645811 | Crash in mojo::internal::Router::OnConnectionError | - | 2016-12-31 |
648031 | Heap-use-after-free in pp::MacroExpander::expandMacro | - | 2016-12-31 |
647922 | Crash in SuperBlitter::blitH | - | 2016-12-31 |
648935 | Crash in FindBit | - | 2016-12-31 |
649826 | Heap-use-after-free in CPDF_ViewerPreferences::IsDirectionR2L | - | 2016-12-31 |
622271 | Security: Adobe Flash ContextMenu Use After Free | $3,000 | 2016-12-30 |
622634 | Security: use-after-free vulnerability in flash player 22.0.0.192 | $3,000 | 2016-12-30 |
630544 | Security: use-after-free vulnerability in flash player 22.0.0.209 | $3,000 | 2016-12-30 |
630547 | Security: use-after-free vulnerability in Adobe flash player | $3,000 | 2016-12-30 |
640177 | Security: use-after-free vulnerability in flash player latest version | $3,000 | 2016-12-30 |
647791 | Heap-buffer-overflow in gpu::gles2::ShaderTranslator::Translate | - | 2016-12-30 |
648620 | CRASH() writes to a fixed mappable address | - | 2016-12-30 |
649056 | Assertion failed: !object || (object->isBox()) | - | 2016-12-30 |
649095 | Bad-cast to blink::LayoutBox from blink::LayoutInline;blink::LayoutBox::firstChildBox;blink::ThemePainterDefault::setupMenuListArrow | - | 2016-12-30 |
649058 | Use-of-uninitialized-value in blink::BoxPainter::paint | - | 2016-12-30 |
649599 | Crash in blink::ThemePainterDefault::setupMenuListArrow | - | 2016-12-30 |
502871 | Security: adobe flash NetStream.appendBytes ByteArray data Use-After-Free | $3,000 | 2016-12-29 |
646278 | Security: Address Bar URL Spoofing | $500 | 2016-12-29 |
648671 | Bad-cast to webrtc::Module from webrtc::BitrateControllerImpl;webrtc::CongestionController::TimeUntilNextProcess;webrtc::ProcessThreadImpl::Process | - | 2016-12-29 |
647329 | Use-after-poison in fuzz_wasm_section | - | 2016-12-28 |
645540 | Update It2Me host to show confirmation prompt for incoming connections. | - | 2016-12-28 |
648373 | Crash in v8::internal::SloppyArgumentsElementsAccessor<v8::internal::SlowSloppyArgumentsE | - | 2016-12-28 |
645028 | Web accessible resources checks should work with blob: and filesystem: URLs that have chrome-extension:// inner URLs | - | 2016-12-27 |
647612 | Heap-use-after-free in CPDF_RenderStatus::LoadSMask | - | 2016-12-27 |
647893 | Use-of-uninitialized-value in CPDF_DIBSource::TranslateScanline24bpp | - | 2016-12-27 |
647683 | Wrong security state when going back/forward after HTML5 history push | - | 2016-12-27 |
639750 | XSS using Dropjacking | - | 2016-12-26 |
646351 | Crash in v8::internal::SloppyArgumentsElementsAccessor<v8::internal::SlowSloppyArgumentsE | - | 2016-12-26 |
640233 | Use-of-uninitialized-value in SkGradientShaderBase::SkGradientShaderBase | - | 2016-12-25 |
645729 | Use-after-poison in blink::TimerBase::runInternal | $3,500 | 2016-12-25 |
646178 | Heap-use-after-free in blink::ShapeOutsideInfo::isEnabledFor | - | 2016-12-25 |
647197 | Heap-double-free in v8::internal::wasm::testing::InterpretWasmModule | - | 2016-12-24 |
647110 | Heap-double-free in v8::internal::wasm::testing::InterpretWasmModule | - | 2016-12-24 |
647027 | Heap-use-after-free in v8::internal::wasm::ThreadImpl::Execute | - | 2016-12-24 |
647481 | Use-of-uninitialized-value in SkGradientShaderBase::SkGradientShaderBase | - | 2016-12-24 |
647267 | Crash in blink::TopDocumentRootScrollerController::globalRootScroller | - | 2016-12-24 |
644674 | Attempting free in void v8::internal::LocalArrayBufferTracker::Free< | - | 2016-12-23 |
647269 | Bad-cast to blink::TopDocumentRootScrollerController from blink::RootScrollerController;blink::PaintLayerCompositor::updateClippingOnCompositorLayers;blink::PaintLayerCompositor::updateIfNeeded | - | 2016-12-23 |
646258 | Crash in ReadUnalignedValue<int> | - | 2016-12-23 |
627399 | Use-of-uninitialized-value in CCodec_TiffContext::Decode | - | 2016-12-22 |
621838 | Memcpy-param-overlap in CCodec_ProgressiveDecoder::JpegReadMoreData | - | 2016-12-22 |
645745 | Unable to block cookies | $500 | 2016-12-22 |
646786 | Use-of-uninitialized-value in SkMatrix44::computeTypeMask | - | 2016-12-22 |
646350 | Heap-use-after-free in ash::WmWindowAura::StackChildAbove | - | 2016-12-22 |
641239 | Use-of-uninitialized-value in blink::PointerEventManager::setPointerCapture | - | 2016-12-21 |
638159 | Use-of-uninitialized-value in test_runner::MockWebSpeechRecognizer::PostRunTaskFromQueue | - | 2016-12-21 |
642070 | Use-of-uninitialized-value in update_current_folder_get_info_cb | - | 2016-12-21 |
643939 | Crash in v8::internal::Invoke | - | 2016-12-21 |
645839 | Heap-use-after-free in cc::Scheduler::BeginImplFrameWithDeadline | - | 2016-12-21 |
644733 | Heap-buffer-overflow in blink::LazyLineBreakIterator::nextBreakablePositionIgnoringNBSP | - | 2016-12-21 |
645777 | Use-of-uninitialized-value in base::time_internal::SaturatedSub | - | 2016-12-20 |
645186 | Memcpy-param-overlap in CCodec_ProgressiveDecoder::JpegReadMoreData | - | 2016-12-20 |
645201 | Use-of-uninitialized-value in webrtc::PlayoutDelayLimits::Parse | - | 2016-12-19 |
645770 | Heap-buffer-overflow in void std::vector<aura::Window*, std::allocator<aura::Window*> >::_M_insert_aux<a | - | 2016-12-18 |
644373 | Security - Unexploitable: Integer Overflow in media::mp4::TrackRunIterator::Init leading to arbitrary size OOB read in an arbitrary offset from the buffer. | - | 2016-12-17 |
645034 | Use-of-uninitialized-value in blink::TraceMethodDelegate<blink::PersistentBase<blink::DOMArrayBuffer, | - | 2016-12-17 |
645657 | Use-of-uninitialized-value in base::Pickle::WriteBytes | - | 2016-12-17 |
641995 | value.isFunctionValue() | - | 2016-12-16 |
632709 | Heap-use-after-free in CPDFSDK_Widget::SetAppModified | - | 2016-12-15 |
642803 | Heap-use-after-free in cc::SurfaceManager::UnregisterBeginFrameSource | - | 2016-12-15 |
643726 | Heap-buffer-overflow in safe_browsing::dmg::UDIFBlock::ParseBlockData | - | 2016-12-15 |
643173 | Wrong security state when redirecting to HTTP | $2,000 | 2016-12-15 |
644182 | Heap-buffer-overflow in unibrow::Utf8::Validate | - | 2016-12-15 |
648971 | Chrome OS exploit: c-ares OOB write + dump_vpd_log > symlink | $100,000 | 2016-12-14 |
632848 | !object || (object->isBox()) | - | 2016-12-14 |
637899 | Heap-buffer-overflow in Decode | - | 2016-12-14 |
640998 | Crash in CPDF_Parser::LoadCrossRefV5 | - | 2016-12-14 |
643431 | Crash in v8::internal::Object::SetPropertyInternal | - | 2016-12-14 |
643665 | Crash inside SuperBlitter::blitH | - | 2016-12-14 |
643933 | Crash in SuperBlitter::blitH | - | 2016-12-14 |
643935 | Heap-buffer-overflow in gpu::gles2::Texture::SetLevelInfo | - | 2016-12-14 |
640999 | Heap-use-after-free in base::ObserverListBase<content::RenderThreadObserver>::RemoveObserver | - | 2016-12-13 |
642987 | Heap-buffer-overflow in unibrow::Utf8::Validate | - | 2016-12-13 |
643137 | Heap-use-after-free in blink::TimerBase::getTimerTaskRunner | - | 2016-12-13 |
643970 | Use-of-uninitialized-value in SkUnPreMultiply::PMColorToColor | - | 2016-12-13 |
644003 | Use-of-uninitialized-value in mojo::edk::ChannelPosix::WriteNoLock | - | 2016-12-13 |
624011 | Security: UAF with namespace nodes in XPointer ranges | $3,500 | 2016-12-11 |
638220 | Heap-buffer-overflow in test_runner::BoundsForCharacter | - | 2016-12-10 |
638166 | Heap-use-after-free in content::RenderFrameImpl::NavigateInternal | - | 2016-12-09 |
642867 | Crash in v8::internal::wasm::WasmFullDecoder::AnalyzeLoopAssignment | - | 2016-12-09 |
642639 | <no crash state available> | - | 2016-12-09 |
643071 | Crash in v8::internal::NewSpace::Verify | - | 2016-12-09 |
640576 | Heap-use-after-free in base::WaitableEvent::Signal | - | 2016-12-08 |
642028 | Use-of-uninitialized-value in void WTF::copyToVector<WTF::HashSet<blink::LayoutObject*, WTF::PtrHash<blink::La | - | 2016-12-08 |
497302 | Integer-overflow in sfntly::FontData::Bound | $1,000 | 2016-12-06 |
642063 | Crash in v8::internal::HeapObject::SizeFromMap | - | 2016-12-06 |
641575 | Crash in v8::internal::InstantiateObject | - | 2016-12-05 |
623992 | Use-of-uninitialized-value in unicodetoupper | - | 2016-12-04 |
622197 | Heap-buffer-overflow in u16_u8 | - | 2016-12-03 |
633473 | Use-of-uninitialized-value in Hunspell::spell | - | 2016-12-03 |
638570 | Use-of-uninitialized-value in AffixMgr::compound_check | - | 2016-12-03 |
638562 | Stack-buffer-overflow in SfxEntry::checkword | - | 2016-12-03 |
625915 | Mac: 'Press Esc to exit fullscreen' covered up by permission prompts | - | 2016-12-02 |
638615 | Security: heap-buffer-overflow in ImageBitmap::ImageBitmap | $5,500 | 2016-12-02 |
619368 | Heap-buffer-overflow in content::WriteMemory | - | 2016-12-01 |
631375 | Security: mbspatch: Malform patch file may access heap out of bound | - | 2016-12-01 |
635602 | Heap-use-after-free in content::RenderProcessHostImpl::ConnectionFilterImpl::GetInterface | - | 2016-12-01 |
635879 | Security: Format String Vulnerability in Chrome OS | $1,000 | 2016-12-01 |
638223 | Use-of-uninitialized-value in Break | - | 2016-12-01 |
638742 | Security: Universal XSS using ThreadDebugger::setMonitorEventsCallback | $2,000 | 2016-12-01 |
617124 | Use-of-uninitialized-value in WebRtcSpl_CountLeadingZeros32 | - | 2016-11-30 |
637594 | Security: Universal XSS using DevTools | $2,000 | 2016-11-30 |
639658 | Security: Navigating to "chrome://" URLs via 'about:' protocol | $500 | 2016-11-30 |
637546 | Security: UNKOWN in CFX_Edit_Provider::GetCharWidthW | $1,000 | 2016-11-29 |
639451 | Heap-use-after-free in std::__1::__tree_const_iterator<std::__1::__value_type<CFX_ByteString, CPDF_Obje | - | 2016-11-29 |
639984 | Heap-use-after-free in FORM_DoDocumentAAction | - | 2016-11-29 |
639985 | Use-of-uninitialized-value in shell::internal::InterfaceFactoryBinder<IPC::mojom::ChannelBootstrap>::BindInter | - | 2016-11-29 |
633306 | CSP can be abused to disclose URIs cross-origin | - | 2016-11-25 |
638571 | Heap-use-after-free in blink::DepthOrderedLayoutObjectList::ordered | - | 2016-11-25 |
638928 | !m_deletionHasBegun | - | 2016-11-25 |
628942 | Security: Universal XSS with ScopedPageLoadDeferrer and RemoteFrame | $17,500 | 2016-11-24 |
630654 | Heap-use-after-free in CPDFSDK_Document::KillFocusAnnot | $3,000 | 2016-11-24 |
633474 | Negative-size-param in blink::LayoutGrid::populateExplicitGridAndOrderIterator | - | 2016-11-24 |
638186 | Use-after-poison in blink::SVGLengthContext::convertValueToUserUnits | - | 2016-11-24 |
638192 | Use-after-poison in blink::ElementResolveContext::ElementResolveContext | - | 2016-11-24 |
638226 | Use-of-uninitialized-value in v8::internal::PointerUpdateJobTraits< | - | 2016-11-24 |
619381 | Crash in GrCircleBlurFragmentProcessor::CreateCircleBlurProfileTexture | - | 2016-11-23 |
633385 | CUPS domain socket should only be openable by user chonos | - | 2016-11-23 |
635848 | Security: Crash in CPDF_Dictionary::GetObjectBy | $1,000 | 2016-11-23 |
638185 | Bad-cast to const blink::LayoutBox from blink::LayoutSVGResourcePattern;blink::PaintInvalidationState::updateForNormalChildren;blink::PaintInvalidationState::updateForChildren | - | 2016-11-23 |
638219 | Bad-cast to blink::LayoutBox from blink::LayoutSVGEllipse;blink::LayoutObject::positionForPoint;blink::LayoutBox::clippingRect | - | 2016-11-23 |
622033 | Heap-buffer-overflow in sctp_send_deferred_reset_response | - | 2016-11-22 |
630870 | Security: Universal XSS by intercepting a UA shadow tree | $7,500 | 2016-11-22 |
636268 | Security: heap-buffer-overflow in SkColorSpace | $3,500 | 2016-11-22 |
634557 | Security: Blob file entries aren't checked against security policy | - | 2016-11-22 |
628999 | Crash in blink::Geolocation::onGeolocationPermissionUpdated | - | 2016-11-21 |
635577 | Crash in mojo::AssociatedBinding<blink::mojom::blink::BroadcastChannelClient>::RunConnect | - | 2016-11-19 |
637320 | Security: Unchecked .end() iterator dereference in VTVideoDecodeAccelerator::ReusePictureBuffer | - | 2016-11-19 |
625404 | Security: use-after-free in AttachFilteredEvent on event_bindings.cc | $3,000 | 2016-11-18 |
628920 | Security: Address bar spoofing on iOS | - | 2016-11-18 |
625575 | Security: bypassing CORS by XHR + MemoryCache + ServiceWorker | - | 2016-11-18 |
633687 | Security: Full browser crash when trying to open missing 'downloaded' resource file. | - | 2016-11-18 |
626893 | Security: Arbitrary memory write in v8::internal::GlobalHandles::IterateNewSpaceWeakUnmodifiedRoots() | $3,000 | 2016-11-17 |
628542 | Heap-buffer-overflow in unibrow::Utf8::Validate | - | 2016-11-17 |
631368 | Crash in blink::getPropertyNameString | - | 2016-11-17 |
634954 | Security: Address bar spoofing with itunes page on iOS | - | 2016-11-17 |
636194 | Crash in void SkLinearGradient::LinearGradientContext::shade4_dx_clamp<false, false> | - | 2016-11-17 |
635571 | Crash in blink::EventTarget::fireEventListeners | - | 2016-11-17 |
622420 | Security: Type confusion in StylePropertySerializer::getCustomPropertyText. | - | 2016-11-16 |
632124 | Global-buffer-overflow in silk_NLSF2A | - | 2016-11-16 |
635574 | Use-after-poison in blink::CrossThreadPersistentRegion::shouldTracePersistentNode | $3,500 | 2016-11-16 |
600352 | Security: Cross-Protocol Theft from non-HTTP services via DNS rebinding + HTTP/0.9 | - | 2016-11-15 |
611955 | //components/filesystem/public/interfaces/*.mojom files need security review | - | 2016-11-15 |
618037 | Security: Devtools old remote frontend allows running privileged scripts via overwriting localStorage settings | $1,000 | 2016-11-15 |
633472 | Use-of-uninitialized-value in segment | - | 2016-11-15 |
632849 | Heap-buffer-overflow in SkA8_Blitter::blitH | - | 2016-11-13 |
628890 | Security: heap-buffer-overflow in opj_tcd_code_block_dec_allocate | $3,500 | 2016-11-12 |
628304 | Security: heap-buffer-overflow in opj_v4dwt_interleave_h | $3,500 | 2016-11-12 |
634238 | Security: Adobe Flash Button.blendMode setter uninitialized stack variable | - | 2016-11-12 |
635045 | Use-of-uninitialized-value in blink::ImagePattern::isLocalMatrixChanged | - | 2016-11-12 |
619429 | Security: Able to bypass permission prompt on keypress | - | 2016-11-11 |
624514 | Heap-buffer-overflow in CWeightTable::Calc | $3,500 | 2016-11-11 |
634114 | Heap-use-after-free in blink::LayoutFieldset::adjustInnerStyle | - | 2016-11-11 |
634394 | Security: UAF in PDFium's TimerProc() | - | 2016-11-11 |
627355 | Crash in _platform_memmove$VARIANT$Nehalem | - | 2016-11-10 |
632965 | Security: OOB read with CallSite and wasm | - | 2016-11-10 |
633585 | Crash in v8::internal::InnerPointerToCodeCache::GcSafeFindCodeForInnerPointer | - | 2016-11-10 |
633471 | Use-of-uninitialized-value in GrPipeline::CreateAt | - | 2016-11-08 |
633486 | Tracking bug for internal fixes: Chrome M52, release 1 | - | 2016-11-08 |
479961 | Apply wpa_supplicant P2P vulnerability fixes | - | 2016-11-07 |
632634 | Security: Universal XSS with static methods and ScriptState::forHolderObject | $7,500 | 2016-11-07 |
610644 | Heap-buffer-overflow in ps_table_add | $1,500 | 2016-11-06 |
632850 | Crash in CPDFSDK_InterForm::GetWidget | - | 2016-11-06 |
