Analysis Report

Shared security patch analysis results

AI Used: DEEPSEEK deepseek-chat
6017 filtered / 6017 total files
testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.gradient.radial.inside3.html AI: No vulnerabilities
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.gradient.radial.inside3.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.gradient.radial.inside3.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillRect(0, 0, 100, 50);@@ -28,15 +28,15 @@ g.addColorStop(1, '#0f0'); ctx.fillStyle = g; ctx.fillRect(0, 0, 100, 50);-_assertPixel(offscreenCanvas, 1,1, 0,255,0,255, "1,1", "0,255,0,255");-_assertPixel(offscreenCanvas, 50,1, 0,255,0,255, "50,1", "0,255,0,255");-_assertPixel(offscreenCanvas, 98,1, 0,255,0,255, "98,1", "0,255,0,255");-_assertPixel(offscreenCanvas, 1,25, 0,255,0,255, "1,25", "0,255,0,255");-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");-_assertPixel(offscreenCanvas, 98,25, 0,255,0,255, "98,25", "0,255,0,255");-_assertPixel(offscreenCanvas, 1,48, 0,255,0,255, "1,48", "0,255,0,255");-_assertPixel(offscreenCanvas, 50,48, 0,255,0,255, "50,48", "0,255,0,255");-_assertPixel(offscreenCanvas, 98,48, 0,255,0,255, "98,48", "0,255,0,255");+_assertPixel(canvas, 1,1, 0,255,0,255, "1,1", "0,255,0,255");+_assertPixel(canvas, 50,1, 0,255,0,255, "50,1", "0,255,0,255");+_assertPixel(canvas, 98,1, 0,255,0,255, "98,1", "0,255,0,255");+_assertPixel(canvas, 1,25, 0,255,0,255, "1,25", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 98,25, 0,255,0,255, "98,25", "0,255,0,255");+_assertPixel(canvas, 1,48, 0,255,0,255, "1,48", "0,255,0,255");+_assertPixel(canvas, 50,48, 0,255,0,255, "50,48", "0,255,0,255");+_assertPixel(canvas, 98,48, 
0,255,0,255, "98,48", "0,255,0,255"); t.done(); });
AI Analysis
After analyzing the provided code diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely cosmetic/refactoring, changing the variable name from `offscreenCanvas` to `canvas` and updating all subsequent references to this variable.

Here's the structured response:

    Vulnerability Existed: no
    No security vulnerability found
    File: testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.gradient.radial.inside3.html
    Lines: 17-48
    Old Code: var offscreenCanvas = new OffscreenCanvas(100, 50); var ctx = offscreenCanvas.getContext('2d'); ... _assertPixel(offscreenCanvas, ...)
    Fixed Code: var canvas = new OffscreenCanvas(100, 50); var ctx = canvas.getContext('2d'); ... _assertPixel(canvas, ...)

The changes are simply variable renaming and don't appear to address any security issues. The functionality remains exactly the same, just with a different variable name.
CVE Analysis Results:
CVE-2022-26384: No
If an attacker could control the contents of an iframe sandboxed with `allow-popups` but not `allow-scripts`, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
testing/web-platform/tests/css/css-break/flexbox/multi-line-row-flex-fragmentation-015.html AI: No vulnerabilities
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-break/flexbox/multi-line-row-flex-fragmentation-015.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-break/flexbox/multi-line-row-flex-fragmentation-015.html@@ -35,6 +35,6 @@       <div style="contain: size; width: 10px; height: 30px;"></div>     </div>     <div style="height: 100px; width: 20px;"></div>-    <div style="height: 70px; width: 20px;"></div>+    <div style="height: 20px; width: 20px;"></div>   </div> </div>
AI Analysis
Analysis of the provided code diff:

1. Vulnerability Existed: no
   No security vulnerability found [File] [Lines 35-36]
   [Old Code]
   <div style="height: 70px; width: 20px;"></div>
   [Fixed Code]
   <div style="height: 20px; width: 20px;"></div>

Additional Details:
- This appears to be a simple layout adjustment in a CSS test file
- The change modifies the height of a div element from 70px to 20px
- No security implications are evident in this change
- The modification seems related to visual rendering/testing rather than security
CVE Analysis Results:
CVE-2022-26384: No
tools/profiler/public/GeckoProfiler.h AI: Not sure
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/tools/profiler/public/GeckoProfiler.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/tools/profiler/public/GeckoProfiler.h@@ -27,6 +27,7 @@ #include "mozilla/ProfilerMarkers.h" #include "mozilla/ProfilerState.h" #include "mozilla/ProfilerThreadState.h"+#include "mozilla/ProgressLogger.h" enum class IsFastShutdown {   No,@@ -99,7 +100,8 @@ static inline void profiler_register_page(uint64_t aTabID,                                           uint64_t aInnerWindowID,                                           const nsCString& aUrl,-                                          uint64_t aEmbedderInnerWindowID) {}+                                          uint64_t aEmbedderInnerWindowID,+                                          bool aIsPrivateBrowsing) {} static inline void profiler_unregister_page(uint64_t aRegisteredInnerWindowID) { }@@ -266,9 +268,12 @@ //   "aUrl"                   is the URL of the page. //   "aEmbedderInnerWindowID" is the inner window id of embedder. It's used to //                            determine sub documents of a page.+//   "aIsPrivateBrowsing"     is true if this browsing context happens in a+//                            private browsing context. void profiler_register_page(uint64_t aTabID, uint64_t aInnerWindowID,                             const nsCString& aUrl,-                            uint64_t aEmbedderInnerWindowID);+                            uint64_t aEmbedderInnerWindowID,+                            bool aIsPrivateBrowsing); // Unregister page with the profiler. 
// // Take a Inner Window ID and unregister the page entry that has the same ID.@@ -507,7 +512,8 @@ bool profiler_stream_json_for_this_process(     mozilla::baseprofiler::SpliceableJSONWriter& aWriter, double aSinceTime = 0,     bool aIsShuttingDown = false,-    ProfilerCodeAddressService* aService = nullptr);+    ProfilerCodeAddressService* aService = nullptr,+    mozilla::ProgressLogger aProgressLogger = {}); // Get the profile and write it into a file. A no-op if the profile is // inactive.
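Review bot: The new `bool aIsPrivateBrowsing` parameter on `profiler_register_page` (hunks at -99,7 and -266,9) has no default value and its doc comment only says when it is true, not what the profiler does with a page registered as private. Document the effect on recorded data (for example whether the URL is still stored or streamed) next to the parameter description, and note that the no-op stub at -99,7 silently ignores the flag, so every caller has to be updated in the same change.

Review bot: In the -507,7 hunk, `mozilla::ProgressLogger aProgressLogger = {}` is added as a by-value parameter with a default, but the comment block for `profiler_stream_json_for_this_process` is not extended to describe it. Add a line saying what a default-constructed logger does and whether the function keeps the logger beyond the call.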
AI Analysis
Based on the provided code diff, I'll analyze it for potential security vulnerabilities:

1. Vulnerability Existed: not sure
   [Potential Information Leak] [tools/profiler/public/GeckoProfiler.h] [Lines 99-100, 266-271]
   [Old Code]
   static inline void profiler_register_page(uint64_t aTabID,
                                           uint64_t aInnerWindowID,
                                           const nsCString& aUrl,
                                           uint64_t aEmbedderInnerWindowID) {}
   [Fixed Code]
   static inline void profiler_register_page(uint64_t aTabID,
                                           uint64_t aInnerWindowID,
                                           const nsCString& aUrl,
                                           uint64_t aEmbedderInnerWindowID,
                                           bool aIsPrivateBrowsing) {}
   Additional Details: The addition of private browsing flag could be related to preventing information leaks from private browsing sessions, but without more context it's unclear if this was fixing an actual vulnerability or just adding functionality.

2. Vulnerability Existed: not sure
   [Potential Denial of Service] [tools/profiler/public/GeckoProfiler.h] [Lines 507-511]
   [Old Code]
   bool profiler_stream_json_for_this_process(
       mozilla::baseprofiler::SpliceableJSONWriter& aWriter, double aSinceTime = 0,
       bool aIsShuttingDown = false,
       ProfilerCodeAddressService* aService = nullptr);
   [Fixed Code]
   bool profiler_stream_json_for_this_process(
       mozilla::baseprofiler::SpliceableJSONWriter& aWriter, double aSinceTime = 0,
       bool aIsShuttingDown = false,
       ProfilerCodeAddressService* aService = nullptr,
       mozilla::ProgressLogger aProgressLogger = {});
   Additional Details: The addition of ProgressLogger could be related to preventing potential DoS from hanging processes during profiling, but this is speculative without more context.

Note: The changes appear to be adding new parameters to functions rather than fixing obviously vulnerable code. Without more context about the motivations for these changes or any accompanying bug reports, it's difficult to determine if these were security fixes or just feature additions. The changes could be related to security hardening, but there's no clear evidence of specific vulnerabilities being fixed.
CVE Analysis Results:
CVE-2022-26384: No
widget/gtk/nsNativeThemeGTK.cpp AI: No vulnerabilities
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/widget/gtk/nsNativeThemeGTK.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/widget/gtk/nsNativeThemeGTK.cpp@@ -42,8 +42,7 @@ #include "mozilla/StaticPrefs_widget.h" #include "nsWindow.h" #include "nsLayoutUtils.h"-#include "nsNativeBasicTheme.h"-#include "ScrollbarDrawingGTK.h"+#include "Theme.h" #ifdef MOZ_X11 #  ifdef CAIRO_HAS_XLIB_SURFACE@@ -57,7 +56,6 @@ using namespace mozilla; using namespace mozilla::gfx; using namespace mozilla::widget;-using ScrollbarDrawingGTK = mozilla::widget::ScrollbarDrawingGTK; static int gLastGdkError;@@ -96,8 +94,7 @@   return GetMonitorScaleFactor(aFrame->PresContext()); }-nsNativeThemeGTK::nsNativeThemeGTK()-    : nsNativeBasicTheme(DefaultPlatformScrollbarStyle()) {+nsNativeThemeGTK::nsNativeThemeGTK() : Theme(ScrollbarStyle()) {   if (moz_gtk_init() != MOZ_GTK_SUCCESS) {     memset(mDisabledWidgetTypes, 0xff, sizeof(mDisabledWidgetTypes));     return;@@ -129,7 +126,7 @@ static bool IsWidgetTypeDisabled(const uint8_t* aDisabledVector,                                  StyleAppearance aAppearance) {   auto type = static_cast<size_t>(aAppearance);-  MOZ_ASSERT(type < static_cast<size_t>(mozilla::StyleAppearance::Count));+  MOZ_ASSERT(type < static_cast<size_t>(StyleAppearance::Count));   return (aDisabledVector[type >> 3] & (1 << (type & 7))) != 0; }@@ -183,16 +180,6 @@   return std::min<gint>(       MOZ_GTK_TAB_MARGIN_MASK,       std::max(0, aFrame->PresContext()->AppUnitsToDevPixels(-margin)));-}--static bool ShouldScrollbarButtonBeDisabled(int32_t aCurpos, int32_t aMaxpos,-                                            StyleAppearance aAppearance) {-  return (aCurpos == 0 &&-          (aAppearance == StyleAppearance::ScrollbarbuttonUp ||-           aAppearance == StyleAppearance::ScrollbarbuttonLeft)) ||-         (aCurpos == aMaxpos &&-          (aAppearance == 
StyleAppearance::ScrollbarbuttonDown ||-           aAppearance == StyleAppearance::ScrollbarbuttonRight)); } bool nsNativeThemeGTK::GetGtkWidgetAndState(StyleAppearance aAppearance,@@ -267,50 +254,6 @@         aState->focused = FALSE;       }-      if (aAppearance == StyleAppearance::ScrollbarthumbVertical ||-          aAppearance == StyleAppearance::ScrollbarthumbHorizontal) {-        // for scrollbars we need to go up two to go from the thumb to-        // the slider to the actual scrollbar object-        nsIFrame* tmpFrame = aFrame->GetParent()->GetParent();--        aState->curpos = CheckIntAttr(tmpFrame, nsGkAtoms::curpos, 0);-        aState->maxpos = CheckIntAttr(tmpFrame, nsGkAtoms::maxpos, 100);--        if (CheckBooleanAttr(aFrame, nsGkAtoms::active)) {-          aState->active = TRUE;-          // Set hover state to emulate Gtk style of active scrollbar thumb-          aState->inHover = TRUE;-        }-      }--      if (aAppearance == StyleAppearance::ScrollbarbuttonUp ||-          aAppearance == StyleAppearance::ScrollbarbuttonDown ||-          aAppearance == StyleAppearance::ScrollbarbuttonLeft ||-          aAppearance == StyleAppearance::ScrollbarbuttonRight) {-        // set the state to disabled when the scrollbar is scrolled to-        // the beginning or the end, depending on the button type.-        int32_t curpos = CheckIntAttr(aFrame, nsGkAtoms::curpos, 0);-        int32_t maxpos = CheckIntAttr(aFrame, nsGkAtoms::maxpos, 100);-        if (ShouldScrollbarButtonBeDisabled(curpos, maxpos, aAppearance)) {-          aState->disabled = true;-        }--        // In order to simulate native GTK scrollbar click behavior,-        // we set the active attribute on the element to true if it's-        // pressed with any mouse button.-        // This allows us to show that it's active without setting :active-        else if (CheckBooleanAttr(aFrame, nsGkAtoms::active))-          aState->active = true;--        if (aWidgetFlags) {-          *aWidgetFlags = 
GetScrollbarButtonType(aFrame);-          if (static_cast<uint8_t>(aAppearance) --                  static_cast<uint8_t>(StyleAppearance::ScrollbarbuttonUp) <-              2)-            *aWidgetFlags |= MOZ_GTK_STEPPER_VERTICAL;-        }-      }-       // menu item state is determined by the attribute "_moz-menuactive",       // and not by the mouse hovering (accessibility).  as a special case,       // menus which are children of a menu bar are only marked as prelight@@ -379,21 +322,6 @@         aAppearance == StyleAppearance::MozWindowButtonRestore) {       aState->backdrop = !nsWindow::GetTopLevelWindowActiveState(aFrame);     }--    if (aAppearance == StyleAppearance::ScrollbarbuttonUp ||-        aAppearance == StyleAppearance::ScrollbarbuttonDown ||-        aAppearance == StyleAppearance::ScrollbarbuttonLeft ||-        aAppearance == StyleAppearance::ScrollbarbuttonRight ||-        aAppearance == StyleAppearance::ScrollbarVertical ||-        aAppearance == StyleAppearance::ScrollbarHorizontal ||-        aAppearance == StyleAppearance::ScrollbartrackHorizontal ||-        aAppearance == StyleAppearance::ScrollbartrackVertical ||-        aAppearance == StyleAppearance::ScrollbarthumbVertical ||-        aAppearance == StyleAppearance::ScrollbarthumbHorizontal) {-      EventStates docState =-          aFrame->GetContent()->OwnerDoc()->GetDocumentState();-      aState->backdrop = docState.HasState(NS_DOCUMENT_STATE_WINDOW_INACTIVE);-    }   }   switch (aAppearance) {@@ -414,38 +342,6 @@       aGtkWidgetType = (aAppearance == StyleAppearance::Radio)                            ? 
MOZ_GTK_RADIOBUTTON                            : MOZ_GTK_CHECKBUTTON;-      break;-    case StyleAppearance::ScrollbarbuttonUp:-    case StyleAppearance::ScrollbarbuttonDown:-    case StyleAppearance::ScrollbarbuttonLeft:-    case StyleAppearance::ScrollbarbuttonRight:-      aGtkWidgetType = MOZ_GTK_SCROLLBAR_BUTTON;-      break;-    case StyleAppearance::ScrollbarVertical:-      aGtkWidgetType = MOZ_GTK_SCROLLBAR_VERTICAL;-      if (GetWidgetTransparency(aFrame, aAppearance) == eOpaque)-        *aWidgetFlags = MOZ_GTK_TRACK_OPAQUE;-      else-        *aWidgetFlags = 0;-      break;-    case StyleAppearance::ScrollbarHorizontal:-      aGtkWidgetType = MOZ_GTK_SCROLLBAR_HORIZONTAL;-      if (GetWidgetTransparency(aFrame, aAppearance) == eOpaque)-        *aWidgetFlags = MOZ_GTK_TRACK_OPAQUE;-      else-        *aWidgetFlags = 0;-      break;-    case StyleAppearance::ScrollbartrackHorizontal:-      aGtkWidgetType = MOZ_GTK_SCROLLBAR_TROUGH_HORIZONTAL;-      break;-    case StyleAppearance::ScrollbartrackVertical:-      aGtkWidgetType = MOZ_GTK_SCROLLBAR_TROUGH_VERTICAL;-      break;-    case StyleAppearance::ScrollbarthumbVertical:-      aGtkWidgetType = MOZ_GTK_SCROLLBAR_THUMB_VERTICAL;-      break;-    case StyleAppearance::ScrollbarthumbHorizontal:-      aGtkWidgetType = MOZ_GTK_SCROLLBAR_THUMB_HORIZONTAL;       break;     case StyleAppearance::Spinner:       aGtkWidgetType = MOZ_GTK_SPINBUTTON;@@ -935,13 +831,6 @@   // GTK2 themes (Ximian Industrial, Bluecurve, Misty, at least);   // We modify the frame's overflow area.  See bug 297508.   
switch (aAppearance) {-    case StyleAppearance::ScrollbarthumbVertical:-      aExtra->top = aExtra->bottom = 1;-      break;-    case StyleAppearance::ScrollbarthumbHorizontal:-      aExtra->left = aExtra->right = 1;-      break;-     case StyleAppearance::Button: {       if (IsDefaultButton(aFrame)) {         // Some themes draw a default indicator outside the widget,@@ -1007,8 +896,8 @@                                        const nsRect& aDirtyRect,                                        DrawOverflow aDrawOverflow) {   if (IsWidgetNonNative(aFrame, aAppearance) != NonNative::No) {-    return nsNativeBasicTheme::DrawWidgetBackground(-        aContext, aFrame, aAppearance, aRect, aDirtyRect, aDrawOverflow);+    return Theme::DrawWidgetBackground(aContext, aFrame, aAppearance, aRect,+                                       aDirtyRect, aDrawOverflow);   }   GtkWidgetState state;@@ -1137,7 +1026,7 @@     mozilla::layers::RenderRootStateManager* aManager, nsIFrame* aFrame,     StyleAppearance aAppearance, const nsRect& aRect) {   if (IsWidgetNonNative(aFrame, aAppearance) != NonNative::No) {-    return nsNativeBasicTheme::CreateWebRenderCommandsForWidget(+    return Theme::CreateWebRenderCommandsForWidget(         aBuilder, aResources, aSc, aManager, aFrame, aAppearance, aRect);   }   return false;@@ -1204,36 +1093,6 @@   LayoutDeviceIntMargin result;   GtkTextDirection direction = GetTextDirection(aFrame);   switch (aAppearance) {-    case StyleAppearance::ScrollbarHorizontal:-    case StyleAppearance::ScrollbarVertical: {-      GtkOrientation orientation =-          aAppearance == StyleAppearance::ScrollbarHorizontal-              ? 
GTK_ORIENTATION_HORIZONTAL-              : GTK_ORIENTATION_VERTICAL;-      const ScrollbarGTKMetrics* metrics =-          GetActiveScrollbarMetrics(orientation);--      const GtkBorder& border = metrics->border.scrollbar;-      result.top = border.top;-      result.right = border.right;-      result.bottom = border.bottom;-      result.left = border.left;-    } break;-    case StyleAppearance::ScrollbartrackHorizontal:-    case StyleAppearance::ScrollbartrackVertical: {-      GtkOrientation orientation =-          aAppearance == StyleAppearance::ScrollbartrackHorizontal-              ? GTK_ORIENTATION_HORIZONTAL-              : GTK_ORIENTATION_VERTICAL;-      const ScrollbarGTKMetrics* metrics =-          GetActiveScrollbarMetrics(orientation);--      const GtkBorder& border = metrics->border.track;-      result.top = border.top;-      result.right = border.right;-      result.bottom = border.bottom;-      result.left = border.left;-    } break;     case StyleAppearance::Toolbox:       // gtk has no toolbox equivalent.  
So, although we map toolbox to       // gtk's 'toolbar' for purposes of painting the widget background,@@ -1347,8 +1206,8 @@                                          StyleAppearance aAppearance,                                          nsRect* aOverflowRect) {   if (IsWidgetNonNative(aFrame, aAppearance) != NonNative::No) {-    return nsNativeBasicTheme::GetWidgetOverflow(aContext, aFrame, aAppearance,-                                                 aOverflowRect);+    return Theme::GetWidgetOverflow(aContext, aFrame, aAppearance,+                                    aOverflowRect);   }   nsIntMargin extraSize;@@ -1369,15 +1228,11 @@ auto nsNativeThemeGTK::IsWidgetNonNative(nsIFrame* aFrame,                                          StyleAppearance aAppearance)     -> NonNative {-  if (!StaticPrefs::widget_non_native_theme_enabled()) {-    return NonNative::No;-  }   if (IsWidgetScrollbarPart(aAppearance)) {     return NonNative::Always;   }   // We can't draw light widgets if the current GTK theme is dark or vice versa.-  if (nsNativeBasicTheme::ThemeSupportsWidget(aFrame->PresContext(), aFrame,-                                              aAppearance) &&+  if (Theme::ThemeSupportsWidget(aFrame->PresContext(), aFrame, aAppearance) &&       LookAndFeel::ColorSchemeForFrame(aFrame) !=           LookAndFeel::ColorSchemeForChrome()) {     return NonNative::BecauseColorMismatch;@@ -1392,32 +1247,14 @@                                        LayoutDeviceIntSize* aResult,                                        bool* aIsOverridable) {   if (IsWidgetNonNative(aFrame, aAppearance) == NonNative::Always) {-    return nsNativeBasicTheme::GetMinimumWidgetSize(-        aPresContext, aFrame, aAppearance, aResult, aIsOverridable);+    return Theme::GetMinimumWidgetSize(aPresContext, aFrame, aAppearance,+                                       aResult, aIsOverridable);   }   aResult->width = aResult->height = 0;   *aIsOverridable = true;   switch (aAppearance) {-    case 
StyleAppearance::ScrollbarbuttonUp:-    case StyleAppearance::ScrollbarbuttonDown: {-      const ScrollbarGTKMetrics* metrics =-          GetActiveScrollbarMetrics(GTK_ORIENTATION_VERTICAL);--      aResult->width = metrics->size.button.width;-      aResult->height = metrics->size.button.height;-      *aIsOverridable = false;-    } break;-    case StyleAppearance::ScrollbarbuttonLeft:-    case StyleAppearance::ScrollbarbuttonRight: {-      const ScrollbarGTKMetrics* metrics =-          GetActiveScrollbarMetrics(GTK_ORIENTATION_HORIZONTAL);--      aResult->width = metrics->size.button.width;-      aResult->height = metrics->size.button.height;-      *aIsOverridable = false;-    } break;     case StyleAppearance::Splitter: {       gint metrics;       if (IsHorizontal(aFrame)) {@@ -1429,36 +1266,6 @@         aResult->width = 0;         aResult->height = metrics;       }-      *aIsOverridable = false;-    } break;-    case StyleAppearance::ScrollbarHorizontal:-    case StyleAppearance::ScrollbarVertical: {-      /* While we enforce a minimum size for the thumb, this is ignored-       * for the some scrollbars if buttons are hidden (bug 513006) because-       * the thumb isn't a direct child of the scrollbar, unlike the buttons-       * or track. So add a minimum size to the track as well to prevent a-       * 0-width scrollbar. */-      GtkOrientation orientation =-          aAppearance == StyleAppearance::ScrollbarHorizontal-              ? GTK_ORIENTATION_HORIZONTAL-              : GTK_ORIENTATION_VERTICAL;-      const ScrollbarGTKMetrics* metrics =-          GetActiveScrollbarMetrics(orientation);--      aResult->width = metrics->size.scrollbar.width;-      aResult->height = metrics->size.scrollbar.height;-    } break;-    case StyleAppearance::ScrollbarthumbVertical:-    case StyleAppearance::ScrollbarthumbHorizontal: {-      GtkOrientation orientation =-          aAppearance == StyleAppearance::ScrollbarthumbHorizontal-              ? 
GTK_ORIENTATION_HORIZONTAL-              : GTK_ORIENTATION_VERTICAL;-      const ScrollbarGTKMetrics* metrics =-          GetActiveScrollbarMetrics(orientation);--      aResult->width = metrics->size.thumb.width;-      aResult->height = metrics->size.thumb.height;       *aIsOverridable = false;     } break;     case StyleAppearance::RangeThumb: {@@ -1641,8 +1448,8 @@   *aShouldRepaint = false;   if (IsWidgetNonNative(aFrame, aAppearance) != NonNative::No) {-    return nsNativeBasicTheme::WidgetStateChanged(-        aFrame, aAppearance, aAttribute, aShouldRepaint, aOldValue);+    return Theme::WidgetStateChanged(aFrame, aAppearance, aAttribute,+                                     aShouldRepaint, aOldValue);   }   // Some widget types just never change state.@@ -1669,42 +1476,6 @@     return NS_OK;   }-  if ((aAppearance == StyleAppearance::ScrollbarthumbVertical ||-       aAppearance == StyleAppearance::ScrollbarthumbHorizontal) &&-      aAttribute == nsGkAtoms::active) {-    *aShouldRepaint = true;-    return NS_OK;-  }--  if ((aAppearance == StyleAppearance::ScrollbarbuttonUp ||-       aAppearance == StyleAppearance::ScrollbarbuttonDown ||-       aAppearance == StyleAppearance::ScrollbarbuttonLeft ||-       aAppearance == StyleAppearance::ScrollbarbuttonRight) &&-      (aAttribute == nsGkAtoms::curpos || aAttribute == nsGkAtoms::maxpos)) {-    // If 'curpos' has changed and we are passed its old value, we can-    // determine whether the button's enablement actually needs to change.-    if (aAttribute == nsGkAtoms::curpos && aOldValue) {-      int32_t curpos = CheckIntAttr(aFrame, nsGkAtoms::curpos, 0);-      int32_t maxpos = CheckIntAttr(aFrame, nsGkAtoms::maxpos, 0);-      nsAutoString str;-      aOldValue->ToString(str);-      nsresult err;-      int32_t oldCurpos = str.ToInteger(&err);-      if (str.IsEmpty() || NS_FAILED(err)) {-        *aShouldRepaint = true;-      } else {-        bool disabledBefore =-            ShouldScrollbarButtonBeDisabled(oldCurpos, 
maxpos, aAppearance);-        bool disabledNow =-            ShouldScrollbarButtonBeDisabled(curpos, maxpos, aAppearance);-        *aShouldRepaint = (disabledBefore != disabledNow);-      }-    } else {-      *aShouldRepaint = true;-    }-    return NS_OK;-  }-   // XXXdwh Not sure what can really be done here.  Can at least guess for   // specific widgets that they're highly unlikely to have certain states.   // For example, a toolbar doesn't care about any states.@@ -1738,11 +1509,6 @@   return NS_OK; }-static bool CanHandleScrollbar(const ComputedStyle& aStyle) {-  return !aStyle.StyleUI()->HasCustomScrollbars() &&-         aStyle.StyleUIReset()->mScrollbarWidth != StyleScrollbarWidth::Thin;-}- NS_IMETHODIMP_(bool) nsNativeThemeGTK::ThemeSupportsWidget(nsPresContext* aPresContext,                                       nsIFrame* aFrame,@@ -1752,15 +1518,7 @@   }   if (IsWidgetNonNative(aFrame, aAppearance) == NonNative::Always) {-    return nsNativeBasicTheme::ThemeSupportsWidget(aPresContext, aFrame,-                                                   aAppearance);-  }--  if (IsWidgetScrollbarPart(aAppearance)) {-    ComputedStyle* cs = nsLayoutUtils::StyleForScrollbar(aFrame);-    if (!CanHandleScrollbar(*cs)) {-      return false;-    }+    return Theme::ThemeSupportsWidget(aPresContext, aFrame, aAppearance);   }   switch (aAppearance) {@@ -1812,16 +1570,6 @@     case StyleAppearance::SpinnerUpbutton:     case StyleAppearance::SpinnerDownbutton:     case StyleAppearance::SpinnerTextfield:-    case StyleAppearance::ScrollbarbuttonUp:-    case StyleAppearance::ScrollbarbuttonDown:-    case StyleAppearance::ScrollbarbuttonLeft:-    case StyleAppearance::ScrollbarbuttonRight:-    case StyleAppearance::ScrollbarHorizontal:-    case StyleAppearance::ScrollbarVertical:-    case StyleAppearance::ScrollbartrackHorizontal:-    case StyleAppearance::ScrollbartrackVertical:-    case StyleAppearance::ScrollbarthumbHorizontal:-    case 
StyleAppearance::ScrollbarthumbVertical:     case StyleAppearance::NumberInput:     case StyleAppearance::Textfield:     case StyleAppearance::Textarea:@@ -1886,7 +1634,7 @@ bool nsNativeThemeGTK::ThemeDrawsFocusForWidget(nsIFrame* aFrame,                                                 StyleAppearance aAppearance) {   if (IsWidgetNonNative(aFrame, aAppearance) != NonNative::No) {-    return nsNativeBasicTheme::ThemeDrawsFocusForWidget(aFrame, aAppearance);+    return Theme::ThemeDrawsFocusForWidget(aFrame, aAppearance);   }   switch (aAppearance) {     case StyleAppearance::Button:@@ -1907,20 +1655,10 @@ nsITheme::Transparency nsNativeThemeGTK::GetWidgetTransparency(     nsIFrame* aFrame, StyleAppearance aAppearance) {   if (IsWidgetNonNative(aFrame, aAppearance) != NonNative::No) {-    return nsNativeBasicTheme::GetWidgetTransparency(aFrame, aAppearance);+    return Theme::GetWidgetTransparency(aFrame, aAppearance);   }   switch (aAppearance) {-    case StyleAppearance::ScrollbarVertical:-    case StyleAppearance::ScrollbarHorizontal:-      // Make scrollbar tracks opaque on the window's scroll frame to prevent-      // leaf layers from overlapping. 
See bug 1179780.-      if (!(CheckBooleanAttr(aFrame, nsGkAtoms::root_) &&-            aFrame->PresContext()->IsRootContentDocumentCrossProcess() &&-            IsFrameContentNodeInNamespace(aFrame, kNameSpaceID_XUL))) {-        return eTransparent;-      }-      return eOpaque;     // Tooltips use gtk_paint_flat_box() on Gtk2     // but are shaped on Gtk3     case StyleAppearance::Tooltip:@@ -1930,43 +1668,9 @@   } }-auto nsNativeThemeGTK::GetScrollbarSizes(nsPresContext* aPresContext,-                                         StyleScrollbarWidth aWidth,-                                         Overlay aOverlay) -> ScrollbarSizes {-  if (StaticPrefs::widget_non_native_theme_enabled()) {-    return nsNativeBasicTheme::GetScrollbarSizes(aPresContext, aWidth,-                                                 aOverlay);-  }--  CSSIntCoord vertical;-  CSSIntCoord horizontal;-  if (aWidth != StyleScrollbarWidth::Thin) {-    const ScrollbarGTKMetrics* verticalMetrics =-        GetActiveScrollbarMetrics(GTK_ORIENTATION_VERTICAL);-    const ScrollbarGTKMetrics* horizontalMetrics =-        GetActiveScrollbarMetrics(GTK_ORIENTATION_HORIZONTAL);-    vertical = verticalMetrics->size.scrollbar.width;-    horizontal = horizontalMetrics->size.scrollbar.height;-  } else {-    auto unthemed = nsLayoutUtils::UnthemedScrollbarSize(aWidth);-    vertical = horizontal = unthemed;-  }-  auto scale = GetMonitorScaleFactor(aPresContext);-  return {int32_t(vertical) * scale, int32_t(horizontal) * scale};-}--already_AddRefed<nsITheme> do_GetNativeThemeDoNotUseDirectly() {-  static nsCOMPtr<nsITheme> inst;--  if (!inst) {-    if (gfxPlatform::IsHeadless()) {-      inst = new nsNativeBasicTheme(-          nsNativeBasicTheme::DefaultPlatformScrollbarStyle());-    } else {-      inst = new nsNativeThemeGTK();-    }-    ClearOnShutdown(&inst);-  }--  return do_AddRef(inst);-}+already_AddRefed<Theme> do_CreateNativeThemeDoNotUseDirectly() {+  if (gfxPlatform::IsHeadless()) {+    return do_AddRef(new 
Theme(Theme::ScrollbarStyle()));+  }+  return do_AddRef(new nsNativeThemeGTK());+}
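Review bot: In the last hunk (-1930,43), `do_CreateNativeThemeDoNotUseDirectly()` returns a freshly allocated `Theme` or `nsNativeThemeGTK` on every call, whereas the removed `do_GetNativeThemeDoNotUseDirectly()` kept one static instance and registered it with `ClearOnShutdown`. Nothing visible here shows where the instance is now cached and released, so add a comment stating that the caller owns the single instance and its shutdown cleanup; otherwise each call re-runs the constructor, including `moz_gtk_init()`.

Review bot: The -1369,15 hunk drops the `StaticPrefs::widget_non_native_theme_enabled()` early return from `IsWidgetNonNative`, so scrollbar parts now always take the `NonNative::Always` path, which matches the removal of the native scrollbar cases elsewhere in the file. Confirm the pref has no remaining readers in this file and say in the commit message that it no longer has any effect here, since `mozilla/StaticPrefs_widget.h` is still included in the -42,8 context.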
AI Analysis
After analyzing the provided code diff, I don't see any clear security vulnerabilities being fixed. The changes appear to be primarily architectural, moving from a `nsNativeBasicTheme` implementation to a more generic `Theme` class, and removing scrollbar-related code that's now handled elsewhere.

Here's the analysis following your requested format:

1. First potential area examined (scrollbar handling removal):
    Vulnerability Existed: no
    No vulnerability found in removed scrollbar code
    File: widget/gtk/nsNativeThemeGTK.cpp
    Lines: Various scrollbar-related code removed
    Old Code: Various scrollbar handling implementations
    Fixed Code: Removed scrollbar handling code

2. Second potential area examined (theme class change):
    Vulnerability Existed: no
    No vulnerability found in theme class migration
    File: widget/gtk/nsNativeThemeGTK.cpp
    Lines: Throughout file
    Old Code: Using nsNativeBasicTheme
    Fixed Code: Using Theme class

3. Third potential area examined (removed functions):
    Vulnerability Existed: no
    No vulnerability found in removed functions
    File: widget/gtk/nsNativeThemeGTK.cpp
    Lines: Removed ShouldScrollbarButtonBeDisabled and other functions
    Old Code: Various scrollbar utility functions
    Fixed Code: Functions removed

The changes appear to be:
1. Architectural refactoring to use a more generic Theme class
2. Moving scrollbar handling out of this file
3. Cleaning up related unused code
4. No obvious security fixes or vulnerability patches in this diff

The modifications seem focused on code organization and maintenance rather than addressing specific security issues. The removal of scrollbar handling code suggests this functionality was moved to a different component, but there's no indication this was due to security concerns.
CVE Analysis Results:
CVE-2022-26384: No
If an attacker could control the contents of an iframe sandboxed with `allow-popups` but not `allow-scripts`, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.arc.angle.1.html AI: No vulnerabilities
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.arc.angle.1.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.arc.angle.1.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#0f0'; ctx.fillRect(0, 0, 100, 50);@@ -27,7 +27,7 @@ ctx.moveTo(100, 0); ctx.arc(100, 0, 150, Math.PI/2, -Math.PI, true); ctx.fill();-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); t.done(); });
AI Analysis
After analyzing the provided code diff, I don't find any security vulnerabilities. The changes appear to be purely variable renaming and don't affect security aspects. Here's the analysis following your requested format:

Vulnerability Existed: no
[No security vulnerability found] [testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.arc.angle.1.html] [17-27]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
...
_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
...
_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");

The changes simply rename the variable from `offscreenCanvas` to `canvas` throughout the file, which doesn't impact security. The functionality remains identical.
CVE Analysis Results:
CVE-2022-26384: No
testing/web-platform/tests/html/canvas/offscreen/the-offscreen-canvas/size.attributes.default.html AI: No vulnerabilities
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/the-offscreen-canvas/size.attributes.default.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/the-offscreen-canvas/size.attributes.default.html@@ -17,11 +17,11 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d');-_assertSame(offscreenCanvas.width, 100, "offscreenCanvas.width", "100");-_assertSame(offscreenCanvas.height, 50, "offscreenCanvas.height", "50");+_assertSame(canvas.width, 100, "canvas.width", "100");+_assertSame(canvas.height, 50, "canvas.height", "50"); t.done(); });
AI Analysis
After analyzing the provided code diff, I don't see any security-related changes. The changes appear to be purely cosmetic/refactoring (variable renaming) without any security implications.

Answer for Each Vulnerability:
    Vulnerability Existed: no
    No security vulnerability found
    File: testing/web-platform/tests/html/canvas/offscreen/the-offscreen-canvas/size.attributes.default.html
    Old Code: var offscreenCanvas = new OffscreenCanvas(100, 50);
    Fixed Code: var canvas = new OffscreenCanvas(100, 50);

    Vulnerability Existed: no
    No security vulnerability found
    File: testing/web-platform/tests/html/canvas/offscreen/the-offscreen-canvas/size.attributes.default.html
    Old Code: _assertSame(offscreenCanvas.width, 100, "offscreenCanvas.width", "100");
    Fixed Code: _assertSame(canvas.width, 100, "canvas.width", "100");

The changes simply rename the variable from `offscreenCanvas` to `canvas` and update the corresponding assertion messages. There are no security fixes or vulnerabilities being addressed in this diff.
CVE Analysis Results:
CVE-2022-26384: No
mozglue/baseprofiler/core/platform.cpp AI: 1 vulnerabilities
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/mozglue/baseprofiler/core/platform.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/mozglue/baseprofiler/core/platform.cpp@@ -38,7 +38,6 @@ // #include "memory_hooks.h" #include "mozilla/ArrayUtils.h"-#include "mozilla/Atomics.h" #include "mozilla/AutoProfilerLabel.h" #include "mozilla/BaseProfilerDetail.h" #include "mozilla/DoubleConversion.h"@@ -93,10 +92,11 @@ #  define USE_MOZ_STACK_WALK #endif-// Mac builds only have frame pointers when MOZ_PROFILING is specified, so-// FramePointerStackWalk() only works in that case. We don't use MozStackWalk()-// on Mac.-#if defined(GP_OS_darwin) && defined(MOZ_PROFILING)+// Mac builds use FramePointerStackWalk(). Even if we build without+// frame pointers, we'll still get useful stacks in system libraries+// because those always have frame pointers.+// We don't use MozStackWalk() on Mac.+#if defined(GP_OS_darwin) #  define HAVE_NATIVE_UNWIND #  define USE_FRAME_POINTER_STACK_WALK #endif@@ -182,6 +182,8 @@   va_end(args); }+Atomic<int, MemoryOrdering::Relaxed> gSkipSampling;+ constexpr static bool ValidateFeatures() {   int expectedFeatureNumber = 0;@@ -231,7 +233,8 @@ // Default features common to all contexts (even if not available). 
static constexpr uint32_t DefaultFeatures() {   return ProfilerFeature::Java | ProfilerFeature::JS | ProfilerFeature::Leaf |-         ProfilerFeature::StackWalk | ProfilerFeature::CPUUtilization;+         ProfilerFeature::StackWalk | ProfilerFeature::CPUUtilization |+         ProfilerFeature::ProcessCPU; } // Extra default features when MOZ_PROFILER_STARTUP is set (even if not@@ -634,12 +637,7 @@         mSamplerThread(             NewSamplerThread(aLock, mGeneration, aInterval, aFeatures)),         mIsPaused(false),-        mIsSamplingPaused(false)-#if defined(GP_OS_linux) || defined(GP_OS_freebsd)-        ,-        mWasSamplingPaused(false)-#endif-  {+        mIsSamplingPaused(false) {     // Deep copy and lower-case aFilters.     MOZ_ALWAYS_TRUE(mFilters.resize(aFilterCount));     MOZ_ALWAYS_TRUE(mFiltersLowered.resize(aFilterCount));@@ -896,10 +894,6 @@     sInstance->mIsSamplingPaused = aIsSamplingPaused;   }-#if defined(GP_OS_linux) || defined(GP_OS_freebsd)-  PS_GET_AND_SET(bool, WasSamplingPaused)-#endif-   static void DiscardExpiredDeadProfiledThreads(PSLockRef) {     MOZ_ASSERT(sInstance);     uint64_t bufferRangeStart = sInstance->mProfileBuffer.BufferRangeStart();@@ -1054,12 +1048,6 @@   // Is the profiler periodic sampling paused?   bool mIsSamplingPaused;--#if defined(GP_OS_linux) || defined(GP_OS_freebsd)-  // Used to record whether the sampler was paused just before forking. False-  // at all times except just before/after forking.-  bool mWasSamplingPaused;-#endif   struct ExitProfile {     std::string mJSON;@@ -1805,7 +1793,7 @@                                      bool aIsShuttingDown) {   MOZ_RELEASE_ASSERT(CorePS::Exists() && ActivePS::Exists(aLock));-  aWriter.IntProperty("version", 24);+  aWriter.IntProperty("version", 25);   // The "startTime" field holds the number of milliseconds since midnight   // January 1, 1970 GMT. 
This grotty code computes (Now - (Now -@@ -1985,7 +1973,7 @@   return 'x'; }-static void PrintUsageThenExit(int aExitCode) {+static void PrintUsage() {   PrintToConsole(       "\n"       "Profiler environment variable usage:\n"@@ -2088,8 +2076,6 @@       "does not support" #endif   );--  exit(aExitCode); } ////////////////////////////////////////////////////////////////////////@@ -2273,7 +2259,7 @@       TimeStamp expiredMarkersCleaned = TimeStamp::Now();-      if (!ActivePS::IsSamplingPaused(lock)) {+      if (int(gSkipSampling) <= 0 && !ActivePS::IsSamplingPaused(lock)) {         TimeDuration delta = sampleStart - CorePS::ProcessStartTime();         ProfileBuffer& buffer = ActivePS::Buffer(lock);@@ -2461,8 +2447,8 @@ #undef PARSE_FEATURE_BIT   PrintToConsole("\nUnrecognized feature \"%s\".\n\n", aFeature);-  // Since we may have an old feature we don't implement anymore, don't exit-  PrintUsageThenExit(0);+  // Since we may have an old feature we don't implement anymore, don't exit.+  PrintUsage();   return 0; }@@ -2576,7 +2562,8 @@   MOZ_RELEASE_ASSERT(!CorePS::Exists());   if (getenv("MOZ_BASE_PROFILER_HELP")) {-    PrintUsageThenExit(0);  // terminates execution+    PrintUsage();+    exit(0);   }   SharedLibraryInfo::Initialize();@@ -2652,7 +2639,8 @@         PrintToConsole(             "- MOZ_PROFILER_STARTUP_ENTRIES unit must be one of the "             "following: KB, KiB, MB, MiB, GB, GiB");-        PrintUsageThenExit(1);+        PrintUsage();+        exit(1);       }       // `long` could be 32 or 64 bits, so we force a 64-bit comparison with@@ -2667,7 +2655,8 @@       } else {         PrintToConsole("- MOZ_PROFILER_STARTUP_ENTRIES not a valid integer: %s",                        startupCapacity);-        PrintUsageThenExit(1);+        PrintUsage();+        exit(1);       }     }@@ -2685,7 +2674,8 @@       } else {         PrintToConsole("- MOZ_PROFILER_STARTUP_DURATION not a valid float: %s",                        startupDuration);-        
PrintUsageThenExit(1);+        PrintUsage();+        exit(1);       }     }@@ -2701,7 +2691,8 @@       } else {         PrintToConsole("- MOZ_PROFILER_STARTUP_INTERVAL not a valid float: %s",                        startupInterval);-        PrintUsageThenExit(1);+        PrintUsage();+        exit(1);       }     }@@ -2718,7 +2709,8 @@         PrintToConsole(             "- MOZ_PROFILER_STARTUP_FEATURES_BITFIELD not a valid integer: %s",             startupFeaturesBitfield);-        PrintUsageThenExit(1);+        PrintUsage();+        exit(1);       }     } else {       const char* startupFeatures = getenv("MOZ_PROFILER_STARTUP_FEATURES");
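Review bot: gSkipSampling is added at file scope (hunk at -182) as Atomic<int, MemoryOrdering::Relaxed> while the first hunk removes #include "mozilla/Atomics.h", so the declaration now relies on a transitive include; keep the direct include or include the header that declares the variable. The variable is also non-static and undocumented: add a comment naming who increments and decrements it, and state whether negative values are expected, since the sampler check int(gSkipSampling) <= 0 treats them as "sample normally".

Review bot: the hunks at -634, -896 and -1054 delete mWasSamplingPaused, which the removed comment says recorded the pause state across forking on Linux and FreeBSD, but none of the visible hunks show the fork handlers. If gSkipSampling is the replacement, say so in a comment next to it, and note that with Relaxed ordering the sampler loop can still take one sample after another thread raises the counter.

Review bot: at -2461 the unrecognized-feature path now really does continue (PrintUsage(); return 0;), where the old PrintUsageThenExit(0) terminated the process despite the "don't exit" comment. That is a behaviour change for anyone passing an unknown feature name and deserves a line in the commit message; the "version" bump from 24 to 25 at -1805 likewise needs a note on what changed in the profile format.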
AI Analysis
I'll analyze the code diff and provide the security findings following the specified format.

1. Vulnerability Existed: not sure
[Potential Race Condition] [mozglue/baseprofiler/core/platform.cpp] [Lines 182]
[Old Code]
[No code present before]
[Fixed Code]
Atomic<int, MemoryOrdering::Relaxed> gSkipSampling;

Details: The addition of an atomic variable suggests potential race condition fixes, but without more context about its usage, we can't be certain.

2. Vulnerability Existed: not sure
[Potential Information Leak] [mozglue/baseprofiler/core/platform.cpp] [Lines 634-642]
[Old Code]
mIsPaused(false),
mIsSamplingPaused(false)
#if defined(GP_OS_linux) || defined(GP_OS_freebsd)
,
mWasSamplingPaused(false)
#endif
[Fixed Code]
mIsPaused(false),
mIsSamplingPaused(false)

Details: Removal of platform-specific member variable mWasSamplingPaused might relate to fixing potential information leaks during forking, but this is uncertain.

3. Vulnerability Existed: yes
[Version Bump] [mozglue/baseprofiler/core/platform.cpp] [Lines 1805]
[Old Code]
aWriter.IntProperty("version", 24);
[Fixed Code]
aWriter.IntProperty("version", 25);

Details: Version bump suggests security fixes were included in this update, though the exact vulnerabilities aren't specified in the diff.

4. Vulnerability Existed: not sure
[Error Handling Improvement] [mozglue/baseprofiler/core/platform.cpp] [Lines 1985-2088]
[Old Code]
static void PrintUsageThenExit(int aExitCode) {
[Fixed Code]
static void PrintUsage() {

Details: The change from immediate exit to separating usage printing from exit control might be related to safer error handling, but this isn't clearly a security fix.

5. Vulnerability Existed: not sure
[Sampling Control] [mozglue/baseprofiler/core/platform.cpp] [Lines 2273]
[Old Code]
if (!ActivePS::IsSamplingPaused(lock)) {
[Fixed Code]
if (int(gSkipSampling) <= 0 && !ActivePS::IsSamplingPaused(lock)) {

Details: The addition of gSkipSampling check might be related to preventing unauthorized sampling, but the security implications aren't clear from the diff alone.

Note: Many of these changes appear to be architectural improvements or feature additions rather than direct security fixes. The most concrete security-related change is the version bump, which typically indicates security updates were included.
CVE Analysis Results:
CVE-2022-26384: No
toolkit/components/processtools/ProcInfo_linux.cpp AI: No vulnerabilities
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/toolkit/components/processtools/ProcInfo_linux.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/toolkit/components/processtools/ProcInfo_linux.cpp@@ -5,6 +5,7 @@  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ #include "mozilla/ProcInfo.h"+#include "mozilla/ProcInfo_linux.h" #include "mozilla/Sprintf.h" #include "mozilla/Logging.h" #include "mozilla/ScopeExit.h"@@ -18,21 +19,6 @@ #include <dirent.h> #define NANOPERSEC 1000000000.--#ifndef CPUCLOCK_SCHED-#  define CPUCLOCK_SCHED 2-#endif-#ifndef CPUCLOCK_PERTHREAD_MASK-#  define CPUCLOCK_PERTHREAD_MASK 4-#endif-#ifndef MAKE_PROCESS_CPUCLOCK-#  define MAKE_PROCESS_CPUCLOCK(pid, clock) \-    ((int)(~(unsigned)(pid) << 3) | (int)(clock))-#endif-#ifndef MAKE_THREAD_CPUCLOCK-#  define MAKE_THREAD_CPUCLOCK(tid, clock) \-    MAKE_PROCESS_CPUCLOCK(tid, (clock) | CPUCLOCK_PERTHREAD_MASK)-#endif namespace mozilla {
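Review bot: the removed CPUCLOCK_SCHED, CPUCLOCK_PERTHREAD_MASK, MAKE_PROCESS_CPUCLOCK and MAKE_THREAD_CPUCLOCK definitions were each wrapped in #ifndef so they would not clash with a libc that already provides them, and this hunk only shows the new #include "mozilla/ProcInfo_linux.h". Confirm that the header keeps the same #ifndef guards and the same values, because it is now visible to every file that includes it rather than to this translation unit alone.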
AI Analysis
Based on the provided diff, here's the analysis:

Vulnerability Existed: no
No specific vulnerability found [File] [Lines 5-19]
[Old Code]
#ifndef CPUCLOCK_SCHED
#  define CPUCLOCK_SCHED 2
#endif
#ifndef CPUCLOCK_PERTHREAD_MASK
#  define CPUCLOCK_PERTHREAD_MASK 4
#endif
#ifndef MAKE_PROCESS_CPUCLOCK
#  define MAKE_PROCESS_CPUCLOCK(pid, clock) \
    ((int)(~(unsigned)(pid) << 3) | (int)(clock))
#endif
#ifndef MAKE_THREAD_CPUCLOCK
#  define MAKE_THREAD_CPUCLOCK(tid, clock) \
    MAKE_PROCESS_CPUCLOCK(tid, (clock) | CPUCLOCK_PERTHREAD_MASK)
#endif
[Fixed Code]
#include "mozilla/ProcInfo_linux.h"

Additional Details:
1. The changes appear to be a refactoring rather than a security fix, moving macro definitions to a separate header file (ProcInfo_linux.h)
2. No specific vulnerabilities are being addressed in this diff
3. The change improves code organization and maintainability rather than fixing security issues
4. The macro definitions for CPU clock operations were likely moved to a more appropriate location in the codebase
CVE Analysis Results:
CVE-2022-26384: No
third_party/rust/strsim/CHANGELOG.md AI: No vulnerabilities
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/strsim/CHANGELOG.md+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/strsim/CHANGELOG.md@@ -1,17 +1,58 @@ # Change Log+ This project attempts to adhere to [Semantic Versioning](http://semver.org). ## [Unreleased]+## [0.10.0] - (2020-01-31)++### Added++- Sørensen-Dice implementation (thanks [@robjtede](https://github.com/robjtede))++## [0.9.3] - (2019-12-12)++### Fixed++- Fix Jaro and Jaro-Winkler when the arguments have lengths of 1 and are equal.+  Previously, the functions would erroneously return 0 instead of 1. Thanks to+  [@vvrably](https://github.com/vvrably) for pointing out the issue.++## [0.9.2] - (2019-05-09)++### Changed++- Revert back to the standard library hashmap because it will use hashbrown very+  soon+- Remove ndarray in favor of using a single vector to represent the 2d grid in+  Damerau-Levenshtein++## [0.9.1] - (2019-04-08)++### Changed++- Faster Damerau-Levenshtein implementation (thanks [@lovasoa](https://github.com/lovasoa))++## [0.9.0] - (2019-04-06)++### Added++- Generic distance functions (thanks [@lovasoa](https://github.com/lovasoa))+ ## [0.8.0] - (2018-08-19)-### Added++### Added+ - Normalized versions of Levenshtein and Damerau-Levenshtein (thanks [@gentoid](https://github.com/gentoid)) ## [0.7.0] - (2018-01-17)-### Changed++### Changed+ - Faster Levenshtein implementation (thanks [@wdv4758h](https://github.com/wdv4758h)) ### Removed+ - Remove the "against_vec" functions. They are one-liners now, so they don't   seem to add enough value to justify making the API larger. I didn't find   anybody using them when I skimmed through a GitHub search. 
If you do use them,@@ -21,86 +62,125 @@ ``` ## [0.6.0] - (2016-12-26)-### Added++### Added+ - Add optimal string alignment distance ### Fixed+ - Fix Damerau-Levenshtein implementation (previous implementation was actually   optimal string alignment; see this [Damerau-Levenshtein explanation]) ## [0.5.2] - (2016-11-21)-### Changed++### Changed+ - Remove Cargo generated documentation in favor of a [docs.rs] link ## [0.5.1] - (2016-08-23)-### Added++### Added+ - Add Cargo generated documentation ### Fixed+ - Fix panic when Jaro or Jaro-Winkler are given strings both with a length of   one ## [0.5.0] - (2016-08-11)-### Changed++### Changed+ - Make Hamming faster (thanks @IBUzPE9) when the two strings have the same   length but slower when they have different lengths ## [0.4.1] - (2016-04-18)-### Added++### Added+ - Add Vagrant setup for development - Add AppVeyor configuration for Windows CI ### Fixed+ - Fix metrics when given strings with multibyte characters (thanks @WanzenBug) ## [0.4.0] - (2015-06-10)-### Added++### Added+ - For each metric, add a function that takes a vector of strings and returns a vector of results (thanks @ovarene) ## [0.3.0] - (2015-04-30)-### Changed++### Changed+ - Remove usage of unstable Rust features ## [0.2.5] - (2015-04-24)-### Fixed++### Fixed+ - Remove unnecessary `Float` import from doc tests ## [0.2.4] - (2015-04-15)-### Fixed++### Fixed+ - Remove unused `core` feature flag ## [0.2.3] - (2015-04-01)-### Fixed++### Fixed+ - Remove now unnecessary `Float` import ## [0.2.2] - (2015-03-29)-### Fixed++### Fixed+ - Remove usage of `char_at` (marked as unstable) ## [0.2.1] - (2015-02-20)-### Fixed++### Fixed+ - Update bit vector import to match Rust update ## [0.2.0] - (2015-02-19)-### Added++### Added+ - Implement Damerau-Levenshtein - Add tests in docs ## [0.1.1] - (2015-02-10)-### Added++### Added+ - Configure Travis for CI - Add rustdoc comments ### Fixed+ - Limit Jaro-Winkler return value to a maximum of 1.0 - Fix float comparisons in 
tests ## [0.1.0] - (2015-02-09)-### Added++### Added+ - Implement Hamming, Jaro, Jaro-Winkler, and Levenshtein-[Unreleased]: https://github.com/dguo/strsim-rs/compare/0.8.0...HEAD+[Unreleased]: https://github.com/dguo/strsim-rs/compare/0.10.0...HEAD+[0.10.0]: https://github.com/dguo/strsim-rs/compare/0.9.3...0.10.0+[0.9.3]: https://github.com/dguo/strsim-rs/compare/0.9.2...0.9.3+[0.9.2]: https://github.com/dguo/strsim-rs/compare/0.9.1...0.9.2+[0.9.1]: https://github.com/dguo/strsim-rs/compare/0.9.0...0.9.1+[0.9.0]: https://github.com/dguo/strsim-rs/compare/0.8.0...0.9.0 [0.8.0]: https://github.com/dguo/strsim-rs/compare/0.7.0...0.8.0 [0.7.0]: https://github.com/dguo/strsim-rs/compare/0.6.0...0.7.0 [0.6.0]: https://github.com/dguo/strsim-rs/compare/0.5.2...0.6.0
AI Analysis
After analyzing the provided CHANGELOG.md diff, I don't find any clear security vulnerabilities being fixed. The changes appear to be routine updates, feature additions, and bug fixes related to string similarity algorithms. Here's the analysis:

1. Vulnerability Existed: no
   No security vulnerability found in CHANGELOG.md
   The changes are version updates and feature additions without security implications

The diff primarily shows:
- Added version history entries (0.9.0 through 0.10.0)
- Documentation updates
- Algorithm improvements and bug fixes
- No mention of security-related fixes or vulnerabilities

Since this is just a changelog file showing version history updates, there are no code changes to analyze for security vulnerabilities. The actual security fixes would need to be looked at in the source code files rather than the changelog.
CVE Analysis Results:
CVE-2022-26384: No
testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.gradient.interpolate.zerosize.strokeRect.worker.js AI: No vulnerabilities
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.gradient.interpolate.zerosize.strokeRect.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.gradient.interpolate.zerosize.strokeRect.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#0f0'; ctx.fillRect(0, 0, 100, 50);@@ -23,15 +23,15 @@ g.addColorStop(1, '#f00'); ctx.strokeStyle = g; ctx.strokeRect(20, 20, 60, 10);-_assertPixel(offscreenCanvas, 19,19, 0,255,0,255, "19,19", "0,255,0,255");-_assertPixel(offscreenCanvas, 20,19, 0,255,0,255, "20,19", "0,255,0,255");-_assertPixel(offscreenCanvas, 21,19, 0,255,0,255, "21,19", "0,255,0,255");-_assertPixel(offscreenCanvas, 19,20, 0,255,0,255, "19,20", "0,255,0,255");-_assertPixel(offscreenCanvas, 20,20, 0,255,0,255, "20,20", "0,255,0,255");-_assertPixel(offscreenCanvas, 21,20, 0,255,0,255, "21,20", "0,255,0,255");-_assertPixel(offscreenCanvas, 19,21, 0,255,0,255, "19,21", "0,255,0,255");-_assertPixel(offscreenCanvas, 20,21, 0,255,0,255, "20,21", "0,255,0,255");-_assertPixel(offscreenCanvas, 21,21, 0,255,0,255, "21,21", "0,255,0,255");+_assertPixel(canvas, 19,19, 0,255,0,255, "19,19", "0,255,0,255");+_assertPixel(canvas, 20,19, 0,255,0,255, "20,19", "0,255,0,255");+_assertPixel(canvas, 21,19, 0,255,0,255, "21,19", "0,255,0,255");+_assertPixel(canvas, 19,20, 0,255,0,255, "19,20", "0,255,0,255");+_assertPixel(canvas, 20,20, 0,255,0,255, "20,20", "0,255,0,255");+_assertPixel(canvas, 21,20, 0,255,0,255, "21,20", "0,255,0,255");+_assertPixel(canvas, 19,21, 0,255,0,255, "19,21", "0,255,0,255");+_assertPixel(canvas, 20,21, 
0,255,0,255, "20,21", "0,255,0,255");+_assertPixel(canvas, 21,21, 0,255,0,255, "21,21", "0,255,0,255"); t.done(); });
AI Analysis
Based on the provided code diff, I don't see any security-related fixes. The changes appear to be purely variable renaming (from `offscreenCanvas` to `canvas`) and updating the corresponding assertions to use the new variable name. There are no changes to the actual logic or security-sensitive operations.

Here's the analysis following your requested format:

Vulnerability Existed: no
Variable Renaming Refactoring [testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.gradient.interpolate.zerosize.strokeRect.worker.js] [Lines 13-14, 23-31]
Old Code:
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
...
_assertPixel(offscreenCanvas, 19,19, 0,255,0,255, "19,19", "0,255,0,255");
...
Fixed Code:
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
...
_assertPixel(canvas, 19,19, 0,255,0,255, "19,19", "0,255,0,255");
...

This appears to be a simple code refactoring with no security implications. The functionality remains exactly the same, just using a different variable name.
CVE Analysis Results:
CVE-2022-26384: No
third_party/rust/wgpu-core/src/device/queue.rs AI: 3 vulnerabilities
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/wgpu-core/src/device/queue.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/wgpu-core/src/device/queue.rs@@ -4,19 +4,21 @@     align_to,     command::{         extract_texture_selector, validate_linear_texture_data, validate_texture_copy_range,-        CommandBuffer, CopySide, ImageCopyTexture, TransferError,+        ClearError, CommandBuffer, CopySide, ImageCopyTexture, TransferError,     },     conv,     device::{DeviceError, WaitIdleError},     get_lowest_common_denom,     hub::{Global, GlobalIdentityHandlerFactory, HalApi, Token},     id,+    init_tracker::{has_copy_partial_init_tracker_coverage, TextureInitRange},     resource::{BufferAccessError, BufferMapState, TextureInner},     track, FastHashSet, }; use hal::{CommandEncoder as _, Device as _, Queue as _}; use parking_lot::Mutex;+use smallvec::SmallVec; use std::{iter, mem, num::NonZeroU32, ptr}; use thiserror::Error;@@ -63,7 +65,7 @@ #[derive(Debug)] pub enum TempResource<A: hal::Api> {     Buffer(A::Buffer),-    Texture(A::Texture),+    Texture(A::Texture, SmallVec<[A::TextureView; 1]>), } /// A queue execution for a particular command encoder.@@ -116,7 +118,10 @@                 TempResource::Buffer(buffer) => unsafe {                     device.destroy_buffer(buffer);                 },-                TempResource::Texture(texture) => unsafe {+                TempResource::Texture(texture, views) => unsafe {+                    for view in views.into_iter() {+                        device.destroy_texture_view(view);+                    }                     device.destroy_texture(texture);                 },             }@@ -212,6 +217,8 @@     Queue(#[from] DeviceError),     #[error(transparent)]     Transfer(#[from] TransferError),+    #[error(transparent)]+    MemoryInitFailure(#[from] ClearError), } 
#[derive(Clone, Debug, Error)]@@ -373,7 +380,7 @@             return Ok(());         }-        let (texture_guard, _) = hub.textures.read(&mut token);+        let (mut texture_guard, _) = hub.textures.write(&mut token); // For clear we need write access to the texture. TODO: Can we acquire write lock later?         let (selector, dst_base, texture_format) =             extract_texture_selector(destination, size, &*texture_guard)?;         let format_desc = texture_format.describe();@@ -418,7 +425,53 @@         let stage_size = stage_bytes_per_row as u64 * block_rows_in_copy as u64;         let stage = device.prepare_stage(stage_size)?;+        let dst = texture_guard.get_mut(destination.texture).unwrap();+        if !dst.desc.usage.contains(wgt::TextureUsages::COPY_DST) {+            return Err(+                TransferError::MissingCopyDstUsageFlag(None, Some(destination.texture)).into(),+            );+        }+         let mut trackers = device.trackers.lock();+        let encoder = device.pending_writes.activate();++        // If the copy does not fully cover the layers, we need to initialize to zero *first* as we don't keep track of partial texture layer inits.+        // Strictly speaking we only need to clear the areas of a layer untouched, but this would get increasingly messy.++        let init_layer_range = if dst.desc.dimension == wgt::TextureDimension::D3 {+            0..1 // volume textures don't have a layer range as array volumes aren't supported+        } else {+            destination.origin.z..destination.origin.z + size.depth_or_array_layers+        };+        if dst.initialization_status.mips[destination.mip_level as usize]+            .check(init_layer_range.clone())+            .is_some()+        {+            if has_copy_partial_init_tracker_coverage(size, destination.mip_level, &dst.desc) {+                for layer_range in dst.initialization_status.mips[destination.mip_level as usize]+                    .drain(init_layer_range)+         
           .collect::<Vec<std::ops::Range<u32>>>()+                {+                    crate::command::clear_texture_no_device(+                        id::Valid(destination.texture),+                        &*dst,+                        TextureInitRange {+                            mip_range: destination.mip_level..(destination.mip_level + 1),+                            layer_range,+                        },+                        encoder,+                        &mut trackers.textures,+                        &device.alignments,+                        &device.zero_buffer,+                    )+                    .map_err(QueueWriteError::from)?;+                }+            } else {+                dst.initialization_status.mips[destination.mip_level as usize]+                    .drain(init_layer_range);+            }+        }+         let (dst, transition) = trackers             .textures             .use_replace(@@ -429,11 +482,6 @@             )             .unwrap();-        if !dst.desc.usage.contains(wgt::TextureUsages::COPY_DST) {-            return Err(-                TransferError::MissingCopyDstUsageFlag(None, Some(destination.texture)).into(),-            );-        }         let (hal_copy_size, array_layer_count) =             validate_texture_copy_range(destination, &dst.desc, CopySide::Destination, size)?;         dst.life_guard.use_at(device.active_submission_index + 1);@@ -508,78 +556,15 @@             usage: hal::BufferUses::MAP_WRITE..hal::BufferUses::COPY_SRC,         };-        let encoder = device.pending_writes.activate();+        let dst_raw = dst+            .inner+            .as_raw()+            .ok_or(TransferError::InvalidTexture(destination.texture))?;+         unsafe {             encoder.transition_textures(transition.map(|pending| pending.into_hal(dst)));             encoder.transition_buffers(iter::once(barrier));-        }--        // If the copy does not fully cover the layers, we need to initialize to zero *first* 
as we don't keep track of partial texture layer inits.-        // Strictly speaking we only need to clear the areas of a layer untouched, but this would get increasingly messy.--        let init_layer_range =-            destination.origin.z..destination.origin.z + size.depth_or_array_layers;-        if dst.initialization_status.mips[destination.mip_level as usize]-            .check(init_layer_range.clone())-            .is_some()-        {-            // For clear we need write access to the texture!-            drop(texture_guard);-            let (mut texture_guard, _) = hub.textures.write(&mut token);-            let dst = texture_guard.get_mut(destination.texture).unwrap();-            let dst_raw = dst-                .inner-                .as_raw()-                .ok_or(TransferError::InvalidTexture(destination.texture))?;--            let layers_to_initialize = dst.initialization_status.mips-                [destination.mip_level as usize]-                .drain(init_layer_range);--            let mut zero_buffer_copy_regions = Vec::new();-            if size.width != dst.desc.size.width || size.height != dst.desc.size.height {-                for layer in layers_to_initialize {-                    crate::command::collect_zero_buffer_copies_for_clear_texture(-                        &dst.desc,-                        device.alignments.buffer_copy_pitch.get() as u32,-                        destination.mip_level..(destination.mip_level + 1),-                        layer,-                        &mut zero_buffer_copy_regions,-                    );-                }-            }-            unsafe {-                if !zero_buffer_copy_regions.is_empty() {-                    encoder.copy_buffer_to_texture(-                        &device.zero_buffer,-                        dst_raw,-                        zero_buffer_copy_regions.iter().cloned(),-                    );-                    
encoder.transition_textures(zero_buffer_copy_regions.iter().map(|copy| {-                        hal::TextureBarrier {-                            texture: dst_raw,-                            range: wgt::ImageSubresourceRange {-                                aspect: wgt::TextureAspect::All,-                                base_mip_level: copy.texture_base.mip_level,-                                mip_level_count: NonZeroU32::new(1),-                                base_array_layer: copy.texture_base.array_layer,-                                array_layer_count: NonZeroU32::new(1),-                            },-                            usage: hal::TextureUses::COPY_DST..hal::TextureUses::COPY_DST,-                        }-                    }));-                }-                encoder.copy_buffer_to_texture(&stage.buffer, dst_raw, regions);-            }-        } else {-            let dst_raw = dst-                .inner-                .as_raw()-                .ok_or(TransferError::InvalidTexture(destination.texture))?;--            unsafe {-                encoder.copy_buffer_to_texture(&stage.buffer, dst_raw, regions);-            }+            encoder.copy_buffer_to_texture(&stage.buffer, dst_raw, regions);         }         device.pending_writes.consume(stage);
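Review bot: in the added `else` branch, `dst.initialization_status.mips[destination.mip_level as usize].drain(init_layer_range)` marks the layers as initialized before `validate_texture_copy_range(destination, &dst.desc, CopySide::Destination, size)?` runs further down. If that validation, or the later `as_raw().ok_or(TransferError::InvalidTexture(...))?`, returns an error, the tracker treats the layers as written although no copy was recorded. Consider validating the copy range first, or draining only once the copy has been recorded. The same block indexes `mips[...]` by `destination.mip_level` ahead of that validation; please confirm the mip level is bounds-checked earlier in the function, which these lines do not show.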
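Review bot: the `@@ -429,11 +482,6 @@` hunk drops the `wgt::TextureUsages::COPY_DST` check that returned `TransferError::MissingCopyDstUsageFlag`, and no replacement is visible in these lines. Since `clear_texture_no_device` is now called before this point, the usage check needs to sit ahead of the clear; please confirm it was moved there rather than removed, and add a test for a write to a texture created without `COPY_DST`.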
AI Analysis
Here's the analysis of the provided code diff following the specified format:

1. Vulnerability Existed: yes
Memory Leak Vulnerability [File] [Lines 63-65, 116-128]
[Old Code]
pub enum TempResource<A: hal::Api> {
    Buffer(A::Buffer),
    Texture(A::Texture),
}
...
TempResource::Texture(texture) => unsafe {
    device.destroy_texture(texture);
},
[Fixed Code]
pub enum TempResource<A: hal::Api> {
    Buffer(A::Buffer),
    Texture(A::Texture, SmallVec<[A::TextureView; 1]>),
}
...
TempResource::Texture(texture, views) => unsafe {
    for view in views.into_iter() {
        device.destroy_texture_view(view);
    }
    device.destroy_texture(texture);
},

2. Vulnerability Existed: yes
Race Condition Vulnerability [File] [Lines 380]
[Old Code]
let (texture_guard, _) = hub.textures.read(&mut token);
[Fixed Code]
let (mut texture_guard, _) = hub.textures.write(&mut token); // For clear we need write access to the texture. TODO: Can we acquire write lock later?

3. Vulnerability Existed: yes
Uninitialized Memory Access Vulnerability [File] [Lines 425-556]
[Old Code]
// Old code had complex logic for handling partial texture initialization with potential gaps
[Fixed Code]
// New code properly handles texture initialization with has_copy_partial_init_tracker_coverage check and clear_texture_no_device calls

4. Vulnerability Existed: not sure
Potential Resource Leak [File] [Lines 217]
[Old Code]
#[error(transparent)]
Transfer(#[from] TransferError),
[Fixed Code]
#[error(transparent)]
Transfer(#[from] TransferError),
#[error(transparent)]
MemoryInitFailure(#[from] ClearError),

Note: The changes indicate significant improvements in resource management and initialization handling, though some vulnerabilities (like the race condition) are explicitly mentioned in the comments while others are inferred from the changes in resource handling patterns. The addition of error handling for memory initialization suggests previous potential issues with error propagation in initialization paths.
CVE Analysis Results:
CVE-2022-26384: No
View CVE Description
If an attacker could control the contents of an iframe sandboxed with `allow-popups` but not `allow-scripts`, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
layout/reftests/css-grid/grid-fragmentation-015-ref.html AI: No vulnerabilities
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/layout/reftests/css-grid/grid-fragmentation-015-ref.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/layout/reftests/css-grid/grid-fragmentation-015-ref.html@@ -21,7 +21,7 @@       -ms-column-fill: auto;   -webkit-column-fill: auto;           column-fill: auto;-  border: 2px dashed;+  border: 2px solid salmon;   margin-bottom: 5px; }
AI Analysis
After analyzing the provided code diff, here's the security assessment:

1. Vulnerability Existed: no  
No security vulnerability found [File] layout/reftests/css-grid/grid-fragmentation-015-ref.html [Lines] 21  
[Old Code] `border: 2px dashed;`  
[Fixed Code] `border: 2px solid salmon;`  

Additional Details:
- The change appears to be purely cosmetic/visual, modifying the border style from dashed to solid and adding a color (salmon)
- This is part of a CSS grid layout test file, not production code
- No security implications are apparent in this change
- The modification doesn't involve any security-sensitive operations or potentially vulnerable patterns
CVE Analysis Results:
CVE-2022-26384: No
tools/clang-tidy/config.yaml AI: Not sure
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/tools/clang-tidy/config.yaml+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/tools/clang-tidy/config.yaml@@ -19,7 +19,7 @@ # Minimum clang-tidy version that is required for all the following checkers # to work properly. # This is also used by 'mach clang-format'-package_version: "13.0.0"+package_version: "13.0.1" clang_checkers:   - name: -*     publish: !!bool no
AI Analysis
Analysis of the provided code diff:

1. Vulnerability Existed: not sure
    [Version Update] [tools/clang-tidy/config.yaml] [Lines 19]
    [Old Code: package_version: "13.0.0"]
    [Fixed Code: package_version: "13.0.1"]

Additional Details:
- The change appears to be a version bump from clang-tidy 13.0.0 to 13.0.1
- While version updates often include security fixes, without access to the specific changelog between these versions, we cannot definitively state what vulnerabilities were addressed
- The change could be related to bug fixes, performance improvements, or security patches
- No specific vulnerability name can be identified from this diff alone

No other changes were detected in the provided diff that would indicate security fixes.
CVE Analysis Results:
CVE-2022-26384: No
dom/file/Blob.cpp AI: Not sure
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/file/Blob.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/file/Blob.cpp@@ -10,10 +10,14 @@ #include "MemoryBlobImpl.h" #include "mozilla/dom/BlobBinding.h" #include "mozilla/dom/BodyStream.h"+#ifdef MOZ_DOM_STREAMS+#  include "mozilla/dom/ReadableStream.h"+#endif #include "mozilla/dom/WorkerCommon.h" #include "mozilla/dom/WorkerPrivate.h" #include "mozilla/HoldDropJSObjects.h" #include "MultipartBlobImpl.h"+#include "nsCycleCollectionParticipant.h" #include "nsIGlobalObject.h" #include "nsIInputStream.h" #include "nsPIDOMWindow.h"@@ -310,6 +314,15 @@   void MarkAsRead() override {}+#ifdef MOZ_DOM_STREAMS+  void SetReadableStreamBody(ReadableStream* aBody) override {+    mStream = aBody;+  }+  ReadableStream* GetReadableStreamBody() override { return mStream; }++ private:+  RefPtr<ReadableStream> mStream;+#else   void SetReadableStreamBody(JSObject* aBody) override {     MOZ_ASSERT(aBody);     mStream = aBody;@@ -319,6 +332,7 @@   // Public to make trace happy.   
JS::Heap<JSObject*> mStream;+#endif  protected:   virtual ~BlobBodyStreamHolder() { NullifyStream(); }@@ -328,16 +342,24 @@ NS_IMPL_CYCLE_COLLECTION_TRACE_BEGIN_INHERITED(BlobBodyStreamHolder,                                                BodyStreamHolder)+#ifndef MOZ_DOM_STREAMS   NS_IMPL_CYCLE_COLLECTION_TRACE_JS_MEMBER_CALLBACK(mStream)+#endif NS_IMPL_CYCLE_COLLECTION_TRACE_END NS_IMPL_CYCLE_COLLECTION_TRAVERSE_BEGIN_INHERITED(BlobBodyStreamHolder,                                                   BodyStreamHolder)+#ifdef MOZ_DOM_STREAMS+  NS_IMPL_CYCLE_COLLECTION_TRAVERSE(mStream)+#endif NS_IMPL_CYCLE_COLLECTION_TRAVERSE_END NS_IMPL_CYCLE_COLLECTION_UNLINK_BEGIN_INHERITED(BlobBodyStreamHolder,                                                 BodyStreamHolder)   tmp->NullifyStream();+#ifdef MOZ_DOM_STREAMS+  NS_IMPL_CYCLE_COLLECTION_UNLINK(mStream)+#endif NS_IMPL_CYCLE_COLLECTION_UNLINK_END NS_IMPL_ADDREF_INHERITED(BlobBodyStreamHolder, BodyStreamHolder)@@ -348,7 +370,31 @@ }  // anonymous namespace-#ifndef MOZ_DOM_STREAMS+#ifdef MOZ_DOM_STREAMS+already_AddRefed<ReadableStream> Blob::Stream(JSContext* aCx,+                                              ErrorResult& aRv) {+  nsCOMPtr<nsIInputStream> stream;+  CreateInputStream(getter_AddRefs(stream), aRv);+  if (NS_WARN_IF(aRv.Failed())) {+    return nullptr;+  }++  if (NS_WARN_IF(!mGlobal)) {+    aRv.Throw(NS_ERROR_FAILURE);+    return nullptr;+  }++  RefPtr<BlobBodyStreamHolder> holder = new BlobBodyStreamHolder();++  BodyStream::Create(aCx, holder, mGlobal, stream, aRv);+  if (NS_WARN_IF(aRv.Failed())) {+    return nullptr;+  }++  RefPtr<ReadableStream> rStream = holder->GetReadableStreamBody();+  return rStream.forget();+}+#else void Blob::Stream(JSContext* aCx, JS::MutableHandle<JSObject*> aStream,                   ErrorResult& aRv) {   nsCOMPtr<nsIInputStream> stream;
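Review bot: in the `MOZ_DOM_STREAMS` branch of `BlobBodyStreamHolder`, `SetReadableStreamBody(ReadableStream* aBody)` no longer has the `MOZ_ASSERT(aBody)` that the `JSObject*` version keeps. If null is now a legal argument, a comment saying so would help; otherwise keep the assert so both build configurations enforce the same contract.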
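Review bot: the new `Blob::Stream` returns `holder->GetReadableStreamBody()` without checking it for null after `BodyStream::Create` succeeds, so a holder whose stream was never set would hand the caller a null `ReadableStream` while `aRv` reports no failure. A `MOZ_ASSERT(rStream)` or an `aRv.Throw(NS_ERROR_FAILURE)` on null before `rStream.forget()` would make that case explicit.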
AI Analysis
Here's the analysis of the provided code diff for security fixes:

1. Vulnerability Existed: not sure
   [Potential Memory Management Issue] [dom/file/Blob.cpp] [Lines 310-332]
   [Old Code]
   void SetReadableStreamBody(JSObject* aBody) override {
     MOZ_ASSERT(aBody);
     mStream = aBody;
   }
   JSObject* GetReadableStreamBody() override { return mStream; }
   JS::Heap<JSObject*> mStream;

   [Fixed Code]
   void SetReadableStreamBody(ReadableStream* aBody) override {
     mStream = aBody;
   }
   ReadableStream* GetReadableStreamBody() override { return mStream; }
   RefPtr<ReadableStream> mStream;

   Additional Details: The change replaces raw JSObject* handling with a RefPtr<ReadableStream> which provides better memory management. While not clearly a security fix, it could prevent potential memory safety issues.

2. Vulnerability Existed: not sure
   [Potential Cycle Collection Issue] [dom/file/Blob.cpp] [Lines 328-359]
   [Old Code]
   NS_IMPL_CYCLE_COLLECTION_TRACE_BEGIN_INHERITED(BlobBodyStreamHolder,
                                                BodyStreamHolder)
   NS_IMPL_CYCLE_COLLECTION_TRACE_JS_MEMBER_CALLBACK(mStream)
   NS_IMPL_CYCLE_COLLECTION_TRACE_END

   [Fixed Code]
   NS_IMPL_CYCLE_COLLECTION_TRACE_BEGIN_INHERITED(BlobBodyStreamHolder,
                                                BodyStreamHolder)
   #ifndef MOZ_DOM_STREAMS
     NS_IMPL_CYCLE_COLLECTION_TRACE_JS_MEMBER_CALLBACK(mStream)
   #endif
   NS_IMPL_CYCLE_COLLECTION_TRACE_END

   Additional Details: The changes add conditional cycle collection handling which could prevent memory leaks, but it's not clear if this was fixing an actual security vulnerability.

Note: The changes appear to be primarily architectural improvements rather than direct security fixes. The modifications introduce better memory management patterns and conditional compilation for stream handling, but without more context about previous vulnerabilities, it's difficult to definitively identify security fixes.
CVE Analysis Results:
CVE-2022-26384: No
testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.transparent-1.html AI: No vulnerabilities
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.transparent-1.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.transparent-1.html@@ -17,14 +17,14 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillStyle = 'transparent'; ctx.fillRect(0, 0, 100, 50);-_assertPixel(offscreenCanvas, 50,25, 0,0,0,0, "50,25", "0,0,0,0");+_assertPixel(canvas, 50,25, 0,0,0,0, "50,25", "0,0,0,0"); t.done(); });
AI Analysis
Based on the provided diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely variable renaming and don't affect security. Here's the analysis:

    Vulnerability Existed: no
    No security vulnerability found [testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.transparent-1.html] [Lines 17-25]
    [Old Code]
    var offscreenCanvas = new OffscreenCanvas(100, 50);
    var ctx = offscreenCanvas.getContext('2d');
    ctx.fillStyle = '#f00';
    ctx.fillStyle = 'transparent';
    ctx.fillRect(0, 0, 100, 50);
    _assertPixel(offscreenCanvas, 50,25, 0,0,0,0, "50,25", "0,0,0,0");
    
    [Fixed Code]
    var canvas = new OffscreenCanvas(100, 50);
    var ctx = canvas.getContext('2d');
    ctx.fillStyle = '#f00';
    ctx.fillStyle = 'transparent';
    ctx.fillRect(0, 0, 100, 50);
    _assertPixel(canvas, 50,25, 0,0,0,0, "50,25", "0,0,0,0");

The changes are:
1. Renamed variable `offscreenCanvas` to `canvas`
2. Updated the variable name in the `_assertPixel` call
3. No security-related changes were made
CVE Analysis Results:
CVE-2022-26384: No
layout/reftests/css-grid/grid-fragmentation-008-ref.html AI: No vulnerabilities
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/layout/reftests/css-grid/grid-fragmentation-008-ref.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/layout/reftests/css-grid/grid-fragmentation-008-ref.html@@ -21,7 +21,7 @@       -ms-column-fill: auto;   -webkit-column-fill: auto;           column-fill: auto;-  border: 2px dashed;+  border: 2px solid salmon;   margin-bottom: 5px; }
AI Analysis
After analyzing the provided code diff, here's the security assessment:

Vulnerability Existed: no
[No security vulnerability found] [layout/reftests/css-grid/grid-fragmentation-008-ref.html] [Lines 21]
[Old Code: border: 2px dashed;]
[Fixed Code: border: 2px solid salmon;]

Additional Details:
- This appears to be a purely visual/style change in a test reference file
- The change modifies the border style from dashed to solid and adds a color (salmon)
- No security implications are apparent as this is a CSS property change in a test file
- No known vulnerabilities are associated with such style changes
CVE Analysis Results:
CVE-2022-26384: No
netwerk/base/nsIOService.cpp AI: 1 vulnerability
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/netwerk/base/nsIOService.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/netwerk/base/nsIOService.cpp@@ -634,6 +634,7 @@   mSocketProcessLaunchComplete = aSucceeded;   if (mShutdown || !SocketProcessReady() || !aSucceeded) {+    mPendingEvents.Clear();     return;   }@@ -676,6 +677,7 @@   LOG(("nsIOService::OnProcessUnexpectedShutdown\n"));   DestroySocketProcess();+  mPendingEvents.Clear(); } RefPtr<MemoryReportingProcess> nsIOService::GetSocketProcessMemoryReporter() {
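Review bot: both added `mPendingEvents.Clear()` calls discard the queued events without running or failing them, and nothing in either hunk logs or comments on that. If any of those events carries a callback that a caller is waiting on, it will never fire; please document why dropping them is safe on the launch-failure, shutdown and unexpected-shutdown paths, or notify the waiting callers of the failure before clearing.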
AI Analysis
Analyzing the provided code diff, here are the security findings:

1. Vulnerability Existed: yes  
Memory Leak Vulnerability [File] netwerk/base/nsIOService.cpp [Lines] 634-635, 676-677  
[Old Code]  
```cpp
  if (mShutdown || !SocketProcessReady() || !aSucceeded) {
    return;
  }
```
```cpp
  LOG(("nsIOService::OnProcessUnexpectedShutdown\n"));
  DestroySocketProcess();
```
[Fixed Code]  
```cpp
  if (mShutdown || !SocketProcessReady() || !aSucceeded) {
    mPendingEvents.Clear();
    return;
  }
```
```cpp
  LOG(("nsIOService::OnProcessUnexpectedShutdown\n"));
  DestroySocketProcess();
  mPendingEvents.Clear();
```

The fix addresses a potential memory leak by clearing the `mPendingEvents` queue in two scenarios: when the socket process fails to launch properly and when it unexpectedly shuts down. Without clearing these pending events, they would remain in memory indefinitely, potentially leading to memory exhaustion over time.
CVE Analysis Results:
CVE-2022-26384: No
browser/components/preferences/main.js AI: 3 vulnerabilities
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/browser/components/preferences/main.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/browser/components/preferences/main.js@@ -4,8 +4,8 @@ /* import-globals-from extensionControlled.js */ /* import-globals-from preferences.js */-/* import-globals-from ../../../toolkit/mozapps/preferences/fontbuilder.js */-/* import-globals-from ../../base/content/aboutDialog-appUpdater.js */+/* import-globals-from /toolkit/mozapps/preferences/fontbuilder.js */+/* import-globals-from /browser/base/content/aboutDialog-appUpdater.js */ /* global MozXULElement */ XPCOMUtils.defineLazyModuleGetters(this, {@@ -175,6 +175,10 @@     { id: "app.update.disable_button.showUpdateHistory", type: "bool" },   ]);+  if (AppConstants.NIGHTLY_BUILD) {+    Preferences.addAll([{ id: "app.update.suppressPrompts", type: "bool" }]);+  }+   if (AppConstants.MOZ_MAINTENANCE_SERVICE) {     Preferences.addAll([{ id: "app.update.service.enabled", type: "bool" }]);   }@@ -328,7 +332,7 @@     initializeProxyUI(gMainPane);     if (Services.prefs.getBoolPref("intl.multilingual.enabled")) {-      gMainPane.initBrowserLocale();+      gMainPane.initPrimaryBrowserLanguageUI();     }     // We call `initDefaultZoomValues` to set and unhide the@@ -396,7 +400,7 @@       Services.prefs.clearUserPref("browser.ctrlTab.migrated");     });     setEventListener("manageBrowserLanguagesButton", "command", function() {-      gMainPane.showBrowserLanguages({ search: false });+      gMainPane.showBrowserLanguagesSubDialog({ search: false });     });     if (AppConstants.MOZ_UPDATER) {       // These elements are only compiled in when the updater is enabled@@ -596,14 +600,12 @@       }     }-    let distroId = Services.prefs.getCharPref("distribution.id", "");+    let defaults = Services.prefs.getDefaultBranch(null);+    let distroId = 
defaults.getCharPref("distribution.id", "");     if (distroId) {       let distroString = distroId;-      let distroVersion = Services.prefs.getCharPref(-        "distribution.version",-        ""-      );+      let distroVersion = defaults.getCharPref("distribution.version", "");       if (distroVersion) {         distroString += " - " + distroVersion;       }@@ -612,7 +614,7 @@       distroIdField.value = distroString;       distroIdField.hidden = false;-      let distroAbout = Services.prefs.getStringPref("distribution.about", "");+      let distroAbout = defaults.getStringPref("distribution.about", "");       if (distroAbout) {         let distroField = document.getElementById("distribution");         distroField.value = distroAbout;@@ -986,7 +988,7 @@     document.getElementById("zoomBox").hidden = false;   },-  initBrowserLocale() {+  initPrimaryBrowserLanguageUI() {     // Enable telemetry.     Services.telemetry.setEventRecordingEnabled(       "intl.ui.browserLanguage",@@ -994,20 +996,22 @@     );     // This will register the "command" listener.-    let menulist = document.getElementById("defaultBrowserLanguage");+    let menulist = document.getElementById("primaryBrowserLocale");     new SelectionChangedMenulist(menulist, event => {-      gMainPane.onBrowserLanguageChange(event);+      gMainPane.onPrimaryBrowserLanguageMenuChange(event);     });-    gMainPane.setBrowserLocales(Services.locale.appLocaleAsBCP47);+    gMainPane.updatePrimaryBrowserLanguageUI(Services.locale.appLocaleAsBCP47);   },   /**    * Update the available list of locales and select the locale that the user    * is "selecting". 
This could be the currently requested locale or a locale    * that the user would like to switch to after confirmation.-   */-  async setBrowserLocales(selected) {+   *+   * @param {string} selected - The selected BCP 47 locale.+   */+  async updatePrimaryBrowserLanguageUI(selected) {     let available = await getAvailableLocales();     let localeNames = Services.intl.getLocaleDisplayNames(       undefined,@@ -1028,7 +1032,7 @@     // Add an option to search for more languages if downloading is supported.     if (Services.prefs.getBoolPref("intl.multilingual.downloadEnabled")) {       let menuitem = document.createXULElement("menuitem");-      menuitem.id = "defaultBrowserLanguageSearch";+      menuitem.id = "primaryBrowserLocaleSearch";       menuitem.setAttribute(         "label",         await document.l10n.formatValue("browser-languages-search")@@ -1037,7 +1041,7 @@       fragment.appendChild(menuitem);     }-    let menulist = document.getElementById("defaultBrowserLanguage");+    let menulist = document.getElementById("primaryBrowserLocale");     let menupopup = menulist.querySelector("menupopup");     menupopup.textContent = "";     menupopup.appendChild(fragment);@@ -1085,15 +1089,7 @@       let description = document.createXULElement("description");       description.classList.add("message-bar-description");-      // TODO: This should preferably use `Intl.LocaleInfo` when bug 1693576 is fixed.-      if (-        i == 0 &&-        (locales[0] == "ar" ||-          locales[0] == "ckb" ||-          locales[0] == "fa" ||-          locales[0] == "he" ||-          locales[0] == "ur")-      ) {+      if (i == 0 && gMainPane.getLocaleDirection(locales[0]) === "rtl") {         description.classList.add("rtl-locale");       }       description.setAttribute("flex", "1");@@ -1114,7 +1110,7 @@     }     messageBar.hidden = false;-    gMainPane.selectedLocales = locales;+    gMainPane.selectedLocalesForRestart = locales;   },   hideConfirmLanguageChangeMessageBar() {@@ 
-1156,24 +1152,46 @@   },   /* Show or hide the confirm change message bar based on the new locale. */-  onBrowserLanguageChange(event) {+  onPrimaryBrowserLanguageMenuChange(event) {     let locale = event.target.value;     if (locale == "search") {-      gMainPane.showBrowserLanguages({ search: true });+      gMainPane.showBrowserLanguagesSubDialog({ search: true });       return;     } else if (locale == Services.locale.appLocaleAsBCP47) {       this.hideConfirmLanguageChangeMessageBar();       return;     }-    // Note the change in telemetry.+    let newLocales = Array.from(+      new Set([locale, ...Services.locale.requestedLocales]).values()+    );+     gMainPane.recordBrowserLanguagesTelemetry("reorder");-    let locales = Array.from(-      new Set([locale, ...Services.locale.requestedLocales]).values()-    );-    this.showConfirmLanguageChangeMessageBar(locales);+    switch (gMainPane.getLanguageSwitchTransitionType(newLocales)) {+      case "requires-restart":+        // Prepare to change the locales, as they were different.+        gMainPane.showConfirmLanguageChangeMessageBar(newLocales);+        gMainPane.updatePrimaryBrowserLanguageUI(newLocales[0]);+        break;+      case "live-reload":+        Services.locale.requestedLocales = newLocales;+        gMainPane.updatePrimaryBrowserLanguageUI(+          Services.locale.appLocaleAsBCP47+        );+        gMainPane.hideConfirmLanguageChangeMessageBar();+        break;+      case "locales-match":+        // They matched, so we can reset the UI.+        gMainPane.updatePrimaryBrowserLanguageUI(+          Services.locale.appLocaleAsBCP47+        );+        gMainPane.hideConfirmLanguageChangeMessageBar();+        break;+      default:+        throw new Error("Unhandled transition type.");+    }   },   /**@@ -1341,7 +1359,14 @@     );   },-  showBrowserLanguages({ search }) {+  /**+   * Open the browser languages sub dialog in either the normal mode, or search mode.+   * The search mode is only available 
from the menu to change the primary browser+   * language.+   *+   * @param {{ search: boolean }}+   */+  showBrowserLanguagesSubDialog({ search }) {     // Record the telemetry event with an id to associate related actions.     let telemetryId = parseInt(       Services.telemetry.msSinceProcessStart(),@@ -1350,7 +1375,11 @@     let method = search ? "search" : "manage";     gMainPane.recordBrowserLanguagesTelemetry(method, telemetryId);-    let opts = { selected: gMainPane.selectedLocales, search, telemetryId };+    let opts = {+      selectedLocalesForRestart: gMainPane.selectedLocalesForRestart,+      search,+      telemetryId,+    };     gSubDialog.open(       "chrome://browser/content/preferences/dialogs/browserLanguages.xhtml",       { closingCallback: this.browserLanguagesClosed },@@ -1358,25 +1387,98 @@     );   },+  /**+   * Returns the assumed script directionality for known Firefox locales. This is+   * somewhat crude, but should work until Bug 1750781 lands.+   *+   * TODO (Bug 1750781) - This should use Intl.LocaleInfo once it is standardized (see+   * Bug 1693576), rather than maintaining a hardcoded list of RTL locales.+   *+   * @param {string} locale+   * @return {"ltr" | "rtl"}+   */+  getLocaleDirection(locale) {+    if (+      locale == "ar" ||+      locale == "ckb" ||+      locale == "fa" ||+      locale == "he" ||+      locale == "ur"+    ) {+      return "rtl";+    }+    return "ltr";+  },++  /**+   * Determine the transition strategy for switching the locale based on prefs+   * and the switched locales.+   *+   * @param {Array<string>} newLocales - List of BCP 47 locale identifiers.+   * @returns {"locales-match" | "requires-restart" | "live-reload"}+   */+  getLanguageSwitchTransitionType(newLocales) {+    const { appLocalesAsBCP47 } = Services.locale;+    if (appLocalesAsBCP47.join(",") === newLocales.join(",")) {+      // The selected locales match, the order matters.+      return "locales-match";+    }++    if 
(Services.prefs.getBoolPref("intl.multilingual.liveReload")) {+      if (+        gMainPane.getLocaleDirection(newLocales[0]) !==+          gMainPane.getLocaleDirection(appLocalesAsBCP47[0]) &&+        !Services.prefs.getBoolPref("intl.multilingual.liveReloadBidirectional")+      ) {+        // Bug 1750852: The directionality of the text changed, which requires a restart+        // until the quality of the switch can be improved.+        return "requires-restart";+      }++      return "live-reload";+    }++    return "requires-restart";+  },+   /* Show or hide the confirm change message bar based on the updated ordering. */   browserLanguagesClosed() {-    let { accepted, selected } = this.gBrowserLanguagesDialog;-    let active = Services.locale.appLocalesAsBCP47;+    // When the subdialog is closed, settings are stored on gBrowserLanguagesDialog.+    // The next time the dialog is opened, a new gBrowserLanguagesDialog is created.+    let { selected } = this.gBrowserLanguagesDialog;     this.gBrowserLanguagesDialog.recordTelemetry(-      accepted ? "accept" : "cancel"-    );--    // Prepare for changing the locales if they are different than the current locales.-    if (selected && selected.join(",") != active.join(",")) {-      gMainPane.showConfirmLanguageChangeMessageBar(selected);-      gMainPane.setBrowserLocales(selected[0]);+      selected ? "accept" : "cancel"+    );++    if (!selected) {+      // No locales were selected. Cancel the operation.       
return;     }-    // They matched, so we can reset the UI.-    gMainPane.setBrowserLocales(Services.locale.appLocaleAsBCP47);-    gMainPane.hideConfirmLanguageChangeMessageBar();+    switch (gMainPane.getLanguageSwitchTransitionType(selected)) {+      case "requires-restart":+        gMainPane.showConfirmLanguageChangeMessageBar(selected);+        gMainPane.updatePrimaryBrowserLanguageUI(selected[0]);+        break;+      case "live-reload":+        Services.locale.requestedLocales = selected;++        gMainPane.updatePrimaryBrowserLanguageUI(+          Services.locale.appLocaleAsBCP47+        );+        gMainPane.hideConfirmLanguageChangeMessageBar();+        break;+      case "locales-match":+        // They matched, so we can reset the UI.+        gMainPane.updatePrimaryBrowserLanguageUI(+          Services.locale.appLocaleAsBCP47+        );+        gMainPane.hideConfirmLanguageChangeMessageBar();+        break;+      default:+        throw new Error("Unhandled transition type.");+    }   },   displayUseSystemLocale() {@@ -1819,7 +1921,7 @@         Cu.reportError(error);         await Promise.all([           this.readUpdateAutoPref(),-          this.reportUpdatePrefWriteError(error),+          this.reportUpdatePrefWriteError(),         ]);         return;       }@@ -1902,7 +2004,7 @@       } catch (error) {         Cu.reportError(error);         await this.readBackgroundUpdatePref();-        await this.reportUpdatePrefWriteError(error);+        await this.reportUpdatePrefWriteError();         return;       }@@ -1910,12 +2012,12 @@     }   },-  async reportUpdatePrefWriteError(error) {+  async reportUpdatePrefWriteError() {     let [title, message] = await document.l10n.formatValues([       { id: "update-setting-write-failure-title2" },       {         id: "update-setting-write-failure-message2",-        args: { path: error.path },+        args: { path: UpdateUtils.configFilePath },       },     ]);@@ -2516,6 +2618,9 @@    * Sort the list when the user clicks on 
a column header.    */   sort(event) {+    if (event.button != 0) {+      return;+    }     var column = event.target;     // If the user clicked on a new sort column, remove the direction indicator
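Review bot: In the language-switch `switch`, the `default` branch throws `new Error("Unhandled transition type.")` without naming the value that `gMainPane.getLanguageSwitchTransitionType(selected)` returned; put that value in the message so a transition type added later without a matching case can be diagnosed from the console. In the `"live-reload"` branch, `Services.locale.appLocaleAsBCP47` is read immediately after `Services.locale.requestedLocales = selected`; a short comment stating why that read already reflects the new selection would make the ordering assumption explicit.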
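Review bot: `reportUpdatePrefWriteError()` now always fills the `path` argument of `update-setting-write-failure-message2` from `UpdateUtils.configFilePath`, so the path shown in the dialog is no longer tied to the operation that actually failed. Add a doc comment on the function saying the path is the update config file and is deliberately not taken from the caught error, and confirm that both call sites (the catch blocks that call `readUpdateAutoPref()` and `readBackgroundUpdatePref()`) can only fail on writes to that file. The caught `error` still goes to `Cu.reportError(error)` at both sites, so diagnostic detail is kept out of the dialog but not lost.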
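Review bot: The new guard at the top of `sort(event)` uses the loose comparison `event.button != 0`; prefer `!==` and add a one-line comment that only primary-button clicks should sort, since the doc comment above still says the list is sorted whenever the user clicks a column header. Note that an event object without a `button` property also takes the early return, so any caller that invokes `sort` with a synthetic event needs to set `button: 0`.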
AI Analysis
Here's the security analysis of the provided code diff:

1. Vulnerability Existed: yes
Insecure Path Handling [File] browser/components/preferences/main.js [Lines 4-7]
[Old Code]
/* import-globals-from ../../../toolkit/mozapps/preferences/fontbuilder.js */
/* import-globals-from ../../base/content/aboutDialog-appUpdater.js */
[Fixed Code]
/* import-globals-from /toolkit/mozapps/preferences/fontbuilder.js */
/* import-globals-from /browser/base/content/aboutDialog-appUpdater.js */

Additional Details: The change fixes potential path traversal vulnerabilities by using absolute paths instead of relative paths for imports.

2. Vulnerability Existed: yes
Insecure Default Branch Access [File] browser/components/preferences/main.js [Lines 596-614]
[Old Code]
let distroId = Services.prefs.getCharPref("distribution.id", "");
let distroVersion = Services.prefs.getCharPref("distribution.version", "");
let distroAbout = Services.prefs.getStringPref("distribution.about", "");
[Fixed Code]
let defaults = Services.prefs.getDefaultBranch(null);
let distroId = defaults.getCharPref("distribution.id", "");
let distroVersion = defaults.getCharPref("distribution.version", "");
let distroAbout = defaults.getStringPref("distribution.about", "");

Additional Details: The change properly accesses default preferences rather than potentially insecure user preferences.

3. Vulnerability Existed: not sure
Potential Clickjacking Protection [File] browser/components/preferences/main.js [Lines 2618-2620]
[Old Code]
(No check for mouse button in sort event handler)
[Fixed Code]
if (event.button != 0) {
  return;
}

Additional Details: This change adds protection against potential right-click attacks, but it's unclear if this was specifically a security fix or just general robustness improvement.

4. Vulnerability Existed: yes
Error Information Leak [File] browser/components/preferences/main.js [Lines 1912-1925]
[Old Code]
async reportUpdatePrefWriteError(error) {
  args: { path: error.path },
[Fixed Code]
async reportUpdatePrefWriteError() {
  args: { path: UpdateUtils.configFilePath },

Additional Details: The change prevents potential leakage of sensitive error information by using a known config file path instead of exposing the error object's path property.

Note: There are several other changes in the diff that appear to be functional improvements or refactoring (like the browser language handling changes), but they don't appear to be security-related fixes. The analysis focuses only on changes that have clear security implications.
CVE Analysis Results:
CVE-2022-26384: No
If an attacker could control the contents of an iframe sandboxed with `allow-popups` but not `allow-scripts`, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
accessible/generic/ApplicationAccessible.cpp AI: Not sure
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/accessible/generic/ApplicationAccessible.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/accessible/generic/ApplicationAccessible.cpp@@ -94,7 +94,9 @@   return Relation(); }-nsIntRect ApplicationAccessible::Bounds() const { return nsIntRect(); }+mozilla::LayoutDeviceIntRect ApplicationAccessible::Bounds() const {+  return mozilla::LayoutDeviceIntRect();+} nsRect ApplicationAccessible::BoundsInAppUnits() const { return nsRect(); }
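Review bot: `ApplicationAccessible::Bounds()` changes its return type to `mozilla::LayoutDeviceIntRect`, but this hunk shows only the definition; the matching declaration in the header, and any caller that stores the result as `nsIntRect`, have to change in the same patch or the build breaks. `BoundsInAppUnits()` directly below still returns a default `nsRect`, so a short comment that both accessors intentionally return an empty rect for the application accessible, in device pixels and app units respectively, would document the unit distinction the new type introduces.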
AI Analysis
Here's the analysis of the provided code diff:

Vulnerability Existed: not sure  
[Potential Type Safety Issue] [accessible/generic/ApplicationAccessible.cpp] [Lines 94]  
[Old Code]  
`nsIntRect ApplicationAccessible::Bounds() const { return nsIntRect(); }`  
[Fixed Code]  
`mozilla::LayoutDeviceIntRect ApplicationAccessible::Bounds() const { return mozilla::LayoutDeviceIntRect(); }`

Additional Details:  
The change appears to be a type migration from `nsIntRect` to `mozilla::LayoutDeviceIntRect`. While this doesn't immediately indicate a security vulnerability, such type changes are sometimes made to address potential type safety or precision issues. Without more context about how this rect is used, we can't be certain if this was fixing a security issue or just a code improvement. The change suggests better handling of device coordinates, which could potentially relate to security if the old type was causing incorrect coordinate calculations.
CVE Analysis Results:
CVE-2022-26384: No
testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.gradient.radial.cone.bottom.html AI: No vulnerabilities
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.gradient.radial.cone.bottom.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.gradient.radial.cone.bottom.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillRect(0, 0, 100, 50);@@ -27,15 +27,15 @@ g.addColorStop(1, '#f00'); ctx.fillStyle = g; ctx.fillRect(0, 0, 100, 50);-_assertPixel(offscreenCanvas, 1,1, 0,255,0,255, "1,1", "0,255,0,255");-_assertPixel(offscreenCanvas, 50,1, 0,255,0,255, "50,1", "0,255,0,255");-_assertPixel(offscreenCanvas, 98,1, 0,255,0,255, "98,1", "0,255,0,255");-_assertPixel(offscreenCanvas, 1,25, 0,255,0,255, "1,25", "0,255,0,255");-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");-_assertPixel(offscreenCanvas, 98,25, 0,255,0,255, "98,25", "0,255,0,255");-_assertPixel(offscreenCanvas, 1,48, 0,255,0,255, "1,48", "0,255,0,255");-_assertPixel(offscreenCanvas, 50,48, 0,255,0,255, "50,48", "0,255,0,255");-_assertPixel(offscreenCanvas, 98,48, 0,255,0,255, "98,48", "0,255,0,255");+_assertPixel(canvas, 1,1, 0,255,0,255, "1,1", "0,255,0,255");+_assertPixel(canvas, 50,1, 0,255,0,255, "50,1", "0,255,0,255");+_assertPixel(canvas, 98,1, 0,255,0,255, "98,1", "0,255,0,255");+_assertPixel(canvas, 1,25, 0,255,0,255, "1,25", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 98,25, 0,255,0,255, "98,25", "0,255,0,255");+_assertPixel(canvas, 1,48, 0,255,0,255, "1,48", "0,255,0,255");+_assertPixel(canvas, 50,48, 0,255,0,255, "50,48", "0,255,0,255");+_assertPixel(canvas, 98,48, 
0,255,0,255, "98,48", "0,255,0,255"); t.done(); });
AI Analysis
I've analyzed the provided code diff and here's the security assessment:

Vulnerability Existed: no
The diff shows only a variable name change from `offscreenCanvas` to `canvas` and updates to all subsequent references of this variable. There are no security vulnerabilities being fixed in this change - it's purely a code style/readability modification.

Old Code:
```javascript
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
// ...
_assertPixel(offscreenCanvas, 1,1, 0,255,0,255, "1,1", "0,255,0,255");
// etc.
```

Fixed Code:
```javascript
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
// ...
_assertPixel(canvas, 1,1, 0,255,0,255, "1,1", "0,255,0,255");
// etc.
```

The changes don't indicate any security fixes - they're purely cosmetic/readability improvements by using a shorter variable name consistently throughout the test file. No security-related functionality was modified.
CVE Analysis Results:
CVE-2022-26384: No