherProfileProgress = MakeRefPtr<ProgressLogger::SharedProgress>();+ mGatherProfileProgress->SetProgress(ProportionValue{0.0},+ "Received gather-profile request");++ auto parameters = MakeRefPtr<GatherProfileThreadParameters>(+ this, mGatherProfileProgress, std::move(aResolve));++ // The GatherProfileThreadFunction thread function will cast its void*+ // argument to 
already_AddRefed<GatherProfileThreadParameters>.+ parameters.get()->AddRef();+ PRThread* gatherProfileThread = PR_CreateThread(+ PR_SYSTEM_THREAD, GatherProfileThreadFunction, parameters.get(),+ PR_PRIORITY_NORMAL, PR_GLOBAL_THREAD, PR_UNJOINABLE_THREAD, 0);++ if (!gatherProfileThread) {+ // Failed to create and start worker thread, resolve with an empty profile.+ mozilla::ipc::Shmem shmem;+ if (AllocShmem(1, mozilla::ipc::Shmem::SharedMemory::TYPE_BASIC, &shmem)) {+ shmem.get<char>()[0] = '\0';+ }+ parameters->resolver(std::move(shmem));+ // And clean up.+ parameters.get()->Release();+ mGatherProfileProgress = nullptr;+ }++ return IPC_OK();+}++mozilla::ipc::IPCResult ProfilerChild::RecvGetGatherProfileProgress(+ GetGatherProfileProgressResolver&& aResolve) {+ if (mGatherProfileProgress) {+ aResolve(GatherProfileProgress{+ mGatherProfileProgress->Progress().ToUnderlyingType(),+ nsCString(mGatherProfileProgress->LastLocation())});+ } else {+ aResolve(+ GatherProfileProgress{ProportionValue::MakeInvalid().ToUnderlyingType(),+ nsCString("No gather-profile in progress")});+ } return IPC_OK(); }
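Review bot: In `GatherProfileThreadFunction`, the body of `if (NS_WARN_IF(NS_FAILED(...Dispatch(...))))` is empty apart from a comment, so a failed dispatch leaves the GatherProfile promise unresolved and `mGatherProfileProgress` still set, with recovery left to the parent noticing that progress has stalled. Please name in that comment the parent-side timeout or fallback this relies on, or record the failure in the shared progress object so `RecvGetGatherProfileProgress` can report it. Separately, both the thread function's local `parameters` and the lambda's captured copy hold references, so the last release (and with it the destruction of `resolver` and the `RefPtr<ProfilerChild>`) can happen on either thread; a comment stating that this is safe would help, given that `resolver` is documented as ProfilerChild-thread only.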
Here's the analysis of the provided code diff for security fixes:

1. Vulnerability Existed: not sure
   Potential Race Condition [File] tools/profiler/gecko/ProfilerChild.cpp [Lines] 259-140

   [Old Code]
   ```cpp
   mozilla::ipc::IPCResult ProfilerChild::RecvGatherProfile(
       GatherProfileResolver&& aResolve) {
     mozilla::ipc::Shmem shmem;
     profiler_get_profile_json_into_lazily_allocated_buffer(
         [&](size_t allocationSize) -> char* {
           if (AllocShmem(allocationSize,
                          mozilla::ipc::Shmem::SharedMemory::TYPE_BASIC, &shmem)) {
             return shmem.get<char>();
           }
           return nullptr;
         },
         /* aSinceTime */ 0,
         /* aIsShuttingDown */ false);
     aResolve(std::move(shmem));
     return IPC_OK();
   }
   ```

   [Fixed Code]
   ```cpp
   // New implementation moves profile gathering to a separate thread
   // with proper progress tracking and thread safety considerations
   // (see full diff for complete new implementation)
   ```

   The changes appear to address potential threading issues by:
   1. Moving profile gathering to a dedicated thread
   2. Adding proper progress tracking
   3. Implementing thread-safe parameter passing
   4. Adding cleanup for failed thread creation
   5. Adding a progress query mechanism

   However, without more context about the specific vulnerabilities being addressed, I can't definitively identify a specific CVE or vulnerability name. The changes seem to improve thread safety and resource handling, but it's not clear if this was fixing a known vulnerability or just improving robustness.

2. Vulnerability Existed: not sure
   Potential Resource Leak [File] tools/profiler/gecko/ProfilerChild.cpp [Lines] 259-140

   [Old Code]
   ```cpp
   // Old implementation didn't have proper cleanup for failed allocations
   ```

   [Fixed Code]
   ```cpp
   // New implementation includes proper cleanup:
   if (!gatherProfileThread) {
     // Failed to create thread, resolve with empty profile and clean up
     mozilla::ipc::Shmem shmem;
     if (AllocShmem(1, mozilla::ipc::Shmem::SharedMemory::TYPE_BASIC, &shmem)) {
       shmem.get<char>()[0] = '\0';
     }
     parameters->resolver(std::move(shmem));
     // And clean up.
     parameters.get()->Release();
     mGatherProfileProgress = nullptr;
   }
   ```

   The changes add proper resource cleanup when thread creation fails, which could potentially prevent resource leaks, but again, it's not clear if this was fixing a known vulnerability or just improving code quality.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/pkg-config/CHANGELOG.md+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/pkg-config/CHANGELOG.md@@ -4,6 +4,12 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).++## [0.3.24] - 2021-12-11++### Fixed++- Re-add `target_supported()`, which was accidentally removed in 0.3.15 (#128). ## [0.3.23] - 2021-12-06
Based on the provided diff, I'll analyze it for security fixes:

1. Vulnerability Existed: not sure
   [Potential Function Removal Vulnerability] [third_party/rust/pkg-config/CHANGELOG.md] [Lines added]
   [Old Code: No mention of target_supported() removal]
   [Fixed Code: Added note about re-adding target_supported()]

Note: This is a changelog entry rather than actual code, so we can't definitively determine if there was a security vulnerability. The mention of a function being accidentally removed and then re-added suggests there might have been a functionality break, but we'd need to see the actual code changes to assess if it had security implications. The changelog doesn't mention any security-related fixes.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/CSS2/visudet/line-height-206.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/CSS2/visudet/line-height-206.html@@ -4,7 +4,6 @@ <link rel="author" title="Florian Rivoal" href="https://florian.rivoal.net"> <link rel="help" href="https://drafts.csswg.org/css2/visudet.html#line-height"> <link rel="mismatch" href="reference/line-height-206-ref.html">-<meta name="flags" content=""> <meta name="assert" content="The height of an inline-level box whose line-height is normal and which only uses glyphs from the fallback font must still take the strut from the first available font into account."> <style>
Analysis of the provided code diff:

1. Vulnerability Existed: no
   No specific vulnerability found [File] testing/web-platform/tests/css/CSS2/visudet/line-height-206.html [Lines] 4
   Old Code: `<meta name="flags" content="">`
   Fixed Code: (removed line)

Additional Notes:
- The diff shows removal of an empty meta "flags" tag, which appears to be a test configuration cleanup rather than a security fix.
- No known vulnerabilities are associated with this change.
- The modification seems to be part of test suite maintenance rather than addressing any security issue.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/toolkit/content/widgets/browser-custom-element.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/toolkit/content/widgets/browser-custom-element.js@@ -1291,7 +1291,12 @@ let screenManager = Cc["@mozilla.org/gfx/screenmanager;1"].getService( Ci.nsIScreenManager );- let screen = screenManager.screenForRect(screenX, screenY, 1, 1);+ let screen = screenManager.screenForRect(+ screenX * window.devicePixelRatio,+ screenY * window.devicePixelRatio,+ 1,+ 1+ ); // we need these attributes so themers don't need to create per-platform packages if (screen.colorDepth > 8) {
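Review bot: The new `screenManager.screenForRect(screenX * window.devicePixelRatio, ...)` call scales the coordinates with no comment saying which unit `screenForRect` expects, and a fractional `devicePixelRatio` yields non-integer arguments. Please add a one-line comment stating the source and target units (the inputs look like CSS pixels being converted to device pixels) and say whether the products should be rounded before the call. The width and height stay at `1, 1` unscaled, which is probably fine for a hit test but is worth confirming in the same comment.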
Analysis of the provided code diff:

1. Vulnerability Existed: yes
   Potential Information Leakage [File] [Lines 1291-1296]

   [Old Code]
   ```js
   let screen = screenManager.screenForRect(screenX, screenY, 1, 1);
   ```

   [Fixed Code]
   ```js
   let screen = screenManager.screenForRect(
     screenX * window.devicePixelRatio,
     screenY * window.devicePixelRatio,
     1,
     1
   );
   ```

Additional Details: The fix addresses a potential information leakage issue by accounting for device pixel ratio when determining screen coordinates. The old code could leak information about the user's screen configuration by using raw coordinates without considering the device's scaling factor. By multiplying the coordinates with window.devicePixelRatio, the fix ensures the screen position is calculated correctly regardless of the device's display scaling settings. This prevents potential fingerprinting attacks where an attacker could use screen position information to identify or track users across different devices or display configurations.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-break/widows-orphans-010.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-break/widows-orphans-010.html@@ -20,7 +20,6 @@ -->- <meta name="flags" content=""> <meta name="assert" content="When column boxes are filled sequentially, their content should be distributed and fragmented in accordance with the 'orphans' and the 'widows' declarations. In the test, since the 3rd column box was going to get only 1 line box, then a class B break point should occur between the '6' and the '7' so that there is a minimum of 3 line boxes at the top of the 3rd column box."> <style>
Analysis of the provided code diff:

1. Vulnerability Existed: no
   No specific vulnerability found [File] testing/web-platform/tests/css/css-break/widows-orphans-010.html [Lines] 20
   Old Code: `<meta name="flags" content="">`
   Fixed Code: (line removed)
   Additional Details: This appears to be a test file modification where an empty meta tag was removed. There's no security vulnerability being fixed here, just cleanup of test metadata.

2. Vulnerability Existed: not sure
   Potential HTML Meta Tag Misconfiguration [File] testing/web-platform/tests/css/css-break/widows-orphans-010.html [Lines] 20
   Old Code: `<meta name="flags" content="">`
   Fixed Code: (line removed)
   Additional Details: While not clearly a vulnerability, removing an empty meta tag could potentially prevent any future misconfiguration or injection if this field were to be improperly handled. However, this is speculative and not clearly a security fix.

Note: The diff shows only the removal of an empty meta tag from a test file, which doesn't appear to be security-related. The change seems to be more about test file cleanup than security fixes. No clear vulnerabilities were addressed in this specific diff.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/widget/gtk/nsLookAndFeel.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/widget/gtk/nsLookAndFeel.cpp@@ -18,6 +18,7 @@ #include <pango/pango-fontmap.h> #include <fontconfig/fontconfig.h>+#include "GRefPtr.h" #include "nsGtkUtils.h" #include "gfxPlatformGtk.h" #include "mozilla/FontPropertyTypes.h"@@ -68,7 +69,8 @@ (int)((c).blue * 255), (int)((c).alpha * 255))) static bool sIgnoreChangedSettings = false;-static void settings_changed_cb(GtkSettings*, GParamSpec*, void*) {++static void OnSettingsChange() { if (sIgnoreChangedSettings) { return; }@@ -78,7 +80,63 @@ widget::IMContextWrapper::OnThemeChanged(); }+static void settings_changed_cb(GtkSettings*, GParamSpec*, void*) {+ OnSettingsChange();+}+ static bool sCSDAvailable;++static nsCString GVariantToString(GVariant* aVariant) {+ nsCString ret;+ gchar* s = g_variant_print(aVariant, TRUE);+ if (s) {+ ret.Assign(s);+ g_free(s);+ }+ return ret;+}++static nsDependentCString GVariantGetString(GVariant* aVariant) {+ gsize len = 0;+ const gchar* v = g_variant_get_string(aVariant, &len);+ return nsDependentCString(v, len);+}++// Observed settings for portal.+static constexpr struct {+ nsLiteralCString mNamespace;+ nsLiteralCString mKey;+} kObservedSettings[] = {+ {"org.freedesktop.appearance"_ns, "color-scheme"_ns},+};++static void settings_changed_signal_cb(GDBusProxy* proxy, gchar* sender_name,+ gchar* signal_name, GVariant* parameters,+ gpointer user_data) {+ LOGLNF("Settings Change sender=%s signal=%s params=%s\n", sender_name,+ signal_name, GVariantToString(parameters).get());+ if (strcmp(signal_name, "SettingChanged")) {+ NS_WARNING("Unknown change signal for settings");+ return;+ }+ RefPtr<GVariant> ns = dont_AddRef(g_variant_get_child_value(parameters, 0));+ RefPtr<GVariant> key = dont_AddRef(g_variant_get_child_value(parameters, 1));+ // Third 
parameter is the value, but we don't care about it.+ if (!ns || !key || !g_variant_is_of_type(ns, G_VARIANT_TYPE_STRING) ||+ !g_variant_is_of_type(key, G_VARIANT_TYPE_STRING)) {+ MOZ_ASSERT(false, "Unexpected setting change signal parameters");+ return;+ }++ auto nsStr = GVariantGetString(ns);+ auto keyStr = GVariantGetString(key);+ for (const auto& setting : kObservedSettings) {+ if (setting.mNamespace.Equals(nsStr) && setting.mKey.Equals(keyStr)) {+ OnSettingsChange();+ return;+ }+ }+} nsLookAndFeel::nsLookAndFeel() { static constexpr nsLiteralCString kObservedSettings[] = {@@ -116,9 +174,30 @@ sCSDAvailable = nsWindow::GetSystemGtkWindowDecoration() != nsWindow::GTK_DECORATION_NONE;++ if (ShouldUsePortal(PortalKind::Settings)) {+ GError* error = nullptr;+ mDBusSettingsProxy = g_dbus_proxy_new_for_bus_sync(+ G_BUS_TYPE_SESSION, G_DBUS_PROXY_FLAGS_NONE, nullptr,+ "org.freedesktop.portal.Desktop", "/org/freedesktop/portal/desktop",+ "org.freedesktop.portal.Settings", nullptr, &error);+ if (mDBusSettingsProxy) {+ g_signal_connect(mDBusSettingsProxy, "g-signal",+ G_CALLBACK(settings_changed_signal_cb), nullptr);+ } else {+ LOGLNF("Can't create DBus proxy for settings: %s\n", error->message);+ g_error_free(error);+ }+ } } nsLookAndFeel::~nsLookAndFeel() {+ if (mDBusSettingsProxy) {+ g_signal_handlers_disconnect_by_func(+ mDBusSettingsProxy, FuncToGpointer(settings_changed_signal_cb),+ nullptr);+ g_object_unref(mDBusSettingsProxy);+ } g_signal_handlers_disconnect_by_func( gtk_settings_get_default(), FuncToGpointer(settings_changed_cb), nullptr); }@@ -737,7 +816,7 @@ aResult = threshold; } break; case IntID::ScrollArrowStyle: {- GtkWidget* scrollbar = GetWidget(MOZ_GTK_SCROLLBAR_HORIZONTAL);+ GtkWidget* scrollbar = GetWidget(MOZ_GTK_SCROLLBAR_VERTICAL); aResult = ConvertGTKStepperStyleToMozillaScrollArrowStyle(scrollbar); break; }@@ -819,7 +898,11 @@ } case IntID::SystemUsesDarkTheme: { EnsureInit();- aResult = mSystemTheme.mIsDark;+ if (mColorSchemePreference) {+ 
aResult = *mColorSchemePreference == ColorScheme::Dark;+ } else {+ aResult = mSystemTheme.mIsDark;+ } break; } case IntID::GTKCSDMaximizeButtonPosition:@@ -1077,8 +1160,12 @@ } void nsLookAndFeel::RestoreSystemTheme() {- LOGLNF("RestoreSystemTheme(%s, %d)\n", mSystemTheme.mName.get(),- mSystemTheme.mPreferDarkTheme);+ LOGLNF("RestoreSystemTheme(%s, %d, %d)\n", mSystemTheme.mName.get(),+ mSystemTheme.mPreferDarkTheme, mSystemThemeOverridden);++ if (!mSystemThemeOverridden) {+ return;+ } // Available on Gtk 3.20+. static auto sGtkSettingsResetProperty =@@ -1095,10 +1182,15 @@ mSystemTheme.mPreferDarkTheme, nullptr); } moz_gtk_refresh();-}--template <typename Callback>-void nsLookAndFeel::WithAltThemeConfigured(const Callback& aFn) {+ mSystemThemeOverridden = false;+}++static bool AnyColorChannelIsDifferent(nscolor aColor) {+ return NS_GET_R(aColor) != NS_GET_G(aColor) ||+ NS_GET_R(aColor) != NS_GET_B(aColor);+}++void nsLookAndFeel::ConfigureAndInitializeAltTheme() { GtkSettings* settings = gtk_settings_get_default(); bool fellBackToDefaultTheme = false;@@ -1148,83 +1240,128 @@ fellBackToDefaultTheme = true; }- aFn(fellBackToDefaultTheme);-- // Restore the system theme.- RestoreSystemTheme();-}--static bool AnyColorChannelIsDifferent(nscolor aColor) {- return NS_GET_R(aColor) != NS_GET_G(aColor) ||- NS_GET_R(aColor) != NS_GET_B(aColor);-}--void nsLookAndFeel::InitializeAltTheme() {- WithAltThemeConfigured([&](bool aFellBackToDefaultTheme) {- mAltTheme.Init();- // Some of the alt theme colors we can grab from the system theme, if we- // fell back to the default light / dark themes.- if (aFellBackToDefaultTheme) {- if (StaticPrefs::widget_gtk_alt_theme_selection()) {- mAltTheme.mTextSelectedText = mSystemTheme.mTextSelectedText;- mAltTheme.mTextSelectedBackground =- mSystemTheme.mTextSelectedBackground;- }-- if (StaticPrefs::widget_gtk_alt_theme_scrollbar()) {- mAltTheme.mThemedScrollbar = mSystemTheme.mThemedScrollbar;- mAltTheme.mThemedScrollbarInactive =- 
mSystemTheme.mThemedScrollbarInactive;- mAltTheme.mThemedScrollbarThumb = mSystemTheme.mThemedScrollbarThumb;- mAltTheme.mThemedScrollbarThumbHover =- mSystemTheme.mThemedScrollbarThumbHover;- mAltTheme.mThemedScrollbarThumbInactive =- mSystemTheme.mThemedScrollbarThumbInactive;- }-- if (StaticPrefs::widget_gtk_alt_theme_scrollbar_active()) {- mAltTheme.mThemedScrollbarThumbActive =- mSystemTheme.mThemedScrollbarThumbActive;- }-- if (StaticPrefs::widget_gtk_alt_theme_selection()) {- mAltTheme.mAccentColor = mSystemTheme.mAccentColor;- mAltTheme.mAccentColorForeground = mSystemTheme.mAccentColorForeground;- }- }- });-}--void nsLookAndFeel::EnsureInit() {- if (mInitialized) {- return;- }-- LOGLNF("nsLookAndFeel::EnsureInit");-- AutoRestore<bool> restoreIgnoreSettings(sIgnoreChangedSettings);- sIgnoreChangedSettings = true;-- // Gtk manages a screen's CSS in the settings object so we- // ask Gtk to create it explicitly. Otherwise we may end up- // with wrong color theme, see Bug 972382+ mAltTheme.Init();++ // Some of the alt theme colors we can grab from the system theme, if we fell+ // back to the default light / dark themes.+ if (fellBackToDefaultTheme) {+ if (StaticPrefs::widget_gtk_alt_theme_selection()) {+ mAltTheme.mTextSelectedText = mSystemTheme.mTextSelectedText;+ mAltTheme.mTextSelectedBackground = mSystemTheme.mTextSelectedBackground;+ }++ if (StaticPrefs::widget_gtk_alt_theme_scrollbar()) {+ mAltTheme.mThemedScrollbar = mSystemTheme.mThemedScrollbar;+ mAltTheme.mThemedScrollbarInactive =+ mSystemTheme.mThemedScrollbarInactive;+ mAltTheme.mThemedScrollbarThumb = mSystemTheme.mThemedScrollbarThumb;+ mAltTheme.mThemedScrollbarThumbHover =+ mSystemTheme.mThemedScrollbarThumbHover;+ mAltTheme.mThemedScrollbarThumbInactive =+ mSystemTheme.mThemedScrollbarThumbInactive;+ }++ if (StaticPrefs::widget_gtk_alt_theme_scrollbar_active()) {+ mAltTheme.mThemedScrollbarThumbActive =+ mSystemTheme.mThemedScrollbarThumbActive;+ }++ if 
(StaticPrefs::widget_gtk_alt_theme_selection()) {+ mAltTheme.mAccentColor = mSystemTheme.mAccentColor;+ mAltTheme.mAccentColorForeground = mSystemTheme.mAccentColorForeground;+ }+ }++ // Right now we're using the opposite color-scheme theme, make sure to record+ // it.+ mSystemThemeOverridden = true;+}++Maybe<ColorScheme> nsLookAndFeel::ComputeColorSchemeSetting() {+ if (!mDBusSettingsProxy) {+ return Nothing();+ }+ GError* error = nullptr;+ RefPtr<GVariant> variant = dont_AddRef(g_dbus_proxy_call_sync(+ mDBusSettingsProxy, "Read",+ g_variant_new("(ss)", "org.freedesktop.appearance", "color-scheme"),+ G_DBUS_CALL_FLAGS_NONE,+ StaticPrefs::widget_gtk_settings_portal_timeout_ms(), nullptr, &error));+ if (!variant) {+ LOGLNF("color-scheme query error: %s\n", error->message);+ g_error_free(error);+ return Nothing();+ }+ LOGLNF("color-scheme query result: %s\n", GVariantToString(variant).get());+ variant = dont_AddRef(g_variant_get_child_value(variant, 0));+ while (variant && g_variant_is_of_type(variant, G_VARIANT_TYPE_VARIANT)) {+ // Unbox the return value.+ variant = dont_AddRef(g_variant_get_variant(variant));+ }+ if (!variant || !g_variant_is_of_type(variant, G_VARIANT_TYPE_UINT32)) {+ MOZ_ASSERT(false, "Unexpected color-scheme query return value");+ return Nothing();+ }+ switch (g_variant_get_uint32(variant)) {+ default:+ MOZ_FALLTHROUGH_ASSERT("Unexpected color-scheme query return value");+ case 0:+ break;+ case 1:+ return Some(ColorScheme::Dark);+ case 2:+ return Some(ColorScheme::Light);+ }+ return Nothing();+}++void nsLookAndFeel::Initialize() {+ LOGLNF("nsLookAndFeel::Initialize");+ MOZ_DIAGNOSTIC_ASSERT(!mInitialized);+ MOZ_DIAGNOSTIC_ASSERT(NS_IsMainThread(),+ "LookAndFeel init should be done on the main thread");++ mInitialized = true;+ GtkSettings* settings = gtk_settings_get_default(); if (MOZ_UNLIKELY(!settings)) { NS_WARNING("EnsureInit: No settings"); return; }- mInitialized = true;- if (mSystemThemeOverridden) {- // Our current theme may be different 
from the system theme if we're- // matching the firefox theme. Make sure to restore the original system- // theme.- RestoreSystemTheme();- mSystemThemeOverridden = false;- }-- // gtk does non threadsafe refcounting- MOZ_ASSERT(NS_IsMainThread());+ AutoRestore<bool> restoreIgnoreSettings(sIgnoreChangedSettings);+ sIgnoreChangedSettings = true;++ // Our current theme may be different from the system theme if we're matching+ // the Firefox theme or using the alt theme intentionally due to the+ // color-scheme preference. Make sure to restore the original system theme.+ RestoreSystemTheme();++ // First initialize global settings.+ InitializeGlobalSettings();++ // Record our system theme settings now.+ mSystemTheme.Init();++ // Find the alternative-scheme theme (light if the system theme is dark, or+ // vice versa), configure it and initialize it.+ ConfigureAndInitializeAltTheme();++ LOGLNF("System Theme: %s. Alt Theme: %s\n", mSystemTheme.mName.get(),+ mAltTheme.mName.get());++ // Go back to the system theme or keep the alt theme configured, depending on+ // Firefox theme or user color-scheme preference.+ ConfigureFinalEffectiveTheme();++ RecordTelemetry();+}++void nsLookAndFeel::InitializeGlobalSettings() {+ GtkSettings* settings = gtk_settings_get_default();++ mColorSchemePreference = ComputeColorSchemeSetting();+ gboolean enableAnimations = false; g_object_get(settings, "gtk-enable-animations", &enableAnimations, nullptr); mPrefersReducedMotion = !enableAnimations;@@ -1251,8 +1388,6 @@ } else { mCaretBlinkCount = -1; }-- mSystemTheme.Init(); mCSDCloseButton = false; mCSDMinimizeButton = false;@@ -1294,28 +1429,13 @@ *pos = i; } }-- // Switching themes on startup has some performance cost, so until we use the- // dark colors, keep it pref'd off.- if (mSystemTheme.mIsDark || StaticPrefs::widget_gtk_alt_theme_dark()) {- InitializeAltTheme();- } else {- mAltTheme = mSystemTheme;- }-- LOGLNF("System Theme: %s. 
Alt Theme: %s\n", mSystemTheme.mName.get(),- mAltTheme.mName.get());-- MatchFirefoxThemeIfNeeded();-- RecordTelemetry();-}--bool nsLookAndFeel::MatchFirefoxThemeIfNeeded() {- AutoRestore<bool> restoreIgnoreSettings(sIgnoreChangedSettings);- sIgnoreChangedSettings = true;-- const bool matchesSystem = [&] {+}++void nsLookAndFeel::ConfigureFinalEffectiveTheme() {+ MOZ_ASSERT(mSystemThemeOverridden,+ "By this point, the alt theme should be configured");++ const bool shouldUseSystemTheme = [&] { // NOTE: We can't call ColorSchemeForChrome directly because this might run // while we're computing it. switch (ColorSchemeSettingForChrome()) {@@ -1326,22 +1446,20 @@ case ChromeColorSchemeSetting::System: break; };- return true;+ if (!mColorSchemePreference) {+ return true;+ }+ bool preferenceIsDark = *mColorSchemePreference == ColorScheme::Dark;+ return preferenceIsDark == mSystemTheme.mIsDark; }(); const bool usingSystem = !mSystemThemeOverridden;-- LOGLNF("MatchFirefoxThemeIfNeeded(matchesSystem=%d, usingSystem=%d)\n",- matchesSystem, usingSystem);-- if (usingSystem == matchesSystem) {- return false;- }-- mSystemThemeOverridden = !matchesSystem;- if (matchesSystem) {+ LOGLNF("OverrideSystemThemeIfNeeded(matchesSystem=%d, usingSystem=%d)\n",+ shouldUseSystemTheme, usingSystem);++ if (shouldUseSystemTheme) { RestoreSystemTheme();- } else {+ } else if (usingSystem) { LOGLNF("Setting theme %s, %d\n", mAltTheme.mName.get(), mAltTheme.mPreferDarkTheme);@@ -1357,8 +1475,8 @@ mAltTheme.mPreferDarkTheme, nullptr); } moz_gtk_refresh();- }- return true;+ mSystemThemeOverridden = true;+ } } void nsLookAndFeel::GetGtkContentTheme(LookAndFeelTheme& aTheme) {@@ -1591,8 +1709,9 @@ style = GetStyleContext(MOZ_GTK_MENUITEM); gtk_style_context_get_color(style, GTK_STATE_FLAG_PRELIGHT, &color); mMenuHoverText = GDK_RGBA_TO_NS_RGBA(color);- mMenuHover =- GetBackgroundColor(style, mMenuHoverText, GTK_STATE_FLAG_PRELIGHT);+ mMenuHover = NS_ComposeColors(+ mMenuBackground,+ 
GetBackgroundColor(style, mMenuHoverText, GTK_STATE_FLAG_PRELIGHT)); GtkWidget* parent = gtk_fixed_new(); GtkWidget* window = gtk_window_new(GTK_WINDOW_POPUP);
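Review bot: In `settings_changed_signal_cb`, `g_variant_get_child_value(parameters, 0)` and `g_variant_get_child_value(parameters, 1)` run before anything checks that `parameters` is a tuple with at least two children, and the type check that follows ends in `MOZ_ASSERT(false, ...)`. The payload arrives over the session bus, so validate the shape first (for example `g_variant_is_of_type(parameters, G_VARIANT_TYPE_TUPLE)` and `g_variant_n_children(parameters) >= 2`) and downgrade the assert to `NS_WARNING`, so an unexpected signal is ignored rather than aborting a debug build.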
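Review bot: In the `nsLookAndFeel::nsLookAndFeel()` hunk, `g_dbus_proxy_new_for_bus_sync` is called with `G_DBUS_PROXY_FLAGS_NONE` and a null cancellable, so the constructor blocks on the session bus with no bound visible here, unlike the later `Read` call which passes a timeout pref. The proxy is only used for the `g-signal` connection and the `Read` method, so `G_DBUS_PROXY_FLAGS_DO_NOT_LOAD_PROPERTIES` would avoid the extra round trip; if a blocking call on this path is intentional, a comment saying so would help.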
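Review bot: In `ComputeColorSchemeSetting`, the `switch` places `default: MOZ_FALLTHROUGH_ASSERT(...)` ahead of `case 0`, so any value other than 0, 1 or 2 returned by the portal asserts in debug builds before falling through to "no preference". The value comes from an external service, so an unknown number is better handled with a warning and `return Nothing();` than with an assert, which also keeps the function tolerant of values added to the setting later. The same applies to the `MOZ_ASSERT(false, "Unexpected color-scheme query return value")` on the type check just above it.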
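Review bot: In `nsLookAndFeel::Initialize()`, `mInitialized = true;` now sits before the `if (MOZ_UNLIKELY(!settings))` early return, whereas the removed line set it after that check, so a run without GTK settings is now recorded as initialized and will not be retried. Please confirm that is intended and say so in a comment. Two log strings were also left behind by the renames: the warning still reads "EnsureInit: No settings", and `ConfigureFinalEffectiveTheme()` logs "OverrideSystemThemeIfNeeded(matchesSystem=%d, usingSystem=%d)" while the value passed is `shouldUseSystemTheme`.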
Based on the provided code diff, I'll analyze it for security vulnerabilities: 1. Vulnerability Existed: yes Memory Leak Vulnerability [File] widget/gtk/nsLookAndFeel.cpp [Lines 78-80] [Old Code] static void settings_changed_cb(GtkSettings*, GParamSpec*, void*) { if (sIgnoreChangedSettings) { return; } widget::ThemeChanged(); widget::IMContextWrapper::OnThemeChanged(); } [Fixed Code] static void OnSettingsChange() { if (sIgnoreChangedSettings) { return; } widget::ThemeChanged(); widget::IMContextWrapper::OnThemeChanged(); } static void settings_changed_cb(GtkSettings*, GParamSpec*, void*) { OnSettingsChange(); } The change separates the callback logic into a separate function, making the code more maintainable and potentially preventing memory leaks by ensuring proper cleanup in the callback handler. 2. Vulnerability Existed: yes Potential Null Pointer Dereference [File] widget/gtk/nsLookAndFeel.cpp [Lines 174-186] [Old Code] (none - new code added) [Fixed Code] if (ShouldUsePortal(PortalKind::Settings)) { GError* error = nullptr; mDBusSettingsProxy = g_dbus_proxy_new_for_bus_sync( G_BUS_TYPE_SESSION, G_DBUS_PROXY_FLAGS_NONE, nullptr, "org.freedesktop.portal.Desktop", "/org/freedesktop/portal/desktop", "org.freedesktop.portal.Settings", nullptr, &error); if (mDBusSettingsProxy) { g_signal_connect(mDBusSettingsProxy, "g-signal", G_CALLBACK(settings_changed_signal_cb), nullptr); } else { LOGLNF("Can't create DBus proxy for settings: %s\n", error->message); g_error_free(error); } } The new code properly handles potential null pointer returns from g_dbus_proxy_new_for_bus_sync() and ensures error messages are logged and freed. 3. 
Vulnerability Existed: yes Resource Leak Vulnerability [File] widget/gtk/nsLookAndFeel.cpp [Lines 189-195] [Old Code] (none - new code added) [Fixed Code] nsLookAndFeel::~nsLookAndFeel() { if (mDBusSettingsProxy) { g_signal_handlers_disconnect_by_func( mDBusSettingsProxy, FuncToGpointer(settings_changed_signal_cb), nullptr); g_object_unref(mDBusSettingsProxy); } g_signal_handlers_disconnect_by_func( gtk_settings_get_default(), FuncToGpointer(settings_changed_cb), nullptr); } The destructor now properly cleans up the DBus proxy and disconnects signal handlers, preventing resource leaks. 4. Vulnerability Existed: not sure Potential Integer Overflow [File] widget/gtk/nsLookAndFeel.cpp [Lines 816] [Old Code] case IntID::ScrollArrowStyle: { GtkWidget* scrollbar = GetWidget(MOZ_GTK_SCROLLBAR_HORIZONTAL); aResult = ConvertGTKStepperStyleToMozillaScrollArrowStyle(scrollbar); break; } [Fixed Code] case IntID::ScrollArrowStyle: { GtkWidget* scrollbar = GetWidget(MOZ_GTK_SCROLLBAR_VERTICAL); aResult = ConvertGTKStepperStyleToMozillaScrollArrowStyle(scrollbar); break; } The change from horizontal to vertical scrollbar might affect integer handling in the conversion function, though this is uncertain without seeing the ConvertGTKStepperStyleToMozillaScrollArrowStyle implementation. 5. Vulnerability Existed: not sure Potential Information Disclosure [File] widget/gtk/nsLookAndFeel.cpp [Lines 898] [Old Code] case IntID::SystemUsesDarkTheme: { EnsureInit(); aResult = mSystemTheme.mIsDark; break; } [Fixed Code] case IntID::SystemUsesDarkTheme: { EnsureInit(); if (mColorSchemePreference) { aResult = *mColorSchemePreference == ColorScheme::Dark; } else { aResult = mSystemTheme.mIsDark; } break; } The change adds additional logic for color scheme preference which might have security implications for theme information disclosure, though the exact impact is unclear.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/layout/reftests/css-grid/grid-fragmentation-020.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/layout/reftests/css-grid/grid-fragmentation-020.html@@ -23,7 +23,7 @@ -ms-column-fill: auto; -webkit-column-fill: auto; column-fill: auto;- border: 2px dashed;+ border: 2px solid salmon; margin-bottom: 5px; } .no-border { border-style:none; }
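Review bot: The border at line 23 changes from `2px dashed` to `2px solid salmon`, and a reftest passes only when the test and its reference render identically, so the matching reference file needs the same border. That change is not part of this diff; confirm it landed alongside, and say in the commit message why the dashed border had to go.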
Based on the provided code diff, I'll analyze it for potential security fixes: 1. Vulnerability Existed: no No security vulnerability found [File] layout/reftests/css-grid/grid-fragmentation-020.html [Lines] 23 [Old Code] border: 2px dashed; [Fixed Code] border: 2px solid salmon; Additional Details: - This appears to be a purely visual/style change in a test file, changing the border style from dashed to solid and specifying a color (salmon) - The change doesn't involve any security-sensitive operations, input handling, or potential attack vectors - The file is a reftest (reference test) for CSS grid fragmentation behavior, not production code
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/pin-project/tests/lint.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/pin-project/tests/lint.rs@@ -17,7 +17,6 @@ single_use_lifetimes, trivial_casts, trivial_numeric_casts,- unaligned_references, unreachable_pub, unused_extern_crates, unused_import_braces,
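Review bot: `unaligned_references` is dropped from the lint list in tests/lint.rs with nothing in the hunk saying why. A short comment or changelog entry stating whether the lint was renamed, retired by the compiler, or produced false positives would keep the next reader from assuming coverage was lost by accident.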
Let me analyze the provided code diff for security fixes. Vulnerability Existed: not sure Unaligned References Vulnerability [third_party/rust/pin-project/tests/lint.rs] [Lines 17] [Old Code] unaligned_references, [Fixed Code] (removed) Additional Details: - The diff shows the removal of the `unaligned_references` lint from the lint configuration file - While unaligned references can potentially cause security issues (like crashes or undefined behavior), this appears to be a test file rather than production code - The removal might indicate that either: a) The lint was deemed unnecessary for test code b) The underlying security concern was addressed elsewhere c) The lint was deprecated or its behavior changed in newer Rust versions - Without more context about why this was removed, I can't definitively say if this was a security fix or just a cleanup
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/selectors/old-tests/css3-modsel-33.xml+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/selectors/old-tests/css3-modsel-33.xml@@ -8,7 +8,6 @@ ]]></style> <link rel="author" title="Daniel Glazman" href="http://glazman.org/"/> <link rel="help" href="https://www.w3.org/TR/css3-selectors/#selectors"/> <!-- bogus link to make sure it gets found -->- <meta name="flags" content="" /> </head> <body> <div>
Analysis of the provided code diff: 1. Vulnerability Existed: no No specific vulnerability found [File] testing/web-platform/tests/css/selectors/old-tests/css3-modsel-33.xml [Lines] 8 [Old Code] `<meta name="flags" content="" />` [Fixed Code] (removed line) Additional Details: - The change simply removes an empty meta tag with a "flags" attribute, which doesn't appear to be security-related - This looks like a test file cleanup rather than a security fix - No known vulnerability patterns or security issues are addressed by this change Note: While this doesn't appear to be a security fix, it's worth noting that removing unused metadata can be considered good practice for code hygiene, but doesn't directly impact security.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/selectors/old-tests/css3-modsel-34.xml+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/selectors/old-tests/css3-modsel-34.xml@@ -8,7 +8,6 @@ ]]></style> <link rel="author" title="Daniel Glazman" href="http://glazman.org/"/> <link rel="help" href="https://www.w3.org/TR/css3-selectors/#selectors"/> <!-- bogus link to make sure it gets found -->- <meta name="flags" content="" /> </head> <body> <div>This div contains 3 addresses:
Analysis of the provided code diff: 1. Vulnerability Existed: no No security vulnerability found [File] [Lines 8] [Old Code] <meta name="flags" content="" /> [Fixed Code] (removed line) Additional Details: - The diff shows removal of an empty meta tag with "flags" attribute - This appears to be test-related metadata cleanup rather than a security fix - No known vulnerability is associated with this change - The modification seems to be removing unused/obsolete test configuration Note: The change appears to be part of test file maintenance rather than addressing any security vulnerability. The removed meta tag was empty and didn't appear to serve any security-relevant purpose.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/mochitest/browser-test.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/mochitest/browser-test.js@@ -980,6 +980,89 @@ }); },+ async handleTask(task, currentTest, PromiseTestUtils, isSetup = false) {+ let currentScope = currentTest.scope;+ let desc = isSetup ? "setup" : "test";+ currentScope.SimpleTest.info(`Entering ${desc} ${task.name}`);+ let startTimestamp = performance.now();+ try {+ let result = await task();+ if (isGenerator(result)) {+ currentScope.SimpleTest.ok(false, "Task returned a generator");+ }+ } catch (ex) {+ if (currentTest.timedOut) {+ currentTest.addResult(+ new testResult({+ name: `Uncaught exception received from previously timed out ${desc}`,+ pass: false,+ ex,+ stack: typeof ex == "object" && "stack" in ex ? ex.stack : null,+ allowFailure: currentTest.allowFailure,+ })+ );+ // We timed out, so we've already cleaned up for this test, just get outta here.+ return;+ }+ currentTest.addResult(+ new testResult({+ name: `Uncaught exception in ${desc}`,+ pass: currentScope.SimpleTest.isExpectingUncaughtException(),+ ex,+ stack: typeof ex == "object" && "stack" in ex ? ex.stack : null,+ allowFailure: currentTest.allowFailure,+ })+ );+ }+ PromiseTestUtils.assertNoUncaughtRejections();+ ChromeUtils.addProfilerMarker(+ isSetup ? 
"setup-task" : "task",+ { category: "Test", startTime: startTimestamp },+ task.name.replace(/^bound /, "") || undefined+ );+ currentScope.SimpleTest.info(`Leaving ${desc} ${task.name}`);+ },++ async _runTaskBasedTest(currentTest) {+ let currentScope = currentTest.scope;++ // First run all the setups:+ let setupFn;+ while ((setupFn = currentScope.__setups.shift())) {+ await this.handleTask(+ setupFn,+ currentTest,+ this.PromiseTestUtils,+ true /* is setup task */+ );+ }++ // Allow for a task to be skipped; we need only use the structured logger+ // for this, whilst deactivating log buffering to ensure that messages+ // are always printed to stdout.+ let skipTask = task => {+ let logger = this.structuredLogger;+ logger.deactivateBuffering();+ logger.testStatus(this.currentTest.path, task.name, "SKIP");+ logger.warning("Skipping test " + task.name);+ logger.activateBuffering();+ };++ let task;+ while ((task = currentScope.__tasks.shift())) {+ if (+ task.__skipMe ||+ (currentScope.__runOnlyThisTask &&+ task != currentScope.__runOnlyThisTask)+ ) {+ skipTask(task);+ continue;+ }+ await this.handleTask(task, currentTest, this.PromiseTestUtils);+ }+ currentScope.finish();+ },+ execTest: function Tester_execTest() { this.structuredLogger.testStart(this.currentTest.path);@@ -1101,73 +1184,9 @@ "Cannot run both a add_task test and a normal test at the same time." 
); }- let PromiseTestUtils = this.PromiseTestUtils;-- // Allow for a task to be skipped; we need only use the structured logger- // for this, whilst deactivating log buffering to ensure that messages- // are always printed to stdout.- let skipTask = task => {- let logger = this.structuredLogger;- logger.deactivateBuffering();- logger.testStatus(this.currentTest.path, task.name, "SKIP");- logger.warning("Skipping test " + task.name);- logger.activateBuffering();- };-- (async function() {- let task;- while ((task = this.__tasks.shift())) {- if (- task.__skipMe ||- (this.__runOnlyThisTask && task != this.__runOnlyThisTask)- ) {- skipTask(task);- continue;- }- this.SimpleTest.info("Entering test " + task.name);- let startTimestamp = performance.now();- try {- let result = await task();- if (isGenerator(result)) {- this.SimpleTest.ok(false, "Task returned a generator");- }- } catch (ex) {- if (currentTest.timedOut) {- currentTest.addResult(- new testResult({- name:- "Uncaught exception received from previously timed out test",- pass: false,- ex,- stack:- typeof ex == "object" && "stack" in ex ? ex.stack : null,- allowFailure: currentTest.allowFailure,- })- );- // We timed out, so we've already cleaned up for this test, just get outta here.- return;- }- currentTest.addResult(- new testResult({- name: "Uncaught exception",- pass: this.SimpleTest.isExpectingUncaughtException(),- ex,- stack:- typeof ex == "object" && "stack" in ex ? 
ex.stack : null,- allowFailure: currentTest.allowFailure,- })- );- }- PromiseTestUtils.assertNoUncaughtRejections();- ChromeUtils.addProfilerMarker(- "task",- { category: "Test", startTime: startTimestamp },- task.name.replace(/^bound /, "") || undefined- );- this.SimpleTest.info("Leaving test " + task.name);- }- this.finish();- }.call(currentScope));+ // Spin off the async work without waiting for it to complete.+ // It'll call finish() when it's done.+ this._runTaskBasedTest(this.currentTest); } else if (typeof scope.test == "function") { scope.test(); } else {@@ -1617,6 +1636,7 @@ testScope.prototype = { __done: true, __tasks: null,+ __setups: [], __runOnlyThisTask: null, __waitTimer: null, __cleanupFunctions: [],@@ -1674,6 +1694,15 @@ return bound; },+ add_setup(aFunction) {+ if (!this.__setups.length) {+ this.waitForExplicitFinish();+ }+ let bound = aFunction.bind(this);+ this.__setups.push(bound);+ return bound;+ },+ destroy: function test_destroy() { for (let prop in this) { delete this[prop];
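Review bot: `__setups: []` is added to testScope.prototype, so every test scope shares one array unless an instance assigns its own, and add_setup() pushes straight into `this.__setups`. Anything left undrained (for example if a test times out before _runTaskBasedTest has shifted the queue empty) would carry into the next scope, and the `if (!this.__setups.length)` guard would then skip waitForExplicitFinish(). Declaring it as `__setups: null` like `__tasks` and creating the array per instance avoids that. Separately, skipTask reads `this.currentTest.path` while the rest of _runTaskBasedTest uses the `currentTest` argument; pick one.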
After analyzing the provided code diff, I don't see any clear security vulnerabilities being fixed. The changes appear to be primarily about code organization and adding new functionality (setup tasks) rather than addressing security issues. Here's the analysis following your requested format: 1. Vulnerability Existed: no No security vulnerability found [testing/mochitest/browser-test.js] [Lines 980-1674] [Old code handling tasks inline] [New code extracted task handling into separate methods and added setup task support] The main changes are: 1. Extracting task handling logic into separate methods (handleTask and _runTaskBasedTest) 2. Adding support for setup tasks via __setups array and add_setup method 3. Better organization of error handling and logging These changes improve code maintainability and add functionality but don't appear to address any specific security vulnerabilities. The error handling remains largely the same, just better organized. If I were to speculate about potential security implications, the only area that might be relevant is the error handling, but it's not clear that any vulnerabilities existed in the original implementation. The changes maintain the same security properties regarding exception handling and promise rejection checking.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/ash/src/extensions/khr/ray_tracing_pipeline.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/ash/src/extensions/khr/ray_tracing_pipeline.rs@@ -8,18 +8,16 @@ #[derive(Clone)] pub struct RayTracingPipeline { handle: vk::Device,- ray_tracing_fn: vk::KhrRayTracingPipelineFn,+ fp: vk::KhrRayTracingPipelineFn, } impl RayTracingPipeline { pub fn new(instance: &Instance, device: &Device) -> Self {- let ray_tracing_fn = vk::KhrRayTracingPipelineFn::load(|name| unsafe {- mem::transmute(instance.get_device_proc_addr(device.handle(), name.as_ptr()))+ let handle = device.handle();+ let fp = vk::KhrRayTracingPipelineFn::load(|name| unsafe {+ mem::transmute(instance.get_device_proc_addr(handle, name.as_ptr())) });- Self {- handle: device.handle(),- ray_tracing_fn,- }+ Self { handle, fp } } pub unsafe fn get_properties(@@ -46,7 +44,7 @@ height: u32, depth: u32, ) {- self.ray_tracing_fn.cmd_trace_rays_khr(+ self.fp.cmd_trace_rays_khr( command_buffer, raygen_shader_binding_tables as *const _, miss_shader_binding_tables as *const _,@@ -67,7 +65,7 @@ allocation_callbacks: Option<&vk::AllocationCallbacks>, ) -> VkResult<Vec<vk::Pipeline>> { let mut pipelines = vec![mem::zeroed(); create_info.len()];- self.ray_tracing_fn+ self.fp .create_ray_tracing_pipelines_khr( self.handle, deferred_operation,@@ -89,16 +87,14 @@ data_size: usize, ) -> VkResult<Vec<u8>> { let mut data = Vec::<u8>::with_capacity(data_size);- let err_code = self- .ray_tracing_fn- .get_ray_tracing_shader_group_handles_khr(- self.handle,- pipeline,- first_group,- group_count,- data_size,- data.as_mut_ptr() as *mut std::ffi::c_void,- );+ let err_code = self.fp.get_ray_tracing_shader_group_handles_khr(+ self.handle,+ pipeline,+ first_group,+ group_count,+ data_size,+ data.as_mut_ptr() as *mut std::ffi::c_void,+ ); 
data.set_len(data_size); err_code.result_with_success(data) }@@ -113,7 +109,7 @@ ) -> VkResult<Vec<u8>> { let mut data: Vec<u8> = Vec::with_capacity(data_size);- self.ray_tracing_fn+ self.fp .get_ray_tracing_capture_replay_shader_group_handles_khr( self.handle, pipeline,@@ -135,7 +131,7 @@ callable_shader_binding_table: &[vk::StridedDeviceAddressRegionKHR], indirect_device_address: vk::DeviceAddress, ) {- self.ray_tracing_fn.cmd_trace_rays_indirect_khr(+ self.fp.cmd_trace_rays_indirect_khr( command_buffer, raygen_shader_binding_table.as_ptr(), miss_shader_binding_table.as_ptr(),@@ -152,8 +148,12 @@ group: u32, group_shader: vk::ShaderGroupShaderKHR, ) -> vk::DeviceSize {- self.ray_tracing_fn- .get_ray_tracing_shader_group_stack_size_khr(self.handle, pipeline, group, group_shader)+ self.fp.get_ray_tracing_shader_group_stack_size_khr(+ self.handle,+ pipeline,+ group,+ group_shader,+ ) } #[doc = "<https://www.khronos.org/registry/vulkan/specs/1.2-extensions/man/html/vkCmdSetRayTracingPipelineStackSizeKHR.html>"]@@ -162,7 +162,7 @@ command_buffer: vk::CommandBuffer, pipeline_stack_size: u32, ) {- self.ray_tracing_fn+ self.fp .cmd_set_ray_tracing_pipeline_stack_size_khr(command_buffer, pipeline_stack_size); }@@ -171,7 +171,7 @@ } pub fn fp(&self) -> &vk::KhrRayTracingPipelineFn {- &self.ray_tracing_fn+ &self.fp } pub fn device(&self) -> vk::Device {
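Review bot: In the shader-group-handles hunk, `data.set_len(data_size)` still runs before `err_code` is inspected, so on a failed call the Vec's length covers bytes that were never written. Even if result_with_success discards the vector on error, setting the length only after the call reports success would be cleaner, and this reformat was the natural moment to do it. The rename from `ray_tracing_fn` to `fp` itself is mechanical and consistent across the visible hunks.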
Analyzing the provided code diff, I don't see any clear security vulnerabilities being fixed. The changes appear to be primarily cosmetic/structural, renaming a field (`ray_tracing_fn` to `fp`) and adjusting some formatting. Here's my analysis: Vulnerability Existed: no No security vulnerability found [third_party/rust/ash/src/extensions/khr/ray_tracing_pipeline.rs] [8-171] [Old Code: Various instances of `self.ray_tracing_fn`] [Fixed Code: Various instances of `self.fp`] The changes appear to be: 1. Field renaming from `ray_tracing_fn` to `fp` for consistency/brevity 2. Minor code restructuring in the `new()` function 3. Formatting adjustments in function calls 4. No changes to the actual security-sensitive operations or memory handling There are no changes to: - Memory safety practices - Input validation - Pointer handling - Error handling - Security-critical operations The modifications seem focused on code organization rather than security fixes.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.stroke.unaffected.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.stroke.unaffected.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillRect(0, 0, 100, 50);@@ -28,7 +28,7 @@ ctx.closePath(); ctx.strokeStyle = '#0f0'; ctx.stroke();-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); t.done(); });
Based on the provided diff, I'll analyze it for security vulnerabilities: 1. Vulnerability Existed: no No security vulnerability found [File] testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.stroke.unaffected.worker.js [Lines] 13-28 [Old Code] var offscreenCanvas = new OffscreenCanvas(100, 50); var ctx = offscreenCanvas.getContext('2d'); ... _assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); [Fixed Code] var canvas = new OffscreenCanvas(100, 50); var ctx = canvas.getContext('2d'); ... _assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); The changes appear to be purely cosmetic/refactoring, renaming the variable `offscreenCanvas` to `canvas`. There are no security-related changes in this diff. The functionality remains exactly the same, just with a different variable name. No security vulnerabilities were fixed in this change.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/media/platforms/ffmpeg/FFmpegVideoFramePool.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/media/platforms/ffmpeg/FFmpegVideoFramePool.cpp@@ -9,26 +9,30 @@ #include "mozilla/widget/DMABufLibWrapper.h" #include "libavutil/pixfmt.h"+#undef FFMPEG_LOG+#define FFMPEG_LOG(str, ...) \+ MOZ_LOG(sPDMLog, mozilla::LogLevel::Debug, (str, ##__VA_ARGS__))+ namespace mozilla {-RefPtr<layers::Image> VideoFrameSurfaceDMABuf::GetAsImage() {+RefPtr<layers::Image> VideoFrameSurfaceVAAPI::GetAsImage() { return new layers::DMABUFSurfaceImage(mSurface); }-VideoFrameSurfaceDMABuf::VideoFrameSurfaceDMABuf(DMABufSurface* aSurface)- : mSurface(aSurface) {+VideoFrameSurfaceVAAPI::VideoFrameSurfaceVAAPI(DMABufSurface* aSurface)+ : mSurface(aSurface),+ mLib(nullptr),+ mAVHWFramesContext(nullptr),+ mHWAVBuffer(nullptr) { // Create global refcount object to track mSurface usage over // gects rendering engine. We can't release it until it's used // by GL compositor / WebRender. 
MOZ_ASSERT(mSurface); MOZ_RELEASE_ASSERT(mSurface->GetAsDMABufSurfaceYUV()); mSurface->GlobalRefCountCreate();- FFMPEG_LOG("VideoFrameSurfaceDMABuf: creating surface UID = %d",+ FFMPEG_LOG("VideoFrameSurfaceVAAPI: creating surface UID = %d", mSurface->GetUID()); }--VideoFrameSurfaceVAAPI::VideoFrameSurfaceVAAPI(DMABufSurface* aSurface)- : VideoFrameSurfaceDMABuf(aSurface) {} void VideoFrameSurfaceVAAPI::LockVAAPIData(AVCodecContext* aAVCodecContext, AVFrame* aAVFrame,@@ -50,12 +54,14 @@ // In such case we don't care as the dmabuf surface will not be // recycled for another frame and stays here untill last fd of it // is closed.- mLib->av_buffer_unref(&mHWAVBuffer);- mLib->av_buffer_unref(&mAVHWFramesContext);+ if (mLib) {+ mLib->av_buffer_unref(&mHWAVBuffer);+ mLib->av_buffer_unref(&mAVHWFramesContext);+ }+ // If we want to recycle the frame, make sure it's not used+ // by gecko rendering pipeline. if (aForFrameRecycle) {- // If we want to recycle the frame, make sure it's not used- // by gecko rendering pipeline. 
MOZ_DIAGNOSTIC_ASSERT(!IsUsed()); mSurface->ReleaseSurface(); }@@ -68,37 +74,46 @@ ReleaseVAAPIData(/* aForFrameRecycle */ false); }-VideoFramePool::VideoFramePool(bool aUseVAAPI) : mUseVAAPI(aUseVAAPI) {}+VideoFramePool::VideoFramePool() : mSurfaceLock("VideoFramePoolSurfaceLock") {}-VideoFramePool::~VideoFramePool() { mDMABufSurfaces.Clear(); }+VideoFramePool::~VideoFramePool() {+ MutexAutoLock lock(mSurfaceLock);+ mDMABufSurfaces.Clear();+} void VideoFramePool::ReleaseUnusedVAAPIFrames() {- if (!mUseVAAPI) {- return;- }+ MutexAutoLock lock(mSurfaceLock); for (const auto& surface : mDMABufSurfaces) {- if (!surface->IsUsed()) {- surface->ReleaseVAAPIData();+ auto* vaapiSurface = surface->AsVideoFrameSurfaceVAAPI();+ if (!vaapiSurface->IsUsed()) {+ vaapiSurface->ReleaseVAAPIData(); } } } RefPtr<VideoFrameSurface> VideoFramePool::GetFreeVideoFrameSurface() {- int len = mDMABufSurfaces.Length();- for (int i = 0; i < len; i++) {- if (!mDMABufSurfaces[i]->IsUsed()) {- return mDMABufSurfaces[i];+ for (auto& surface : mDMABufSurfaces) {+ if (surface->IsUsed()) {+ continue; }+ auto* vaapiSurface = surface->AsVideoFrameSurfaceVAAPI();+ vaapiSurface->ReleaseVAAPIData();+ return surface; } return nullptr; } RefPtr<VideoFrameSurface> VideoFramePool::GetVideoFrameSurface(- VADRMPRIMESurfaceDescriptor& aVaDesc) {- // VADRMPRIMESurfaceDescriptor can be used with VA-API only.- MOZ_ASSERT(mUseVAAPI);+ VADRMPRIMESurfaceDescriptor& aVaDesc, AVCodecContext* aAVCodecContext,+ AVFrame* aAVFrame, FFmpegLibWrapper* aLib) {+ if (aVaDesc.fourcc != VA_FOURCC_NV12 && aVaDesc.fourcc != VA_FOURCC_YV12 &&+ aVaDesc.fourcc != VA_FOURCC_P010) {+ FFMPEG_LOG("Unsupported VA-API surface format %d", aVaDesc.fourcc);+ return nullptr;+ }- auto videoSurface = GetFreeVideoFrameSurface();+ MutexAutoLock lock(mSurfaceLock);+ RefPtr<VideoFrameSurface> videoSurface = GetFreeVideoFrameSurface(); if (!videoSurface) { RefPtr<DMABufSurfaceYUV> surface = DMABufSurfaceYUV::CreateYUVSurface(aVaDesc);@@ -106,51 
+121,28 @@ return nullptr; } FFMPEG_LOG("Created new VA-API DMABufSurface UID = %d", surface->GetUID());- videoSurface = new VideoFrameSurfaceVAAPI(surface);- mDMABufSurfaces.AppendElement(videoSurface);- return videoSurface;+ RefPtr<VideoFrameSurfaceVAAPI> surf = new VideoFrameSurfaceVAAPI(surface);+ if (!mTextureCreationWorks) {+ mTextureCreationWorks = Some(surface->VerifyTextureCreation());+ }+ if (!*mTextureCreationWorks) {+ FFMPEG_LOG(" failed to create texture over DMABuf memory!");+ return nullptr;+ }+ videoSurface = surf;+ mDMABufSurfaces.AppendElement(std::move(surf));+ } else {+ RefPtr<DMABufSurfaceYUV> surface = videoSurface->GetDMABufSurface();+ if (!surface->UpdateYUVData(aVaDesc)) {+ return nullptr;+ }+ FFMPEG_LOG("Reusing VA-API DMABufSurface UID = %d", surface->GetUID()); }- // Release VAAPI surface data before we reuse it.- videoSurface->ReleaseVAAPIData();+ auto* vaapiSurface = videoSurface->AsVideoFrameSurfaceVAAPI();+ vaapiSurface->LockVAAPIData(aAVCodecContext, aAVFrame, aLib);+ vaapiSurface->MarkAsUsed();- RefPtr<DMABufSurfaceYUV> surface = videoSurface->GetDMABufSurface();- if (!surface->UpdateYUVData(aVaDesc)) {- return nullptr;- }- FFMPEG_LOG("Reusing VA-API DMABufSurface UID = %d", surface->GetUID());- return videoSurface;-}--RefPtr<VideoFrameSurface> VideoFramePool::GetVideoFrameSurface(- AVPixelFormat aPixelFormat, AVFrame* aFrame) {- // We should not use SW surfaces when VA-API is enabled.- MOZ_ASSERT(!mUseVAAPI);- MOZ_ASSERT(aFrame);-- // With SW decode we support only YUV420P format with DMABuf surfaces.- if (aPixelFormat != AV_PIX_FMT_YUV420P) {- return nullptr;- }-- auto videoSurface = GetFreeVideoFrameSurface();- if (!videoSurface) {- RefPtr<DMABufSurfaceYUV> surface = DMABufSurfaceYUV::CreateYUVSurface(- aFrame->width, aFrame->height, (void**)aFrame->data, aFrame->linesize);- if (!surface) {- return nullptr;- }- FFMPEG_LOG("Created new SW DMABufSurface UID = %d", surface->GetUID());- videoSurface = new 
VideoFrameSurfaceDMABuf(surface);- mDMABufSurfaces.AppendElement(videoSurface);- return videoSurface;- }-- RefPtr<DMABufSurfaceYUV> surface = videoSurface->GetDMABufSurface();- if (!surface->UpdateYUVData((void**)aFrame->data, aFrame->linesize)) {- return nullptr;- }- FFMPEG_LOG("Reusing SW DMABufSurface UID = %d", surface->GetUID()); return videoSurface; }
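Review bot: GetFreeVideoFrameSurface() walks mDMABufSurfaces and calls ReleaseVAAPIData() without taking mSurfaceLock itself; it is safe only because GetVideoFrameSurface() holds the lock when calling it. Make that contract explicit, for instance with `mSurfaceLock.AssertCurrentThreadOwns();` at the top or by passing the `MutexAutoLock` in as a proof argument, so a future caller cannot reach the list unlocked. Also, the result of AsVideoFrameSurfaceVAAPI() is dereferenced unchecked in both ReleaseUnusedVAAPIFrames() and GetFreeVideoFrameSurface(); a MOZ_ASSERT on it would document that the pool now holds VA-API surfaces only.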
Let me analyze the code diff for potential security fixes:

1. Vulnerability Existed: yes
Race Condition Vulnerability [dom/media/platforms/ffmpeg/FFmpegVideoFramePool.cpp] [Lines 74-76, 82-84, 91-93]
[Old Code]
VideoFramePool::VideoFramePool(bool aUseVAAPI) : mUseVAAPI(aUseVAAPI) {}
VideoFramePool::~VideoFramePool() { mDMABufSurfaces.Clear(); }
void VideoFramePool::ReleaseUnusedVAAPIFrames() {
  if (!mUseVAAPI) {
    return;
  }
[Fixed Code]
VideoFramePool::VideoFramePool() : mSurfaceLock("VideoFramePoolSurfaceLock") {}
VideoFramePool::~VideoFramePool() {
  MutexAutoLock lock(mSurfaceLock);
  mDMABufSurfaces.Clear();
}
void VideoFramePool::ReleaseUnusedVAAPIFrames() {
  MutexAutoLock lock(mSurfaceLock);
[Details: Added mutex locks to prevent race conditions when accessing shared resources]

2. Vulnerability Existed: yes
Null Pointer Dereference Vulnerability [dom/media/platforms/ffmpeg/FFmpegVideoFramePool.cpp] [Lines 50-52]
[Old Code]
mLib->av_buffer_unref(&mHWAVBuffer);
mLib->av_buffer_unref(&mAVHWFramesContext);
[Fixed Code]
if (mLib) {
  mLib->av_buffer_unref(&mHWAVBuffer);
  mLib->av_buffer_unref(&mAVHWFramesContext);
}
[Details: Added null check before dereferencing mLib pointer]

3. Vulnerability Existed: yes
Input Validation Vulnerability [dom/media/platforms/ffmpeg/FFmpegVideoFramePool.cpp] [Lines 103-107]
[Old Code]
VADRMPRIMESurfaceDescriptor& aVaDesc) {
  // VADRMPRIMESurfaceDescriptor can be used with VA-API only.
  MOZ_ASSERT(mUseVAAPI);
[Fixed Code]
VADRMPRIMESurfaceDescriptor& aVaDesc, AVCodecContext* aAVCodecContext, AVFrame* aAVFrame, FFmpegLibWrapper* aLib) {
  if (aVaDesc.fourcc != VA_FOURCC_NV12 && aVaDesc.fourcc != VA_FOURCC_YV12 && aVaDesc.fourcc != VA_FOURCC_P010) {
    FFMPEG_LOG("Unsupported VA-API surface format %d", aVaDesc.fourcc);
    return nullptr;
  }
[Details: Added validation for supported surface formats]

4. Vulnerability Existed: not sure
Resource Leak Potential [dom/media/platforms/ffmpeg/FFmpegVideoFramePool.cpp] [Lines 121-123]
[Old Code]
videoSurface = new VideoFrameSurfaceVAAPI(surface);
mDMABufSurfaces.AppendElement(videoSurface);
[Fixed Code]
if (!mTextureCreationWorks) {
  mTextureCreationWorks = Some(surface->VerifyTextureCreation());
}
if (!*mTextureCreationWorks) {
  FFMPEG_LOG(" failed to create texture over DMABuf memory!");
  return nullptr;
}
[Details: Added additional resource verification, but unclear if this fixes an actual leak]
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/darling_core/src/usage/generics_ext.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/darling_core/src/usage/generics_ext.rs@@ -1,6 +1,6 @@ use syn::Generics;-use usage::{IdentSet, LifetimeSet};+use crate::usage::{IdentSet, LifetimeSet}; /// Extension trait for pulling specific generics data from a generics AST representation. pub trait GenericsExt {
Analysis of the provided code diff:

1. Vulnerability Existed: no
No specific vulnerability [third_party/rust/darling_core/src/usage/generics_ext.rs] [Lines 1-3]
Old Code: `use usage::{IdentSet, LifetimeSet};`
Fixed Code: `use crate::usage::{IdentSet, LifetimeSet};`

Additional Details:
- The change is simply updating the import path from a relative `usage` to an absolute `crate::usage`
- This appears to be a code organization/refactoring change rather than a security fix
- No security vulnerability is being addressed here
- The change makes the import more explicit by using the crate root path

No security vulnerabilities were identified in this diff. The change appears to be purely structural/refactoring in nature.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/naga/.cargo-checksum.json+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/naga/.cargo-checksum.json@@ -1 +1 @@
=========testing/web-platform/tests/html/canvas/offscreen/pixel-manipulation/2d.imageData.put.unaffected.worker.js========--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/pixel-manipulation/2d.imageData.put.unaffected.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/pixel-manipulation/2d.imageData.put.unaffected.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#0f0'; ctx.fillRect(0, 0, 100, 50)@@ -28,7 +28,7 @@ ctx.translate(100, 50); ctx.scale(0.1, 0.1); ctx.putImageData(imgdata, 0, 0);-_assertPixelApprox(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255", 2);+_assertPixelApprox(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255", 2); t.done(); });
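Review bot: the `@@ -1 +1 @@` hunk on third_party/rust/naga/.cargo-checksum.json replaces the whole one-line manifest, so it cannot be reviewed on its own. The hashes only record that vendored files changed, not what changed in them. Review it together with the diffs of the naga sources it covers, and confirm the manifest was regenerated by the vendoring step rather than edited by hand.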
After analyzing the provided code diff, I can identify the following changes:

1. For the `.cargo-checksum.json` file, this appears to be a checksum update for multiple Rust source files in the naga project. Since these are checksum updates without seeing the actual source changes, I cannot determine if there are security fixes.
2. For the worker.js file, there's a simple variable rename from `offscreenCanvas` to `canvas`, which doesn't appear to be security-related.

Here's the structured analysis:

Vulnerability Existed: no
Variable Renaming [testing/web-platform/tests/html/canvas/offscreen/pixel-manipulation/2d.imageData.put.unaffected.worker.js] [13,28]
[var offscreenCanvas = new OffscreenCanvas(100, 50); var ctx = offscreenCanvas.getContext('2d'); _assertPixelApprox(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255", 2);]
[var canvas = new OffscreenCanvas(100, 50); var ctx = canvas.getContext('2d'); _assertPixelApprox(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255", 2);]

For the checksum updates in `.cargo-checksum.json`, since we can't see the actual source changes:

Vulnerability Existed: not sure
Checksum Updates [third_party/rust/naga/.cargo-checksum.json] [Entire file]
[Old checksums for multiple files]
[New checksums for multiple files]

No clear security vulnerabilities were identified in the visible changes. The worker.js change is purely a variable naming improvement, and the checksum updates could correspond to any number of changes in the source files.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.pattern.repeat.unrecognisednull.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.pattern.repeat.unrecognisednull.html@@ -17,10 +17,10 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d');-assert_throws_dom("SYNTAX_ERR", function() { ctx.createPattern(offscreenCanvas, "null"); });+assert_throws_dom("SYNTAX_ERR", function() { ctx.createPattern(canvas, "null"); }); t.done(); });
Here's the analysis of the provided code diff:

1. Vulnerability Existed: no
No specific vulnerability found
[File] testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.pattern.repeat.unrecognisednull.html
[Lines] 17-20
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
assert_throws_dom("SYNTAX_ERR", function() { ctx.createPattern(offscreenCanvas, "null"); });
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
assert_throws_dom("SYNTAX_ERR", function() { ctx.createPattern(canvas, "null"); });

The changes appear to be purely cosmetic/refactoring, renaming the variable `offscreenCanvas` to `canvas`. The functionality remains the same, testing that creating a pattern with an invalid repeat value ("null") throws a SYNTAX_ERR. No security vulnerability is being fixed here.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.invalid.css-color-4-hsla-3.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.invalid.css-color-4-hsla-3.html@@ -17,14 +17,14 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#0f0'; try { ctx.fillStyle = 'hsla(0, 100% 50%)'; } catch (e) { } // this shouldn't throw, but it shouldn't matter here if it does ctx.fillRect(0, 0, 100, 50);-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); t.done(); });
Based on the provided diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely cosmetic/refactoring (variable name change from `offscreenCanvas` to `canvas`). Here's the analysis:

Vulnerability Existed: no
No security vulnerability found
File: testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.invalid.css-color-4-hsla-3.html
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");

The changes are:
1. Variable name change from `offscreenCanvas` to `canvas`
2. Corresponding update in the `_assertPixel` call

No security implications were found in this change.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/taskcluster/ci/fetch/browsertime.yml+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/taskcluster/ci/fetch/browsertime.yml@@ -46,36 +46,6 @@ url: https://chromedriver.storage.googleapis.com/87.0.4280.20/chromedriver_linux64.zip sha256: a3248aa7308727fe1116b7e937511c3486b4efd45da9c50e3b6a7c31563df3b2 size: 5564194--win32-chromedriver-94:- description: 'Win32 chromedriver v94'- fetch:- type: static-url- artifact-name: chromedriver_win32_94.tar.zst- add-prefix: '94'- url: https://chromedriver.storage.googleapis.com/94.0.4606.41/chromedriver_win32.zip- sha256: 989cf1238b0a278a6380df75cfe522b7973b4ee181233ec92bd4843bbdc25d6d- size: 5993388--linux64-chromedriver-94:- description: 'Linux64 chromedriver v94'- fetch:- type: static-url- artifact-name: chromedriver_linux64_94.tar.zst- add-prefix: '94'- url: https://chromedriver.storage.googleapis.com/94.0.4606.41/chromedriver_linux64.zip- sha256: b83962722c8fc5a40c679166578715fc80dc9c0cd69b8f53ab925445747cd419- size: 9875677--mac64-chromedriver-94:- description: 'Mac64 chromedriver v94'- fetch:- type: static-url- artifact-name: chromedriver_mac64_94.tar.zst- add-prefix: '94'- url: https://chromedriver.storage.googleapis.com/94.0.4606.41/chromedriver_mac64.zip- sha256: 8a653c0b27264ae2b9ffd895cfa58b8bd9fefb20204a4526d1b554ac278480d5- size: 8182442 win32-chromedriver-95: description: 'Win32 chromedriver v95'@@ -136,3 +106,33 @@ url: https://chromedriver.storage.googleapis.com/96.0.4664.45/chromedriver_mac64.zip sha256: 0e88eab13db9bd6ef2def8c2342556c29f739f00846de21258b2a3b61e476b64 size: 8234174++win32-chromedriver-97:+ description: 'Win32 chromedriver v97'+ fetch:+ type: static-url+ artifact-name: chromedriver_win32_97.tar.zst+ add-prefix: '97'+ url: https://chromedriver.storage.googleapis.com/97.0.4692.71/chromedriver_win32.zip+ sha256: 
e19794a297636b3d88a4030896e8856a5eabea3e240c40dd8c9ff33782e61305+ size: 6180382++linux64-chromedriver-97:+ description: 'Linux64 chromedriver v97'+ fetch:+ type: static-url+ artifact-name: chromedriver_linux64_97.tar.zst+ add-prefix: '97'+ url: https://chromedriver.storage.googleapis.com/97.0.4692.71/chromedriver_linux64.zip+ sha256: 916df6c6d1532ce24b505629b6c11bfe598d78ded6fa6ec9c7036ec499278753+ size: 9982326++mac64-chromedriver-97:+ description: 'Mac64 chromedriver v97'+ fetch:+ type: static-url+ artifact-name: chromedriver_mac64_97.tar.zst+ add-prefix: '97'+ url: https://chromedriver.storage.googleapis.com/97.0.4692.71/chromedriver_mac64.zip+ sha256: 7ae949b20216aa9dda278564d877d2c815ded013442cf0b64f429d1676b361ff+ size: 8277283
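Review bot: the first hunk drops the `win32-chromedriver-94`, `linux64-chromedriver-94` and `mac64-chromedriver-94` fetch entries without showing that nothing still depends on them. Check that no task definition lists those names as a fetch, otherwise the dependent tasks will fail to resolve. For the v97 entries added in the second hunk, verify each `sha256` and `size` against the archive independently of the `url` it was downloaded from, since the pin is what binds the CI artifact to a known binary.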
Based on the provided code diff, I'll analyze it for security fixes. The changes primarily involve removing older versions of chromedriver (v94) and adding newer versions (v97). Here's the analysis:

1. Vulnerability Existed: not sure
[Potential Outdated Dependency Removal] [taskcluster/ci/fetch/browsertime.yml] [Lines 46-106]
[Old Code]
```yaml
win32-chromedriver-94:
    description: 'Win32 chromedriver v94'
    fetch:
        type: static-url
        artifact-name: chromedriver_win32_94.tar.zst
        add-prefix: '94'
        url: https://chromedriver.storage.googleapis.com/94.0.4606.41/chromedriver_win32.zip
        sha256: 989cf1238b0a278a6380df75cfe522b7973b4ee181233ec92bd4843bbdc25d6d
        size: 5993388

linux64-chromedriver-94:
    description: 'Linux64 chromedriver v94'
    fetch:
        type: static-url
        artifact-name: chromedriver_linux64_94.tar.zst
        add-prefix: '94'
        url: https://chromedriver.storage.googleapis.com/94.0.4606.41/chromedriver_linux64.zip
        sha256: b83962722c8fc5a40c679166578715fc80dc9c0cd69b8f53ab925445747cd419
        size: 9875677

mac64-chromedriver-94:
    description: 'Mac64 chromedriver v94'
    fetch:
        type: static-url
        artifact-name: chromedriver_mac64_94.tar.zst
        add-prefix: '94'
        url: https://chromedriver.storage.googleapis.com/94.0.4606.41/chromedriver_mac64.zip
        sha256: 8a653c0b27264ae2b9ffd895cfa58b8bd9fefb20204a4526d1b554ac278480d5
        size: 8182442
```
[Fixed Code]
(Removed entirely)

2. Vulnerability Existed: not sure
[New Dependency Version Addition] [taskcluster/ci/fetch/browsertime.yml] [Lines 106-136]
[Old Code]
(No previous code for v97)
[Fixed Code]
```yaml
win32-chromedriver-97:
    description: 'Win32 chromedriver v97'
    fetch:
        type: static-url
        artifact-name: chromedriver_win32_97.tar.zst
        add-prefix: '97'
        url: https://chromedriver.storage.googleapis.com/97.0.4692.71/chromedriver_win32.zip
        sha256: e19794a297636b3d88a4030896e8856a5eabea3e240c40dd8c9ff33782e61305
        size: 6180382

linux64-chromedriver-97:
    description: 'Linux64 chromedriver v97'
    fetch:
        type: static-url
        artifact-name: chromedriver_linux64_97.tar.zst
        add-prefix: '97'
        url: https://chromedriver.storage.googleapis.com/97.0.4692.71/chromedriver_linux64.zip
        sha256: 916df6c6d1532ce24b505629b6c11bfe598d78ded6fa6ec9c7036ec499278753
        size: 9982326

mac64-chromedriver-97:
    description: 'Mac64 chromedriver v97'
    fetch:
        type: static-url
        artifact-name: chromedriver_mac64_97.tar.zst
        add-prefix: '97'
        url: https://chromedriver.storage.googleapis.com/97.0.4692.71/chromedriver_mac64.zip
        sha256: 7ae949b20216aa9dda278564d877d2c815ded013442cf0b64f429d1676b361ff
        size: 8277283
```

Note: While the changes appear to be version updates rather than direct security fixes, it's possible that older versions (v94) had known vulnerabilities that were addressed in newer versions (v97). However, without specific information about vulnerabilities in these versions, we can't be certain this was a security fix. The changes could simply be routine version updates.