632851 | Heap-use-after-free in CJS_Timer::KillJSTimer | - | 2016-11-06 |
632860 | Heap-buffer-overflow in copy | - | 2016-11-05 |
616429 | Security: Saving WebPage with file: resources access SMB resources | $1,000 | 2016-11-04 |
631052 | Use-after-poison in blink::CompositorAnimationPlayer::NotifyAnimationStarted | $3,500 | 2016-11-04 |
631320 | Heap-use-after-free in content::WebRTCEventLogHost::PeerConnectionRemoved | - | 2016-11-04 |
629919 | Security: heap-buffer-overflow in opj_tcd_update_tile_data | $5,000 | 2016-11-03 |
631050 | Crash in v8::internal::JSObject::UpdateAllocationSite | - | 2016-11-03 |
573131 | Security: some extension bindings incorrectly injected into about:blank frames | $7,500 | 2016-11-02 |
627414 | Crash in MaskSuperBlitter::blitH | - | 2016-11-02 |
630377 | Heap-use-after-free in ProfileIOData::FromResourceContext | - | 2016-11-02 |
629455 | Heap-buffer-overflow in SuperBlitter::blitH | - | 2016-11-02 |
631319 | Container-overflow in gpu::gles2::GLES2DecoderImpl::DoScheduleCALayerFilterEffectsCHROMIUM | - | 2016-11-02 |
631752 | Tracking bug for internal fixes: Chrome OS 52.0.2743.85 (Platform version: 8350.60.0) | - | 2016-11-02 |
628992 | Heap-use-after-free in SuperBlitter::blitH | - | 2016-11-01 |
627454 | Use-of-uninitialized-value in blink::PointerEventManager::setPointerCapture | - | 2016-11-01 |
630736 | Crash in segment | - | 2016-11-01 |
630369 | Use-of-uninitialized-value in GrShape::attemptToSimplifyPath | - | 2016-10-31 |
630749 | Heap-use-after-free in mojo::BindingSet<network_hints::mojom::NetworkHints>::AddBinding | - | 2016-10-31 |
623195 | Use-of-uninitialized-value in base::Pickle::WriteData | - | 2016-10-29 |
630649 | Stack-buffer-overflow in SkDCubic::searchRoots | - | 2016-10-29 |
399951 | Security: Cross-origin information leak via ECMAScript harmony proxies | $1,000 | 2016-10-28 |
614647 | Use-of-uninitialized-value in get_advance | - | 2016-10-28 |
621362 | Security: Universal XSS with Flash calling into JavaScript inside Node::removedFrom | $7,500 | 2016-10-28 |
629962 | Use-of-uninitialized-value in segment | - | 2016-10-28 |
628117 | Heap-use-after-free in blink::PaintController::commitNewDisplayItems | $3,500 | 2016-10-28 |
630378 | Use-of-uninitialized-value in SkDPoint::approximatelyEqual | - | 2016-10-28 |
624213 | Security: Address bar RTL character spoofing on Mac | - | 2016-10-27 |
624214 | Security: Address bar RTL character spoofing on iOS | - | 2016-10-27 |
629795 | Use-of-uninitialized-value in gpu::gles2::GLES2DecoderImpl::HandleGetBufferParameteriv | - | 2016-10-27 |
626186 | Crash in SkOpAngle::setSpans | - | 2016-10-26 |
627401 | Crash in SkOpCoincidence::mark | - | 2016-10-26 |
628995 | Use-of-uninitialized-value in CPWL_List_Notify::IOnInvalidateRect | - | 2016-10-26 |
629452 | Crash in segment | - | 2016-10-26 |
629454 | Use-of-uninitialized-value in containsCoincidence | - | 2016-10-26 |
616623 | Use-of-uninitialized-value in walk_convex_edges | - | 2016-10-25 |
629004 | Use-of-uninitialized-value in gpu::gles2::GLES2DecoderImpl::DoDrawBuffersEXT | - | 2016-10-25 |
629008 | Use-of-uninitialized-value in gpu::gles2::GLES2Implementation::WaitSyncTokenCHROMIUM | - | 2016-10-25 |
629435 | Crash in v8::internal::Invoke | - | 2016-10-25 |
623319 | URL Spoof due to subframes and NavigationEntry corruption | $2,000 | 2016-10-21 |
627436 | Negative-size-param in content::MediaStreamDispatcherHost::OnCancelDeviceChangeNotifications | - | 2016-10-21 |
627756 | Security: SEGV on unknown address in toCSSValuePair | $3,000 | 2016-10-21 |
627443 | Use-of-uninitialized-value in gpu::gles2::GLES2Implementation::BufferDataHelper | - | 2016-10-21 |
628113 | Use-of-uninitialized-value in blink::LayoutObject::setPreferredLogicalWidthsDirty | - | 2016-10-21 |
628130 | Stack-buffer-overflow in saturated_add | - | 2016-10-21 |
626790 | Crash in blink::ComputeFloatOffsetForFloatLayoutAdapter<2>::heightRemaining | - | 2016-10-20 |
627354 | Negative-size-param in content::WebRTCEventLogHost::PeerConnectionRemoved | - | 2016-10-20 |
627434 | Use-of-uninitialized-value in sk_sse41::blit_row_s32a_opaque | - | 2016-10-20 |
627447 | Use-of-uninitialized-value in ProfileChooserView::ButtonPressed | - | 2016-10-20 |
627457 | Use-after-poison in content::WebMessagePortChannelImpl::OnMessage | $3,500 | 2016-10-20 |
611957 | //components/leveldb/public/interfaces/leveldb.mojom needs a security review | - | 2016-10-19 |
618295 | Security: [PDFium]AddressSanitizer: negative-size-param | - | 2016-10-19 |
623168 | Use-of-uninitialized-value in v8::internal::Factory::NewNumber | - | 2016-10-19 |
626182 | Heap-use-after-free in blink::PaintController::commitNewDisplayItems | - | 2016-10-19 |
623365 | Heap Buffer Overflow in iframe URL Parse | - | 2016-10-17 |
579934 | Chromium allows to open popup window from Flash object without user gesture or blocking | $1,000 | 2016-10-15 |
610986 | ASSERTION FAILED: !object || (object->isBox()) | - | 2016-10-15 |
617648 | Heap-use-after-free in content::FilteringNetworkManager::Initialize | - | 2016-10-15 |
626562 | Crash in v8::internal::HandleBase::IsDereferenceAllowed | - | 2016-10-15 |
626792 | Heap-use-after-free in GURL::GURL | - | 2016-10-15 |
617105 | Security: use-after-free vulnerability in flash player | $3,000 | 2016-10-14 |
623072 | Use-of-uninitialized-value in containsCoincidence | - | 2016-10-14 |
625541 | Security: heap-buffer-overflow in opj_tcd_init_tile | $3,000 | 2016-10-14 |
625823 | Security: SEGV in blink::DOMWindowV8Internal::blurMethodCallback | $1,000 | 2016-10-14 |
625945 | Security: browser history sniffing via HSTS + CSP (bypass previous fix) | $1,000 | 2016-10-14 |
613949 | Extension install crashes browser at onDownloadProgress and onInstallStageChanged | $500 | 2016-10-13 |
625903 | Security: heap-use-after-free in blink::LayoutBox::pixelSnappedOffsetHeight | $2,000 | 2016-10-13 |
624818 | Use-of-uninitialized-value in gpu::gles2::GLES2Implementation::BufferDataHelper | - | 2016-10-13 |
623378 | Security: UAF related to XPointer range-to function | $3,500 | 2016-10-12 |
625752 | Crash in v8::internal::LocalArrayBufferTracker::Free<1> | - | 2016-10-12 |
625393 | Security: Heap-use-after-free in ScriptInjector | $1,000 | 2016-10-11 |
616907 | Security: Universal XSS using a ScopedPageLoadDeferrer bypass | $8,000 | 2016-10-10 |
619379 | CharacterData::setData() should handle first-letter correctly | - | 2016-10-06 |
620952 | i < m_len | - | 2016-10-06 |
624713 | Security: Calling from WASM to JS should not pass the global object | - | 2016-10-06 |
291417 | Security: <webview>/App Request Contexts may not be so isolated | - | 2016-10-05 |
561978 | Vulnerability reported in media-libs/libpng | - | 2016-10-05 |
609382 | Security: Use after free of task_struct in Mali Midgard driver. | - | 2016-10-05 |
612050 | Heap-use-after-free in views::Widget::OnNativeWidgetDestroying | - | 2016-10-05 |
609680 | Chrome For Android Address Bar Spoofing Issue Due To Mishandling Of RTL Characters | $3,000 | 2016-10-05 |
617882 | Crash in v8::internal::PointerUpdateJobTraits< | - | 2016-10-05 |
618333 | Security: Parameter sanitization failure in DevTools leads to privileged script execution | $2,000 | 2016-10-05 |
619414 | Security: Devtools has Insuffient sanitization of remoteBase parameter | $2,000 | 2016-10-05 |
620981 | Crash in _platform_bzero$VARIANT$Merom | - | 2016-10-05 |
621843 | Heap-buffer-overflow in float blink::ShapeResultSpacing::computeSpacing<unsigned short> | - | 2016-10-05 |
623985 | Use-after-poison in blink::PersistentBase<blink::WorkerWebSocketChannel::Bridge, | $3,500 | 2016-10-05 |
623996 | Use-of-uninitialized-value in blink::LineBoxList::deleteLineBoxes | - | 2016-10-05 |
617084 | Crash in v8::internal::HandleBase::IsDereferenceAllowed | - | 2016-10-04 |
619377 | Bad-cast to blink::WebGLObject from invalid vptr;blink::WebGLProgram::deleteObjectImpl;blink::WebGLSharedObject::detachContextGroup | - | 2016-10-04 |
621095 | SIGSEGV, RIP = 0x0 | - | 2016-10-04 |
118642 | Heap-use-after-free in v8::internal::JSObject::GetElementWithInterceptor | $1,000 | 2016-10-02 |
118662 | Regression(r109014): Heap-use-after-free in WebCore::InlineTextBox::isLineBreak | $500 | 2016-10-02 |
118593 | Heap-use-after-free in WebCore::SVGStyledElement::buildPendingResourcesIfNeeded | $1,000 | 2016-10-02 |
118490 | Heap-use-after-free in WebCore::RenderObject::containingBlock | $1,000 | 2016-10-02 |
118467 | open.call(other_window) circumvents check in other_window.open() | - | 2016-10-02 |
118633 | Security: Frame sniffing is not fixed | - | 2016-10-02 |
118414 | Heap use after free on chrome_content_browser_client.cc with webrtc | $1,000 | 2016-10-02 |
118374 | Long autofilled value causes render issue | - | 2016-10-02 |
118273 | ZDI-CAN-1528: Webkit HTMLMedia Element beforeLoad Remote Code Execution Vulnerability | - | 2016-10-02 |
118227 | Security: cross-origin iframes can be resized from within in M18 | - | 2016-10-02 |
118018 | Heap-buffer-overflow in S32_opaque_D32_nofilter_DXDY | - | 2016-10-02 |
118317 | Popup blocker bypass triggering mouse event on tag with rel=noreferrer | - | 2016-10-02 |
118185 | Heap-use-after-free in WebCore::V8HTMLBodyElement::wrapSlow | - | 2016-10-02 |
117890 | Use-after-free in CrashGenerationServer | - | 2016-10-02 |
117912 | Heap-buffer-overflow in memcmp | - | 2016-10-02 |
117794 | [LangFuzz] Crash on heap with invalid read through GetPropertyWithCallback | $500 | 2016-10-02 |
117736 | No permission prompt when loading unpacked extension with NPAPI plugin | - | 2016-10-02 |
117728 | Heap-use-after-free in WebCore::InlineBox::root | $1,000 | 2016-10-02 |
117724 | Event handlers firing during Text::splitText trigger use-after-free. | - | 2016-10-02 |
118009 | Heap-buffer-overflow in void WTF::Vector<unsigned short, 0ul>::append<unsigned short> | - | 2016-10-02 |
117889 | Dangerous download warnings are suppressed for a larger class of downloads than are handled by SafeBrowsing | - | 2016-10-02 |
117698 | Heap-use-after-free in WebCore::RenderLayer::addChild | $1,000 | 2016-10-02 |
117696 | Heap-use-after-free in WebCore::RenderBlock::addPositionedFloats | - | 2016-10-02 |
117674 | Heap-use-after-free in WebCore::GraphicsContext3D::getExtensions | - | 2016-10-02 |
117672 | Uptake angle security fix | - | 2016-10-02 |
117656 | Pwnium bug: GPU memory corruption | - | 2016-10-02 |
117627 | Security: IPC Channel does not validate the listener. | - | 2016-10-02 |
117620 | Pwnium bug: Prerendering issues with NACL | $60,000 | 2016-10-02 |
117715 | LoadExtension binding in chrome://extensions/ is too permissive | - | 2016-10-02 |
117583 | Iframe hijacking from Pwnium | - | 2016-10-02 |
117588 | Security: Memory Corruption in MaskSuperBlitter | $1,000 | 2016-10-02 |
117545 | ICU lang buffer overflow | - | 2016-10-02 |
117471 | Heap-use-after-free in WebCore::GraphicsContext::paintingDisabled | $1,000 | 2016-10-02 |
117446 | App popup user gesture exemption should be based on process type, not just extent | - | 2016-10-02 |
117418 | Security: Don't grant WebUI bindings to a process shared with normal views | - | 2016-10-02 |
117417 | Security: Don't let a normal web renderer navigate to a privileged URL | - | 2016-10-02 |
117413 | Heap-use-after-free in WebCore::RenderScrollbar::getScrollbarPseudoStyle | - | 2016-10-02 |
117409 | Chrome: Crash Report - Stack Signature: v8::internal::MarkCompactCollector::RecordS... | - | 2016-10-02 |
117400 | Uptake fixes on weak node iteration patterns | - | 2016-10-02 |
117511 | Heap-use-after-free in WTF::equal | - | 2016-10-02 |
117335 | Occasional heap-use-after-free in non-virtual thunk to AudioDevice::OnStateChanged | $500 | 2016-10-02 |
117341 | Heap-use-after-free in MessageLoop::AddToIncomingQueue | $1,000 | 2016-10-02 |
117230 | Part 2 of Pwnium Bug | - | 2016-10-02 |
117226 | Part 1 of Pwnium Bug: UXSS | $60,000 | 2016-10-02 |
117150 | REGRESSION(wk109285): Heap-use-after-free in WebCore::Document::nodeChildrenWillBeRemoved | $1,000 | 2016-10-02 |
117110 | Heap-use-after-free in WebCore::RenderObjectChildList::destroyLeftoverChildren | - | 2016-10-02 |
116994 | Heap-use-after-free in chrome::ChromeContentBrowserClient::RequestMediaAccessPermission | - | 2016-10-02 |
116967 | Heap-buffer-overflow in WebCore::SVGUseElement::instanceForShadowTreeElement | - | 2016-10-02 |
116927 | Heap-buffer-overflow in av_freep | $1,000 | 2016-10-02 |
116806 | Heap-use-after-free in WebCore::RenderInline::continuationBefore | - | 2016-10-02 |
116746 | Heap-use-after-free in WebCore::RenderBlock::splitBlocks | $1,000 | 2016-10-02 |
116637 | Renderer process crash when doing WebGL canvas to 2D canvas drawImage() | - | 2016-10-02 |
116524 | Security: Off-by-one in OTS resulting in arbitrary code execution | - | 2016-10-02 |
116461 | Heap-use-after-free in WebCore::CSSCrossfadeValue::~CSSCrossfadeValue | $1,000 | 2016-10-02 |
116405 | Mitigate stale layout root bugs | - | 2016-10-02 |
116398 | Security: SSL proxy seems to not care about the cert | - | 2016-10-02 |
116474 | Merge SVG use fix to stable | - | 2016-10-02 |
121926 | Heap-buffer-overflow in WebCore::FEConvolveMatrix::platformApplySoftware | - | 2016-10-02 |
121937 | glGetProgramInfoLog regression in ANGLE | - | 2016-10-02 |
121734 | Heap-use-after-free in WebCore::V8AbstractEventListener::~V8AbstractEventListener | - | 2016-10-02 |
121726 | Sandbox IPC length checking race | - | 2016-10-02 |
121703 | Crash in NSMutableRLEArray replaceObjectsInRange:withObject:length with long URL | - | 2016-10-02 |
121692 | Heap-use-after-free in WebCore::SelectorChecker::checkOneSelector | - | 2016-10-02 |
121645 | Heap-use-after-free in WebCore::RenderBlock::removeFloatingObject | - | 2016-10-02 |
121899 | Security: use-after-free in WebCore::RenderBoxModelObject::hasSelfPaintingLayer() | $1,000 | 2016-10-02 |
121736 | Heap-use-after-free in WebCore::EventDispatcher::dispatchEvent | - | 2016-10-02 |
121347 | Heap-buffer-overflow in WebCore::RenderBlock::LineBreaker::nextLineBreak | $500 | 2016-10-02 |
121524 | Use after free with reflections and composited layers | - | 2016-10-02 |
121206 | Heap-buffer-overflow in WebCore::HTMLSelectElement::setRecalcListItems | - | 2016-10-02 |
121128 | Heap-buffer-overflow in void WTF::Vector<unsigned short, 1024ul>::append<unsigned short> | - | 2016-10-02 |
120977 | Crash in texSubImage2D on Mozilla's WebGL performance regression tests | - | 2016-10-02 |
121269 | invalid cast in WebCore::toHTMLElement / WebCore::HTMLFieldSetElement::disabledAttributeChanged | - | 2016-10-02 |
121223 | Heap-use-after-free in WebCore::WorkerThreadableWebSocketChannel::Bridge::mainThreadCreateWebSocketChannel | $500 | 2016-10-02 |
121407 | [LangFuzz] Invalid write in v8::internal::ElementsAccessorBase<...>::CopyElements | $1,000 | 2016-10-02 |
120648 | UNKNOWN in SkARGB32_Blitter::blitV | $500 | 2016-10-02 |
120457 | Global-buffer-overflow in WebCore::InlineTextBox::isLineBreak | - | 2016-10-02 |
