Shared security patch analysis results
AI Used: DEEPSEEK deepseek-chat--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/browser/components/downloads/content/indicator.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/browser/components/downloads/content/indicator.js@@ -553,7 +553,10 @@ return; }- DownloadsPanel.showPanel(/* openedManually */ true);+ DownloadsPanel.showPanel(+ /* openedManually */ true,+ aEvent.type.startsWith("key")+ ); aEvent.stopPropagation(); },
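Review bot: the new second argument to DownloadsPanel.showPanel is passed as a bare expression while the first argument gets an inline /* openedManually */ name; give the second the same treatment (for example /* openedByKeyboard */ aEvent.type.startsWith("key")) so a reader of this call site does not have to open the showPanel definition to learn what the keyboard-versus-pointer distinction controls. Note also that startsWith("key") is true for keydown, keyup and keypress alike, so the value only means "activated from the keyboard" if this handler is wired to a single activation event; a comment saying which event reaches here would make that explicit.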
Let me analyze the provided code diff for security fixes. Vulnerability Existed: not sure [Potential User Interaction Verification Issue] [browser/components/downloads/content/indicator.js] [Lines 553-557] [Old Code] DownloadsPanel.showPanel(/* openedManually */ true); [Fixed Code] DownloadsPanel.showPanel( /* openedManually */ true, aEvent.type.startsWith("key") ); Additional Details: The change adds a second parameter to indicate whether the panel was opened via keyboard interaction. While this appears to be more of a functional improvement than a direct security fix, it could potentially relate to security by ensuring proper user interaction verification (distinguishing between mouse and keyboard events). However, without more context about how this parameter is used in the `showPanel` function, I can't definitively say this fixes a security vulnerability.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
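The advisory sentence above relies on a rule that is easy to get wrong in practice: a popup opened from a sandboxed iframe must inherit the opener's sandboxing flags unless the frame was also given allow-popups-to-escape-sandbox, so allow-popups on its own must never yield a popup that can run script. The following JavaScript is an added illustration written for this page, not Firefox code and not part of the PatchLeaks output. It models the HTML "parse a sandboxing directive" step and the flag set a popup receives, using a subset of the sandbox tokens and the spec's descriptive flag names; the page does not describe the mechanism by which the link escaped in Firefox, so the model only shows the intended behaviour, which a test page with such an iframe should reproduce in a patched build.

```javascript
'use strict';
// Added example: a model of the HTML sandbox attribute and of the flags a
// popup inherits from a sandboxed opener. Illustrative code written for this
// page, not Firefox's implementation. The token list is a subset of the
// spec's and the flag names are the spec's descriptive names.

// Each token, when PRESENT in the sandbox attribute, clears the named flag;
// when ABSENT, the flag stays set.
const TOKEN_CLEARS_FLAG = {
  'allow-popups': 'sandboxed auxiliary navigation',
  'allow-popups-to-escape-sandbox': 'sandbox propagates to auxiliary browsing contexts',
  'allow-scripts': 'sandboxed scripts',
  'allow-same-origin': 'sandboxed origin',
  'allow-forms': 'sandboxed forms',
  'allow-modals': 'sandboxed modals',
  'allow-top-navigation': 'sandboxed top-level navigation',
};

// sandbox="allow-popups allow-scripts" -> Set of the flags that remain set.
// Tokens are matched ASCII case-insensitively; unknown tokens are ignored.
function parseSandboxAttribute(attrValue) {
  const tokens = new Set(
    attrValue.trim().split(/\s+/).filter(Boolean).map((t) => t.toLowerCase()),
  );
  const flags = new Set();
  for (const [token, flag] of Object.entries(TOKEN_CLEARS_FLAG)) {
    if (!tokens.has(token)) flags.add(flag);
  }
  return flags;
}

// Content inside the frame opens a popup (window.open or a link with
// target=_blank). Returns null when the popup is blocked, otherwise the
// sandboxing flag set the new top-level browsing context must run under.
function popupFlagsFor(openerFlags) {
  if (openerFlags.has('sandboxed auxiliary navigation')) {
    return null; // no allow-popups: popups are blocked outright
  }
  if (openerFlags.has('sandbox propagates to auxiliary browsing contexts')) {
    return new Set(openerFlags); // allow-popups only: popup inherits every flag
  }
  return new Set(); // allow-popups-to-escape-sandbox: the popup is unsandboxed
}

function scriptsAllowed(flags) {
  return flags !== null && !flags.has('sandboxed scripts');
}

// The property the advisory says was violated: with allow-popups but without
// allow-scripts, a popup opened from the frame must not be able to run script.
function popupCanRunScript(sandboxAttr) {
  return scriptsAllowed(popupFlagsFor(parseSandboxAttribute(sandboxAttr)));
}

// One row of a summary table, handy when writing a manual test page.
function describe(sandboxAttr) {
  const popup = popupFlagsFor(parseSandboxAttribute(sandboxAttr));
  return {
    sandbox: sandboxAttr,
    popupAllowed: popup !== null,
    popupMayRunScript: scriptsAllowed(popup),
  };
}

for (const attr of ['', 'allow-scripts', 'allow-popups',
                    'allow-popups allow-scripts',
                    'allow-popups allow-popups-to-escape-sandbox']) {
  console.log(describe(attr));
}
```

The row for `sandbox="allow-popups"` is the one the advisory is about: the popup is allowed to open, but it carries the opener's "sandboxed scripts" flag, so `popupMayRunScript` is false. A browser in which that popup nevertheless executes script is behaving as the vulnerable versions listed above did.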
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/streams/readable-streams/patched-global.any.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/streams/readable-streams/patched-global.any.js@@ -1,4 +1,4 @@-// META: global=window,worker,jsshell+// META: global=window,worker 'use strict'; // Tests which patch the global environment are kept separate to avoid
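Review bot: the META line now drops jsshell, but the file's own comment only explains why global-patching tests are kept in a separate file, not why they can no longer run in the shell; add a sentence (or a reference to the tracking bug) giving the reason, otherwise the next person editing this file cannot tell whether restoring jsshell is safe or would reintroduce the failure this change works around.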
Here's the analysis of the provided code diff: 1. Vulnerability Existed: not sure [Potential Global Scope Pollution] [testing/web-platform/tests/streams/readable-streams/patched-global.any.js] [Lines 1] [Old Code] // META: global=window,worker,jsshell [Fixed Code] // META: global=window,worker Additional Details: - The change removes 'jsshell' from the global scope declaration in the test file's metadata - This might be related to preventing potential scope pollution or test contamination when running in jsshell environments - Without more context about the jsshell environment and what tests are being run, it's difficult to determine if this was an actual security fix or just a test configuration change - The change could be related to security if jsshell had different security properties than window/worker contexts that needed to be isolated
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/accessible/generic/HyperTextAccessible.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/accessible/generic/HyperTextAccessible.h@@ -146,20 +146,18 @@ */ bool IsLineEndCharAt(int32_t aOffset) { return IsCharAt(aOffset, '\n'); }- /**- * Return text before/at/after the given offset corresponding to- * the boundary type.- */- void TextBeforeOffset(int32_t aOffset, AccessibleTextBoundary aBoundaryType,- int32_t* aStartOffset, int32_t* aEndOffset,- nsAString& aText);+ virtual void TextBeforeOffset(int32_t aOffset,+ AccessibleTextBoundary aBoundaryType,+ int32_t* aStartOffset, int32_t* aEndOffset,+ nsAString& aText) override; virtual void TextAtOffset(int32_t aOffset, AccessibleTextBoundary aBoundaryType, int32_t* aStartOffset, int32_t* aEndOffset, nsAString& aText) override;- void TextAfterOffset(int32_t aOffset, AccessibleTextBoundary aBoundaryType,- int32_t* aStartOffset, int32_t* aEndOffset,- nsAString& aText);+ virtual void TextAfterOffset(int32_t aOffset,+ AccessibleTextBoundary aBoundaryType,+ int32_t* aStartOffset, int32_t* aEndOffset,+ nsAString& aText) override; virtual already_AddRefed<AccAttributes> TextAttributes( bool aIncludeDefAttrs, int32_t aOffset, int32_t* aStartOffset,@@ -184,18 +182,19 @@ int32_t OffsetAtPoint(int32_t aX, int32_t aY, uint32_t aCoordType); /**- * Return a rect of the given text range relative given coordinate system.- */- nsIntRect TextBounds(+ * Return a rect (in dev pixels) of the given text range relative given+ * coordinate system.+ */+ LayoutDeviceIntRect TextBounds( int32_t aStartOffset, int32_t aEndOffset, uint32_t aCoordType = nsIAccessibleCoordinateType::COORDTYPE_SCREEN_RELATIVE); /**- * Return a rect for character at given offset relative given coordinate- * system.- */- nsIntRect CharBounds(int32_t aOffset, uint32_t aCoordType) {+ * Return a rect (in dev 
pixels) for character at given offset relative given+ * coordinate system.+ */+ LayoutDeviceIntRect CharBounds(int32_t aOffset, uint32_t aCoordType) { int32_t endOffset = aOffset == static_cast<int32_t>(CharacterCount()) ? aOffset : aOffset + 1;@@ -394,11 +393,13 @@ EWordMovementType aWordMovementType = eDefaultBehavior); /**- * Return the boundaries of the substring in case of textual frame or- * frame boundaries in case of non textual frame, offsets are ignored.- */- nsIntRect GetBoundsInFrame(nsIFrame* aFrame, uint32_t aStartRenderedOffset,- uint32_t aEndRenderedOffset);+ * Return the boundaries (in dev pixels) of the substring in case of textual+ * frame or frame boundaries in case of non textual frame, offsets are+ * ignored.+ */+ LayoutDeviceIntRect GetBoundsInFrame(nsIFrame* aFrame,+ uint32_t aStartRenderedOffset,+ uint32_t aEndRenderedOffset); // Selection helpers
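Review bot: the doc comment "Return text before/at/after the given offset corresponding to the boundary type" is deleted together with the non-virtual declarations, so TextBeforeOffset and TextAfterOffset (like TextAtOffset, which was already an override) now carry no documentation in this header; unless the base-class declaration documents the contract, keep the comment on the overrides. The nsIntRect to LayoutDeviceIntRect return-type change in the later hunks is the right direction, since a typed rect stops CSS-pixel and device-pixel values from being mixed silently, but this hunk is only the header: every caller of TextBounds, CharBounds and GetBoundsInFrame that assigned the result to an nsIntRect has to change in the same patch, and the conversions at the platform-API and IPC boundaries are where any remaining unit mismatch will hide, so those call sites are what to check.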
Analyzing the provided code diff, here are the potential security vulnerabilities:

1. Vulnerability Existed: not sure
[Potential Inheritance Issue] [accessible/generic/HyperTextAccessible.h] [Lines 146-158]
[Old Code]
void TextBeforeOffset(int32_t aOffset, AccessibleTextBoundary aBoundaryType, int32_t* aStartOffset, int32_t* aEndOffset, nsAString& aText);
void TextAfterOffset(int32_t aOffset, AccessibleTextBoundary aBoundaryType, int32_t* aStartOffset, int32_t* aEndOffset, nsAString& aText);
[Fixed Code]
virtual void TextBeforeOffset(int32_t aOffset, AccessibleTextBoundary aBoundaryType, int32_t* aStartOffset, int32_t* aEndOffset, nsAString& aText) override;
virtual void TextAfterOffset(int32_t aOffset, AccessibleTextBoundary aBoundaryType, int32_t* aStartOffset, int32_t* aEndOffset, nsAString& aText) override;
[Details] The change adds 'virtual' and 'override' keywords, which suggests potential inheritance issues were fixed. While not directly a security vulnerability, improper inheritance could lead to security issues if methods weren't being called as expected.

2. Vulnerability Existed: not sure
[Potential Integer Overflow/Type Safety] [accessible/generic/HyperTextAccessible.h] [Lines 184-203]
[Old Code]
nsIntRect TextBounds(...);
nsIntRect CharBounds(...);
nsIntRect GetBoundsInFrame(...);
[Fixed Code]
LayoutDeviceIntRect TextBounds(...);
LayoutDeviceIntRect CharBounds(...);
LayoutDeviceIntRect GetBoundsInFrame(...);
[Details] The change from nsIntRect to LayoutDeviceIntRect suggests potential type safety or coordinate system issues were addressed. While not explicitly a security fix, incorrect coordinate handling could potentially lead to security issues in rendering or accessibility features.

No clear security vulnerabilities were identified in the diff, but there are changes that improve code safety and correctness which could indirectly prevent potential security issues. The changes appear to be more about code quality and proper inheritance rather than direct security fixes.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.rect.negative.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.rect.negative.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillRect(0, 0, 100, 50);@@ -29,10 +29,10 @@ ctx.rect(0, 50, 50, -25); ctx.rect(100, 50, -50, -25); ctx.fill();-_assertPixel(offscreenCanvas, 25,12, 0,255,0,255, "25,12", "0,255,0,255");-_assertPixel(offscreenCanvas, 75,12, 0,255,0,255, "75,12", "0,255,0,255");-_assertPixel(offscreenCanvas, 25,37, 0,255,0,255, "25,37", "0,255,0,255");-_assertPixel(offscreenCanvas, 75,37, 0,255,0,255, "75,37", "0,255,0,255");+_assertPixel(canvas, 25,12, 0,255,0,255, "25,12", "0,255,0,255");+_assertPixel(canvas, 75,12, 0,255,0,255, "75,12", "0,255,0,255");+_assertPixel(canvas, 25,37, 0,255,0,255, "25,37", "0,255,0,255");+_assertPixel(canvas, 75,37, 0,255,0,255, "75,37", "0,255,0,255"); t.done(); });
After analyzing the provided code diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely variable renaming (from `offscreenCanvas` to `canvas`) and corresponding updates to the assertions. Here's the analysis following your format: 1. Vulnerability Existed: no No security vulnerability found [File] [Lines 17-29] [Old Code] var offscreenCanvas = new OffscreenCanvas(100, 50); var ctx = offscreenCanvas.getContext('2d'); ... _assertPixel(offscreenCanvas, 25,12, 0,255,0,255, "25,12", "0,255,0,255"); [Fixed Code] var canvas = new OffscreenCanvas(100, 50); var ctx = canvas.getContext('2d'); ... _assertPixel(canvas, 25,12, 0,255,0,255, "25,12", "0,255,0,255"); The changes are purely cosmetic/refactoring in nature and don't address any security issues. The functionality remains exactly the same, only the variable name has been changed for better clarity or consistency.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/pixel-manipulation/2d.imageData.object.readonly.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/pixel-manipulation/2d.imageData.object.readonly.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); var imgdata = ctx.getImageData(0, 0, 10, 10); var w = imgdata.width;
Based on the provided diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely variable renaming without any security implications. Here's the analysis: Vulnerability Existed: no No security vulnerability found [testing/web-platform/tests/html/canvas/offscreen/pixel-manipulation/2d.imageData.object.readonly.html] [Lines 17-18] [Old Code] var offscreenCanvas = new OffscreenCanvas(100, 50); var ctx = offscreenCanvas.getContext('2d'); [Fixed Code] var canvas = new OffscreenCanvas(100, 50); var ctx = canvas.getContext('2d'); The change simply renames the variable `offscreenCanvas` to `canvas` for consistency or clarity, but doesn't address any security issues. The functionality remains exactly the same.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/cache-padded/.cargo-checksum.json+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/cache-padded/.cargo-checksum.json@@ -1 +1 @@-{"files":{"CHANGELOG.md":"50d6fbb00aa801cffefd2ecbbb43bba8686925658b3bf5e304b5af735f90bf08","Cargo.toml":"7ff90cd0fd3bc7449b8f55dea7de4d7d51f7c11948119512a274369733a94321","LICENSE-APACHE":"a60eea817514531668d7e00765731449fe14d059d3249e0bc93b36de45f759f2","LICENSE-MIT":"23f18e03dc49df91622fe2a76176497404e46ced8a715d9d2b67a7446571cca3","README.md":"106c91d873d7c2681ca6264195737d7f2ea73f91cc74dd4c200f3fe9c5ea4907","src/lib.rs":"d2b1a7280c5cb8c1e946a5839862a1496749c445851f7ed196debf8386a4e646","tests/padding.rs":"120cc65d1fcebbdb0ed8b0c287680ede2483e3ab040746e1a3616ffb39d8f414"},"package":"631ae5198c9be5e753e5cc215e1bd73c2b466a3565173db433f52bb9d3e66dba"}+{"files":{"CHANGELOG.md":"01efe9c9a75e5a305dac0e12676ed451f746049a825aa86acef0d8ee90742f71","Cargo.toml":"ea55c73cacac2dcc3bdcb2c657e057d9b73214e76f8654799236b13c853e97bd","LICENSE-APACHE":"a60eea817514531668d7e00765731449fe14d059d3249e0bc93b36de45f759f2","LICENSE-MIT":"23f18e03dc49df91622fe2a76176497404e46ced8a715d9d2b67a7446571cca3","README.md":"61d450a57f8699dfc1c39e3bb69236f7d10f31f4503b03aa8b2b37b2448b8b69","src/lib.rs":"4bcb45fe37cdca78ba0e403d9e531102c521ad42e9ffd2ecbb154b4509864978","tests/padding.rs":"120cc65d1fcebbdb0ed8b0c287680ede2483e3ab040746e1a3616ffb39d8f414"},"package":"c1db59621ec70f09c5e9b597b220c7a2b43611f4710dc03ceb8748637775692c"}=========testing/web-platform/tests/html/canvas/offscreen/drawing-rectangles-to-the-canvas/2d.fillRect.negative.html========--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/drawing-rectangles-to-the-canvas/2d.fillRect.negative.html+++ 
/root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/drawing-rectangles-to-the-canvas/2d.fillRect.negative.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillRect(0, 0, 100, 50);@@ -27,10 +27,10 @@ ctx.fillRect(100, 0, -50, 25); ctx.fillRect(0, 50, 50, -25); ctx.fillRect(100, 50, -50, -25);-_assertPixel(offscreenCanvas, 25,12, 0,255,0,255, "25,12", "0,255,0,255");-_assertPixel(offscreenCanvas, 75,12, 0,255,0,255, "75,12", "0,255,0,255");-_assertPixel(offscreenCanvas, 25,37, 0,255,0,255, "25,37", "0,255,0,255");-_assertPixel(offscreenCanvas, 75,37, 0,255,0,255, "75,37", "0,255,0,255");+_assertPixel(canvas, 25,12, 0,255,0,255, "25,12", "0,255,0,255");+_assertPixel(canvas, 75,12, 0,255,0,255, "75,12", "0,255,0,255");+_assertPixel(canvas, 25,37, 0,255,0,255, "25,37", "0,255,0,255");+_assertPixel(canvas, 75,37, 0,255,0,255, "75,37", "0,255,0,255"); t.done(); });
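Review bot: the .cargo-checksum.json hunk changes the recorded hashes for CHANGELOG.md, Cargo.toml, README.md and src/lib.rs of the vendored cache-padded crate, plus the package hash, but no change to the crate's source files appears alongside it; confirm that the updated third_party/rust/cache-padded tree and the matching Cargo.lock entry are part of the same commit, because a checksum file that does not match the vendored sources either fails the vendored build or, worse, masks a locally modified vendored file. The 2d.fillRect.negative.html hunk after it is a plain variable rename with no review point.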
Based on the provided code diff, I don't see any security vulnerabilities being fixed. The changes appear to be either:
1. Updates to checksums and file hashes in the cargo-checksum.json file (normal maintenance)
2. Variable renaming in a test file (from `offscreenCanvas` to `canvas`)

Here are the structured responses:

1. For the cargo-checksum.json changes:
Vulnerability Existed: no
No security vulnerability - File hash updates [third_party/rust/cache-padded/.cargo-checksum.json] [Entire file] [Old checksums and hashes] [New checksums and hashes]

2. For the test file changes:
Vulnerability Existed: no
No security vulnerability - Test variable renaming [testing/web-platform/tests/html/canvas/offscreen/drawing-rectangles-to-the-canvas/2d.fillRect.negative.html] [Lines 17-18, 27-30] [Old variable name offscreenCanvas] [New variable name canvas]

The changes appear to be routine maintenance and test improvements rather than security fixes. No specific vulnerabilities were identified in these changes.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/webgpu/ipc/WebGPUParent.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/webgpu/ipc/WebGPUParent.h@@ -21,7 +21,7 @@ }; class WebGPUParent final : public PWebGPUParent {- NS_INLINE_DECL_THREADSAFE_REFCOUNTING(WebGPUParent)+ NS_INLINE_DECL_THREADSAFE_REFCOUNTING(WebGPUParent, override) public: explicit WebGPUParent();@@ -30,9 +30,9 @@ const dom::GPURequestAdapterOptions& aOptions, const nsTArray<RawId>& aTargetIds, InstanceRequestAdapterResolver&& resolver);- ipc::IPCResult RecvAdapterRequestDevice(RawId aSelfId,- const ipc::ByteBuf& aByteBuf,- RawId aNewId);+ ipc::IPCResult RecvAdapterRequestDevice(+ RawId aSelfId, const ipc::ByteBuf& aByteBuf, RawId aNewId,+ AdapterRequestDeviceResolver&& resolver); ipc::IPCResult RecvAdapterDestroy(RawId aSelfId); ipc::IPCResult RecvDeviceDestroy(RawId aSelfId); ipc::IPCResult RecvBufferReturnShmem(RawId aSelfId, Shmem&& aShmem);@@ -74,6 +74,9 @@ ipc::IPCResult RecvSwapChainDestroy(wr::ExternalImageId aExternalId); ipc::IPCResult RecvDeviceAction(RawId aSelf, const ipc::ByteBuf& aByteBuf);+ ipc::IPCResult RecvDeviceActionWithAck(+ RawId aSelf, const ipc::ByteBuf& aByteBuf,+ DeviceActionWithAckResolver&& aResolver); ipc::IPCResult RecvTextureAction(RawId aSelf, RawId aDevice, const ipc::ByteBuf& aByteBuf); ipc::IPCResult RecvCommandEncoderAction(RawId aSelf, RawId aDevice,@@ -87,7 +90,7 @@ ipc::IPCResult RecvDevicePopErrorScope( RawId aSelfId, DevicePopErrorScopeResolver&& aResolver);- ipc::IPCResult RecvShutdown();+ void ActorDestroy(ActorDestroyReason aWhy) override; private: virtual ~WebGPUParent();
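Review bot: replacing RecvShutdown with an ActorDestroy override changes when cleanup runs, not just where: ActorDestroy is invoked for every teardown reason (normal close, abnormal child exit, failed construction), so whatever RecvShutdown used to do must now be safe to run when no orderly Shutdown message was ever received and when the child process is already gone; check that the implementation does not send messages or wait on replies from inside ActorDestroy. The new resolver parameters on RecvAdapterRequestDevice and RecvDeviceActionWithAck mean these messages are now async-with-reply in the IPDL, so every path out of those handlers, including the error and early-return paths, has to invoke the resolver exactly once, otherwise the content side waits on a promise that never settles.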
Here's the analysis of the provided code diff following the specified format:

1. Vulnerability Existed: not sure
[Thread Safety Issue] [dom/webgpu/ipc/WebGPUParent.h] [Lines 21]
[Old Code] `NS_INLINE_DECL_THREADSAFE_REFCOUNTING(WebGPUParent)`
[Fixed Code] `NS_INLINE_DECL_THREADSAFE_REFCOUNTING(WebGPUParent, override)`
Additional Details: The change adds 'override' to thread-safe reference counting declaration, which might indicate a fix for potential inheritance issues, but it's unclear if this was fixing an actual vulnerability.

2. Vulnerability Existed: not sure
[IPC Message Handler Missing Resolver] [dom/webgpu/ipc/WebGPUParent.h] [Lines 30-32]
[Old Code] `ipc::IPCResult RecvAdapterRequestDevice(RawId aSelfId, const ipc::ByteBuf& aByteBuf, RawId aNewId);`
[Fixed Code] `ipc::IPCResult RecvAdapterRequestDevice(RawId aSelfId, const ipc::ByteBuf& aByteBuf, RawId aNewId, AdapterRequestDeviceResolver&& resolver);`
Additional Details: The change adds a resolver parameter, which might indicate a fix for potential race conditions or unacknowledged messages, but it's unclear if this was fixing an actual vulnerability.

3. Vulnerability Existed: not sure
[Missing Acknowledgement Mechanism] [dom/webgpu/ipc/WebGPUParent.h] [Lines 74-76]
[Old Code] (No equivalent function)
[Fixed Code] `ipc::IPCResult RecvDeviceActionWithAck(RawId aSelf, const ipc::ByteBuf& aByteBuf, DeviceActionWithAckResolver&& aResolver);`
Additional Details: The addition of a new function with an acknowledgement resolver might indicate a fix for potential message loss issues, but it's unclear if this was fixing an actual vulnerability.

4. Vulnerability Existed: not sure
[Shutdown Handling Issue] [dom/webgpu/ipc/WebGPUParent.h] [Lines 87]
[Old Code] `ipc::IPCResult RecvShutdown();`
[Fixed Code] `void ActorDestroy(ActorDestroyReason aWhy) override;`
Additional Details: The change from RecvShutdown to ActorDestroy might indicate a fix for potential cleanup issues during shutdown, but it's unclear if this was fixing an actual vulnerability.

Note: While these changes appear to improve thread safety and IPC message handling, without more context about the specific security issues being addressed, we can't definitively state whether actual vulnerabilities were being fixed. The changes seem to follow good practices for IPC and thread safety, which are common areas for security vulnerabilities.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/js/src/builtin/Array.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/js/src/builtin/Array.js@@ -307,6 +307,149 @@ return A; }+#ifdef NIGHTLY_BUILD+// Array Grouping proposal+//+// Array.prototype.groupBy+// https://tc39.es/proposal-array-grouping/#sec-array.prototype.groupby+function ArrayGroupBy(callbackfn/*, thisArg*/) {+ /* Step 1. Let O be ? ToObject(this value). */+ var O = ToObject(this);++ /* Step 2. Let len be ? LengthOfArrayLike(O). */+ var len = ToLength(O.length);++ /* Step 3. If IsCallable(callbackfn) is false, throw a TypeError exception. */+ if (!IsCallable(callbackfn)) {+ ThrowTypeError(JSMSG_NOT_FUNCTION, DecompileArg(0, callbackfn));+ }++ /* Step 5. Let groups be a new empty List. */+ var groups = new_List();++ var T = arguments.length > 1 ? arguments[1] : void 0;++ /* Steps 4, 6. */+ for (var k = 0; k < len; k++) {++ /* Skip Step 6.a. Let Pk be ! ToString(𝔽(k)).+ *+ * k is coerced into a string through the property access. */++ /* Step 6.b. Let kValue be ? Get(O, Pk). */+ var kValue = O[k];++ /* Step 6.c.+ * Let propertyKey be ? ToPropertyKey(+ * ? Call(callbackfn, thisArg, « kValue, 𝔽(k), O »)).+ */+ var propertyKey = TO_PROPERTY_KEY(+ callContentFunction(callbackfn, T, kValue, k, O)+ );++ /* Step 6.d. Perform ! AddValueToKeyedGroup(groups, propertyKey, kValue). */+ if (!groups[propertyKey]) {+ var elements = [ kValue ];+ DefineDataProperty(groups, propertyKey, elements);+ } else {+ var lenElements = groups[propertyKey].length;+ DefineDataProperty(groups[propertyKey], lenElements, kValue);+ }+ }++ /* Step 7. Let obj be ! OrdinaryObjectCreate(null). */+ var object = std_Object_create(null);++ /* Step 8. For each Record { [[Key]], [[Elements]] } g of groups, do+ * a. Let elements be ! CreateArrayFromList(g.[[Elements]]).+ * b. Perform ! 
CreateDataPropertyOrThrow(obj, g.[[Key]], elements).+ */+ for (var propertyKey in groups) {+ DefineDataProperty(object, propertyKey, groups[propertyKey])+ }++ /* Step 9. Return obj. */+ return object;+}++// Array Grouping proposal+//+// Array.prototype.groupByToMap+// https://tc39.es/proposal-array-grouping/#sec-array.prototype.groupbymap+function ArrayGroupByToMap(callbackfn/*, thisArg*/) {++ /* Step 1. Let O be ? ToObject(this value). */+ var O = ToObject(this);++ /* Step 2. Let len be ? LengthOfArrayLike(O). */+ var len = ToLength(O.length);++ /* Step 3.+ * If IsCallable(callbackfn) is false, throw a TypeError exception.+ */+ if (!IsCallable(callbackfn)) {+ ThrowTypeError(JSMSG_NOT_FUNCTION, DecompileArg(0, callbackfn));+ }++ /* Skipping Step 5. Let groups be a new empty List.+ *+ * Intermediate object isn't necessary as we have direct access+ * to the map constructor and set/get methods.+ */++ /* Step 7. Let map be ! Construct(%Map%). */+ var C = GetBuiltinConstructor("Map");+ var map = new C();++ var T = arguments.length > 1 ? arguments[1] : void 0;++ /* Combine Step 6. and Step 8.+ *+ * We have direct access to the map constructor and set/get methods.+ * We can treat these two loops as one, as there isn't a risk that user+ * polyfilling will impact the implementation.+ */+ for (var k = 0; k < len; k++) {+ /* Skipping Step 6.a. Let Pk be ! ToString(𝔽(k)).+ *+ * Value is coerced to String by property access in step 6.b.+ */++ /* Step 6.b. Let kValue be ? Get(O, Pk). */+ var kValue = O[k];++ /* Step 6.c.+ * Let key be ? Call(callbackfn, thisArg, « kValue, 𝔽(k), O »).+ */+ var propertyKey = callContentFunction(callbackfn,T, kValue, k, O);++ /* Skipping Step 6.d. If key is -0𝔽, set key to +0𝔽.+ *+ * This step is performed by std_Map_set.+ */++ /* Step 8.c. Append entry as the last element of map.[[MapData]].+ *+ * We are not using an intermediate object to store the values.+ * So, this step applies it directly to the map object. Skips steps+ * 6.e (Perform ! 
AddValueToKeyedGroup(groups, key, kValue))+ * and 8.a-b as a result.+ */+ if (!callFunction(std_Map_get, map, propertyKey)) {+ var elements = [ kValue ];+ callFunction(std_Map_set, map, propertyKey, elements);+ } else {+ var elements = callFunction(std_Map_get, map, propertyKey);+ DefineDataProperty(elements, elements.length, kValue);+ }+ }++ /* Step 9. Return map. */+ return map;+}++#endif+ /* ES5 15.4.4.21. */ function ArrayReduce(callbackfn/*, initialValue*/) { /* Step 1. */@@ -956,8 +1099,22 @@ // ES 2017 draft (April 8, 2016) 22.1.3.1.1 function IsConcatSpreadable(O) {+ /* Use an intermediate var in order to evade a lint error for+ * unreachable code (the linter doesn't recognize preprocessor+ * directives) */+ var maybeSpreadable = true;+ // Step 1.- if (!IsObject(O))+ if (!IsObject(O)) {+ maybeSpreadable = false;+#ifdef ENABLE_RECORD_TUPLE+ // This check ensures that unboxed Tuples are spreadable+ if (IsTuple(O)) {+ return true;+ }+#endif+ }+ if (!maybeSpreadable) return false; // Step 2.@@ -968,7 +1125,12 @@ return ToBoolean(spreadable); // Step 4.- return IsArray(O);+ spreadable |= IsArray(O);+#ifdef ENABLE_RECORD_TUPLE+ // This check ensures that Tuple object wrappers are spreadable+ spreadable |= IsTuple(O);+#endif+ return spreadable; } // ES 2016 draft Mar 25, 2016 22.1.3.1.@@ -1237,7 +1399,7 @@ var items = std_Array(len); /* Steps 5-6. */- for(var k = 0; k < len; k++) {+ for (var k = 0; k < len; k++) { DefineDataProperty(items, k, O[k]); }
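Review bot: in ArrayGroupBy the final `for (var propertyKey in groups)` loop enumerates string keys only, but TO_PROPERTY_KEY can yield a Symbol when callbackfn returns one; that group is stored on `groups` by DefineDataProperty and then silently omitted from the returned object, whereas step 8 of the proposal performs CreateDataPropertyOrThrow for every key, symbols included. Record the keys as they are first seen (or iterate own keys including symbols) instead of using for-in. The `if (!groups[propertyKey])` test also assumes new_List() has no inherited properties; if that is guaranteed, say so in a comment, because otherwise a key such as "constructor" would take the else branch on its first occurrence and append to an inherited value.

Review bot: `spreadable |= IsArray(O)` in IsConcatSpreadable makes the function return 0 or 1 rather than a boolean: by the time step 4 is reached `spreadable` is undefined (any other value was already returned through ToBoolean above), so `undefined | true` evaluates to the number 1. Callers that only test truthiness are unaffected, but the replaced `return IsArray(O)` returned a real boolean; `return IsArray(O) || IsTuple(O)` under the ifdef keeps the type and reads more directly. The maybeSpreadable detour to avoid the unreachable-code lint is understandable, but the comment should name the lint so the workaround can be removed once the linter understands preprocessor directives.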
I'll analyze the code diff for security fixes following the specified format. The diff shows several changes, but I don't see any obvious security vulnerabilities being fixed. Here's my analysis:

1. For the new ArrayGroupBy and ArrayGroupByToMap functions:
Vulnerability Existed: no
These are new feature implementations (Array Grouping proposal) rather than security fixes.

2. For the IsConcatSpreadable changes:
Vulnerability Existed: not sure
The changes add support for Tuples and modify the spreadable check logic, but it's unclear if this fixes any specific vulnerability. The changes appear to be feature additions rather than security fixes.

3. For the ArraySlice changes:
Vulnerability Existed: no
The change is just a formatting fix (adding space in `for` loop), not a security fix.

The diff primarily shows:
1. Addition of new array grouping functionality (ArrayGroupBy and ArrayGroupByToMap)
2. Modifications to IsConcatSpreadable to support Tuples
3. Minor code formatting changes

No clear security vulnerabilities are being fixed in this diff. The changes appear to be either:
- New feature implementations
- Code maintenance/formatting
- Support for new language features (Tuples)

If I had to speculate about potential security implications, the most relevant change would be the IsConcatSpreadable modification, but there's no evidence this fixes an existing vulnerability. Would you like me to analyze any specific part of the diff in more detail?
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.roundrect.2.radii.2.dompoint.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.roundrect.2.radii.2.dompoint.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillRect(0, 0, 100, 50);@@ -23,20 +23,20 @@ ctx.fill(); // top-right corner-_assertPixel(offscreenCanvas, 79,1, 255,0,0,255, "79,1", "255,0,0,255");-_assertPixel(offscreenCanvas, 58,1, 0,255,0,255, "58,1", "0,255,0,255");-_assertPixel(offscreenCanvas, 98,10, 255,0,0,255, "98,10", "255,0,0,255");-_assertPixel(offscreenCanvas, 98,21, 0,255,0,255, "98,21", "0,255,0,255");+_assertPixel(canvas, 79,1, 255,0,0,255, "79,1", "255,0,0,255");+_assertPixel(canvas, 58,1, 0,255,0,255, "58,1", "0,255,0,255");+_assertPixel(canvas, 98,10, 255,0,0,255, "98,10", "255,0,0,255");+_assertPixel(canvas, 98,21, 0,255,0,255, "98,21", "0,255,0,255"); // bottom-left corner-_assertPixel(offscreenCanvas, 20,48, 255,0,0,255, "20,48", "255,0,0,255");-_assertPixel(offscreenCanvas, 41,48, 0,255,0,255, "41,48", "0,255,0,255");-_assertPixel(offscreenCanvas, 1,39, 255,0,0,255, "1,39", "255,0,0,255");-_assertPixel(offscreenCanvas, 1,28, 0,255,0,255, "1,28", "0,255,0,255");+_assertPixel(canvas, 20,48, 255,0,0,255, "20,48", "255,0,0,255");+_assertPixel(canvas, 41,48, 0,255,0,255, "41,48", "0,255,0,255");+_assertPixel(canvas, 1,39, 255,0,0,255, "1,39", "255,0,0,255");+_assertPixel(canvas, 1,28, 0,255,0,255, "1,28", "0,255,0,255"); // other corners-_assertPixel(offscreenCanvas, 1,1, 0,255,0,255, "1,1", 
"0,255,0,255");-_assertPixel(offscreenCanvas, 98,48, 0,255,0,255, "98,48", "0,255,0,255");+_assertPixel(canvas, 1,1, 0,255,0,255, "1,1", "0,255,0,255");+_assertPixel(canvas, 98,48, 0,255,0,255, "98,48", "0,255,0,255"); t.done(); });
After analyzing the provided code diff, I don't see any security-related changes. The changes appear to be purely variable renaming from `offscreenCanvas` to `canvas` and updating all references accordingly. Here's the analysis:

Vulnerability Existed: no
Variable Renaming [File] [Lines 13-14, 23-36]
Old Code:
```javascript
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
...
_assertPixel(offscreenCanvas, 79,1, 255,0,0,255, "79,1", "255,0,0,255");
```
Fixed Code:
```javascript
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
...
_assertPixel(canvas, 79,1, 255,0,0,255, "79,1", "255,0,0,255");
```
Additional Details: The changes are purely cosmetic/refactoring in nature, improving variable naming consistency without affecting security. All functionality remains identical, just with a different variable name. No security vulnerabilities were addressed in this diff.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-values/calc-background-linear-gradient-1-ref.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-values/calc-background-linear-gradient-1-ref.html@@ -2,7 +2,6 @@ <head> <title>CSS Reference: Support calc() on gradient stop positions</title> <link rel="author" title="Yu-Sian (Thomasy) Liu" href="https://bugzilla.mozilla.org/show_bug.cgi?id=594935">- <meta name="flags" content=""> <style type="text/css"> div { width:100px;
Based on the provided code diff, I don't see any security vulnerabilities being fixed. The change appears to be a simple removal of an empty meta tag for flags, which doesn't relate to security.

Answer:
Vulnerability Existed: no
No security vulnerability found in this change
File: testing/web-platform/tests/css/css-values/calc-background-linear-gradient-1-ref.html
Old Code: <meta name="flags" content="">
Fixed Code: [removed]

Additional Notes:
1. The change is minor and appears to be cleanup rather than a security fix
2. The removed meta tag was empty and not serving any security-related purpose
3. No CVE or known vulnerability patterns are involved in this change
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/security/nss/cmd/pk11gcmtest/pk11gcmtest.c+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/security/nss/cmd/pk11gcmtest/pk11gcmtest.c@@ -439,10 +439,13 @@ int main(int argc, char **argv) {- if (argc < 2)- exit(1);-- NSS_NoDB_Init(NULL);+ if (argc < 2) {+ return 1;+ }++ if (NSS_NoDB_Init(NULL) != SECSuccess) {+ return 1;+ } /*************/ /* AES */@@ -455,6 +458,8 @@ } }- NSS_Shutdown();+ if (NSS_Shutdown() != SECSuccess) {+ return 1;+ } return 0; }
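Review bot: The two new early returns in main(), after `NSS_NoDB_Init(NULL)` and after `NSS_Shutdown()`, exit silently with the same status as the argument-count check, so a harness cannot tell an NSS initialisation failure from a usage error. Print a diagnostic (for example the value of `PORT_GetError()`) before each `return 1;`. Also note that the old code returned 0 even when `NSS_Shutdown()` failed, so the second hunk changes the exit status of an otherwise completed run; that is reasonable strictness for a test binary, but it deserves a one-line comment so it is not mistaken for a regression.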
Here's the analysis of the provided code diff:

1. Vulnerability Existed: yes
Improper Error Handling [File] security/nss/cmd/pk11gcmtest/pk11gcmtest.c [Lines] 439-458
[Old Code]
```c
if (argc < 2)
    exit(1);

NSS_NoDB_Init(NULL);
...
NSS_Shutdown();
```
[Fixed Code]
```c
if (argc < 2) {
    return 1;
}

if (NSS_NoDB_Init(NULL) != SECSuccess) {
    return 1;
}
...
if (NSS_Shutdown() != SECSuccess) {
    return 1;
}
```

2. Vulnerability Existed: not sure
Potential Resource Leak [File] security/nss/cmd/pk11gcmtest/pk11gcmtest.c [Lines] 439-458
[Old Code]
```c
NSS_NoDB_Init(NULL);
...
NSS_Shutdown();
```
[Fixed Code]
```c
if (NSS_NoDB_Init(NULL) != SECSuccess) {
    return 1;
}
...
if (NSS_Shutdown() != SECSuccess) {
    return 1;
}
```

Note: While the changes improve error handling, it's unclear if there were actual resource leaks in the original code. The changes ensure proper cleanup on failure conditions. The main security improvement is the addition of proper error checking for NSS initialization and shutdown functions, which could previously fail silently. The change from `exit(1)` to `return 1` is also more appropriate for a function context.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/accessible/ipc/RemoteAccessibleShared.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/accessible/ipc/RemoteAccessibleShared.h@@ -80,26 +80,28 @@ virtual void TextSubstring(int32_t aStartOffset, int32_t aEndOfset, nsAString& aText) const override;-void GetTextAfterOffset(int32_t aOffset, AccessibleTextBoundary aBoundaryType,- nsString& aText, int32_t* aStartOffset,- int32_t* aEndOffset);+virtual void TextAfterOffset(int32_t aOffset,+ AccessibleTextBoundary aBoundaryType,+ int32_t* aStartOffset, int32_t* aEndOffset,+ nsAString& aText) override; virtual void TextAtOffset(int32_t aOffset, AccessibleTextBoundary aBoundaryType, int32_t* aStartOffset, int32_t* aEndOffset, nsAString& aText) override;-void GetTextBeforeOffset(int32_t aOffset, AccessibleTextBoundary aBoundaryType,- nsString& aText, int32_t* aStartOffset,- int32_t* aEndOffset);+virtual void TextBeforeOffset(int32_t aOffset,+ AccessibleTextBoundary aBoundaryType,+ int32_t* aStartOffset, int32_t* aEndOffset,+ nsAString& aText) override; char16_t CharAt(int32_t aOffset);-nsIntRect TextBounds(+LayoutDeviceIntRect TextBounds( int32_t aStartOffset, int32_t aEndOffset, uint32_t aCoordType = nsIAccessibleCoordinateType::COORDTYPE_SCREEN_RELATIVE);-nsIntRect CharBounds(int32_t aOffset, uint32_t aCoordType);+LayoutDeviceIntRect CharBounds(int32_t aOffset, uint32_t aCoordType); int32_t OffsetAtPoint(int32_t aX, int32_t aY, uint32_t aCoordType);@@ -133,9 +135,9 @@ bool PasteText(int32_t aPosition);-nsIntPoint ImagePosition(uint32_t aCoordType);--nsIntSize ImageSize();+LayoutDeviceIntPoint ImagePosition(uint32_t aCoordType);++LayoutDeviceIntSize ImageSize(); uint32_t EndOffset(bool* aOk);@@ -216,10 +218,6 @@ void TakeSelection(); void SetSelected(bool aSelect);-bool DoAction(uint8_t aIndex);-uint8_t ActionCount();-void ActionDescriptionAt(uint8_t aIndex, 
nsString& aDescription);-void ActionNameAt(uint8_t aIndex, nsString& aName); KeyBinding AccessKey(); KeyBinding KeyboardShortcut(); void AtkKeyBinding(nsString& aBinding);@@ -234,7 +232,7 @@ virtual Accessible* ChildAtPoint( int32_t aX, int32_t aY, LocalAccessible::EWhichChildAtPoint aWhichChild) override;-nsIntRect Bounds() const override;+LayoutDeviceIntRect Bounds() const override; nsIntRect BoundsInCSSPixels(); void Language(nsString& aLocale);
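Review bot: The first hunk is more than a rename: `GetTextAfterOffset`/`GetTextBeforeOffset` become `TextAfterOffset`/`TextBeforeOffset`, the `aText` out-parameter moves from second to last position and widens from `nsString&` to `nsAString&`, and both are now `virtual ... override`. The `override` keyword only proves that a matching virtual exists in the base class; every existing caller still has to be updated for the new parameter order in the same change, so the description should name the base-class declarations these now implement. The third hunk drops `DoAction`, `ActionCount`, `ActionDescriptionAt` and `ActionNameAt` from this header without explanation; whether they moved to the base class or their callers were migrated should be stated, since a lost declaration here would otherwise surface only as a link error.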
Analyzing the provided code diff, here are the potential security vulnerabilities:

1. Vulnerability Existed: not sure
[Potential Type Confusion/Inheritance Issue] [File: accessible/ipc/RemoteAccessibleShared.h] [Lines: 80-83]
[Old Code]
void GetTextAfterOffset(int32_t aOffset, AccessibleTextBoundary aBoundaryType, nsString& aText, int32_t* aStartOffset, int32_t* aEndOffset);
[Fixed Code]
virtual void TextAfterOffset(int32_t aOffset, AccessibleTextBoundary aBoundaryType, int32_t* aStartOffset, int32_t* aEndOffset, nsAString& aText) override;

2. Vulnerability Existed: not sure
[Potential Type Confusion/Inheritance Issue] [File: accessible/ipc/RemoteAccessibleShared.h] [Lines: 88-90]
[Old Code]
void GetTextBeforeOffset(int32_t aOffset, AccessibleTextBoundary aBoundaryType, nsString& aText, int32_t* aStartOffset, int32_t* aEndOffset);
[Fixed Code]
virtual void TextBeforeOffset(int32_t aOffset, AccessibleTextBoundary aBoundaryType, int32_t* aStartOffset, int32_t* aEndOffset, nsAString& aText) override;

3. Vulnerability Existed: not sure
[Potential Integer Overflow/Type Safety] [File: accessible/ipc/RemoteAccessibleShared.h] [Lines: 94-97]
[Old Code]
nsIntRect TextBounds(int32_t aStartOffset, int32_t aEndOffset, uint32_t aCoordType = nsIAccessibleCoordinateType::COORDTYPE_SCREEN_RELATIVE);
[Fixed Code]
LayoutDeviceIntRect TextBounds(int32_t aStartOffset, int32_t aEndOffset, uint32_t aCoordType = nsIAccessibleCoordinateType::COORDTYPE_SCREEN_RELATIVE);

4. Vulnerability Existed: not sure
[Potential Integer Overflow/Type Safety] [File: accessible/ipc/RemoteAccessibleShared.h] [Lines: 99]
[Old Code]
nsIntRect CharBounds(int32_t aOffset, uint32_t aCoordType);
[Fixed Code]
LayoutDeviceIntRect CharBounds(int32_t aOffset, uint32_t aCoordType);

5. Vulnerability Existed: not sure
[Potential Integer Overflow/Type Safety] [File: accessible/ipc/RemoteAccessibleShared.h] [Lines: 135]
[Old Code]
nsIntPoint ImagePosition(uint32_t aCoordType);
[Fixed Code]
LayoutDeviceIntPoint ImagePosition(uint32_t aCoordType);

6. Vulnerability Existed: not sure
[Potential Integer Overflow/Type Safety] [File: accessible/ipc/RemoteAccessibleShared.h] [Lines: 137]
[Old Code]
nsIntSize ImageSize();
[Fixed Code]
LayoutDeviceIntSize ImageSize();

7. Vulnerability Existed: not sure
[Potential Integer Overflow/Type Safety] [File: accessible/ipc/RemoteAccessibleShared.h] [Lines: 234]
[Old Code]
nsIntRect Bounds() const override;
[Fixed Code]
LayoutDeviceIntRect Bounds() const override;

Note: While I can't confirm specific vulnerabilities, the changes suggest potential security improvements:
1. Adding 'virtual' and 'override' keywords to methods suggests fixing potential inheritance/type confusion issues
2. Changing from nsIntRect to LayoutDeviceIntRect suggests addressing potential integer overflow/type safety issues
3. The removal of action-related methods (DoAction, ActionCount etc.) might indicate fixing potential unsafe operations

The most likely security concerns being addressed are type safety and integer overflow vulnerabilities through more precise type usage (LayoutDeviceIntRect vs nsIntRect) and better inheritance control (virtual/override).
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/app-history/app-history-entry/entry-after-detach.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/app-history/app-history-entry/entry-after-detach.html@@ -7,12 +7,12 @@ window.onload = t.step_func_done(() => { let i_entry = i.contentWindow.appHistory.current; assert_true(i_entry.sameDocument);- assert_not_equals(i_entry.url, "");+ assert_not_equals(i_entry.url, null); assert_not_equals(i_entry.key, ""); assert_not_equals(i_entry.id, ""); i.remove(); assert_false(i_entry.sameDocument);- assert_equals(i_entry.url, "");+ assert_equals(i_entry.url, null); assert_equals(i_entry.key, ""); assert_equals(i_entry.id, ""); });
Analyzing the provided code diff, here's the security assessment:

1. Vulnerability Existed: not sure
[Potential Null Reference Vulnerability] [testing/web-platform/tests/app-history/app-history-entry/entry-after-detach.html] [Lines 7,12]
[Old Code]
`assert_not_equals(i_entry.url, "");`
`assert_equals(i_entry.url, "");`
[Fixed Code]
`assert_not_equals(i_entry.url, null);`
`assert_equals(i_entry.url, null);`

Additional Details: The change suggests a shift from checking empty strings to checking null values for the URL property. While this doesn't appear to be fixing a direct security vulnerability, it could be addressing potential null reference issues that might lead to undefined behavior. The change makes the test more precise by explicitly checking for null rather than empty strings, which could prevent potential type-related bugs in the implementation. However, without more context about the broader codebase, I can't definitively identify this as a security fix.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/layout/generic/nsPageSequenceFrame.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/layout/generic/nsPageSequenceFrame.cpp@@ -190,10 +190,21 @@ nscoord iSize = wm.IsVertical() ? mSize.Height() : mSize.Width(); nscoord bSize = wm.IsVertical() ? mSize.Width() : mSize.Height();+ nscoord availableISize = aReflowInput.AvailableISize();+ nscoord computedBSize = aReflowInput.ComputedBSize();+ if (MOZ_UNLIKELY(computedBSize == NS_UNCONSTRAINEDSIZE)) {+ // We have unconstrained BSize, which should only happen if someone calls+ // SizeToContent() on our window (which we don't expect to happen for+ // actual user flows, but is possible for fuzzers to trigger). We just nerf+ // the ReflowInput's contributions to the std::max() expressions below,+ // which does indeed make us "size to content", via letting std::max()+ // choose the scaled iSize/bSize expressions.+ availableISize = computedBSize = 0;+ } aReflowOutput.ISize(wm) =- std::max(NSToCoordFloor(iSize * scale), aReflowInput.AvailableISize());+ std::max(NSToCoordFloor(iSize * scale), availableISize); aReflowOutput.BSize(wm) =- std::max(NSToCoordFloor(bSize * scale), aReflowInput.ComputedBSize());+ std::max(NSToCoordFloor(bSize * scale), computedBSize); aReflowOutput.SetOverflowAreasToDesiredBounds(); }@@ -275,6 +286,9 @@ // When we're displayed on-screen, the computed size that we're given is // the size of our scrollport. We need to save this for use in // GetPrintPreviewScale.+ // (NOTE: It's possible but unlikely that we have an unconstrained BSize+ // here, if we're being sized to content. GetPrintPreviewScale() checks+ // for and handles this, when making use of this member-var.) mScrollportSize = aReflowInput.ComputedSize(); }
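Review bot: The guard in the first hunk tests only `computedBSize == NS_UNCONSTRAINEDSIZE` yet zeroes both `availableISize` and `computedBSize`. If `aReflowInput.AvailableISize()` can ever be NS_UNCONSTRAINEDSIZE while the block size is constrained, `std::max(NSToCoordFloor(iSize * scale), availableISize)` still propagates the sentinel into `aReflowOutput.ISize(wm)`, which is exactly the class of value the patch is trying to keep out of the max() expressions. Either add a `MOZ_ASSERT(availableISize != NS_UNCONSTRAINEDSIZE)` to document that this cannot happen, or extend the check to both inputs. The comment already says fuzzers can reach this path; the bug reference belongs next to it so the second hunk's NOTE in the on-screen branch can point at the same rationale.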
Here's the analysis of the provided code diff following the specified format:

1. Vulnerability Existed: not sure
[Potential Integer Overflow/Unconstrained Size Handling] [layout/generic/nsPageSequenceFrame.cpp] [Lines 190-201]
[Old Code]
```cpp
aReflowOutput.ISize(wm) =
    std::max(NSToCoordFloor(iSize * scale), aReflowInput.AvailableISize());
aReflowOutput.BSize(wm) =
    std::max(NSToCoordFloor(bSize * scale), aReflowInput.ComputedBSize());
```
[Fixed Code]
```cpp
nscoord availableISize = aReflowInput.AvailableISize();
nscoord computedBSize = aReflowInput.ComputedBSize();
if (MOZ_UNLIKELY(computedBSize == NS_UNCONSTRAINEDSIZE)) {
  availableISize = computedBSize = 0;
}
aReflowOutput.ISize(wm) =
    std::max(NSToCoordFloor(iSize * scale), availableISize);
aReflowOutput.BSize(wm) =
    std::max(NSToCoordFloor(bSize * scale), computedBSize);
```
Additional Details: The fix adds handling for unconstrained BSize cases (NS_UNCONSTRAINEDSIZE) which could potentially lead to undefined behavior or incorrect layout calculations. While not explicitly a security vulnerability, improper handling of unconstrained sizes could potentially be exploited in some contexts.

2. Vulnerability Existed: no
[Documentation Improvement] [layout/generic/nsPageSequenceFrame.cpp] [Lines 275-286]
[Old Code]
```cpp
// When we're displayed on-screen, the computed size that we're given is
// the size of our scrollport. We need to save this for use in
// GetPrintPreviewScale.
```
[Fixed Code]
```cpp
// When we're displayed on-screen, the computed size that we're given is
// the size of our scrollport. We need to save this for use in
// GetPrintPreviewScale.
// (NOTE: It's possible but unlikely that we have an unconstrained BSize
// here, if we're being sized to content. GetPrintPreviewScale() checks
// for and handles this, when making use of this member-var.)
```
Additional Details: This change only adds clarifying comments about unconstrained BSize handling, with no actual code changes that would indicate a security fix.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/xpcom/threads/ThreadEventQueue.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/xpcom/threads/ThreadEventQueue.h@@ -52,8 +52,7 @@ Mutex& MutexRef() { return mLock; }- size_t SizeOfExcludingThis(- mozilla::MallocSizeOf aMallocSizeOf) const override;+ size_t SizeOfExcludingThis(mozilla::MallocSizeOf aMallocSizeOf) override; private: class NestedSink;@@ -63,7 +62,7 @@ bool PutEventInternal(already_AddRefed<nsIRunnable>&& aEvent, EventQueuePriority aPriority, NestedSink* aQueue);- UniquePtr<EventQueue> mBaseQueue;+ const UniquePtr<EventQueue> mBaseQueue; struct NestedQueueItem { UniquePtr<EventQueue> mQueue;
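Review bot: Dropping `const` from `SizeOfExcludingThis` while keeping `override` means the base-class virtual must have lost its `const` in the same patch; that is an interface change (the method can no longer be called on a `const ThreadEventQueue`), not a memory-management change, and the reason belongs in the commit description. In the second hunk, `const UniquePtr<EventQueue> mBaseQueue` prevents the pointer from being reset or reassigned after construction but says nothing about mutation of the EventQueue it owns, so it should not be read as a thread-safety fix; a short comment that mBaseQueue is fixed for the object's lifetime and still guarded by `mLock` for access would make the intent explicit.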
Analyzing the provided code diff for security fixes:

1. Vulnerability Existed: not sure
[Potential Memory Management Issue] [xpcom/threads/ThreadEventQueue.h] [Lines 52-53]
[Old Code]
size_t SizeOfExcludingThis(mozilla::MallocSizeOf aMallocSizeOf) const override;
[Fixed Code]
size_t SizeOfExcludingThis(mozilla::MallocSizeOf aMallocSizeOf) override;
Additional Details: The const qualifier was removed from the method. While this might indicate a change in memory management behavior, it's unclear if this was fixing a specific security vulnerability or just a behavioral change.

2. Vulnerability Existed: not sure
[Potential Thread Safety Issue] [xpcom/threads/ThreadEventQueue.h] [Lines 63]
[Old Code]
UniquePtr<EventQueue> mBaseQueue;
[Fixed Code]
const UniquePtr<EventQueue> mBaseQueue;
Additional Details: The mBaseQueue member was made const. This could potentially address thread safety concerns by preventing modifications after initialization, but it's not clear if this was fixing a specific security vulnerability or just improving code safety.

Note: Neither change clearly indicates a specific security vulnerability fix, but both appear to be hardening changes that could potentially prevent certain types of issues. The changes seem more related to code quality and safety than to fixing identified vulnerabilities.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-ui/outline-style-012.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-ui/outline-style-012.html@@ -6,7 +6,6 @@ <link rel="help" title="7.3. 'outline-style' property" href="http://www.w3.org/TR/css3-ui/#outline-style"> <link rel="help" href="http://www.w3.org/TR/CSS21/box.html#value-def-border-style"> <link rel="match" href="reference/outline-style-012-ref.html">-<meta name="flags" content=""> <meta name="assert" content="Test checks that the sub element outline style is same as parent element outline style when outline-style set inherit"> <style> #parent {
Based on the provided diff, I'll analyze it for potential security vulnerabilities:

Vulnerability Existed: no
No specific vulnerability [File] testing/web-platform/tests/css/css-ui/outline-style-012.html [Lines] 6
[Old Code]
<meta name="flags" content="">
[Fixed Code]
(removed line)

Additional Details: This change simply removes an empty meta tag for "flags" which appears to be test-related metadata. There's no security implication to this change, as it was just removing an unused or unnecessary HTML tag. The content was empty and the tag itself doesn't relate to any security-sensitive functionality. No other vulnerabilities or changes were detected in the provided diff. The rest of the diff shows unchanged context lines.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/clients/manager/ClientSource.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/clients/manager/ClientSource.h@@ -61,6 +61,7 @@ ClientInfo mClientInfo; Maybe<ServiceWorkerDescriptor> mController;+ Maybe<nsCOMPtr<nsIPrincipal>> mPrincipal; // Contained a de-duplicated list of ServiceWorker scope strings // for which this client has called navigator.serviceWorker.register().@@ -164,6 +165,8 @@ void NoteCalledRegisterForServiceWorkerScope(const nsACString& aScope); bool CalledRegisterForServiceWorkerScope(const nsACString& aScope);++ nsIPrincipal* GetPrincipal(); }; inline void ImplCycleCollectionUnlink(UniquePtr<ClientSource>& aField) {
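Review bot: `nsIPrincipal* GetPrincipal();` in the second hunk returns a raw pointer backed by the new `Maybe<nsCOMPtr<nsIPrincipal>> mPrincipal`, so the declaration needs a comment stating that the pointer is non-owning, may be null while mPrincipal is Nothing(), and is only valid for the lifetime of the ClientSource; a `const` qualifier on the accessor would also let const callers use it. The header already carries `ImplCycleCollectionUnlink` for `UniquePtr<ClientSource>`, so the patch should say whether the new member is deliberately left out of traverse/unlink and when mPrincipal gets populated, since a principal that is set late or never set changes what GetPrincipal() callers can rely on.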
Let me analyze the code diff for potential security fixes:

1. Vulnerability Existed: not sure
[Potential Principal Management Issue] [dom/clients/manager/ClientSource.h] [Lines 61-62]
[Old Code]
ClientInfo mClientInfo;
Maybe<ServiceWorkerDescriptor> mController;
[Fixed Code]
ClientInfo mClientInfo;
Maybe<ServiceWorkerDescriptor> mController;
Maybe<nsCOMPtr<nsIPrincipal>> mPrincipal;

2. Vulnerability Existed: not sure
[Potential Missing Principal Access Control] [dom/clients/manager/ClientSource.h] [Lines 164-165]
[Old Code]
bool CalledRegisterForServiceWorkerScope(const nsACString& aScope);
[Fixed Code]
bool CalledRegisterForServiceWorkerScope(const nsACString& aScope);
nsIPrincipal* GetPrincipal();

The changes involve:
1. Adding a new member variable `mPrincipal` to store a principal object
2. Adding a new method `GetPrincipal()` to access the principal

While I can't identify a specific known vulnerability from this diff alone, these changes suggest improvements in principal management, which is security-sensitive in browsers. The addition of principal storage and access methods could be related to fixing:
- Potential security issues around proper principal handling
- Missing access control checks
- Origin-related security policies

However, without more context about the actual security issue being fixed, I can't definitively name a specific vulnerability. These changes appear to be part of a broader security hardening effort.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/drawing-images-to-the-canvas/2d.drawImage.negativesource.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/drawing-images-to-the-canvas/2d.drawImage.negativesource.worker.js@@ -14,8 +14,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillRect(0, 0, 100, 50);@@ -32,16 +32,16 @@ createImageBitmap(response).then(bitmap => { ctx.drawImage(bitmap, 100, 78, -100, 50, 0, 0, 50, 50); ctx.drawImage(bitmap, 100, 128, -100, -50, 50, 0, 50, 50);- _assertPixelApprox(offscreenCanvas, 1,1, 0,255,0,255, "1,1", "0,255,0,255", 2);- _assertPixelApprox(offscreenCanvas, 1,48, 0,255,0,255, "1,48", "0,255,0,255", 2);- _assertPixelApprox(offscreenCanvas, 98,1, 0,255,0,255, "98,1", "0,255,0,255", 2);- _assertPixelApprox(offscreenCanvas, 98,48, 0,255,0,255, "98,48", "0,255,0,255", 2);- _assertPixelApprox(offscreenCanvas, 48,1, 0,255,0,255, "48,1", "0,255,0,255", 2);- _assertPixelApprox(offscreenCanvas, 48,48, 0,255,0,255, "48,48", "0,255,0,255", 2);- _assertPixelApprox(offscreenCanvas, 51,1, 0,255,0,255, "51,1", "0,255,0,255", 2);- _assertPixelApprox(offscreenCanvas, 51,48, 0,255,0,255, "51,48", "0,255,0,255", 2);- _assertPixelApprox(offscreenCanvas, 25,25, 0,255,0,255, "25,25", "0,255,0,255", 2);- _assertPixelApprox(offscreenCanvas, 75,25, 0,255,0,255, "75,25", "0,255,0,255", 2);+ _assertPixelApprox(canvas, 1,1, 0,255,0,255, "1,1", "0,255,0,255", 2);+ _assertPixelApprox(canvas, 1,48, 0,255,0,255, "1,48", "0,255,0,255", 2);+ _assertPixelApprox(canvas, 98,1, 0,255,0,255, "98,1", "0,255,0,255", 2);+ _assertPixelApprox(canvas, 98,48, 0,255,0,255, 
"98,48", "0,255,0,255", 2);+ _assertPixelApprox(canvas, 48,1, 0,255,0,255, "48,1", "0,255,0,255", 2);+ _assertPixelApprox(canvas, 48,48, 0,255,0,255, "48,48", "0,255,0,255", 2);+ _assertPixelApprox(canvas, 51,1, 0,255,0,255, "51,1", "0,255,0,255", 2);+ _assertPixelApprox(canvas, 51,48, 0,255,0,255, "51,48", "0,255,0,255", 2);+ _assertPixelApprox(canvas, 25,25, 0,255,0,255, "25,25", "0,255,0,255", 2);+ _assertPixelApprox(canvas, 75,25, 0,255,0,255, "75,25", "0,255,0,255", 2); }, t_fail); }).then(t_pass, t_fail);
After analyzing the provided code diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely variable renaming (from `offscreenCanvas` to `canvas`) and corresponding updates to the variable name in the assertion calls. Here's the analysis:

1. Vulnerability Existed: no
No security vulnerability found [File] [Lines 14-16, 32-42]

Old Code:
```javascript
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
// ... various _assertPixelApprox calls using offscreenCanvas
```

Fixed Code:
```javascript
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
// ... various _assertPixelApprox calls using canvas
```

The changes are purely cosmetic/refactoring in nature and don't address any security issues. The functionality remains exactly the same, only the variable name has been changed for consistency or clarity.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/shadows/2d.shadow.gradient.alpha.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/shadows/2d.shadow.gradient.alpha.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); var gradient = ctx.createLinearGradient(0, 0, 100, 0); gradient.addColorStop(0, 'rgba(255,0,0,0.5)');@@ -25,7 +25,7 @@ ctx.shadowColor = '#00f'; ctx.fillStyle = gradient; ctx.fillRect(0, -50, 100, 50);-_assertPixelApprox(offscreenCanvas, 50,25, 127,0,127,255, "50,25", "127,0,127,255", 2);+_assertPixelApprox(canvas, 50,25, 127,0,127,255, "50,25", "127,0,127,255", 2); t.done(); });
Based on the provided diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely variable renaming and don't affect security. Here's the analysis:

1. Vulnerability Existed: no
Variable Renaming [testing/web-platform/tests/html/canvas/offscreen/shadows/2d.shadow.gradient.alpha.worker.js] [Lines 13-14, 25]
Old Code:
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
_assertPixelApprox(offscreenCanvas, 50,25, 127,0,127,255, "50,25", "127,0,127,255", 2);
Fixed Code:
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
_assertPixelApprox(canvas, 50,25, 127,0,127,255, "50,25", "127,0,127,255", 2);

The changes simply rename the variable `offscreenCanvas` to `canvas` for consistency or readability, with no security implications. No actual functionality or security-related behavior was modified.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/toolkit/components/pdfjs/content/build/pdf.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/toolkit/components/pdfjs/content/build/pdf.worker.js@@ -2,7 +2,7 @@ * @licstart The following is the entire license notice for the * Javascript code in this page *- * Copyright 2021 Mozilla Foundation+ * Copyright 2022 Mozilla Foundation * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License.@@ -50,13 +50,15 @@ var _pdf_manager = __w_pdfjs_require__(7);-var _writer = __w_pdfjs_require__(71);+var _cleanup_helper = __w_pdfjs_require__(66);++var _writer = __w_pdfjs_require__(72); var _is_node = __w_pdfjs_require__(4);-var _message_handler = __w_pdfjs_require__(99);--var _worker_stream = __w_pdfjs_require__(100);+var _message_handler = __w_pdfjs_require__(100);++var _worker_stream = __w_pdfjs_require__(101); var _core_utils = __w_pdfjs_require__(9);@@ -115,7 +117,7 @@ const WorkerTasks = []; const verbosity = (0, _util.getVerbosityLevel)(); const apiVersion = docParams.apiVersion;- const workerVersion = '2.13.24';+ const workerVersion = '2.13.93'; if (apiVersion !== workerVersion) { throw new Error(`The API version "${apiVersion}" does not match ` + `the Worker version "${workerVersion}".`);@@ -649,7 +651,7 @@ waitOn.push(cleanupPromise); pdfManager = null; } else {- (0, _primitives.clearPrimitiveCaches)();+ (0, _cleanup_helper.clearGlobalCaches)(); } if (cancelXHRs) {@@ -721,7 +723,6 @@ exports.isString = isString; exports.objectFromMap = objectFromMap; exports.objectSize = objectSize;-exports.removeNullCharacters = removeNullCharacters; exports.setVerbosityLevel = setVerbosityLevel; exports.shadow = shadow; exports.string32 = string32;@@ -1268,24 +1269,12 @@ } exports.AbortException = AbortException;-const NullCharactersRegExp = 
/\x00+/g;-const InvisibleCharactersRegExp = /[\x01-\x1F]/g;--function removeNullCharacters(str, replaceInvisible = false) {- if (typeof str !== "string") {- warn("The argument for removeNullCharacters must be a string.");- return str;- }-- if (replaceInvisible) {- str = str.replace(InvisibleCharactersRegExp, " ");- }-- return str.replace(NullCharactersRegExp, "");-} function bytesToString(bytes) {- assert(bytes !== null && typeof bytes === "object" && bytes.length !== undefined, "Invalid argument for bytesToString");+ if (typeof bytes !== "object" || bytes === null || bytes.length === undefined) {+ unreachable("Invalid argument for bytesToString");+ }+ const length = bytes.length; const MAX_ARGUMENT_COUNT = 8192;@@ -1305,7 +1294,10 @@ } function stringToBytes(str) {- assert(typeof str === "string", "Invalid argument for stringToBytes");+ if (typeof str !== "string") {+ unreachable("Invalid argument for stringToBytes");+ }+ const length = str.length; const bytes = new Uint8Array(length);@@ -1321,8 +1313,11 @@ return arr.length; }- assert(arr.byteLength !== undefined, "arrayByteLength - invalid argument.");- return arr.byteLength;+ if (arr.byteLength !== undefined) {+ return arr.byteLength;+ }++ unreachable("Invalid argument for arrayByteLength"); } function arraysToBytes(arr) {@@ -1582,22 +1577,35 @@ const PDFStringTranslateTable = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x2d8, 0x2c7, 0x2c6, 0x2d9, 0x2dd, 0x2db, 0x2da, 0x2dc, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x2022, 0x2020, 0x2021, 0x2026, 0x2014, 0x2013, 0x192, 0x2044, 0x2039, 0x203a, 0x2212, 0x2030, 0x201e, 0x201c, 0x201d, 0x2018, 0x2019, 0x201a, 0x2122, 0xfb01, 0xfb02, 0x141, 0x152, 0x160, 0x178, 0x17d, 0x131, 0x142, 0x153, 0x161, 
0x17e, 0, 0x20ac]; function stringToPDFString(str) {- const length = str.length,- strBuf = [];-- if (str[0] === "\xFE" && str[1] === "\xFF") {- for (let i = 2; i < length; i += 2) {- strBuf.push(String.fromCharCode(str.charCodeAt(i) << 8 | str.charCodeAt(i + 1)));- }- } else if (str[0] === "\xFF" && str[1] === "\xFE") {- for (let i = 2; i < length; i += 2) {- strBuf.push(String.fromCharCode(str.charCodeAt(i + 1) << 8 | str.charCodeAt(i)));- }- } else {- for (let i = 0; i < length; ++i) {- const code = PDFStringTranslateTable[str.charCodeAt(i)];- strBuf.push(code ? String.fromCharCode(code) : str.charAt(i));- }+ if (str[0] >= "\xEF") {+ let encoding;++ if (str[0] === "\xFE" && str[1] === "\xFF") {+ encoding = "utf-16be";+ } else if (str[0] === "\xFF" && str[1] === "\xFE") {+ encoding = "utf-16le";+ } else if (str[0] === "\xEF" && str[1] === "\xBB" && str[2] === "\xBF") {+ encoding = "utf-8";+ }++ if (encoding) {+ try {+ const decoder = new TextDecoder(encoding, {+ fatal: true+ });+ const buffer = stringToBytes(str);+ return decoder.decode(buffer);+ } catch (ex) {+ warn(`stringToPDFString: "${ex}".`);+ }+ }+ }++ const strBuf = [];++ for (let i = 0, ii = str.length; i < ii; i++) {+ const code = PDFStringTranslateTable[str.charCodeAt(i)];+ strBuf.push(code ? 
String.fromCharCode(code) : str.charAt(i)); } return strBuf.join("");@@ -3643,10 +3651,10 @@ var _util = __w_pdfjs_require__(2);+var _core_utils = __w_pdfjs_require__(9);+ var _primitives = __w_pdfjs_require__(5);-var _core_utils = __w_pdfjs_require__(9);- var _xfa_fonts = __w_pdfjs_require__(12); var _stream = __w_pdfjs_require__(10);@@ -3655,13 +3663,15 @@ var _base_stream = __w_pdfjs_require__(6);-var _crypto = __w_pdfjs_require__(72);+var _crypto = __w_pdfjs_require__(73); var _catalog = __w_pdfjs_require__(64);+var _cleanup_helper = __w_pdfjs_require__(66);+ var _parser = __w_pdfjs_require__(27);-var _object_loader = __w_pdfjs_require__(70);+var _object_loader = __w_pdfjs_require__(71); var _operator_list = __w_pdfjs_require__(62);@@ -3669,11 +3679,11 @@ var _decode_stream = __w_pdfjs_require__(29);-var _struct_tree = __w_pdfjs_require__(69);--var _factory = __w_pdfjs_require__(74);--var _xref = __w_pdfjs_require__(98);+var _struct_tree = __w_pdfjs_require__(70);++var _factory = __w_pdfjs_require__(75);++var _xref = __w_pdfjs_require__(99); const DEFAULT_USER_UNIT = 1.0; const LETTER_SIZE_MEDIABOX = [0, 0, 612, 792];@@ -4916,7 +4926,7 @@ } async cleanup(manuallyTriggered = false) {- return this.catalog ? this.catalog.cleanup(manuallyTriggered) : (0, _primitives.clearPrimitiveCaches)();+ return this.catalog ? 
this.catalog.cleanup(manuallyTriggered) : (0, _cleanup_helper.clearGlobalCaches)(); } _collectFieldObjects(name, fieldRef, promises) {@@ -5694,6 +5704,8 @@ Object.defineProperty(exports, "__esModule", ({ value: true }));+exports.clearUnicodeCaches = clearUnicodeCaches;+exports.getCharUnicodeCategory = getCharUnicodeCategory; exports.getNormalizedUnicodes = void 0; exports.getUnicodeForGlyph = getUnicodeForGlyph; exports.getUnicodeRangeFor = getUnicodeRangeFor;@@ -6196,6 +6208,30 @@ return buf.join(""); }+const SpecialCharRegExp = new RegExp("^(\\s)|(\\p{Mn})|(\\p{Cf})$", "u");+const CategoryCache = new Map();++function getCharUnicodeCategory(char) {+ const cachedCategory = CategoryCache.get(char);++ if (cachedCategory) {+ return cachedCategory;+ }++ const groups = char.match(SpecialCharRegExp);+ const category = {+ isWhitespace: !!(groups && groups[1]),+ isZeroWidthDiacritic: !!(groups && groups[2]),+ isInvisibleFormatMark: !!(groups && groups[3])+ };+ CategoryCache.set(char, category);+ return category;+}++function clearUnicodeCaches() {+ CategoryCache.clear();+}+ /***/ }), /* 22 */ /***/ ((__unused_webpack_module, exports, __w_pdfjs_require__) => {@@ -6222,17 +6258,17 @@ var _colorspace = __w_pdfjs_require__(24);-var _file_spec = __w_pdfjs_require__(66);--var _object_loader = __w_pdfjs_require__(70);+var _file_spec = __w_pdfjs_require__(67);++var _object_loader = __w_pdfjs_require__(71); var _operator_list = __w_pdfjs_require__(62); var _stream = __w_pdfjs_require__(10);-var _writer = __w_pdfjs_require__(71);--var _factory = __w_pdfjs_require__(74);+var _writer = __w_pdfjs_require__(72);++var _factory = __w_pdfjs_require__(75); class AnnotationFactory { static create(xref, ref, pdfManager, idFactory, collectFields) {@@ -10846,6 +10882,10 @@ } }+ if (this.parsingType3Font && this.type3FontRefs.has(fontRef)) {+ return errorFont();+ }+ if (this.fontCache.has(fontRef)) { return this.fontCache.get(fontRef); }@@ -11746,8 +11786,6 @@ }) { resources = resources || 
_primitives.Dict.empty; stateManager = stateManager || new StateManager(new TextState());- const WhitespaceRegexp = /\s/g;- const DiacriticRegExp = new RegExp("^\\p{Mn}$", "u"); const NormalizedUnicodes = (0, _unicode.getNormalizedUnicodes)(); const textContent = { items: [],@@ -11866,24 +11904,11 @@ textContentItem.textAdvanceScale = scaleFactor; }- function replaceWhitespace(str) {- const ii = str.length;- let i = 0,- code;-- while (i < ii && (code = str.charCodeAt(i)) >= 0x20 && code <= 0x7f) {- i++;- }-- return i < ii ? str.replace(WhitespaceRegexp, " ") : str;- }- function runBidiTransform(textChunk) { const text = textChunk.str.join(""); const bidiResult = (0, _bidi.bidi)(text, -1, textChunk.vertical);- const str = normalizeWhitespace ? replaceWhitespace(bidiResult.str) : bidiResult.str; return {- str,+ str: bidiResult.str, dir: bidiResult.dir, width: Math.abs(textChunk.totalWidth), height: Math.abs(textChunk.totalHeight),@@ -11908,6 +11933,11 @@ }); }+ function applyInverseRotation(x, y, matrix) {+ const scale = Math.hypot(matrix[0], matrix[1]);+ return [(matrix[0] * x + matrix[1] * y) / scale, (matrix[2] * x + matrix[3] * y) / scale];+ }+ function compareWithLastPosition() { if (!combineTextItems || !textState.font || !textContentItem.prevTransform) { return;@@ -11923,30 +11953,35 @@ return; }- let rotate = 0;+ let rotate = -1; if (currentTransform[0] && currentTransform[1] === 0 && currentTransform[2] === 0) { rotate = currentTransform[0] > 0 ? 0 : 180; } else if (currentTransform[1] && currentTransform[0] === 0 && currentTransform[3] === 0) {- rotate += currentTransform[1] > 0 ? 90 : 270;- }-- if (rotate !== 0) {- switch (rotate) {- case 90:- [posX, posY] = [posY, posX];- [lastPosX, lastPosY] = [lastPosY, lastPosX];- break;-- case 180:- [posX, posY, lastPosX, lastPosY] = [-posX, -posY, -lastPosX, -lastPosY];- break;-- case 270:- [posX, posY] = [-posY, -posX];- [lastPosX, lastPosY] = [-lastPosY, -lastPosX];- break;- }+ rotate = currentTransform[1] > 0 ? 
90 : 270;+ }++ switch (rotate) {+ case 0:+ break;++ case 90:+ [posX, posY] = [posY, posX];+ [lastPosX, lastPosY] = [lastPosY, lastPosX];+ break;++ case 180:+ [posX, posY, lastPosX, lastPosY] = [-posX, -posY, -lastPosX, -lastPosY];+ break;++ case 270:+ [posX, posY] = [-posY, -posX];+ [lastPosX, lastPosY] = [-lastPosY, -lastPosX];+ break;++ default:+ [posX, posY] = applyInverseRotation(posX, posY, currentTransform);+ [lastPosX, lastPosY] = applyInverseRotation(lastPosX, lastPosY, textContentItem.prevTransform); } if (textState.font.vertical) {@@ -11964,7 +11999,7 @@ return; }- if (Math.abs(advanceX) > textContentItem.height) {+ if (Math.abs(advanceX) > textContentItem.width) { appendEOL(); return; }@@ -12053,6 +12088,11 @@ for (let i = 0, ii = glyphs.length; i < ii; i++) { const glyph = glyphs[i];++ if (glyph.isInvisibleFormatMark) {+ continue;+ }+ let charSpacing = textState.charSpacing + (i + 1 === ii ? extraSpacing : 0); let glyphWidth = glyph.width;@@ -12061,9 +12101,8 @@ } let scaledDim = glyphWidth * scale;- let glyphUnicode = glyph.unicode;-- if (glyphUnicode === " " && (i === 0 || i + 1 === ii || glyphs[i - 1].unicode === " " || glyphs[i + 1].unicode === " " || extraSpacing)) {++ if (glyph.isWhitespace && (i === 0 || i + 1 === ii || glyphs[i - 1].isWhitespace || glyphs[i + 1].isWhitespace || extraSpacing)) { if (!font.vertical) { charSpacing += scaledDim + textState.wordSpacing; textState.translateTextMatrix(charSpacing * textState.textHScale, 0);@@ -12078,7 +12117,7 @@ compareWithLastPosition(); const textChunk = ensureTextContentItem();- if (DiacriticRegExp.test(glyph.unicode)) {+ if (glyph.isZeroWidthDiacritic) { scaledDim = 0; }@@ -12096,9 +12135,14 @@ textChunk.prevTransform = getCurrentTextTransform(); }- glyphUnicode = NormalizedUnicodes[glyphUnicode] || glyphUnicode;- glyphUnicode = (0, _unicode.reverseIfRtl)(glyphUnicode);- textChunk.str.push(glyphUnicode);+ if (glyph.isWhitespace && normalizeWhitespace) {+ textChunk.str.push(" ");+ } else {+ let 
glyphUnicode = glyph.unicode;+ glyphUnicode = NormalizedUnicodes[glyphUnicode] || glyphUnicode;+ glyphUnicode = (0, _unicode.reverseIfRtl)(glyphUnicode);+ textChunk.str.push(glyphUnicode);+ } if (charSpacing) { if (!font.vertical) {@@ -13536,6 +13580,13 @@ ignoreErrors: false }); type3Evaluator.parsingType3Font = true;+ const type3FontRefs = new _primitives.RefSet(evaluator.type3FontRefs);++ if (this.dict.objId && !type3FontRefs.has(this.dict.objId)) {+ type3FontRefs.put(this.dict.objId);+ }++ type3Evaluator.type3FontRefs = type3FontRefs; const translatedFont = this.font, type3Dependencies = this.type3Dependencies; let loadCharProcsPromise = Promise.resolve();@@ -24879,13 +24930,13 @@ var _fonts_utils = __w_pdfjs_require__(18);+var _unicode = __w_pdfjs_require__(21);+ var _glyphlist = __w_pdfjs_require__(20); var _encodings = __w_pdfjs_require__(19); var _standard_fonts = __w_pdfjs_require__(47);--var _unicode = __w_pdfjs_require__(21); var _to_unicode_map = __w_pdfjs_require__(48);@@ -25004,6 +25055,10 @@ this.operatorListId = operatorListId; this.isSpace = isSpace; this.isInFont = isInFont;+ const category = (0, _unicode.getCharUnicodeCategory)(unicode);+ this.isWhitespace = category.isWhitespace;+ this.isZeroWidthDiacritic = category.isZeroWidthDiacritic;+ this.isInvisibleFormatMark = category.isInvisibleFormatMark; } matchesForCache(originalCharCode, fontChar, unicode, accent, width, vmetric, operatorListId, isSpace, isInFont) {@@ -30626,12 +30681,24 @@ var _stream = __w_pdfjs_require__(10);-function getLong(data, offset) {- return data[offset] << 24 | data[offset + 1] << 16 | data[offset + 2] << 8 | data[offset + 3];-}--function getUshort(data, offset) {+function getUint32(data, offset) {+ return (data[offset] << 24 | data[offset + 1] << 16 | data[offset + 2] << 8 | data[offset + 3]) >>> 0;+}++function getUint16(data, offset) { return data[offset] << 8 | data[offset + 1];+}++function getInt16(data, offset) {+ return (data[offset] << 24 | data[offset + 1] << 
16) >> 16;+}++function getInt8(data, offset) {+ return data[offset] << 24 >> 24;+}++function getFloat214(data, offset) {+ return getInt16(data, offset) / 16384; } function getSubroutineBias(subrs) {@@ -30648,34 +30715,34 @@ } function parseCmap(data, start, end) {- const offset = getUshort(data, start + 2) === 1 ? getLong(data, start + 8) : getLong(data, start + 16);- const format = getUshort(data, start + offset);+ const offset = getUint16(data, start + 2) === 1 ? getUint32(data, start + 8) : getUint32(data, start + 16);+ const format = getUint16(data, start + offset); let ranges, p, i; if (format === 4) {- getUshort(data, start + offset + 2);- const segCount = getUshort(data, start + offset + 6) >> 1;+ getUint16(data, start + offset + 2);+ const segCount = getUint16(data, start + offset + 6) >> 1; p = start + offset + 14; ranges = []; for (i = 0; i < segCount; i++, p += 2) { ranges[i] = {- end: getUshort(data, p)+ end: getUint16(data, p) }; } p += 2; for (i = 0; i < segCount; i++, p += 2) {- ranges[i].start = getUshort(data, p);+ ranges[i].start = getUint16(data, p); } for (i = 0; i < segCount; i++, p += 2) {- ranges[i].idDelta = getUshort(data, p);+ ranges[i].idDelta = getUint16(data, p); } for (i = 0; i < segCount; i++, p += 2) {- let idOffset = getUshort(data, p);+ let idOffset = getUint16(data, p); if (idOffset === 0) { continue;@@ -30684,23 +30751,23 @@ ranges[i].ids = []; for (let j = 0, jj = ranges[i].end - ranges[i].start + 1; j < jj; j++) {- ranges[i].ids[j] = getUshort(data, p + idOffset);+ ranges[i].ids[j] = getUint16(data, p + idOffset); idOffset += 2; } } return ranges; } else if (format === 12) {- getLong(data, start + offset + 4);- const groups = getLong(data, start + offset + 12);+ const groups = getUint32(data, start + offset + 12); p = start + offset + 16; ranges = []; for (i = 0; i < groups; i++) {+ start = getUint32(data, p); ranges.push({- start: getLong(data, p),- end: getLong(data, p + 4),- idDelta: getLong(data, p + 8) - getLong(data, p)+ 
start,+ end: getUint32(data, p + 4),+ idDelta: getUint32(data, p + 8) - start }); p += 12; }@@ -30730,16 +30797,11 @@ if (isGlyphLocationsLong) { itemSize = 4;-- itemDecode = function fontItemDecodeLong(data, offset) {- return data[offset] << 24 | data[offset + 1] << 16 | data[offset + 2] << 8 | data[offset + 3];- };+ itemDecode = getUint32; } else { itemSize = 2;- itemDecode = function fontItemDecode(data, offset) {- return data[offset] << 9 | data[offset + 1] << 1;- };+ itemDecode = (data, offset) => 2 * getUint16(data, offset); } const glyphs = [];@@ -30803,7 +30865,7 @@ } let i = 0;- const numberOfContours = (code[i] << 24 | code[i + 1] << 16) >> 16;+ const numberOfContours = getInt16(code, i); let flags; let x = 0, y = 0;@@ -30811,18 +30873,29 @@ if (numberOfContours < 0) { do {- flags = code[i] << 8 | code[i + 1];- const glyphIndex = code[i + 2] << 8 | code[i + 3];+ flags = getUint16(code, i);+ const glyphIndex = getUint16(code, i + 2); i += 4; let arg1, arg2; if (flags & 0x01) {- arg1 = (code[i] << 24 | code[i + 1] << 16) >> 16;- arg2 = (code[i + 2] << 24 | code[i + 3] << 16) >> 16;+ if (flags & 0x02) {+ arg1 = getInt16(code, i);+ arg2 = getInt16(code, i + 2);+ } else {+ arg1 = getUint16(code, i);+ arg2 = getUint16(code, i + 2);+ }+ i += 4; } else {- arg1 = code[i++];- arg2 = code[i++];+ if (flags & 0x02) {+ arg1 = getInt8(code, i++);+ arg2 = getInt8(code, i++);+ } else {+ arg1 = code[i++];+ arg2 = code[i++];+ } } if (flags & 0x02) {@@ -30839,17 +30912,17 @@ scale10 = 0; if (flags & 0x08) {- scaleX = scaleY = (code[i] << 24 | code[i + 1] << 16) / 1073741824;+ scaleX = scaleY = getFloat214(code, i); i += 2; } else if (flags & 0x40) {- scaleX = (code[i] << 24 | code[i + 1] << 16) / 1073741824;- scaleY = (code[i + 2] << 24 | code[i + 3] << 16) / 1073741824;+ scaleX = getFloat214(code, i);+ scaleY = getFloat214(code, i + 2); i += 4; } else if (flags & 0x80) {- scaleX = (code[i] << 24 | code[i + 1] << 16) / 1073741824;- scale01 = (code[i + 2] << 24 | code[i + 3] 
<< 16) / 1073741824;- scale10 = (code[i + 4] << 24 | code[i + 5] << 16) / 1073741824;- scaleY = (code[i + 6] << 24 | code[i + 7] << 16) / 1073741824;+ scaleX = getFloat214(code, i);+ scale01 = getFloat214(code, i + 2);+ scale10 = getFloat214(code, i + 4);+ scaleY = getFloat214(code, i + 6); i += 8; }@@ -30862,6 +30935,9 @@ cmd: "transform", args: [scaleX, scale01, scale10, scaleY, x, y] });++ if (!(flags & 0x02)) {}+ compileGlyf(subglyph, cmds, font); cmds.push({ cmd: "restore"@@ -30873,11 +30949,11 @@ let j, jj; for (j = 0; j < numberOfContours; j++) {- endPtsOfContours.push(code[i] << 8 | code[i + 1]);+ endPtsOfContours.push(getUint16(code, i)); i += 2; }- const instructionLength = code[i] << 8 | code[i + 1];+ const instructionLength = getUint16(code, i); i += 2 + instructionLength; const numberOfPoints = endPtsOfContours[endPtsOfContours.length - 1] + 1; const points = [];@@ -30900,7 +30976,7 @@ for (j = 0; j < numberOfPoints; j++) { switch (points[j].flags & 0x12) { case 0x00:- x += (code[i] << 24 | code[i + 1] << 16) >> 16;+ x += getInt16(code, i); i += 2; break;@@ -30919,7 +30995,7 @@ for (j = 0; j < numberOfPoints; j++) { switch (points[j].flags & 0x24) { case 0x00:- y += (code[i] << 24 | code[i + 1] << 16) >> 16;+ y += getInt16(code, i); i += 2; break;@@ -31537,12 +31613,12 @@ static create(font, seacAnalysisEnabled) { const data = new Uint8Array(font.data); let cmap, glyf, loca, cff, indexToLocFormat, unitsPerEm;- const numTables = getUshort(data, 4);+ const numTables = getUint16(data, 4); for (let i = 0, p = 12; i < numTables; i++, p += 16) { const tag = (0, _util.bytesToString)(data.subarray(p, p + 4));- const offset = getLong(data, p + 8);- const length = getLong(data, p + 12);+ const offset = getUint32(data, p + 8);+ const length = getUint32(data, p + 12); switch (tag) { case "cmap":@@ -31558,8 +31634,8 @@ break; case "head":- unitsPerEm = getUshort(data, offset + 18);- indexToLocFormat = getUshort(data, offset + 50);+ unitsPerEm = getUint16(data, 
offset + 18);+ indexToLocFormat = getUint16(data, offset + 50); break; case "CFF ":@@ -32121,14 +32197,12 @@ pos += 4; flags ^= ARG_1_AND_2_ARE_WORDS; } else {- argument1 = glyf.getUint8(pos);- argument2 = glyf.getUint8(pos + 1);- if (flags & ARGS_ARE_XY_VALUES) {- const abs1 = argument1 & 0x7f;- argument1 = argument1 & 0x80 ? -abs1 : abs1;- const abs2 = argument2 & 0x7f;- argument2 = argument2 & 0x80 ? -abs2 : abs2;+ argument1 = glyf.getInt8(pos);+ argument2 = glyf.getInt8(pos + 1);+ } else {+ argument1 = glyf.getUint8(pos);+ argument2 = glyf.getUint8(pos + 1); } pos += 2;@@ -33191,6 +33265,11 @@ return this.currentChar = this.stream.getByte(); }+ prevChar() {+ this.stream.skip(-2);+ return this.currentChar = this.stream.getByte();+ }+ getToken() { let comment = false; let ch = this.currentChar;@@ -33287,6 +33366,8 @@ if (token === "noaccess") { this.getToken();+ } else if (token === "/") {+ this.prevChar(); } charstrings.push({@@ -41046,25 +41127,27 @@ })); exports.Catalog = void 0;+var _core_utils = __w_pdfjs_require__(9);++var _util = __w_pdfjs_require__(2);+ var _primitives = __w_pdfjs_require__(5);-var _core_utils = __w_pdfjs_require__(9);--var _util = __w_pdfjs_require__(2);- var _name_number_tree = __w_pdfjs_require__(65); var _base_stream = __w_pdfjs_require__(6);+var _cleanup_helper = __w_pdfjs_require__(66);+ var _colorspace = __w_pdfjs_require__(24);-var _file_spec = __w_pdfjs_require__(66);+var _file_spec = __w_pdfjs_require__(67); var _image_utils = __w_pdfjs_require__(58);-var _metadata_parser = __w_pdfjs_require__(67);--var _struct_tree = __w_pdfjs_require__(69);+var _metadata_parser = __w_pdfjs_require__(68);++var _struct_tree = __w_pdfjs_require__(70); function fetchDestination(dest) { if (dest instanceof _primitives.Dict) {@@ -42163,7 +42246,7 @@ } cleanup(manuallyTriggered = false) {- (0, _primitives.clearPrimitiveCaches)();+ (0, _cleanup_helper.clearGlobalCaches)(); this.globalImageCache.clear(manuallyTriggered); 
this.pageKidsCountCache.clear(); this.pageIndexCache.clear();@@ -42871,6 +42954,26 @@ Object.defineProperty(exports, "__esModule", ({ value: true }));+exports.clearGlobalCaches = clearGlobalCaches;++var _primitives = __w_pdfjs_require__(5);++var _unicode = __w_pdfjs_require__(21);++function clearGlobalCaches() {+ (0, _primitives.clearPrimitiveCaches)();+ (0, _unicode.clearUnicodeCaches)();+}++/***/ }),+/* 67 */+/***/ ((__unused_webpack_module, exports, __w_pdfjs_require__) => {++++Object.defineProperty(exports, "__esModule", ({+ value: true+})); exports.FileSpec = void 0; var _primitives = __w_pdfjs_require__(5);@@ -42967,7 +43070,7 @@ exports.FileSpec = FileSpec; /***/ }),-/* 67 */+/* 68 */ /***/ ((__unused_webpack_module, exports, __w_pdfjs_require__) => {@@ -42977,7 +43080,7 @@ })); exports.MetadataParser = void 0;-var _xml_parser = __w_pdfjs_require__(68);+var _xml_parser = __w_pdfjs_require__(69); class MetadataParser { constructor(data) {@@ -43106,7 +43209,7 @@ exports.MetadataParser = MetadataParser; /***/ }),-/* 68 */+/* 69 */ /***/ ((__unused_webpack_module, exports, __w_pdfjs_require__) => {@@ -43653,7 +43756,7 @@ exports.SimpleXMLParser = SimpleXMLParser; /***/ }),-/* 69 */+/* 70 */ /***/ ((__unused_webpack_module, exports, __w_pdfjs_require__) => {@@ -44022,7 +44125,7 @@ exports.StructTreePage = StructTreePage; /***/ }),-/* 70 */+/* 71 */ /***/ ((__unused_webpack_module, exports, __w_pdfjs_require__) => {@@ -44170,7 +44273,7 @@ exports.ObjectLoader = ObjectLoader; /***/ }),-/* 71 */+/* 72 */ /***/ ((__unused_webpack_module, exports, __w_pdfjs_require__) => {@@ -44187,9 +44290,9 @@ var _core_utils = __w_pdfjs_require__(9);-var _xml_parser = __w_pdfjs_require__(68);--var _crypto = __w_pdfjs_require__(72);+var _xml_parser = __w_pdfjs_require__(69);++var _crypto = __w_pdfjs_require__(73); function writeDict(dict, buffer, transform) { buffer.push("<<");@@ -44524,7 +44627,7 @@ } /***/ }),-/* 72 */+/* 73 */ /***/ ((__unused_webpack_module, exports, 
__w_pdfjs_require__) => {@@ -44540,7 +44643,7 @@ var _primitives = __w_pdfjs_require__(5);-var _decrypt_stream = __w_pdfjs_require__(73);+var _decrypt_stream = __w_pdfjs_require__(74); class ARCFourCipher { constructor(key) {@@ -46115,7 +46218,7 @@ exports.CipherTransformFactory = CipherTransformFactory; /***/ }),-/* 73 */+/* 74 */ /***/ ((__unused_webpack_module, exports, __w_pdfjs_require__) => {@@ -46174,7 +46277,7 @@ exports.DecryptStream = DecryptStream; /***/ }),-/* 74 */+/* 75 */ /***/ ((__unused_webpack_module, exports, __w_pdfjs_require__) => {@@ -46184,21 +46287,21 @@ })); exports.XFAFactory = void 0;-var _xfa_object = __w_pdfjs_require__(75);--var _bind = __w_pdfjs_require__(79);--var _data = __w_pdfjs_require__(85);--var _fonts = __w_pdfjs_require__(83);--var _utils = __w_pdfjs_require__(76);+var _xfa_object = __w_pdfjs_require__(76);++var _bind = __w_pdfjs_require__(80);++var _data = __w_pdfjs_require__(86);++var _fonts = __w_pdfjs_require__(84);++var _utils = __w_pdfjs_require__(77); var _util = __w_pdfjs_require__(2);-var _parser = __w_pdfjs_require__(86);--var _xhtml = __w_pdfjs_require__(96);+var _parser = __w_pdfjs_require__(87);++var _xhtml = __w_pdfjs_require__(97); class XFAFactory { constructor(data) {@@ -46370,7 +46473,7 @@ exports.XFAFactory = XFAFactory; /***/ }),-/* 75 */+/* 76 */ /***/ ((__unused_webpack_module, exports, __w_pdfjs_require__) => {@@ -46380,15 +46483,15 @@ })); exports.XmlObject = exports.XFAObjectArray = exports.XFAObject = exports.XFAAttribute = exports.StringObject = exports.OptionObject = exports.Option10 = exports.Option01 = exports.IntegerObject = exports.ContentObject = exports.$uid = exports.$toStyle = exports.$toString = exports.$toPages = exports.$toHTML = exports.$text = exports.$tabIndex = exports.$setValue = exports.$setSetAttributes = exports.$setId = exports.$searchNode = exports.$root = exports.$resolvePrototypes = exports.$removeChild = exports.$pushPara = exports.$pushGlyphs = exports.$popPara = 
exports.$onText = exports.$onChildCheck = exports.$onChild = exports.$nsAttributes = exports.$nodeName = exports.$namespaceId = exports.$isUsable = exports.$isTransparent = exports.$isThereMoreWidth = exports.$isSplittable = exports.$isNsAgnostic = exports.$isDescendent = exports.$isDataValue = exports.$isCDATAXml = exports.$isBindable = exports.$insertAt = exports.$indexOf = exports.$ids = exports.$hasSettableValue = exports.$globalData = exports.$getTemplateRoot = exports.$getSubformParent = exports.$getRealChildrenByNameIt = exports.$getParent = exports.$getNextPage = exports.$getExtra = exports.$getDataValue = exports.$getContainedChildren = exports.$getChildrenByNameIt = exports.$getChildrenByName = exports.$getChildrenByClass = exports.$getChildren = exports.$getAvailableSpace = exports.$getAttributes = exports.$getAttributeIt = exports.$flushHTML = exports.$finalize = exports.$extra = exports.$dump = exports.$data = exports.$content = exports.$consumed = exports.$clone = exports.$cleanup = exports.$cleanPage = exports.$clean = exports.$childrenToHTML = exports.$appendChild = exports.$addHTML = exports.$acceptWhitespace = void 0;-var _utils = __w_pdfjs_require__(76);+var _utils = __w_pdfjs_require__(77); var _util = __w_pdfjs_require__(2); var _core_utils = __w_pdfjs_require__(9);-var _namespaces = __w_pdfjs_require__(77);--var _som = __w_pdfjs_require__(78);+var _namespaces = __w_pdfjs_require__(78);++var _som = __w_pdfjs_require__(79); const $acceptWhitespace = Symbol(); exports.$acceptWhitespace = $acceptWhitespace;@@ -47568,7 +47671,7 @@ exports.Option10 = Option10; /***/ }),-/* 76 */+/* 77 */ /***/ ((__unused_webpack_module, exports, __w_pdfjs_require__) => {@@ -47839,7 +47942,7 @@ exports.HTMLResult = HTMLResult; /***/ }),-/* 77 */+/* 78 */ /***/ ((__unused_webpack_module, exports) => {@@ -47915,7 +48018,7 @@ exports.NamespaceIds = NamespaceIds; /***/ }),-/* 78 */+/* 79 */ /***/ ((__unused_webpack_module, exports, __w_pdfjs_require__) => {@@ -47926,9 
+48029,9 @@ exports.createDataNode = createDataNode; exports.searchNode = searchNode;-var _xfa_object = __w_pdfjs_require__(75);--var _namespaces = __w_pdfjs_require__(77);+var _xfa_object = __w_pdfjs_require__(76);++var _namespaces = __w_pdfjs_require__(78); var _util = __w_pdfjs_require__(2);@@ -48263,7 +48366,7 @@ } /***/ }),-/* 79 */+/* 80 */ /***/ ((__unused_webpack_module, exports, __w_pdfjs_require__) => {@@ -48273,13 +48376,13 @@ })); exports.Binder = void 0;-var _xfa_object = __w_pdfjs_require__(75);--var _template = __w_pdfjs_require__(80);--var _som = __w_pdfjs_require__(78);--var _namespaces = __w_pdfjs_require__(77);+var _xfa_object = __w_pdfjs_require__(76);++var _template = __w_pdfjs_require__(81);++var _som = __w_pdfjs_require__(79);++var _namespaces = __w_pdfjs_require__(78); var _util = __w_pdfjs_require__(2);@@ -48862,7 +48965,7 @@ exports.Binder = Binder; /***/ }),-/* 80 */+/* 81 */ /***/ ((__unused_webpack_module, exports, __w_pdfjs_require__) => {@@ -48872,23 +48975,23 @@ })); exports.Value = exports.Text = exports.TemplateNamespace = exports.Template = exports.SetProperty = exports.Items = exports.Field = exports.BindItems = void 0;-var _xfa_object = __w_pdfjs_require__(75);--var _namespaces = __w_pdfjs_require__(77);--var _layout = __w_pdfjs_require__(81);--var _html_utils = __w_pdfjs_require__(82);--var _utils = __w_pdfjs_require__(76);+var _xfa_object = __w_pdfjs_require__(76);++var _namespaces = __w_pdfjs_require__(78);++var _layout = __w_pdfjs_require__(82);++var _html_utils = __w_pdfjs_require__(83);++var _utils = __w_pdfjs_require__(77); var _util = __w_pdfjs_require__(2);-var _fonts = __w_pdfjs_require__(83);+var _fonts = __w_pdfjs_require__(84); var _core_utils = __w_pdfjs_require__(9);-var _som = __w_pdfjs_require__(78);+var _som = __w_pdfjs_require__(79); const TEMPLATE_NS_ID = _namespaces.NamespaceIds.template.id; const SVG_NS = "http://www.w3.org/2000/svg";@@ -54784,7 +54887,7 @@ exports.TemplateNamespace = TemplateNamespace; 
/***/ }),-/* 81 */+/* 82 */ /***/ ((__unused_webpack_module, exports, __w_pdfjs_require__) => {@@ -54797,9 +54900,9 @@ exports.flushHTML = flushHTML; exports.getAvailableSpace = getAvailableSpace;-var _xfa_object = __w_pdfjs_require__(75);--var _html_utils = __w_pdfjs_require__(82);+var _xfa_object = __w_pdfjs_require__(76);++var _html_utils = __w_pdfjs_require__(83); function createLine(node, children) { return {@@ -55136,7 +55239,7 @@ } /***/ }),-/* 82 */+/* 83 */ /***/ ((__unused_webpack_module, exports, __w_pdfjs_require__) => {
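Review bot: the first hunk (around line 1268) deletes `removeNullCharacters` from the worker bundle without touching any caller in this diff; since `pdf.worker.js` is a generated build, confirm the helper has moved to the layer that still strips `\x00` and `[\x01-\x1F]` before strings reach viewer or DOM code, and add a commit-message line saying where it went. The `assert` to `unreachable` rewrite in the same hunk (`if (typeof bytes !== "object" || bytes === null || bytes.length === undefined) { unreachable(...) }`) rejects exactly the inputs the old assertion rejected, so whether this is a behaviour change depends only on whether `unreachable` throws the way `assert` did; that should be stated rather than left to the reader.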
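Review bot: in the `stringToPDFString` hunk, when the `TextDecoder` created with `fatal: true` throws, the code only calls `warn` and falls through to the `PDFStringTranslateTable` loop starting at `i = 0`, so the BOM bytes (`\xFE\xFF`, `\xFF\xFE` or `\xEF\xBB\xBF`) are emitted as characters; the removed UTF-16 loops never included them. Skip the BOM length in the fallback so a malformed string does not gain leading junk. The removed code also read `str.charCodeAt(i + 1)` past the end of an odd-length string, which the fatal decoder now rejects; that is the better behaviour, but it deserves a regression test with an odd-length UTF-16 input.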
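Review bot: `SpecialCharRegExp` in the `getCharUnicodeCategory` hunk is `^(\s)|(\p{Mn})|(\p{Cf})$`, where `^` binds to the first alternative and `$` to the last, so `(\p{Mn})` matches a combining mark anywhere in the input. The `Glyph` constructor hunk passes `unicode`, which can be a multi-character string (a ligature or a ToUnicode sequence), so a base letter followed by a combining mark is classified `isZeroWidthDiacritic` and later gets `scaledDim = 0`; the removed `DiacriticRegExp` was fully anchored (`^\p{Mn}$`). Suggest `^(?:(\s)|(\p{Mn})|(\p{Cf}))$`. Separately, `CategoryCache` gains one entry per distinct string and is only emptied by `clearUnicodeCaches`, so keep the `cleanup_helper` wiring (`clearGlobalCaches` calling `clearUnicodeCaches`) on every cleanup path.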
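Review bot: the `this.parsingType3Font && this.type3FontRefs.has(fontRef)` guard (evaluator hunk at 10882) depends on the 13580 hunk recording `this.dict.objId` in `type3FontRefs`, and that hunk only records it when `this.dict.objId` is truthy; a Type 3 font dictionary without an `objId` is never added, so a cycle through such a font is not caught by this check. Either document that limitation or derive a key from the dictionary itself. Placing the guard before the `fontCache` lookup is right, since a cached entry would otherwise bypass it.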
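Review bot: `getUint32` now applies `>>> 0`, so table offsets and lengths with the top bit set no longer come back negative as they did from `getLong`; the callers in `create` (`offset = getUint32(data, p + 8)`, `length = getUint32(data, p + 12)`) still have no check against `data.length`, and an in-range-looking but oversized offset reads `undefined` from the typed array and turns into `0` or `NaN` in the shifts rather than failing loudly. Add a bounds check at the call site. `getFloat214` as `getInt16(data, offset) / 16384` equals the old `(b0 << 24 | b1 << 16) / 1073741824` for every 16-bit input, so that replacement is behaviour-preserving.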
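Review bot: in the format-12 branch of `parseCmap`, `start = getUint32(data, p)` assigns to the function parameter `start` (the table start passed in), so after the loop `start` no longer means what it does at the top of the function. Rename it to a local such as `const groupStart = getUint32(data, p);` and use `idDelta: getUint32(data, p + 8) - groupStart`, so a later use of `start` in this function cannot silently read the last group's start code.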
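Review bot: the 30935 hunk adds `if (!(flags & 0x02)) {}` with an empty body directly after the `transform` command that uses `x, y`. When flag 0x02 (ARGS_ARE_XY_VALUES) is clear, `arg1` and `arg2` are point indices, which the preceding hunk correctly reads as unsigned, yet they are still applied as x/y offsets. Either implement point matching here or remove the empty block and leave a comment that point-matched components are unsupported; an empty `if` will be flagged by lint and misleads the next reader.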
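Review bot: the 32197 hunk replaces sign-magnitude decoding (`argument1 & 0x80 ? -abs1 : abs1`) with `glyf.getInt8`, i.e. two's complement, and applies signedness only under `ARGS_ARE_XY_VALUES`; that is the correct reading of the composite glyph format. Add a regression test with a byte offset of `0xFF`, which decodes to -1 now and to -127 under the removed code, so the fix is pinned down.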
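Review bot: `prevChar` in the 33265 hunk does `this.stream.skip(-2)` and then `getByte`, which assumes at least two bytes have already been consumed. Its only caller, the new `token === "/"` branch, runs after a previous `getToken`, so that holds today, but the helper has no guard of its own; add a comment or an assertion on the stream position so a future caller cannot rewind before the start of the stream.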
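Review bot: `applyInverseRotation` divides by `Math.hypot(matrix[0], matrix[1])`; a degenerate transform with `matrix[0] === 0` and `matrix[1] === 0` fails both axis-aligned tests in `compareWithLastPosition` (each requires a non-zero component), leaves `rotate` at -1 and reaches the `default` branch, producing `NaN` or `Infinity` positions. Return early or treat `scale === 0` as `rotate = 0`. The `Math.abs(advanceX) > textContentItem.width` change in the following hunk corrects the earlier comparison against `height` for horizontal text.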
Based on the provided code diff, I'll analyze it for security fixes following the specified format:

1. Vulnerability Existed: yes
   Null Character Injection
   [File] toolkit/components/pdfjs/content/build/pdf.worker.js [Lines 1268-1282]
   [Old Code]
   const NullCharactersRegExp = /\x00+/g;
   const InvisibleCharactersRegExp = /[\x01-\x1F]/g;
   function removeNullCharacters(str, replaceInvisible = false) {
     if (typeof str !== "string") {
       warn("The argument for removeNullCharacters must be a string.");
       return str;
     }
     if (replaceInvisible) {
       str = str.replace(InvisibleCharactersRegExp, " ");
     }
     return str.replace(NullCharactersRegExp, "");
   }
   [Fixed Code]
   (Removed entirely)

2. Vulnerability Existed: yes
   Insecure Assertion Usage
   [File] toolkit/components/pdfjs/content/build/pdf.worker.js [Lines 1269-1295]
   [Old Code]
   function bytesToString(bytes) {
     assert(bytes !== null && typeof bytes === "object" && bytes.length !== undefined, "Invalid argument for bytesToString");
   [Fixed Code]
   function bytesToString(bytes) {
     if (typeof bytes !== "object" || bytes === null || bytes.length === undefined) {
       unreachable("Invalid argument for bytesToString");
     }

3. Vulnerability Existed: yes
   Insecure Assertion Usage
   [File] toolkit/components/pdfjs/content/build/pdf.worker.js [Lines 1304-1306]
   [Old Code]
   function stringToBytes(str) {
     assert(typeof str === "string", "Invalid argument for stringToBytes");
   [Fixed Code]
   function stringToBytes(str) {
     if (typeof str !== "string") {
       unreachable("Invalid argument for stringToBytes");
     }

4. Vulnerability Existed: yes
   Insecure Assertion Usage
   [File] toolkit/components/pdfjs/content/build/pdf.worker.js [Lines 1320-1323]
   [Old Code]
   function arrayByteLength(arr) {
     assert(arr.byteLength !== undefined, "arrayByteLength - invalid argument.");
     return arr.byteLength;
   }
   [Fixed Code]
   function arrayByteLength(arr) {
     if (arr.byteLength !== undefined) {
       return arr.byteLength;
     }
     unreachable("Invalid argument for arrayByteLength");
   }

5. Vulnerability Existed: yes
   Type 3 Font Parsing Infinite Loop
   [File] toolkit/components/pdfjs/content/build/pdf.worker.js [Lines 10882-10886]
   [Old Code]
   (No check for recursive Type 3 fonts)
   [Fixed Code]
   if (this.parsingType3Font && this.type3FontRefs.has(fontRef)) {
     return errorFont();
   }

6. Vulnerability Existed: yes
   Integer Overflow in Font Parsing
   [File] toolkit/components/pdfjs/content/build/pdf.worker.js [Lines 30626-30633]
   [Old Code]
   function getLong(data, offset) {
     return data[offset] << 24 | data[offset + 1] << 16 | data[offset + 2] << 8 | data[offset + 3];
   }
   [Fixed Code]
   function getUint32(data, offset) {
     return (data[offset] << 24 | data[offset + 1] << 16 | data[offset + 2] << 8 | data[offset + 3]) >>> 0;
   }

The changes indicate multiple security fixes including:
1. Removal of null character handling which could be exploited for injection attacks
2. Replacement of insecure assertions with proper error handling
3. Fix for Type 3 font parsing infinite loop vulnerability
4. Fix for integer overflow in font parsing
5. General hardening of input validation

The version was also updated from 2.13.24 to 2.13.93, suggesting these were part of a security update.