120711 | Heap-use-after-free in WebCore::Element::recalcStyle | $1,000 | 2016-10-02 |
120944 | Use-after-free due to issues in counter layout. | $1,000 | 2016-10-02 |
120912 | Heap-use-after-free in WebCore::RenderText::removeTextBox | $1,000 | 2016-10-02 |
120320 | Flash Broker Bypass 0x2B (CVE-2012-0724) | - | 2016-10-02 |
120318 | Flash Broker Bypass 0x2D (CVE-2012-0725) | - | 2016-10-02 |
120222 | Heap-use-after-free in WebCore::RenderTableSection::paintCell | $1,000 | 2016-10-02 |
120205 | Security: <svg:use> elements in the parser can create elements not marked as created by the parser | - | 2016-10-02 |
120404 | Heap-buffer-overflow in WebCore::Font::codePath | - | 2016-10-02 |
120037 | Heap-use-after-free in WebCore::ContainerNode::resumePostAttachCallbacks | $1,000 | 2016-10-02 |
120007 | Heap-use-after-free in WebCore::WorkerEventQueue::close | - | 2016-10-02 |
120403 | Heap-use-after-free in WebCore::ContainerNode::insertBefore | - | 2016-10-02 |
120189 | Heap-use-after-free in WebCore::V8RecursionScope::didLeaveScriptContext | - | 2016-10-02 |
119926 | Use after free in v8::internal::IncrementalMarking::Step | $1,000 | 2016-10-02 |
119501 | Heap-use-after-free in WebCore::SVGStyledElement::buildPendingResourcesIfNeeded | $1,000 | 2016-10-02 |
119429 | UNKNOWN in v8::Message::GetScriptResourceName | $500 | 2016-10-02 |
120006 | Heap-use-after-free in WebCore::RenderBlock::finishDelayUpdateScrollInfo | - | 2016-10-02 |
119525 | Heap-use-after-free in WebCore::ApplyStyleCommand::applyInlineStyleToNodeRange | $1,000 | 2016-10-02 |
119281 | Heap-use-after-free in WebCore::GenericEventQueue::~GenericEventQueue | $500 | 2016-10-02 |
119230 | Heap-use-after-free in WebCore::RenderBlock::splitBlocks | - | 2016-10-02 |
119150 | Sandboxed processes should not be able to open other sandboxed processes | - | 2016-10-02 |
119084 | Heap-use-after-free in utext_setNativeIndex_46 | - | 2016-10-02 |
118970 | GPU process crash below DoDrawArrays (Nvidia) | $500 | 2016-10-02 |
119305 | Heap-use-after-free in WebCore::Node::~Node | $1,000 | 2016-10-02 |
119250 | GPU, Plugin, and NaCl processes have PROCESS_DUP_HANDLE permission on renderer processes | - | 2016-10-02 |
118803 | Heap-use-after-free in WebCore::SVGTextLayoutAttributesBuilder::fillCharacterDataMap | - | 2016-10-02 |
118784 | Heap-buffer-overflow in void WTF::Vector<unsigned short, 1024ul>::insert<unsigned short> | - | 2016-10-02 |
118853 | Heap-use-after-free in WebCore::InlineFlowBox::deleteLine | - | 2016-10-02 |
118664 | Security: Swapped out URL must be a unique origin | - | 2016-10-02 |
118721 | Extensions resources can be fetched across incognito | - | 2016-10-02 |
116162 | Heap-buffer-overflow in wk_png_inflate | - | 2016-10-02 |
116128 | Content scripts should never be run in the webstore isolate | - | 2016-10-02 |
116093 | Heap-buffer-overflow in WebCore::SVGDocumentExtensions::removeAnimationElementFromTarget | $1,000 | 2016-10-02 |
116069 | WebCore::MediaStreamListInternal::itemCallback | $500 | 2016-10-02 |
116224 | Heap-use-after-free in WebCore::FrameLoader::urlSelected | - | 2016-10-02 |
115998 | Heap-use-after-free in WebCore::RenderMenuList::addChild | - | 2016-10-02 |
115862 | Heap-use-after-free in WebCore::InlineFlowBox::deleteLine | - | 2016-10-02 |
115756 | Heap-use-after-free in WebCore::InlineFlowBox::deleteLine | - | 2016-10-02 |
115754 | Heap-use-after-free in WebCore::RenderLayer::addChild | $1,000 | 2016-10-02 |
115695 | Heap-buffer-overflow in WebCore::StaticNodeList::itemWithName | $1,000 | 2016-10-02 |
115681 | Heap-use-after-free in WebCore::RenderBox::enclosingFloatPaintingLayer | $1,000 | 2016-10-02 |
115680 | Heap-use-after-free in WebCore::RenderListItem::updateMarkerLocation | - | 2016-10-02 |
115807 | Heap-use-after-free in WebCore::RenderMenuList::addChild | - | 2016-10-02 |
116027 | Heap-buffer-overflow in WebCore::InlineFlowBox::addToLine | - | 2016-10-02 |
115159 | Security: Setting innerText allows DOMSubtreeModified listeners to cause crashes | - | 2016-10-02 |
115028 | Bad cast in splitAnonymousBlocksAroundChild (part 3) | $1,000 | 2016-10-02 |
115003 | Heap-use-after-free in WebCore::RenderObject::previousInPreOrder | - | 2016-10-02 |
115299 | Use-after-free in AudioDeviceThread::Callback::InitializeOnAudioThread | $500 | 2016-10-02 |
115471 | Heap-buffer-overflow in SkAlphaRuns::add | $1,000 | 2016-10-02 |
114924 | Bad cast in splitAnonymousBlocksAroundChild | $1,000 | 2016-10-02 |
114911 | Heap-buffer-overflow in WebCore::Element::setAttribute | - | 2016-10-02 |
114858 | Heap-use-after-free in WebCore::RenderTableSection::willBeDestroyed | - | 2016-10-02 |
114960 | Heap-use-after-free in WebCore::SVGTextLayoutAttributesBuilder::fillCharacterDataMap | - | 2016-10-02 |
114219 | Heap-use-after-free in WebCore::RenderTableSection::nodeAtPoint | $1,000 | 2016-10-02 |
114152 | Heap-use-after-free in WebCore::InspectorStyleSheet::deleteRule | - | 2016-10-02 |
114144 | Crash by clicking the time field of maps.google.com | - | 2016-10-02 |
114068 | Heap-use-after-free in WebCore::HTMLElement::isPresentationAttribute | $1,000 | 2016-10-02 |
114056 | Heap-buffer-overflow in WebCore::previousBoundary | $500 | 2016-10-02 |
114054 | Heap-buffer-overflow in void WTF::Vector<unsigned short, 0ul>::append<unsigned short> | $500 | 2016-10-02 |
113924 | [LangFuzz] Crash at v8::internal::HashTable<...>::FindEntry with invalid read | $1,000 | 2016-10-02 |
114342 | Stack-buffer-overflow at strcpy | $1,000 | 2016-10-02 |
113837 | Heap-use-after-free in WebCore::Document::unregisterForPageCacheSuspensionCallbacks | $1,000 | 2016-10-02 |
113800 | Heap-use-after-free in WebCore::RenderBlock::computeOverflow | - | 2016-10-02 |
113902 | Heap-use-after-free in WebCore::InlineBox::root | $1,000 | 2016-10-02 |
113799 | Heap-use-after-free in WebCore::RenderTable::layout | - | 2016-10-02 |
113801 | Heap-use-after-free in WebCore::RenderBlock::outlineStyleForRepaint | - | 2016-10-02 |
113733 | Security: Flash deployed via component updater runs outside the sandbox | - | 2016-10-02 |
113755 | Heap-use-after-free in WebCore::RenderObjectChildList::destroyLeftoverChildren | - | 2016-10-02 |
113707 | Heap-use-after-free in WebCore::RenderQuote::placeQuote | $1,000 | 2016-10-02 |
113690 | Heap-use-after-free in WebCore::RenderButton::removeChild | - | 2016-10-02 |
113567 | Heap-use-after-free in WebCore::RenderRegion::setRegionBoxesRegionStyle | - | 2016-10-02 |
113562 | Heap-use-after-free in WebCore::NavigationScheduler::schedule | - | 2016-10-02 |
113730 | Integer wrap in CSSParser::quoteCSSString() can cause a buffer overflow | - | 2016-10-02 |
113497 | Heap-use-after-free in WebCore::InlineFlowBox::computeUnderAnnotationAdjustment | $1,000 | 2016-10-02 |
113496 | Links in settings page (like learn more, google dashboard) are opened in the webui renderer process | - | 2016-10-02 |
113439 | Bad casts due to issues in splitAnonymousBlocksAroundChild | $1,000 | 2016-10-02 |
113415 | Heap-use-after-free in WebCore::InlineFlowBox::deleteLine | - | 2016-10-02 |
113258 | Bad cast in WebCore::RenderBlock::createLineBoxes | $1,000 | 2016-10-02 |
113178 | Adding a ShadowRoot to a SELECT element causes crashes | - | 2016-10-02 |
113174 | Attaching a ShadowRoot to a VIDEO element causes heap-use-after-free | - | 2016-10-02 |
113160 | Security: Tracking bug for WK77971 - Replaces the [CheckNodeSecurity] IDL attribute | - | 2016-10-02 |
113119 | Security: Report bad translation link uses http:// | - | 2016-10-02 |
112976 | Heap-use-after-free in vorbis_decode_frame | - | 2016-10-02 |
112961 | TCP and UDP IPCs should not be exposed to arbitrary renderers | - | 2016-10-02 |
112983 | Browser crash with FTP video source | - | 2016-10-02 |
125462 | Security: libxml2 1-byte heap-buffer-overflow in xmlXPtrEvalXPtrPart | $1,500 | 2016-10-02 |
125436 | Heap-use-after-free in WebCore::HTMLFormControlElement::disabled | - | 2016-10-02 |
125249 | Heap-buffer-overflow in seg_to | - | 2016-10-02 |
125225 | Domui process can be ptraced from a compromised renderer leading to sandbox escape, take 2 | - | 2016-10-02 |
125159 | Chrome crashes when pressing back button on a page that is still downloading a big gif image | $1,337 | 2016-10-02 |
125151 | Heap-use-after-free in WebCore::Node::compareDocumentPosition | - | 2016-10-02 |
125010 | Stealing AutoFill data with window.getSelection() before users actually select form contents | - | 2016-10-02 |
125494 | Heap-buffer-overflow in WebCore::HTMLTreeBuilder::processEndTag | - | 2016-10-02 |
125374 | Heap-use-after-free in WebCore::RenderSVGContainer::paint | $1,000 | 2016-10-02 |
124992 | Heap-use-after-free in WebCore::swapInNodePreservingAttributesAndChildren | - | 2016-10-02 |
124923 | Heap-use-after-free in WebCore::parseToDoubleForNumberType | - | 2016-10-02 |
124919 | Heap-use-after-free in WebCore::RenderBlock::addOverflowFromFloats | - | 2016-10-02 |
124895 | Heap-use-after-free in WebCore::ScriptController::executeIfJavaScriptURL | - | 2016-10-02 |
124893 | Heap-buffer-overflow in WebCore::HTMLOptionElement::selected | - | 2016-10-02 |
124870 | Heap-use-after-free in WebCore::InsertParagraphSeparatorCommand::doApply | - | 2016-10-02 |
124868 | Heap-use-after-free in WebCore::RenderObject* WebCore::bidiNextShared<WebCore::BidiResolver<WebCore::InlineIterator, WebCor | - | 2016-10-02 |
124836 | NSS should reject DH public values equal to one | - | 2016-10-02 |
125000 | Heap-buffer-overflow in WTF::VectorMover<false, WebCore::Attribute>::move | - | 2016-10-02 |
124924 | Heap-buffer-overflow in WebCore::XPath::sortBlock | - | 2016-10-02 |
124652 | Heap-buffer-overflow in SkDashPathEffect::SkDashPathEffect | - | 2016-10-02 |
124625 | Chrome: Crash Report - Stack Signature: WebCore::npObjectNamedGetter<WebCore::V8HTM... | - | 2016-10-02 |
124617 | Heap-buffer-overflow in WebCore::RenderBlock::createLineBoxes | - | 2016-10-02 |
124669 | Heap-use-after-free in WebCore::SVGLength::value | - | 2016-10-02 |
124530 | Heap-use-after-free in WebCore::RenderBlock::layoutPositionedObjects | - | 2016-10-02 |
124594 | UNKNOWN in v8::internal::MarkCompactCollector::PrepareThreadForCodeFlushing | $500 | 2016-10-02 |
124479 | Use after free in PDF with corrupt CID font encoding name | - | 2016-10-02 |
124356 | Heap-use-after-free in WebCore::GraphicsContext::restore | $1,000 | 2016-10-02 |
124263 | OOB read with PDF in cell sorting | - | 2016-10-02 |
124228 | Security: Component updater parses unauthenticated XML with libxml in the browser process | - | 2016-10-02 |
124216 | Security: MSVR:159 - Google Chrome NPAPI Plugin Insecure Loading Elevation of Privilege Vulnerability | - | 2016-10-02 |
124191 | OOB read in PDF when parsing / processing text | - | 2016-10-02 |
124190 | OOB read, off-by-one in PDF predictor code with specific decode parameters | - | 2016-10-02 |
124184 | OOB read with 1bpp image and ICC profile | - | 2016-10-02 |
124183 | OOB read in PDF fax codec | - | 2016-10-02 |
124389 | Heap-use-after-free in WebCore::TargetListener::clear | - | 2016-10-02 |
124182 | Out of bounds write in PDF with sample function with lots of inputs | - | 2016-10-02 |
124179 | PDF crash under ASAN with character maps | - | 2016-10-02 |
123929 | Out-of-bounds read in PDF with undersized "O" key and revision 3 crypto | - | 2016-10-02 |
123858 | Use-after-free in WebPagePopupImpl instance | - | 2016-10-02 |
123735 | OOB reads in PDF AES support due to buffer mismanagement | - | 2016-10-02 |
123733 | Out-of-bounds reads with bad parameters to PDF "sampled function" function | - | 2016-10-02 |
123709 | Breakpad ClientInfo::PopulateCustomInfo() integer wrap leads to heap overflow | - | 2016-10-02 |
123656 | OOB read in PDF whilst scanning for "startxref" | - | 2016-10-02 |
123631 | Heap-use-after-free in WebCore::GraphicsContext::paintingDisabled | - | 2016-10-02 |
123544 | Heap-use-after-free in WebCore::CachedResource::checkNotify | - | 2016-10-02 |
123530 | Heap-use-after-free in AutocompleteMatch::AutocompleteMatch | - | 2016-10-02 |
123484 | Global-buffer-overflow in WebCore::InlineTextBox::isLineBreak | - | 2016-10-02 |
123481 | Security: ERROR: AddressSanitizer heap-buffer-overflow on address 0x7fde15ff9890 at pc 0x7fde364c5034 | $1,000 | 2016-10-02 |
123105 | Heap-buffer-overflow in Color32_SSE2 | - | 2016-10-02 |
123054 | Security: renderer can grant itself read permissions to arbitrary files | - | 2016-10-02 |
123029 | OOB write in SkARGB32_Black_Blitter::blitAntiH -> sk_memset32_SSE2 | $1,000 | 2016-10-02 |
123012 | Chrome: Crash Report - Stack Signature:WebCore::V8BindingPerContextData::constructorForType(WebCore::WrapperTypeInfo *) | - | 2016-10-02 |
122925 | Security: Autofill info can be captured by innocuous social engineering | $1,000 | 2016-10-02 |
122865 | Heap-use-after-free in SkCanvas::internalDrawBitmapRect | - | 2016-10-02 |
122760 | Heap-use-after-free in WebCore::RenderTable::computePreferredLogicalWidths | - | 2016-10-02 |
122692 | UNKNOWN in /lib/libc-2.11.1.so+Unknown | - | 2016-10-02 |
122681 | [LangFuzz] CHECK(fixed_size + height_in_bytes == input_frame_size) failed or crash with invalid read | $500 | 2016-10-02 |
122654 | Chrome: Crash Report: SocketStreamDispatcherHost::CancelSSLRequest | - | 2016-10-02 |
122586 | Global-buffer-overflow in HB_TibetanShape | - | 2016-10-02 |
122585 | Security: stack-buffer-overflow in WebCore::GlyphPage::fill with surrogate characters | $500 | 2016-10-02 |
122573 | Heap-use-after-free in WebCore::CachedRawResource::didAddClient | - | 2016-10-02 |
122854 | Security: Potential (racy) use after free error in DownloadResourceHandler::OnResponseCompletedInternal | - | 2016-10-02 |
122503 | Heap-buffer-overflow in erode | - | 2016-10-02 |
122337 | [LangFuzz] Crash on heap with invalid write (32 bit only). | $1,000 | 2016-10-02 |
122208 | GCing a node observed by a WebKitMutationObserver can cause an invalid HashSet iterator | - | 2016-10-02 |
122029 | Heap-buffer-overflow in WebCore::InlineFlowBox::addToLine | - | 2016-10-02 |
122014 | Heap-use-after-free in WorkerEventQueue::close | - | 2016-10-02 |
121968 | Heap-use-after-free in WebCore::GraphicsLayer::willBeDestroyed | - | 2016-10-02 |
122562 | Heap-use-after-free in ModuleSystem::LazyFieldGetter | $1,000 | 2016-10-02 |
112847 | Bad cast in addChildToAnonymousColumnBlocks | $1,000 | 2016-10-02 |
112833 | Heap-use-after-free in webkit_media::BufferedResourceLoader::Start | $1,000 | 2016-10-02 |
112822 | Security: Heap-buffer-overflow in png_decompress_chunk | $1,337 | 2016-10-02 |
112814 | Safe Browsing client doesn't always check for MAC field in response | - | 2016-10-02 |
112775 | Heap-use-after-free in WebCore::Node::traverseNextNode | - | 2016-10-02 |
112764 | Heap-use-after-free in RendererAccessibility::SendPendingAccessibilityNotifications | - | 2016-10-02 |
112738 | Security: User Interface - infobar confusion, spamming, and spoofing | - | 2016-10-02 |
112735 | Bad cast in FormSubmission::create | - | 2016-10-02 |
112694 | Heap-use-after-free in WebCore::Node::normalize | - | 2016-10-02 |
112670 | avcodec_53!ff_h264_get_profile - crash | $500 | 2016-10-02 |
112451 | X509UserCertResourceHandler::OnResponseCompleted crash | - | 2016-10-02 |
112443 | [Mac] Regular SSL certificate incorrectly displayed with EV color badge | - | 2016-10-02 |
112542 | Heap-use-after-free in WebCore::TextIterator::rangeFromLocationAndLength | - | 2016-10-02 |
112411 | Heap-use-after-free in WebCore::SVGUseElement::expandSymbolElementsInShadowTree | $1,000 | 2016-10-02 |
112391 | Heap-use-after-free in ExtensionHost | - | 2016-10-02 |
112339 | Security: chrome allows TDR looping leading to win7 OS crash through page refresh html tag + WebGL | - | 2016-10-02 |
112325 | Security: Copy-paste preserves <embed> tags containing active content | - | 2016-10-02 |
112317 | Heap-buffer-overflow in WebCore::Font::codePath | $500 | 2016-10-02 |
112259 | Heap-use-after-free in WebCore::EventTarget::dispatchEvent | $500 | 2016-10-02 |
112236 | Security: Chrome translation script downloaded over HTTP | - | 2016-10-02 |
112212 | Heap-use-after-free in WebCore::ContainerNode::appendChild | $2,000 | 2016-10-02 |
112151 | Heap-use-after-free in WebCore::RenderRegion::setRegionBoxesRegionStyle | $1,000 | 2016-10-02 |
112093 | Heap-use-after-free in WebCore::Node::dispatchSubtreeModifiedEvent | - | 2016-10-02 |
112055 | Heap-buffer-overflow in WebCore::CSSParser::lex | - | 2016-10-02 |
111779 | Heap-use-after-free in WebCore::SubframeLoader::loadSubframe | $1,000 | 2016-10-02 |
111748 | Heap-use-after-free in WebCore::SVGElement::removedFromDocument | $1,000 | 2016-10-02 |
111656 | Security: Accessibility bad cast | - | 2016-10-02 |
111575 | Security: NaCl dynamic code modification allows direct calls inside existing super instructions. | - | 2016-10-02 |
111491 | AddressSanitizer reports a heap-use-after-free in icu_46::RuleBasedBreakIterator::handleNext in DownloadTest.CrxLargeTheme (browser_tests) on Chrome OS | - | 2016-10-02 |
111088 | Heap-use-after-free in WebCore::FrameLoader::checkTimerFired | - | 2016-10-02 |
111467 | Heap-buffer-overflow in WebCore::SVGSVGElement::currentViewBoxRect | $1,000 | 2016-10-02 |
110849 | Heap-buffer-overflow in matroska_parse_block | - | 2016-10-02 |
110764 | Heap-use-after-free in WebCore::DocumentLoader::detachFromFrame | $1,000 | 2016-10-02 |
110723 | Heap-use-after-free in WebCore::RenderSVGResourceContainer::markAllClientsForInvalidation | - | 2016-10-02 |
111342 | Heap-use-after-free in AudioDevice::FireRenderCallback | - | 2016-10-02 |
110559 | Heap-buffer-overflow in GPU ShaderTranslator | - | 2016-10-02 |
110374 | Heap-use-after-free in WebCore::EventHandler::mouseMoved | $1,000 | 2016-10-02 |
110360 | Heap-use-after-free in WebCore::GraphicsContext::paintingDisabled | - | 2016-10-02 |
110277 | Heap-buffer-overflow in xsltCompilePatternInternal | $500 | 2016-10-02 |
110172 | Heap-buffer-overflow in SkAlphaRuns::add | $1,000 | 2016-10-02 |
110545 | Security: AssociatedURLLoader exposes non-whitelisted response headers when loading with access control (CORS) | - | 2016-10-02 |
110076 | Heap-use-after-free in WebCore::CompositeEditCommand::ensureComposition | - | 2016-10-02 |
109743 | Heap-use-after-free in WebCore::CSSStyleSelector::matchRulesForList | $1,000 | 2016-10-02 |
109717 | Security: crash when viewing a certificate without issuer signature | - | 2016-10-02 |
109716 | Heap-use-after-free in xsltParseGlobalVariable | $1,000 | 2016-10-02 |
109691 | Security: Losing user-set pin data on HSTS header receipt | - | 2016-10-02 |
110112 | Heap-use-after-free in WebCore::FrameView::forceLayoutParentViewIfNeeded | $1,000 | 2016-10-02 |
109912 | Security: read sandbox escape: NaCl validator for x86-64 allow REP string instructions to have out-of-bound source addresses | - | 2016-10-02 |
109623 | Chrome: Crash Report - Stack Signature: WebKit::WebMediaPlayerClientImpl::loadInter... | - | 2016-10-02 |
109574 | Potential XSS attack with [0x8E][0xE3] in EUC-JP page | $500 | 2016-10-02 |
109556 | Heap-buffer-overflow in WebCore::HTMLTreeBuilder::HTMLTreeBuilder | $1,000 | 2016-10-02 |
109411 | Regression: Crash in WebCore::DynamicSubtreeNodeList::length() | - | 2016-10-02 |
109245 | Security: Chrome Drag Spoofing | - | 2016-10-02 |
109664 | safe_browsing::SignatureUtil::CheckSignature() - crash | - | 2016-10-02 |
109094 | Possible wild read in internal PDF-reader | - | 2016-10-02 |
108958 | Heap-use-after-free in WebCore::RenderBlock::determineStartPosition | - | 2016-10-02 |
129158 | Heap-use-after-free in WebCore::AccessibilityObject::getAttribute | - | 2016-10-02 |
129191 | UNKNOWN in WebCore::HTMLDocumentParser::prepareToStopParsing | $1,000 | 2016-10-02 |
128971 | Heap-use-after-free in WebCore::InlineBox::deleteLine | - | 2016-10-02 |
128711 | Run-in UAF crashes relating to generated content and inline line box tree not clearing. | - | 2016-10-02 |
128704 | Crash when opening and closing chrome://chrome | - | 2016-10-02 |
128688 | Heap-buffer-overflow in gpu::gles2::GLES2Implementation::TexSubImage2DImpl | - | 2016-10-02 |
128800 | Use after free in WebCore::SVGTextLayoutAttributesBuilder::fillCharacterDataMap | - | 2016-10-02 |
128597 | RenderViewImpl's shared_popup_counter_ isn't incremented properly | - | 2016-10-02 |
128498 | Heap-buffer-overflow in WebCore::CSSSelector::specificityForOneSelector | - | 2016-10-02 |
128497 | CachedImage does not clear the ImageObserver pointer when dropping its Image ref | - | 2016-10-02 |
128458 | Security: NTP Promo data is downloaded via HTTP, but then rendered on the NTP | - | 2016-10-02 |
128665 | Heap-use-after-free in WebCore::Node::isInShadowTree | - | 2016-10-02 |
128342 | Heap-buffer-overflow in WebCore::SVGUseElement::instanceForShadowTreeElement | - | 2016-10-02 |
128336 | Heap-buffer-overflow in WebCore::SubframeLoader::createJavaAppletWidget | - | 2016-10-02 |
128256 | tabs permission exploit on the Chrome RSS Extension | - | 2016-10-02 |
128204 | Assertion failure (toRenderBox() called on a RenderInline) beneath RenderBlock::blockBeforeWithinSelectionRoot() | - | 2016-10-02 |
128178 | Heap-use-after-free in fileapi::FileSystemOperation::DidGetUsageAndQuotaAndRunTask | $3,133 | 2016-10-02 |
128163 | Heap-buffer-overflow in GIFImageReader::read | - | 2016-10-02 |
128159 | Heap-use-after-free in WTF::HashMap<int, WTF::RefPtr<WebCore::CalculationValue>, WTF::IntHash<unsigned int>, WTF::HashTrait | - | 2016-10-02 |
128157 | Heap-use-after-free in WebCore::HTMLFormControlElement::disabled | - | 2016-10-02 |
128151 | Heap-use-after-free in WebKit::MainThreadFileSystemCallbacks::didSucceed | - | 2016-10-02 |
128146 | UNKNOWN in v8::internal::DescriptorArray::Set | - | 2016-10-02 |
128018 | [LangFuzz] Crash in v8::internal::ShortCircuitConsString with invalid read | $1,000 | 2016-10-02 |
127889 | Use after free in WebCore::Font::characterRangeCodePath / WebCore::Font::codePath | - | 2016-10-02 |
127764 | Heap-use-after-free in WebCore::RenderBlock::xPositionForFloatIncludingMargin | - | 2016-10-02 |
127701 | Heap-use-after-free in WebCore::RenderObject::repaint | - | 2016-10-02 |
127648 | Out of bounds read in WebCore::Region::Shape::compareShapes | - | 2016-10-02 |
127624 | Security: pepper plugins - protect plugin's data files from other plugins and the renderer itself. | - | 2016-10-02 |
127525 | Dragging a file into a web renderer exposes the file: scheme | $500 | 2016-10-02 |
127522 | Security: Chrome Allows "Carpet Bomb" from File Download | - | 2016-10-02 |
127727 | Heap-use-after-free in WebCore::ContextDestructionObserver::contextDestroyed | - | 2016-10-02 |
127449 | PPAPI processes hold privileged process handles | - | 2016-10-02 |
127418 | Heap-use-after-free in WebCore::SVGTextLayoutEngine::layoutTextOnLineOrPath | $1,000 | 2016-10-02 |
127417 | Security: Arbitrary memory read in libxslt | $500 | 2016-10-02 |
127371 | Heap-use-after-free in WebCore::AXObjectCache::postNotification | - | 2016-10-02 |
127368 | Heap-use-after-free in WebCore::SVGAnimatedLengthAnimator::resetAnimValToBaseVal | - | 2016-10-02 |
127367 | Heap-use-after-free in WebCore::ApplyStyleCommand::joinChildTextNodes | - | 2016-10-02 |
127366 | Heap-use-after-free in WebCore::ReplaceSelectionCommand::performTrivialReplace | - | 2016-10-02 |
127424 | Heap-use-after-free in WebKit::WebPagePopupImpl::closePopup | $1,000 | 2016-10-02 |
127234 | Heap-use-after-free in WebCore::SVGPropertyTearOff<WebCore::FloatRect>::commitChange | - | 2016-10-02 |
126723 | Heap-use-after-free in WebCore::RenderBlock::checkFloatsInCleanLine | - | 2016-10-02 |
126652 | Heap-buffer-overflow in bool WebCore::Region::Shape::compareShapes<WebCore::Region::Shape::CompareIntersectsOperation> | - | 2016-10-02 |
126475 | Heap-use-after-free in WebCore::InlineBox::root | - | 2016-10-02 |
126414 | [LangFuzz] Crash on heap with invalid read from random address (32 bit) | $500 | 2016-10-02 |
126406 | Heap-use-after-free in WebCore::RenderBlock::addChildIgnoringAnonymousColumnBlocks | - | 2016-10-02 |
126343 | OOB write in PDF character code mapping | - | 2016-10-02 |
126337 | Stack buffer overflow in character range parsing | - | 2016-10-02 |
126296 | Security: Browser crash document.createEvent("MouseEvents").initMouseEvent in background tab | $1,000 | 2016-10-02 |
125730 | Heap-use-after-free in WebCore::Document::nodeChildrenWillBeRemoved | - | 2016-10-02 |
126105 | Global-buffer-overflow in RgnOper::addSpan | - | 2016-10-02 |
126074 | Heap-use-after-free in WebCore::SpellChecker::didCheckSucceeded | - | 2016-10-02 |
126048 | Heap-use-after-free in SpeechRecognitionManagerImpl::DispatchEvent | $1,000 | 2016-10-02 |
126040 | Heap-use-after-free in WebCore::ContainerNode::insertBefore | - | 2016-10-02 |
126015 | Heap-use-after-free in WebCore::HTMLFormControlElement::disabled | - | 2016-10-02 |
125921 | Heap-buffer-overflow in WebCore::FontCache::releaseFontData | - | 2016-10-02 |
125919 | Heap-buffer-overflow in WebCore::SVGAnimatedPointListAnimator::calculateAnimatedValue | $500 | 2016-10-02 |
125821 | The Linux setuid sandbox has become (even more) insanely complex | - | 2016-10-02 |
126075 | Stack-buffer-overflow in SuggestMgr::forgotchar_utf | - | 2016-10-02 |
125563 | Heap-use-after-free in WebCore::RenderBlock::determineStartPosition | - | 2016-10-02 |
125557 | Heap-use-after-free in WebCore::AudioParam::disconnect | - | 2016-10-02 |
125555 | Heap-use-after-free in WTF::HashMap<int, WTF::RefPtr<WebCore::CalculationValue>, WTF::IntHash<unsigned int>, WTF::HashTrait | - | 2016-10-02 |
125529 | Heap-use-after-free in WebCore::HTMLLinkElement::setCSSStyleSheet | - | 2016-10-02 |
125515 | [LangFuzz] Crash on heap with invalid write to random address | $1,000 | 2016-10-02 |
108918 | Heap-use-after-free in WebCore::RenderTableSection::rowLogicalHeightChanged | - | 2016-10-02 |
108901 | Heap-buffer-overflow in compute_pos_tan | $500 | 2016-10-02 |
108894 | Heap-use-after-free in WebCore::HTMLCollection::length | - | 2016-10-02 |
108871 | IndexedDB with autoincrement fails on object put and crashes chrome | $1,000 | 2016-10-02 |
108605 | Use of uninitialized value in SkAlphaRuns::Break | $1,000 | 2016-10-02 |
108798 | Heap-use-after-free in WebCore::(anonymous namespace)::AllowFileSystemMainThreadBridge::signalCompleted | - | 2016-10-02 |
108695 | Heap-use-after-free in WebKit::WebFrameImpl::viewImpl | $1,000 | 2016-10-02 |
108648 | Security: Malicious extension could avoid being blacklisted via extension blacklist | - | 2016-10-02 |
108476 | Heap-buffer-overflow in WebCore::Font::codePath | $500 | 2016-10-02 |
108544 | Heap-use-after-free in SubresourceLoader::didFinishLoading | $1,000 | 2016-10-02 |
108579 | Heap-buffer-overflow in void WTF::Vector<WTF::RefPtr<WebCore::TextTrack>, 0ul>::insert<WTF::RefPtr<WebCore::TextTrack> > | - | 2016-10-02 |
108461 | Heap-use-after-free in WebCore::HTMLInputElement::copyNonAttributeProperties | - | 2016-10-02 |
108416 | Global-buffer-overflow in render_line | $500 | 2016-10-02 |
108071 | Browser process heap-use-after-free with indexeddb cursors | $3,133 | 2016-10-02 |
108037 | Heap-buffer-overflow in WebCore::SVGLength::valueAsString | $1,000 | 2016-10-02 |
108006 | Stack-buffer-overflow in HB_MyanmarShape | - | 2016-10-02 |
108267 | Heap-use-after-free in WebCore::RenderBlock::selectionGaps | - | 2016-10-02 |
108207 | Heap-use-after-free in WebCore::RenderTable::borderBefore | $1,000 | 2016-10-02 |
107758 | Heap-use-after-free in WebCore::RenderRegion::offsetFromLogicalTopOfFirstPage | $1,000 | 2016-10-02 |
107565 | Security: dragging a file URL between two http-spawned windows goes remote->local | - | 2016-10-02 |
107873 | Heap-use-after-free in WebCore::DatabaseTracker::interruptAllDatabasesForContext | - | 2016-10-02 |
107616 | UXSS in v8 bindings npCreateV8ScriptObject() | - | 2016-10-02 |
107939 | Heap-buffer-overflow in WebCore::RenderBlock::layoutRunsAndFloatsInRange | - | 2016-10-02 |
107258 | Freed m_renderer used in InlineBox::deleteLine | - | 2016-10-02 |
107244 | Heap-use-after-free in DatabaseObserver | $1,000 | 2016-10-02 |
107376 | Memory corruption crash in ExtensionPrefs::MigrateAppIndex. | - | 2016-10-02 |
107128 | Heap-buffer-overflow in xmlStringLenDecodeEntities | $4,000 | 2016-10-02 |
107277 | Heap-use-after-free in WebCore::RenderTextFragment::willBeDestroyed | - | 2016-10-02 |
107182 | Heap use after free with malware blocking page | $3,133 | 2016-10-02 |
106672 | Security: Crash in requestAnimationFrame when removing a frame | $1,000 | 2016-10-02 |
106671 | Heap-use-after-free in WebCore::InlineFlowBox::deleteLine | - | 2016-10-02 |
106577 | Heap-buffer-overflow in SkAAClipBlitter::blitAntiH | $500 | 2016-10-02 |
107032 | Sad tab when visiting https://code.google.com and --no-displaying-insecure-content | - | 2016-10-02 |
106441 | Stack-buffer-overflow in _canonicalize | $1,000 | 2016-10-02 |
106419 | Global-buffer-overflow in SkFileDescriptorStream::read | - | 2016-10-02 |
106413 | Heap-use-after-free in WebCore::RenderBlock::checkFloatsInCleanLine | - | 2016-10-02 |
106340 | Heap-use-after-free in WebCore::RenderTable::outerBorderAfter | $3,000 | 2016-10-02 |
106336 | Heap-use-after-free in WebCore::CounterNode::insertAfter | $500 | 2016-10-02 |
106334 | Security: Popupblocker is ignored, downloads are invisible | - | 2016-10-02 |
106484 | Heap-use-after-free in WebCore::RenderObject::childAt | $1,000 | 2016-10-02 |
106309 | Heap-buffer-overflow in WebCore::InlineFlowBox::addToLine (regions issue) | - | 2016-10-02 |
106165 | Heap-buffer-overflow in safe_browsing protocol parser | - | 2016-10-02 |
105867 | Use after free in V8HTMLElementWrapperFactory.cpp | $1,000 | 2016-10-02 |
105803 | PDF missing integer validation for Flate / LZW / Fax prediction codes and other parameters | - | 2016-10-02 |
106200 | Heap-use-after-free in WebCore::InlineBox::deleteLine | $500 | 2016-10-02 |
106316 | Heap-buffer-overflow in WebCore::HTMLTreeBuilder::processEndTag | - | 2016-10-02 |
105482 | Security: CSP connect-src and script-src not enforced on workers | - | 2016-10-02 |
105459 | Use-after frees and bad casts with -webkit-column-span | $2,000 | 2016-10-02 |
105714 | Nasty looking INVALID_POINTER_READ in internal PDF-reader | $500 | 2016-10-02 |
134123 | Heap-use-after-free in WebCore::VisibleSelection::rootEditableElement | - | 2016-10-02 |
105162 | Stack-buffer-overflow in base::files::(anonymous namespace)::InotifyReaderTask::Run | - | 2016-10-02 |
134305 | Heap-use-after-free in WebCore::RenderObject::absoluteBoundingBoxRect | - | 2016-10-02 |
133725 | Security: public chromium site is leaking internal Google DNS names | - | 2016-10-02 |
134088 | Use-after-free: LabelsNodeList isn't updated properly after its owner node is adopted into a new document | - | 2016-10-02 |
133892 | Heap-use-after-free in WebCore::RenderListItem::updateMarkerLocation | - | 2016-10-02 |
133288 | Heap-buffer-overflow in WebCore::CSPSourceList::parseSource | - | 2016-10-02 |
133571 | Heap-use-after-free in SkARGB32_Black_Blitter::blitAntiH | $1,000 | 2016-10-02 |
133418 | Heap-use-after-free in WebCore::RenderBlock::layoutPositionedObjects | - | 2016-10-02 |
134101 | Security: webRequest API allows extensions to XSS chrome.google.com and gain access to webstorePrivate API | $2,000 | 2016-10-02 |
133214 | UNKNOWN in WebCore::RenderTableSection::addCell | $1,000 | 2016-10-02 |
133196 | Heap-use-after-free in WebCore::RenderInline::willBeDestroyed | - | 2016-10-02 |
132806 | ChromeContentBrowserClient::AllowSocketAPI using allowed_socket_origins_ without scheme check | - | 2016-10-02 |
132779 | Security: WebM heap-buffer-overflow in matroskadec.c:matroska_parse_block() | $1,000 | 2016-10-02 |
132699 | Update Java version metadata for Jun 2012 CPU | - | 2016-10-02 |
132690 | Heap-use-after-free in WebCore::RenderSVGModelObject::checkIntersection | - | 2016-10-02 |
132890 | Crash when using Web Audio + media element with no audio or when user navigates | - | 2016-10-02 |
131969 | Heap-use-after-free in WebCore::AccessibilityObject::getAttribute | - | 2016-10-02 |
132396 | Heap-use-after-free in WebCore::RenderBlock::layoutRunsAndFloats | - | 2016-10-02 |
132398 | Global-buffer-overflow in D_Clear_BitmapXferProc | - | 2016-10-02 |
132203 | UAF in ValueStoreFrontend::Backend::Get | - | 2016-10-02 |
132019 | Heap-use-after-free in WebCore::InlineFlowBox::deleteLine | - | 2016-10-02 |
132270 | Global-buffer-overflow in WebCore::mediaControlElementType | - | 2016-10-02 |
131968 | Heap-use-after-free in WebCore::AccessibilityTable::isDataTable | - | 2016-10-02 |
132241 | Heap-use-after-free in WebCore::DocumentThreadableLoader::cancel | - | 2016-10-02 |
131934 | Heap-use-after-free in WTF::Vector<WebCore::Attribute, 0ul>::~Vector | - | 2016-10-02 |
131348 | Security: Use-after-free in safe_browseing::DownloadProtectionService found by Valgrind | - | 2016-10-02 |
131347 | heap-use-after-free in DictionaryValue while closing chrome, requires extension. | - | 2016-10-02 |
131087 | UAF due to Document::removePendingSheet re-entering JavaScript during Document cleanup | - | 2016-10-02 |
130927 | Heap-use-after-free in WebCore::CompositeEditCommand::breakOutOfEmptyListItem | - | 2016-10-02 |
130824 | Security: Linux crash report generation code reads past the end of an unterminated string buffer. | - | 2016-10-02 |
130802 | Heap-buffer-overflow in void WTF::Vector<unsigned short, 0ul>::append<unsigned short> | - | 2016-10-02 |
130743 | Chromium is no more asking you for permissions to run WMP plugin via the Infobar. Is it intentional? | - | 2016-10-02 |
130723 | Use after free after setting -webkit-line-clamp to none | - | 2016-10-02 |
130722 | Heap-use-after-free in WebCore::InsertParagraphSeparatorCommand::doApply | - | 2016-10-02 |
130595 | Heap-use-after-free in WebCore::RenderBlock::layoutBlockChildren | $1,000 | 2016-10-02 |
130356 | Heap-use-after-free in WebCore::SVGDocumentExtensions::removeAllElementReferencesForTarget | $1,000 | 2016-10-02 |
130276 | Chrome attempts to load metro_driver.dll when Metro is not supported | - | 2016-10-02 |
130241 | [crash] WebCore::RenderStyle::fontMetrics(void)+0xa | - | 2016-10-02 |
130240 | Heap-buffer-overflow WRITE in read_markers third_party/libjpeg_turbo/jdmarker | $1,000 | 2016-10-02 |
130237 | Heap-use-after-free in WebCore::RenderObject::arenaDelete | - | 2016-10-02 |
130235 | Heap-use-after-free in WebCore::HTMLElement::adjustDirectionalityIfNeededAfterChildrenChanged | - | 2016-10-02 |
130369 | Heap-use-after-free in WebCore::RenderBlock::layoutPositionedObjects | $1,000 | 2016-10-02 |
129826 | Chrome_Mac: Zombie <DownloadItemController: 0x1f1e6fd0> received -handleReveal: (via -performSelector:withObject:) | - | 2016-10-02 |
129947 | Heap-use-after-free in WebCore::RenderObject::setStyle | $1,000 | 2016-10-02 |
129942 | UNKNOWN in v8_i18n::IntlNumberFormat::JSInternalFormat | $1,000 | 2016-10-02 |
129936 | Heap-use-after-free in WebCore::InlineTextBox::nodeAtPoint | - | 2016-10-02 |
129930 | Security: libxml2 growBuffer integer overflow on 64-bit machines | $3,000 | 2016-10-02 |
129898 | Heap-use-after-free in WebCore::CounterNode::lastDescendant | $1,000 | 2016-10-02 |
129890 | Heap-use-after-free in WebCore::cancelAll | - | 2016-10-02 |
129951 | UNKNOWN in v8::Function::Call | $1,000 | 2016-10-02 |
129394 | Heap-use-after-free in WebCore::AccessibilityTable::isDataTable | - | 2016-10-02 |
129569 | Heap-use-after-free in WebCore::RenderLayer::updateCompositingLayersAfterScroll | - | 2016-10-02 |
129396 | Heap-buffer-overflow in WebCore::RenderTable::colElement | - | 2016-10-02 |
129357 | Heap-buffer-overflow in WebCore::RenderProgress::isDeterminate | - | 2016-10-02 |
129301 | Heap-use-after-free in WebCore::AXObjectCache::postPlatformNotification | - | 2016-10-02 |
129299 | Run-in UAFs part 2 | - | 2016-10-02 |
129360 | Heap-use-after-free in WebCore::InlineFlowBox::removeChild | - | 2016-10-02 |
105143 | Cross-origin drag-and-drop prevention ineffective | - | 2016-10-02 |
105157 | Heap-use-after-free in WebCore::InlineFlowBox::removeChild | - | 2016-10-02 |
105133 | Heap-use-after-free in WebCore::RenderObject::isDescendantOf | - | 2016-10-02 |
105012 | Global-buffer-overflow in WebCore::RenderFlexibleBox::mainAxisBorderAndPaddingExtentForChild | - | 2016-10-02 |
104935 | Security: HSTS "cookies" do not obey expected policy. | - | 2016-10-02 |
104863 | Heap-use-after-free in WebCore::SubresourceLoader::didFail | $1,000 | 2016-10-02 |
104859 | Heap-use-after-free in WebCore::InlineFlowBox::computeOverAnnotationAdjustment | $1,000 | 2016-10-02 |
104617 | Heap-use-after-free in WebCore::CSSImageGeneratorValue::addClient | - | 2016-10-02 |
104529 | PDF-reader tab-crash with editable crash address. | $2,000 | 2016-10-02 |
104959 | Nasty looking crash on internal pdf-reader | $500 | 2016-10-02 |
104461 | Security: chrome://workers/ crash | - | 2016-10-02 |
104325 | Heap-use-after-free in WebCore::RenderBlock::determineStartPosition | - | 2016-10-02 |
104315 | Heap-use-after-free WebCore::RenderObject::container | - | 2016-10-02 |
104272 | Security: Directory traversal in extension docs | - | 2016-10-02 |
104266 | Heap-use-after-free in WebCore::nextBreakablePosition | - | 2016-10-02 |
104466 | Schema check on navigations to chrome/file schemas should be avoided | - | 2016-10-02 |
104317 | Stale RenderObject in RenderBlock::addChildIgnoringAnonymousColumnBlocks() | - | 2016-10-02 |
104056 | Crash with PDF at bad IP | $1,000 | 2016-10-02 |
104223 | Security: MHTML can be used to steal cookies | - | 2016-10-02 |
103867 | Security: chrome.test.resetQuota extension API exposed to all extensions | - | 2016-10-02 |
103750 | minor self-inflicted xss on chrome://tracking2 | - | 2016-10-02 |
103738 | Security: out of bounds array access in WebCore::RenderTableSection::rowLogicalHeightChanged | - | 2016-10-02 |
104011 | v8_i18n::BCP47ToICUFormat() - crash | $1,000 | 2016-10-02 |
104151 | Bad cast in WebCore::RenderThemeMac::paintMediaToggleClosedCaptionsButton | - | 2016-10-02 |
103921 | Use-after-free in DOM Range | $1,000 | 2016-10-02 |
103239 | Security: INVALID_POINTER_READ/WRITE_EXPLOITABLE_chrome!SkRgnBuilder::blitH | $1,000 | 2016-10-02 |
103259 | [LangFuzz] Crash at v8::internal::WriteQuoteJsonString with invalid write | $1,000 | 2016-10-02 |
102810 | Security: buffer overflow in link prefetching | $1,000 | 2016-10-02 |
103630 | Security: iFrame SandBox Unique Origin not enforced in extensions | - | 2016-10-02 |
103126 | Heap-use-after-free in WebCore::RenderTextFragment::styleDidChange | - | 2016-10-02 |
103244 | Pinning checks aren't enforced in the case of a minor error. | - | 2016-10-02 |
103058 | Security: missing xslt import causes crash w/preloading | $1,000 | 2016-10-02 |
102037 | Security: Use after free in CSSStyleDeclarationInternal::parentRuleAttrGetter | - | 2016-10-02 |
101900 | Security: bug rendering web pages with flash content | - | 2016-10-02 |
101835 | Exit full screen button crashs browser | - | 2016-10-02 |
101779 | OOB read with corrupt PDF; possible stability issue too | - | 2016-10-02 |
101624 | Security: buffer overrun leading to heap corruption in ANGLE shader translator | - | 2016-10-02 |
102242 | ZDI-CAN-1416: WebKit ContentEditable swapInNode Use-After-Free Remote Code Execution Vulnerability | - | 2016-10-02 |
101901 | Security:scrolling web with flash content rendering bug | - | 2016-10-02 |
102628 | Security: Adobe regions use-after-free with multiple region css thingies | $1,000 | 2016-10-02 |
102461 | Failure to infobar JRE7 | - | 2016-10-02 |
102359 | Use-after-free in SVG renderer | $1,000 | 2016-10-02 |
101446 | Use after free in TextTrack::~TextTrack | - | 2016-10-02 |
101235 | Security: Location bar spoofing when using replaceState in unload event handler | - | 2016-10-02 |
101205 | Security: marketplace | - | 2016-10-02 |
101172 | Seeking on webm 1080p video causes crash | - | 2016-10-02 |
101580 | Heap-use-after-free in WebCore::RenderObject::enclosingLayer | - | 2016-10-02 |
101548 | Test: ABCD | - | 2016-10-02 |
101494 | OOB read in media::ScaleYUVToRGB32 | - | 2016-10-02 |
101458 | OOB read in WebM/vorbis vorbis_decode_frame() | $1,000 | 2016-10-02 |
101018 | Use after free in fullscreen unwraprenderer | - | 2016-10-02 |
101010 | Security: css/CSSParser.cpp memory corruption bug | - | 2016-10-02 |
100958 | Heap-use-after-free WebCore::RenderBlock::layoutPositionedObjects | - | 2016-10-02 |
100879 | Problem with full-screen infobar permission prompt | - | 2016-10-02 |
100863 | OOB read in SVG at WebCore::parseArcFlag | - | 2016-10-02 |
100543 | OOB read in WebM/vorbis at render_line() | $500 | 2016-10-02 |
101065 | Use after free with counters and inline-table and :before content | - | 2016-10-02 |
101127 | BlackBerry® | - | 2016-10-02 |
101136 | Security: Search terms hijacked to return only one site for search terms | - | 2016-10-02 |
138210 | Information and credential disclosure by file:// URLs (Android) | $500 | 2016-10-02 |
138035 | Security: Google Chrome for Android: Current-tab cross-application scripting (UXSS) | $500 | 2016-10-02 |
138012 | Heap-buffer-overflow in WebCore::FontCache::releaseFontData | - | 2016-10-02 |
137912 | Heap-buffer-overflow in WebCore::DelayDSPKernel::process | - | 2016-10-02 |
137891 | Security: HTTPS proxy can run JavaScript on requested HTTPS sites | - | 2016-10-02 |
137852 | Heap-use-after-free in WebKit::WebElement::document | - | 2016-10-02 |
137778 | Heap-use-after-free in webkit::ppapi::PPB_URLLoader_Impl::FillUserBuffer | - | 2016-10-02 |
138208 | Crash in SkGlyphCache::findImage | $1,000 | 2016-10-02 |
100492 | Use after free in WebM/matroska at matroska_execute_seekhead() | $3,000 | 2016-10-02 |
100465 | OOB read in OGV at unpack_vlcs | $500 | 2016-10-02 |
100464 | Use-after-free in WebM at decode_mb_mode | $1,000 | 2016-10-02 |
100459 | Use after free in RenderDeprecatedFlexibleBox::layoutHorizontalBox(bool) [and first-letter] | - | 2016-10-02 |
100447 | ClusterFuzz Account Check. | - | 2016-10-02 |
100322 | Security: Calling arbitrary V8 native functions from JavaScript | - | 2016-10-02 |
138196 | Stack-buffer-overflow in NPObjectProxy::NPNEvaluate | - | 2016-10-02 |
138192 | Heap-buffer-overflow in WebCore::HTMLInputElement::dataList | - | 2016-10-02 |
100526 | Use after free in floats and first-letter | - | 2016-10-02 |
137623 | Heap-buffer-overflow in WebPluginDelegateProxy::BackgroundChanged | - | 2016-10-02 |
137532 | Security: Android APIs exposed to JavaScript | $500 | 2016-10-02 |
137471 | Heap-use-after-free in WebCore::Element::cloneElementWithoutChildren | - | 2016-10-02 |
137413 | Heap-buffer-overflow in WebCore::RenderTableSection::setCellLogicalWidths | - | 2016-10-02 |
137409 | Heap-use-after-free in WebCore::RenderObject::container | - | 2016-10-02 |
137407 | Security: Chrome for iOS security bug | - | 2016-10-02 |
137364 | Heap-use-after-free in WebCore::CSSFontSelector::beginLoadTimerFired | - | 2016-10-02 |
137707 | Security: Chrome extensions bug cause crash in all Chrome processes | $500 | 2016-10-02 |
137671 | Security: Bad cast in WebCore::CalendarPickerElement::hostInput() | $2,000 | 2016-10-02 |
137541 | Reproduceable crash. Changing tabs while a specific text field has focus. | - | 2016-10-02 |
137233 | Heap-buffer-overflow in WebCore::RenderBlock::handleTrailingSpaces | - | 2016-10-02 |
137125 | UNKNOWN in WebCore::StylePropertySet::addParsedProperties | $1,000 | 2016-10-02 |
137208 | Security: Mouse lock permission and iframe on different host | - | 2016-10-02 |
137174 | UNKNOWN in WebCore::SVGAnimationElement::currentValuesForValuesAnimation | - | 2016-10-02 |
137147 | UNKNOWN in WebCore::RenderTable::cellBefore | - | 2016-10-02 |
137303 | Corrupted rendering with many MapsGL tabs open | - | 2016-10-02 |
137052 | Heap-use-after-free in WebCore::EllipsisBox::paint | - | 2016-10-02 |
137363 | Heap-use-after-free in WebCore::RenderBlock::removeChild | - | 2016-10-02 |
137362 | Heap-buffer-overflow in WebCore::CCLayerTreeHostImpl::CullRenderPassesWithNoQuads::shouldRemoveRenderPass | - | 2016-10-02 |
137232 | UNKNOWN in WebCore::ElementAttributeData::addAttribute | - | 2016-10-02 |
136497 | Security: XSS via Copy&Paste protection bypass using @formaction / General Iframe Sandbox Considerations regarding copy&paste / drag&drop | - | 2016-10-02 |
136881 | Security: race condition with workers and sync xmlhttprequests | $500 | 2016-10-02 |
136894 | Heap-buffer-overflow in UpsampleBgraLinePairSSE2 | $1,000 | 2016-10-02 |
136952 | Heap-use-after-free in WebCore::RenderLineBoxList::dirtyLinesFromChangedChild | - | 2016-10-02 |
136226 | Heap-use-after-free in WebCore::RenderBlock::checkFloatsInCleanLine | - | 2016-10-02 |
136182 | Heap-use-after-free in WebCore::ImageLoader::updateRenderer | - | 2016-10-02 |
136344 | Heap-use-after-free in WebCore::FrameLoader::stopAllLoaders | - | 2016-10-02 |
136116 | Heap-use-after-free in WebCore::RenderLayer::enclosingFilterLayer | - | 2016-10-02 |
136046 | Bad intersection of injected HTTP headers leads to Content Security Policy (CSP) Bypass | - | 2016-10-02 |
136296 | Heap-use-after-free in WebCore::SVGSMILElement::resetTargetElement | - | 2016-10-02 |
136235 | Heap-use-after-free in WebCore::StyleResolver::collectMatchingRulesForList | $1,000 | 2016-10-02 |
136145 | Security: Heap-buffer-overflow on TextFieldDecorationElement::defaultEventHandler | - | 2016-10-02 |
135697 | Heap-use-after-free in WebCore::RenderLayer::repaintBlockSelectionGaps | - | 2016-10-02 |
135658 | Turn off <iframe> seamless for m21 | - | 2016-10-02 |
135595 | Heap-use-after-free in WebCore::ImageLoader::notifyFinished | - | 2016-10-02 |
135705 | Heap-buffer-overflow in WebCore::TextIterator::handleTextBox | - | 2016-10-02 |
135432 | Heap-buffer-overflow in skia::BGRAConvolve2D | $1,000 | 2016-10-02 |
135698 | Heap-use-after-free in WebCore::HTMLInputElement::isPresentationAttribute | - | 2016-10-02 |
135485 | SPDY - Pushed stream - crash accessing https://jetty.intalio.com:10111/spdy | - | 2016-10-02 |
135071 | Heap-buffer-overflow in void WTF::Vector<unsigned short, 1024ul>::append<unsigned short> | - | 2016-10-02 |
134897 | Bad cast with run-ins and <input> | $1,000 | 2016-10-02 |
135173 | Heap-use-after-free in WebCore::RenderQuote::rendererRemovedFromTree | - | 2016-10-02 |
135043 | Heap-use-after-free in media_stream:: | $3,133 | 2016-10-02 |
134429 | Heap-use-after-free in WebCore::Document::clearNodeListCaches | - | 2016-10-02 |
134639 | Heap-use-after-free in WebCore::RenderObject::destroyAndCleanupAnonymousWrappers | - | 2016-10-02 |
134428 | Heap-buffer-overflow in WebCore::SVGDocumentExtensions::removeAnimationElementFromTarget | - | 2016-10-02 |
134519 | Security: memory address disclosure through JavaScript in WebUI's cookies page | - | 2016-10-02 |
134402 | Heap buffer overflows in WebCore::CSSParser::lex | - | 2016-10-02 |
134324 | Heap-use-after-free in WebCore::RenderBlock::layoutPositionedObjects | - | 2016-10-02 |
134325 | Security: Use after free with mouse lock and window.open | $1,000 | 2016-10-02 |
100177 | Use after free in first-letter container destruction handling. | - | 2016-10-02 |
100149 | Use after free in AX Scrollbars | - | 2016-10-02 |
99991 | Use after free in ImageBuffer::toDataURL | - | 2016-10-02 |
100059 | Generic fix: Register custom fonts at creation time, rather than retire time. | $1,337 | 2016-10-02 |
99652 | OOB read in vp8_decode_frame | $1,000 | 2016-10-02 |
99732 | Use after free in table parts. | - | 2016-10-02 |
99603 | Use after free due to flexible box not laying some of its children. | - | 2016-10-02 |
99597 | Use after free in tables, float, :after content | - | 2016-10-02 |
99840 | Windows OpenGL performance drops by 2/3 with GPU sandbox on | - | 2016-10-02 |
99880 | Use after free in table :before, :after content. | $1,000 | 2016-10-02 |
99901 | BinScope reports SafeSEH not supported on video DLLs | - | 2016-10-02 |
99615 | Heap-use-after-free in WebCore::GraphicsContext::paintingDisabled | - | 2016-10-02 |
99465 | Security: AccessibilityImageMapLink holds onto it's parent even after it's been freed | - | 2016-10-02 |
99348 | Use after free in tables | - | 2016-10-02 |
99338 | Use after free in RenderTableSection::splitColumn | - | 2016-10-02 |
99596 | Use after free in media::FFmpegDemuxerStream::Read | - | 2016-10-02 |
99553 | repeatedly re-setting video.src crashes in WebCore::VideoLayerChromium::updateCompositorResources | - | 2016-10-02 |
99480 | OOB read in media::ScaleYUVToRGB32 | - | 2016-10-02 |
99294 | Use after free with :after in display table and :first-letter | $1,000 | 2016-10-02 |
99167 | [LangFuzz] Crash on Heap involving GC (invalid write) | $1,000 | 2016-10-02 |
99104 | WebKit: invalid cast in WebCore::toRenderBlock / WebCore::RenderBlock::blockSelectionGaps | - | 2016-10-02 |
99016 | Security: HTTPS Address Bar Spoofing Using View-source And Redirection | $1,000 | 2016-10-02 |
99003 | changing proxy | - | 2016-10-02 |
99229 | WebKit: Use after free in ~Node because ~HTMLLinkElement triggers script execution | - | 2016-10-02 |
99211 | Heap buffer overflow in Webaudio FFTFrame::doFFT | $2,000 | 2016-10-02 |
99138 | Use-after-free with plugin and editing | $1,000 | 2016-10-02 |
98556 | Use after free with first-letter | $1,000 | 2016-10-02 |
98262 | Chrome 16 crash when resizing window | - | 2016-10-02 |
98161 | Bug 68816 - Rapidly refreshing a feMorphology[erode] with r=0 can sometimes cause display corruption | - | 2016-10-02 |
98773 | [LangFuzz] Crash at v8::Object::SlowGetPointerFromInternalField with invalid read | $1,000 | 2016-10-02 |
98809 | Renderer crash with PDF at isalnum | $500 | 2016-10-02 |
98582 | Security: invalid memory reference to window object | - | 2016-10-02 |
97994 | Use after free due to stale fonts | - | 2016-10-02 |
97952 | Stale layout root generic fix from Mitz | - | 2016-10-02 |
97898 | Regression: Use after free in RenderBlock::linkToEndLineIfNeeded | - | 2016-10-02 |
97867 | Security: Major Google Plus and Google Chrome Problem | - | 2016-10-02 |
98089 | memory corruption in ANGLE shader translator | - | 2016-10-02 |
98064 | Use-after-free when font is missing | $1,000 | 2016-10-02 |
97784 | [v8] Stale pointer in CSSStyleSheet, Invalid cast in V8ListenerList::doFindWrapper | $1,500 | 2016-10-02 |
97608 | Use after free in counters in :before, :after content | $500 | 2016-10-02 |
97596 | Security: anonymous proxy | - | 2016-10-02 |
97553 | Clicking a link on a page that has been fullscreened by JS doesn't exit fullscreen | - | 2016-10-02 |
97546 | Use after free in ruby text :after, :before content due to stale styles. | - | 2016-10-02 |
97278 | Security: Tracking bug for CachedResourceLoader::canRequest in a redirect chain | - | 2016-10-02 |
97148 | Crashes in PhishingDOMFeatureExtractor::ExtractFeaturesWithTimeout | - | 2016-10-02 |
97092 | Stale canvas used in WebCore::PlatformContextSkia::save() | $1,000 | 2016-10-02 |
97674 | Security: Extension can get at tabs details (url/title) without requesting tabs permission | - | 2016-10-02 |
97599 | More stale styles in listmarkers | $1,000 | 2016-10-02 |
96747 | Security: Magic iframe transfer vulnerability for Pepper/NaCl plugins | - | 2016-10-02 |
96902 | Use-after-free in findPlaceForCounter | $1,000 | 2016-10-02 |
97006 | Use after free due to issues in element detachment when entering fullscreen | - | 2016-10-02 |
96665 | Use after free in Element::recalcStyle due to reparenting issues in treebuilder | - | 2016-10-02 |
96382 | out-of-bounds access in Gradient::sortStopsIfNecessary | - | 2016-10-02 |
96292 | Use after free in media BufferedResourceLoader::Start | - | 2016-10-02 |
141815 | Heap-use-after-free in WebCore::RenderQuote::detachQuote | - | 2016-10-02 |
141651 | Heap-buffer-overflow in SkA8_Blitter::blitAntiH | $500 | 2016-10-02 |
141564 | Heap-use-after-free in WebCore::HTMLLinkElement::removedFrom | - | 2016-10-02 |
141462 | Extension resources that are not web accessible should not be able to be linked to from the web | - | 2016-10-02 |
141444 | Security: Support pinning for Google ccTLDs | - | 2016-10-02 |
141395 | UNKNOWN in v8::internal::SemiSpaceIterator::Next | $1,000 | 2016-10-02 |
96499 | Heap-use-after-free in WebCore::RenderLayer::updateVisibilityStatus | - | 2016-10-02 |
96444 | Freed scrollbar used in RenderScrollbarPart::imageChanged [not related to previous stale m_owner issues] | - | 2016-10-02 |
96149 | Use after free in WebCore::AudioChannel::sumFrom | - | 2016-10-02 |
141093 | Security: Dev only restriction for declarativeWebRequest does not seem to work | - | 2016-10-02 |
96150 | Use after free in OfflineAudioDestinationNode::notifyCompleteDispatch | - | 2016-10-02 |
140805 | Heap-use-after-free in WebCore::RenderRegion::restoreRegionObjectsOriginalStyle | - | 2016-10-02 |
140803 | Heap-buffer-overflow in SkA8_Blitter::blitH | $1,000 | 2016-10-02 |
140720 | Heap-use-after-free in WebCore::RenderBlock::removeChild | - | 2016-10-02 |
140656 | Heap-use-after-free in WebCore::CachedResource::didAddClient | $1,000 | 2016-10-02 |
140647 | UNKNOWN in ogg_calc_pts | - | 2016-10-02 |
140642 | Heap-buffer-overflow in SkDashPathEffect::SkDashPathEffect | - | 2016-10-02 |
96131 | Closing parent then child in gmail = sad tab | - | 2016-10-02 |
96170 | Use after free in InspectorPageAgent::resourceContent | - | 2016-10-02 |
140495 | Text box fails to render contents and does not accept user input. | - | 2016-10-02 |
140484 | Heap-use-after-free in WebCore::RenderBlock::determineStartPosition | - | 2016-10-02 |
140368 | Security: heap-use-after-free in xsltGenerateIdFunction | - | 2016-10-02 |
140165 | Heap-buffer-overflow in vorbis_decode_frame | - | 2016-10-02 |
140142 | Heap-use-after-free in base::internal::WeakReference::is_valid | - | 2016-10-02 |
140532 | Heap-use-after-free in WebCore::RenderBoxModelObject::hasSelfPaintingLayer | - | 2016-10-02 |
140544 | Security: CSP doesn't turn off eval, etc. in Web Workers | - | 2016-10-02 |
140083 | [LangFuzz] Crash on heap trying to execute address 0x0000000200000000. | $1,000 | 2016-10-02 |
140045 | REGRESSION(r122498): Assertion failure: m_nodeListCounts is sometimes not zero in the Document destructor | - | 2016-10-02 |
139961 | Heap-use-after-free in WebCore::TargetListener::handleEvent [Stale target] | - | 2016-10-02 |
139814 | UAF in DOMContentLoaded | $2,000 | 2016-10-02 |
139789 | Heap-buffer-overflow in WebCore::CSSParser::updateLastSelectorLineAndPosition | - | 2016-10-02 |
139772 | AddressSanitizer reports a global buffer underflow in swizzle_for_size() in Mesa | - | 2016-10-02 |
139744 | Security: SSL compression infoleak | $5,337 | 2016-10-02 |
140085 | UNKNOWN in /mnt/scratch0/clusterfuzz/slave-bot/builds/revisions/asan-linux-release-149416/chrome+Unknown | - | 2016-10-02 |
139685 | OOB read atleast in WebCore::SVGListProperty<WebCore::SVGTransformList>::getItemValuesAndWrappers | - | 2016-10-02 |
139690 | Heap-use-after-free in WebCore::GenericEventQueue::timerFired | - | 2016-10-02 |
139646 | Heap-use-after-free in WebCore::DynamicNodeList::itemWithName | - | 2016-10-02 |
139679 | Bad cast in RenderFrameSet::computeEdgeInfo | - | 2016-10-02 |
139530 | Heap-use-after-free in WebCore::Node::~Node | - | 2016-10-02 |
139475 | Heap-use-after-free in WebCore::TargetListener::handleEvent [Stale event listener] | - | 2016-10-02 |
139462 | Heap-use-after-free in SkCanvas::updateDeviceCMCache | - | 2016-10-02 |
139541 | UNKNOWN in v8::HandleScope::CreateHandle | - | 2016-10-02 |
139464 | Heap-use-after-free in WebCore::RenderSVGShape::calculateStrokeBoundingBox | - | 2016-10-02 |
139321 | Heap-use-after-free in WebCore::InlineBox::extractLine | - | 2016-10-02 |
139402 | Heap-use-after-free in D_Clear_BitmapXferProc | - | 2016-10-02 |
139215 | Heap-use-after-free in WebCore::StyleResolver::collectMatchingRules | - | 2016-10-02 |
139168 | Security: Creating a loop in the DOM tree (99% a DoS) | $500 | 2016-10-02 |
139131 | Heap-use-after-free in WebCore::StyleResolver::collectMatchingRulesForList | - | 2016-10-02 |
139290 | Heap-use-after-free in WebCore::StyleResolver::loadPendingImage | - | 2016-10-02 |
139383 | Heap-use-after-free in WebCore::HTMLTextFormControlElement::fixPlaceholderRenderer | - | 2016-10-02 |
139240 | Heap-buffer-overflow in WebCore::TextTrackCueList::add | - | 2016-10-02 |
138738 | Crash in extensions::SetContentSettingFunction | - | 2016-10-02 |
138915 | Heap-use-after-free in WebCore::ContainerNode::cloneChildNodes | - | 2016-10-02 |
138422 | Heap-use-after-free in WebCore::Font::glyphDataAndPageForCharacter | - | 2016-10-02 |
138404 | Heap-use-after-free in WebCore::Document::page | - | 2016-10-02 |
138673 | Heap-buffer-overflow in xsltApplyTemplates | $1,000 | 2016-10-02 |
138990 | Heap-use-after-free in WebCore::SVGStyledElement::clearHasPendingResourcesIfPossible | - | 2016-10-02 |
138672 | Heap-double-free in xsltCompileStepPattern | - | 2016-10-02 |
138901 | Heap-use-after-free in ProfileKeyedBaseFactory::GetProfileToUse | - | 2016-10-02 |
138302 | Stack-buffer-overflow in NPObjectProxy::NPInvokePrivate | - | 2016-10-02 |
138318 | UXSS with pointer lock | - | 2016-10-02 |
138382 | Heap-use-after-free in WebCore::AutoTableLayout::recalcColumn | - | 2016-10-02 |
138316 | Heap-use-after-free in WebCore::RenderBoxModelObject::hasSelfPaintingLayer | - | 2016-10-02 |
95849 | Security: any Chrome committer (or parhaps even any user with Google account?) can compromise Google Chrome | - | 2016-10-02 |
95842 | Security: Chrome Gives Unreliable Security Info | - | 2016-10-02 |
95761 | Use after free in ContainerNode::removeChild (looks related to plugin) | - | 2016-10-02 |
95672 | Use after free in ListIterms and RunIns rendering (from bug 88680) | $1,000 | 2016-10-02 |
95669 | Regression(r93913): Use after free in ScriptController::executeScript | - | 2016-10-02 |
95992 | Security: header injection when using embeded \0 in headerline | - | 2016-10-02 |
95920 | [LangFuzz] Crash at v8::internal::ElementsAccessorBase with invalid read | $1,000 | 2016-10-02 |
95917 | Security: Chrome does not ask for approval when "not trusted" SSL cert. changes | - | 2016-10-02 |
95563 | OOB read in tibetan_nextSyllableBoundary | - | 2016-10-02 |
95625 | OOB read in gpu::gles2::GLES2DecoderImpl::HandleDrawArrays | - | 2016-10-02 |
95499 | Use after free due to style not updated and having stale fonts. | - | 2016-10-02 |
95485 | [LangFuzz] Crash at v8::internal::Object::Lookup | $1,000 | 2016-10-02 |
95639 | Use after free in Document::fullScreenChangeDelayTimerFired | - | 2016-10-02 |
95620 | use-after-free in browser_tests | - | 2016-10-02 |
95520 | Child not placed correctly when :before, :after placed in same table part container causing stale style | - | 2016-10-02 |
95359 | Use after free in WebCore::SVGTRefElement::updateReferencedText | - | 2016-10-02 |
95360 | use after free in WebCore::ContainerNode::removeChild via Range.deleteContents() | - | 2016-10-02 |
95083 | Security: Reveal stored passwords using the Developer Tool | - | 2016-10-02 |
95072 | Use after free due to style not updated for svg text runs. | $1,000 | 2016-10-02 |
95012 | Add defensive bounds checking in AudioNode | - | 2016-10-02 |
94834 | Security: Thread safety with AudioChannelMerger | - | 2016-10-02 |
95374 | Redirect to chrome:// URIs via Location: header | $2,337 | 2016-10-02 |
95465 | 4 OOB reads in XMLDocumentParser::doWrite | - | 2016-10-02 |
95333 | ERROR:the following pages have become unresponsive. you can wait to become responsive or kill them | - | 2016-10-02 |
94820 | Don't allow nodes of one context to be connected to nodes of another context | - | 2016-10-02 |
94743 | Regression(r93913): Use after free in ScheduledAction::execute(WebCore::V8Proxy*) | - | 2016-10-02 |
94578 | Security: Brute forcing Intranet WWW-Auth with script element | - | 2016-10-02 |
94487 | Security: JSC::Yarr regexp 32/48 to the left of 768 with workers | $1,000 | 2016-10-02 |
94464 | Security: e | - | 2016-10-02 |
94463 | Security: e | - | 2016-10-02 |
94462 | Security: e | - | 2016-10-02 |
94461 | Security: e | - | 2016-10-02 |
94460 | Security: e | - | 2016-10-02 |
94459 | Security: e | - | 2016-10-02 |
94458 | Security: e | - | 2016-10-02 |
94810 | Use after free with Floats and Ruby | - | 2016-10-02 |
94809 | Use after free in ruby overhang. | - | 2016-10-02 |
94456 | Security: | - | 2016-10-02 |
94275 | Make sure that AudioArray is 16-byte aligned | - | 2016-10-02 |
94273 | V8 custom bindings for AudioNode must do proper object checking and throw exception in case of error | - | 2016-10-02 |
94186 | WebAudio node lifetype crash when tearing down audio nodes / media element node | - | 2016-10-02 |
94025 | WebAudio: Integer overflows in AudioArray | - | 2016-10-02 |
93978 | Out of bounds reads and writes when FFT size is changed. | - | 2016-10-02 |
93918 | Regression(93122): Use after free in InspectorCSSAgent::clearFrontend | - | 2016-10-02 |
94457 | Security: e | - | 2016-10-02 |
94278 | Fix thread-safety of AudioNode deletion | - | 2016-10-02 |
93596 | Bad read in bundled PDF viewer | - | 2016-10-02 |
93497 | Security: Accessibility of the chrome.webstorePrivate-API | - | 2016-10-02 |
93472 | Yet another double-free caused by malformed XPath expression in XSLT | $1,000 | 2016-10-02 |
93420 | Use after free in FocusController::advanceFocusInDocumentOrder | $1,000 | 2016-10-02 |
93788 | Use after free in RenderText lineboxes. | $1,000 | 2016-10-02 |
93587 | Use after free in WebCore::Text::recalcStyle due to before after content issue in table parts | $1,000 | 2016-10-02 |
93856 | Use after free in RenderFlowThread::nextRendererForNode | - | 2016-10-02 |
93146 | Security: Possible race condition in Windows Policy reading that can lead to stale policy. | - | 2016-10-02 |
93106 | Failing assertion in IDBTransaction.cpp | - | 2016-10-02 |
93097 | Defensively null out danging pointers in the NaCl browser plugin memory safety for M14 | - | 2016-10-02 |
93059 | OOB read in EventDispatcher::adjustToShadowBoundaries | - | 2016-10-02 |
93416 | Security: Arbitrary cross-origin bypass using __defineGetter__ prototype override | $2,000 | 2016-10-02 |
93236 | Stale Pointer Crash in PrintWebViewHelper::PrintPreviewContext::CreatePreviewDocument | - | 2016-10-02 |
92959 | Stale node in StyleSheetCandidateListHashSet | $1,000 | 2016-10-02 |
92769 | Use after free in TreeBuilder | - | 2016-10-02 |
92651 | Use after free due to style not updated for ANONYMOUS boxes (e.g RenderRow), inline-blocks (e.g. RenderRubyRun) | $1,000 | 2016-10-02 |
92621 | Use after free in VisibleSelection::selectionFromContentsOfNode | - | 2016-10-02 |
92550 | Chrome (main process) crashes when setVersion is called when all (Indexed) database name space is used up | - | 2016-10-02 |
92226 | Use after free in CounterNode::lastDescendant | - | 2016-10-02 |
92840 | Use after free in HarfbuzzFace::~HarfbuzzFace | - | 2016-10-02 |
146433 | Chrome_Mac: Crash Report - base::::CrMallocErrorBreak / invalid free in SkWriter32::rewindToOffset | - | 2016-10-02 |
146235 | WTF::equal is too aggressive and may trigger ASan reports | - | 2016-10-02 |
146208 | Heap-buffer-overflow in WebCore::RenderTableSection::nodeAtPoint | - | 2016-10-02 |
146145 | Heap-use-after-free in WebCore::RenderText::computePreferredLogicalWidths | - | 2016-10-02 |
146144 | Heap-use-after-free in WebCore::FrameView::scrollContentsFastPath | - | 2016-10-02 |
146111 | Heap-use-after-free in WebCore::RenderBoxModelObject::hasSelfPaintingLayer | - | 2016-10-02 |
145976 | Heap-use-after-free in WebCore::HTMLTextFormControlElement::fixPlaceholderRenderer | - | 2016-10-02 |
145921 | AddressSanitizer reports a UAF in WebCore::RenderStyle::letterSpacing | - | 2016-10-02 |
146146 | Heap-buffer-overflow in WebCore::FlowThreadController::unregisterNamedFlowContentNode | - | 2016-10-02 |
145867 | Heap-use-after-free in WebCore::FrameView::scrollContentsFastPath | - | 2016-10-02 |
145915 | Security/Privacy: <img>-embedded SVG will load external content referenced by CSS @import @font-face | - | 2016-10-02 |
145530 | Mitigation: Kill OOB reads(or few writes) by preventing access to harmful locals in dirty text lineboxes | - | 2016-10-02 |
145525 | Security: heap buffer overflow in gpu process with webgl | $3,500 | 2016-10-02 |
145492 | Web Inspector: Page with @import and :last-child in an edited stylesheet will crash (UAF) | - | 2016-10-02 |
145544 | Security: integer overflow in gpu process with webgl | $1,000 | 2016-10-02 |
145272 | Heap-use-after-free in WebCore::nextBreakablePosition | - | 2016-10-02 |
145018 | Heap-use-after-free in WebCore::StyleSheetContents::checkLoadCompleted | - | 2016-10-02 |
144886 | Security: webgl crash on mesa | $3,133 | 2016-10-02 |
144866 | Security: Chrome for Android Bypassing SOP for Local Files By Symlinks | $500 | 2016-10-02 |
144831 | Heap-buffer-overflow in WebCore::StylePropertySet::copyPropertiesFrom | - | 2016-10-02 |
145363 | Security: Chrome extension DEP crash | - | 2016-10-02 |
144899 | SkPaint::SkPaint - crash | $1,000 | 2016-10-02 |
144799 | Heap-double-free in xmlFreeNodeList | - | 2016-10-02 |
144813 | Security: UXSS via com.android.browser.application_id Intent extra | $500 | 2016-10-02 |
144671 | Heap-use-after-free in WebCore::GCPrologueVisitor<void, WebCore::SpecialCasePrologueObjectHandler>::visitDOMWrapper | - | 2016-10-02 |
144466 | Crash when verifying ECDSA certificate on XP | - | 2016-10-02 |
144734 | Heap-buffer-overflow in WebCore::RenderTable::removeCaption | - | 2016-10-02 |
144810 | Heap-use-after-free in WebCore::RenderTable::calcBorderEnd | - | 2016-10-02 |
144704 | Tracking bug for fixing rel=noreferrer aslr bypass | - | 2016-10-02 |
143761 | Heap-use-after-free in WebCore::GraphicsContext::restore | $1,000 | 2016-10-02 |
143672 | Flapper Crash in BrokerProcessDispatcher::GetSitesWithData | - | 2016-10-02 |
143859 | Security: World-writable shared memory segments for X/Linux UI | - | 2016-10-02 |
144051 | Security: Memory address disclosure through JavaScript in Print Preview WebUI | - | 2016-10-02 |
143846 | Security: Chromoting creates a world-writable shared memory segment | - | 2016-10-02 |
143609 | Heap-use-after-free in WebCore::ElementV8Internal::onclickAttrGetter | $1,000 | 2016-10-02 |
143604 | Heap-use-after-free in WebCore::RenderBlock::LineBreaker::nextLineBreak [SVG text] | - | 2016-10-02 |
143593 | Heap-buffer-overflow in WebCore::SurrogatePairAwareTextIterator::consume | - | 2016-10-02 |
143582 | Heap-use-after-free in WTF::OwnPtr<WTF::Vector<WebCore::RegisteredEventListener, 1ul> >::~OwnPtr | - | 2016-10-02 |
143551 | Heap-use-after-free in WebCore::TreeScopeAdopter::moveTreeToNewScope | - | 2016-10-02 |
143656 | Heap-use-after-free in WebCore::SVGTRefElement::updateReferencedText | $1,000 | 2016-10-02 |
143648 | Heap-buffer-overflow in WebCore::StyleResolver::applyProperty | - | 2016-10-02 |
143176 | Heap-use-after-free in WebCore::AccessibilityNodeObject::document | - | 2016-10-02 |
143409 | Heap-buffer-overflow in SkScalerContext_FreeType::generateImage | - | 2016-10-02 |
142956 | Security: XSS in SSL Certificate error page | $500 | 2016-10-02 |
142876 | Heap-buffer-overflow in WebCore::HarfBuzzShaperBase::isWordEnd | - | 2016-10-02 |
143329 | Bad cast in RenderGrid::layoutGridItems | - | 2016-10-02 |
143004 | Security: Untrustworthy Chrome OS user-wallpaper png's are loaded pre-login (in the sandboxed utility process) | - | 2016-10-02 |
142310 | ASan reports a use-after-free in IndexedDBBrowserTest.Bug109187Test | - | 2016-10-02 |
142395 | Bad cast in computeReplacedLogicalHeightUsing | - | 2016-10-02 |
142145 | Heap-use-after-free in WebCore::RenderBlock::removeChild | - | 2016-10-02 |
142746 | Security: Potential use after destruction in ui/gfx/image | - | 2016-10-02 |
142169 | Heap-buffer-overflow in SkAlphaRuns::add | $500 | 2016-10-02 |
142088 | UNKNOWN in v8::internal::Invoke | - | 2016-10-02 |
142087 | UNKNOWN in void v8::internal::String::WriteToFlat<char> | - | 2016-10-02 |
141901 | Security: mesa stack scribbling thingamadoo | $3,133 | 2016-10-02 |
141889 | Security: Cookie theft from Chrome by malicious Android app | $500 | 2016-10-02 |
91972 | Regression(85705): Use after free on m_originatingLine in floats | - | 2016-10-02 |
91940 | Security: Romanian colloquialism meaning penis when viewing YouTube channels | - | 2016-10-02 |
91939 | Security: Romanian colloquialism meaning penis when viewing YouTube channels | - | 2016-10-02 |
91921 | Use after free in RenderRubyBase | - | 2016-10-02 |
91911 | Freed m_renderer used in InlineBox::deleteLine | - | 2016-10-02 |
91973 | Regression(90971): Use after free in Textarea placeholder | - | 2016-10-02 |
91665 | Crash on bad rip when opening a PDF | $1,000 | 2016-10-02 |
91801 | Use after free of RootInlineBox | - | 2016-10-02 |
91577 | file:// URL access is defaulting to opt-in | - | 2016-10-02 |
91554 | Possible use-after-free in AddToConsole | - | 2016-10-02 |
91633 | Security: When upgrade to 13.0.782.107, chrome will run js and load image which had been disabled in chrome | - | 2016-10-02 |
91502 | Security: Malware Page forbids user from closing a tab.(window.onunload hijack) | - | 2016-10-02 |
91362 | Regression(91331): Bad cast due to html renderer created for svg glyphref | - | 2016-10-02 |
91312 | Security: Native Client app can crash trusted code. | - | 2016-10-02 |
91218 | XSS in chrome://appcache-internals | - | 2016-10-02 |
91517 | Security: V8 asserts (crashes) when entering simple JS snippet | - | 2016-10-02 |
91321 | Regression(91788): Bad cast in WebCore::blockWithNextLineBox | - | 2016-10-02 |
91020 | Use after free in MediaTest.FLAKY_VideoBearWebm on Mac OS | - | 2016-10-02 |
91099 | OOB read in RenderScrollbarPart::computeScrollbarWidth | - | 2016-10-02 |
91120 | [LangFuzz] Crash at Runtime_QuoteJSONString with invalid write | $500 | 2016-10-02 |
91082 | Security: Major Privacy Loop Hole ! | - | 2016-10-02 |
91079 | where to submit Google account bug | - | 2016-10-02 |
91093 | Bad cast in paintMediaPlayButton | - | 2016-10-02 |
91016 | Security: Canvas toDataURL security error: It is taking page information and not the canvas when making the image | $500 | 2016-10-02 |
91013 | [LangFuzz] Crash at RootMarkingVisitor::VisitPointers (32 bit) | $1,000 | 2016-10-02 |
91010 | [LangFuzz] Crash at JSObject::SetDictionaryElement with invalid read (32 bit) | $1,000 | 2016-10-02 |
91197 | Use after free or bad cast with empty .swf file | - | 2016-10-02 |
91092 | Use after free in SVGUseElement::buildShadowTree | - | 2016-10-02 |
90978 | read out of bounds in sUnpremultiplyData_RGBA8888 / ImageBufferData::getData (WEBKIT 65352) | - | 2016-10-02 |
90668 | Use after free in WebCore::findPlainText | $1,000 | 2016-10-02 |
90498 | Security: automatically downloading of .crdownload-files | - | 2016-10-02 |
91008 | [LangFuzz] Crash at JSObject::PrepareElementsForSort with invalid read | $1,000 | 2016-10-02 |
90357 | OOB read in WebCore::previousBoundary | - | 2016-10-02 |
90217 | Prevent silent truncation of trailing characters in downloaded file names | - | 2016-10-02 |
90173 | OOB read in media::ScaleYUVToRGB32 due to failure to account for zero source width and accessing negative indices | - | 2016-10-02 |
90134 | OOB read in harfbuzz with khmer character | - | 2016-10-02 |
90105 | Heap-buffer-overflow in WebCore::RenderBlock::LineBreaker::nextLineBreak | - | 2016-10-02 |
89991 | Regression(82144): OOB InlineIterator read in TrailingObjects::updateMidpointsForTrailingBoxes | $500 | 2016-10-02 |
90175 | Security: remove any site from Google Index | - | 2016-10-02 |
89795 | Browser crash in net::WebSocketJob::SendPending | - | 2016-10-02 |
89580 | Use after free due to continuation splitting issues in -webkit-column-span | - | 2016-10-02 |
89599 | Freed SVGTRefElement used in SVGStyledElement::buildPendingResourcesIfNeeded | - | 2016-10-02 |
89836 | Tracking bug for ANGLE memory corruption on Windows | $1,337 | 2016-10-02 |
89575 | Use after free of markers in CompositeEditCommand::replaceTextInNodePreservingMarkers | - | 2016-10-02 |
89564 | Possible URL Bar Spoofing when history.forward() is ignored using forward button | $500 | 2016-10-02 |
89678 | Use after free in ReplacementFragment::removeUnrenderedNodes | - | 2016-10-02 |
89552 | Use after free in CSSStyleSheet::checkLoaded | - | 2016-10-02 |
89522 | SVG animation API crashes on SVGAnimateTransform | - | 2016-10-02 |
89511 | Use after free in IDBRequest::abort | - | 2016-10-02 |
89493 | Use after free in SVG foreignobject rendering. | - | 2016-10-02 |
89422 | Two use after frees in NPObjectStub | - | 2016-10-02 |
89558 | Use after free in SVGUseElement::buildShadowTree | $500 | 2016-10-02 |
89402 | Memory corruption (double free) caused by malformed XPath expression in XSLT | $1,000 | 2016-10-02 |
89330 | DocumentLoader use after free in KURL::strippedForUseAsReferrer | $1,000 | 2016-10-02 |
89219 | Use after free due to document destruction within unload event | $1,000 | 2016-10-02 |
89142 | PDF viewer crash | $500 | 2016-10-02 |
89020 | Security: ftp | - | 2016-10-02 |
88976 | possible use after free WebCore::FontCache::getFontDataForCharacters | - | 2016-10-02 |
88949 | Security: Location Bar Spoofing using very long string on a web address in the location bar | - | 2016-10-02 |
88944 | Use-after free in leveldb | $3,133 | 2016-10-02 |
88932 | Security: Exploit in google+ | - | 2016-10-02 |
152691 | chrome!std::_Tree<std::_Tmap_traits<tracked_objects::Location,tracked_objects::Births *,std::less<tracked_objects::Location>,std::allocator<std::pair<tracked_objects::Location const ,tracked_objects::Births *> >,0> >::find+15 - crash | $2,000 | 2016-10-02 |
152585 | Heap-use-after-free in WebCore::ContainerNode::removeAllChildren | - | 2016-10-02 |
152420 | Heap-use-after-free in content::P2PSocketClient::OnDataReceived | - | 2016-10-02 |
152354 | Mask RenderArena freelist entries. | - | 2016-10-02 |
152569 | Chrome_Mac: Crash Report - Stack Signature: CompositorOutputSurface::OnMessageReceived-... | $500 | 2016-10-02 |
152442 | Heap-use-after-free in icu_46::RuleBasedCollator::RuleBasedCollator | - | 2016-10-02 |
151895 | Defense to throw "unauthorized" infobar for excessively crashing plug-in does not work for Pepper Flash! | - | 2016-10-02 |
151888 | Crash in v8::internal::SlotsBuffer::UpdateSlotsRecordedIn | - | 2016-10-02 |
151854 | Heap-use-after-free in WebCore::CachedResource::addClientToSet | - | 2016-10-02 |
151795 | Security: remove chrome.experimental.offscreenTabs API | - | 2016-10-02 |
152104 | out of bounds array access in WTF::TypedArrayBase<unsigned char>::item(unsigned int) / WebCore::FEMorphology::platformApplyGeneric | - | 2016-10-02 |
151992 | Heap-use-after-free in VideoCaptureImpl::RemoveClient | - | 2016-10-02 |
151860 | Heap-use-after-free in WebCore::DateTimeFieldElement::didBlur | $1,000 | 2016-10-02 |
151008 | Heap-use-after-free in WebCore::CanvasRenderingContext2D::setFont | $1,000 | 2016-10-02 |
151424 | Chrome: Crash Report - Stack Signature: WebCore::CachedImage::likelyToBeUsedSoon()-... | - | 2016-10-02 |
151449 | Heap-buffer-overflow in cc::CCKeyframedTransformAnimationCurve::getValue | - | 2016-10-02 |
150966 | Heap-use-after-free in WebCore::Node::~Node | - | 2016-10-02 |
151049 | Heap-use-after-free in WebCore::RenderObject::destroyAndCleanupAnonymousWrappers | - | 2016-10-02 |
150571 | Global-buffer-overflow in v128_copy_octet_string | - | 2016-10-02 |
150067 | Heap-buffer-overflow in WebCore::InlineFlowBox::placeBoxesInInlineDirection | - | 2016-10-02 |
149999 | Heap-use-after-free in WebCore::WebKitCSSSVGDocumentValue::load | - | 2016-10-02 |
150842 | Heap-use-after-free in content::P2PSocketClient::DeliverOnSocketCreated | - | 2016-10-02 |
150545 | UNKNOWN in v8::internal::RootMarkingVisitor::MarkObjectByPointer | - | 2016-10-02 |
150650 | MSI installer ships an out-of-date GoogleUpdate.exe with no ASLR or DEP (and may not be updating) | - | 2016-10-02 |
150729 | UNKNOWN in v8::internal::Invoke | $1,500 | 2016-10-02 |
150737 | IndexedDB causes V8 heap corruption | $1,000 | 2016-10-02 |
149717 | Security: integer overflow in webgl on osx | $1,000 | 2016-10-02 |
149877 | Security: Omnibox drop target enables navigation to restricted URLs | - | 2016-10-02 |
149904 | Security: webgl - after running out of memory, buffer can still be written | $1,000 | 2016-10-02 |
149840 | Heap-use-after-free in WebCore::StyleRuleImport::setCSSStyleSheet | - | 2016-10-02 |
149871 | Untrustworthy navigation causes HTTP Basic Auth dialog origin confusion/spoofing | - | 2016-10-02 |
148612 | Heap-use-after-free in WebCore::pushFullyClippedState | - | 2016-10-02 |
148896 | UNKNOWN in v8::internal::ElementsAccessorBase<v8::internal::ExternalUnsignedByteElementsAccessor, v8::internal: | - | 2016-10-02 |
148378 | [LangFuzz] Crash due to invalid free in v8::internal::Runtime_RegExpExecMultiple | $1,000 | 2016-10-02 |
148692 | Heap-buffer-overflow in ucstrTextExtract | $500 | 2016-10-02 |
148638 | Heap-buffer-overflow in SkAAClipBlitter::blitAntiH | $500 | 2016-10-02 |
148567 | Touch events allow cross-origin access | $500 | 2016-10-02 |
147625 | Security: UXSS/SOP bypass with document.write (Chrome on iOS) | $500 | 2016-10-02 |
147499 | Heap-use-after-free in media::AudioOutputDevice::AudioThreadCallback::Process | $3,133 | 2016-10-02 |
147475 | UNKNOWN in v8::internal::Deoptimizer::DoComputeOutputFrames | - | 2016-10-02 |
147459 | Heap-use-after-free in WebCore::ImageLoader::updateRenderer | - | 2016-10-02 |
148376 | [LangFuzz] Crash at v8::internal::MarkCompactCollector::EvacuateNewSpace with invalid read | $1,000 | 2016-10-02 |
147700 | Heap-use-after-free in WebCore::Document::fullScreenChangeDelayTimerFired | - | 2016-10-02 |
147592 | Chrome_ChromeOS: Crash Report - Stack Signature: WebKit::WebWorkerClientImpl::openFileSystem... | - | 2016-10-02 |
146882 | Heap-use-after-free in WebCore::InlineBox::adjustPosition | - | 2016-10-02 |
146760 | Security: URL bar spoofing with SSL error messages (Chrome on iOS) | $500 | 2016-10-02 |
146725 | AddressSanitizer reports a use-after-free in WebKit::DateTimeChooserImpl::didClosePopup | - | 2016-10-02 |
147435 | Heap-use-after-free in WebCore::InlineBox::root | - | 2016-10-02 |
147436 | UNKNOWN in sk_memset32_SSE2 | - | 2016-10-02 |
147290 | Heap-use-after-free in WebCore::DateTimeEditElement::setEmptyValue | $1,000 | 2016-10-02 |
146492 | Check behavior of "," in "content_security_policy" manifest attribute. | - | 2016-10-02 |
88850 | Use after free with fuzzed ogv file | $1,000 | 2016-10-02 |
88846 | Use-after-free in FrameLoader with no form post method | $1,000 | 2016-10-02 |
88889 | Stale pointer due to floats not removed (flexible box display) | $1,000 | 2016-10-02 |
88858 | [LangFuzz] Crash at JSObject::LocalLookupRealNamedProperty with invalid read on gc | $1,000 | 2016-10-02 |
88757 | AudioContext GainNode memory corruption | - | 2016-10-02 |
88730 | Use after free in SVGUseElement::invalidateShadowTree / SVGElementInstance::invalidateAllInstancesOfElement | - | 2016-10-02 |
88723 | REGRESSION (r85964): Use after free in WebCore::RenderObject::localToAbsolute | - | 2016-10-02 |
88684 | Stale m_owner in RenderScrollbar (m_owner is deleted body element) | - | 2016-10-02 |
88670 | ZDI-CAN-1283: Webkit fontface Invalid Font Family Remote Code Execution Vulnerability | - | 2016-10-02 |
88649 | HRTFDatabaseLoader memory corruption | - | 2016-10-02 |
88647 | webkitAudioContext can be called as a function instead of a constructor. | - | 2016-10-02 |
88827 | OOB read due to Integer overflow in SkDashPathEffect constructor (len and phase) | - | 2016-10-02 |
88729 | Security: PPB_Graphics2D_Create will lead to integer overflow in shm alloc | - | 2016-10-02 |
88436 | Ogg memory corruption | - | 2016-10-02 |
88337 | The beforeload event allows tracking URI changes in a frame | $500 | 2016-10-02 |
88131 | Aw, Snap! with context.createBuffer(request.response, false) on certain files | - | 2016-10-02 |
88093 | Security: out-of-bounds read in v8 with defineProperty and arguments | $1,000 | 2016-10-02 |
88591 | [LangFuzz] CHECK(!value->IsTheHole()) failed // Crash with invalid read in shell | $1,000 | 2016-10-02 |
88531 | Use-after-free in SafeBrowsingResourceHandler::OnBrowseUrlCheckResult | - | 2016-10-02 |
88216 | Regression: Use-after-free in CounterNode::insertAfter | $1,000 | 2016-10-02 |
87861 | Security: OOB read in svg text run | - | 2016-10-02 |
87815 | chrome-devtools:// can be navigated from http | - | 2016-10-02 |
87746 | Security: Chrome content script listener | - | 2016-10-02 |
87925 | Use after free in range extract contents | $1,000 | 2016-10-02 |
87965 | webkitAudioContext multiple issues | - | 2016-10-02 |
87862 | Security: Use after free in svg text | - | 2016-10-02 |
87701 | Stale pointer in WebCore::PlatformContextSkia::save | - | 2016-10-02 |
87548 | use after free in skia blitter | - | 2016-10-02 |
87520 | Security: Webpage can gain access to extension content-script variables when content-script triggers events | - | 2016-10-02 |
87478 | [LangFuzz] Crash on heap with invalid read | $1,000 | 2016-10-02 |
87339 | XSS injection via prototype chain | $500 | 2016-10-02 |
87298 | OOB read due to iterating over wrong textbox in TextIterator::emitText (first-letter + RTL) | $500 | 2016-10-02 |
87729 | Use after free in third_party/WebKit/LayoutTests/fast/dom/HTMLLinkElement/link-and-subresource-test.html | $1,000 | 2016-10-02 |
87728 | Regression(89733): Use after free in fast/forms/text-control-intrinsic-widths.html | $1,000 | 2016-10-02 |
87120 | Use after free on 2-Step-Authentication-method-change | $500 | 2016-10-02 |
87148 | use after free due to floats not removed | $1,000 | 2016-10-02 |
86758 | URL Bar Spoofing using History.back() and History.forward | $500 | 2016-10-02 |
86705 | Use after free in Geolocation::fatalErrorOccurred | - | 2016-10-02 |
87227 | Use after free due to refcounting issue in MediaQueryMatcher::prepareEvaluator | $1,000 | 2016-10-02 |
86900 | Heap memory corruption in web database support (SQLite/ICU) | $1,000 | 2016-10-02 |
86502 | Use after free due to floats not cleared from parent's next siblings blocks (on losing ability to intrude floats) | $1,000 | 2016-10-02 |
86191 | Security: web-exposed manifest from Chrome extensions diverges from the real manifest in regards to NPAPI | - | 2016-10-02 |
86304 | Google Chrome Access Violation in Frame manipulation | - | 2016-10-02 |
86609 | OOB read in fontfallbacklist due to issue in CSSPrimitiveValues clamping | - | 2016-10-02 |
86178 | URL bar introduces NUMEROUS vulnerabilities. | - | 2016-10-02 |
86648 | Use after free in formassociatedelement not removed from m_formElementsWithFormAttribute | - | 2016-10-02 |
86367 | Use after free of frame in Document::finishedParsing | - | 2016-10-02 |
85992 | Renderers can have registry handle which would allow a Windows sandbox escape | - | 2016-10-02 |
85943 | Use after free in Stylesheet due to issue in CLONE nodes | - | 2016-10-02 |
85808 | chrome_1c30000!webkit::ppapi::PPB_Widget_Impl::Invalidate crash | $500 | 2016-10-02 |
85559 | Web Inspector: Crash by buffer overrun crash when serializing inspector object tree. | - | 2016-10-02 |
86133 | Add GRP to dangerous file list | - | 2016-10-02 |
86108 | Security: FileSystem API can be used to learn about installed software on the user's computer | - | 2016-10-02 |
85418 | Use-after-free in WebCore::RenderTextControl::isSelectableElement | $1,000 | 2016-10-02 |
85309 | Crash when closing a child window that uses a canvas | - | 2016-10-02 |
85302 | Crasher in WebCore::StyleBase::stylesheet | - | 2016-10-02 |
85256 | OOB read in UniscribleController::advance | - | 2016-10-02 |
85211 | Use after free in SVGUseElement::buildShadowTree | $1,000 | 2016-10-02 |
85177 | Renderer crash with javascript + setInterval | $500 | 2016-10-02 |
85158 | Content script can gain access to the "window" object of the page using custom events | - | 2016-10-02 |
85350 | Browser Crash in ~TabContents caused by PrerenderManager::PeriodicCleanup | - | 2016-10-02 |
156906 | Heap-use-after-free in WebCore::XMLDocumentParser::doEnd | - | 2016-10-02 |
156826 | UNKNOWN in S32A_Blend_BlitRow32_SSE2 | - | 2016-10-02 |
156828 | UNKNOWN in WebCore::Font::drawGlyphs | - | 2016-10-02 |
156669 | Origin.com somehow manages to open its result page in the previous tab (which was gmail) | - | 2016-10-02 |
156619 | Heap-use-after-free in WebCore::ApplyStyleCommand::cleanupUnstyledAppleStyleSpans | - | 2016-10-02 |
156431 | Security: Use after free in IDBDatabaseCallbacksImpl::onVersionChange | - | 2016-10-02 |
156418 | Heap-use-after-free in SpellCheckHostImpl::SaveDictionaryData | - | 2016-10-02 |
156689 | Heap-buffer-overflow in WTF::StringImpl::findIgnoringCase | - | 2016-10-02 |
156567 | Security: use-after-free in WebCore::GraphicsContext::paintingDisabled | $1,000 | 2016-10-02 |
156282 | Heap-use-after-free in WebCore::StyleResolver::pseudoStyleRulesForElement | - | 2016-10-02 |
156383 | Security: chrome_to_device makes use of HTTP for cloudprint | - | 2016-10-02 |
156096 | Heap-buffer-overflow in WebCore::RenderBlock::LineBreaker::nextLineBreak | - | 2016-10-02 |
156231 | UNKNOWN in _wordcopy_fwd_aligned | $1,000 | 2016-10-02 |
156366 | Heap-use-after-free in PluginPlaceholder::ReplacePlugin | - | 2016-10-02 |
156152 | Issues with HSTS / public key pins state tracking | - | 2016-10-02 |
155977 | Security: remove uses of innerHTML in commented code for Getting Started Guide. | - | 2016-10-02 |
155860 | WebCore::SharedBuffer::append(data, 0) can cause uninitialized memory to be added to the SharedBuffer | - | 2016-10-02 |
155711 | Security: forced oom in browser process due to indefinitely growing buffer in chunked decoder | - | 2016-10-02 |
155643 | Heap-use-after-free in content::RenderWidgetHostImpl::OnMsgInputEventAck | - | 2016-10-02 |
156015 | Heap-use-after-free in WebCore::FontPlatformData::uniqueID | - | 2016-10-02 |
156051 | Heap use-after-free in ExtensionFunctionDispatcher::Dispatch caught by ASan when using "Screen Capture by Google" | - | 2016-10-02 |
155877 | Chrome: RenderViewImpl::OnContextMenuClosed(content::CustomContextMenuContext const &) | - | 2016-10-02 |
155293 | Heap-use-after-free in WebCore::ContextMenu::appendItem | - | 2016-10-02 |
155285 | Heap-use-after-free in WebCore::Node::setNeedsStyleRecalc | - | 2016-10-02 |
155117 | Security: GetReadonlyPnaclFD IPC security issues | - | 2016-10-02 |
154987 | Pwnium SVG use after free | - | 2016-10-02 |
154983 | Security: Pwnium 2 TCMalloc profile bug | $60,000 | 2016-10-02 |
155421 | Security: javascript scheme links auto-generated in devtools console | - | 2016-10-02 |
154617 | Heap-use-after-free in WebCore::Node::~Node | - | 2016-10-02 |
155323 | Out of bounds array access in GPU process | - | 2016-10-02 |
154926 | Heap-use-after-free in WebIntentPickerGtk::OnDestroyThunk | - | 2016-10-02 |
154488 | Heap-use-after-free in WebCore::FrameLoader::stopLoading | - | 2016-10-02 |
154465 | Bad cast in webkit_glue::GetSubResourceLinkFromElement | - | 2016-10-02 |
154460 | Heap-use-after-free in WebCore::ScrollableArea::scroll | - | 2016-10-02 |
154448 | Heap-use-after-free in TransportDIB::DecreaseInFlightCounter | - | 2016-10-02 |
154362 | Heap-buffer-overflow in WebCore::HTMLSelectElement::typeAheadFind | - | 2016-10-02 |
154590 | Stack-buffer-overflow in SkFontHost::GetAdvancedTypefaceMetrics | - | 2016-10-02 |
154485 | Heap-buffer-overflow in std::vector<scoped_refptr<printing::PrintJob>, std::allocator<scoped_refptr<printing::PrintJob> > >: | - | 2016-10-02 |
154158 | Security: ensure that a user has willing-fully logged-in to his Google account before triggering the one click Chrome login feature | - | 2016-10-02 |
154055 | Heap-use-after-free in WebCore::RenderLayerBacking::paintIntoLayer | $1,000 | 2016-10-02 |
153793 | Heap-use-after-free in WebCore::EventHandler::mouseMoved | - | 2016-10-02 |
153666 | Security: Bypass for consumable user gesture on pop-up | - | 2016-10-02 |
153592 | Heap-use-after-free in WebCore::RenderObject::isDescendantOf | - | 2016-10-02 |
154284 | Heap-use-after-free in WebCore::SVGTextRunRenderingContext::glyphDataForCharacter | - | 2016-10-02 |
154283 | Heap-buffer-overflow in _HB_GDEF_Check_Property | - | 2016-10-02 |
153469 | Security: Nvidia - Kernel Panic - [@ gpu::gles2::GLES2DecoderImpl::ResizeOffscreenFrameBuffer] | - | 2016-10-02 |
153239 | Heap-use-after-free in WebCore::GCEpilogueVisitor<void, WebCore::SpecialCaseEpilogueObjectHandler, &WebCore::DOMDataStore:: | - | 2016-10-02 |
153228 | Heap-use-after-free in WebCore::SVGImage::drawSVGToImageBuffer | - | 2016-10-02 |
153211 | Heap-use-after-free in webrtc::ThreadPosix::Run | - | 2016-10-02 |
153566 | Heap-use-after-free in WebCore::FontCache::purgeInactiveFontData | - | 2016-10-02 |
153128 | Buffer overrun in Harfbuff | - | 2016-10-02 |
153184 | Heap-use-after-free in WebCore::computeNonFastScrollableRegion | - | 2016-10-02 |
153048 | Invalid pointer read in std::basic_string | - | 2016-10-02 |
152916 | Security: browser process jump to bad address on osx with getUserMedia() and craziness | - | 2016-10-02 |
152707 | Invalid pointer write in GrGpu::clear | $1,000 | 2016-10-02 |
152921 | Browser crash, navigator.geolocation.watchPosition issue | - | 2016-10-02 |
85102 | Use after free in WebCore::ContainerNode::parserAddChild | $500 | 2016-10-02 |
85041 | Memory Corruption in video decoding | - | 2016-10-02 |
84946 | Merge http://trac.webkit.org/changeset/87959 and http://trac.webkit.org/changeset/87756 for documentloader use after frees | - | 2016-10-02 |
85003 | Parsing issue with -webkit-calc | $1,000 | 2016-10-02 |
84950 | Merge http://trac.webkit.org/changeset/87856 | - | 2016-10-02 |
84885 | ASSERT obj->parentObject() == this in accessibility tree | - | 2016-10-02 |
84919 | Memory corruption in browser process with interstitial that goes back | - | 2016-10-02 |
84805 | Flash/GPU memory corruption in critical section. | $500 | 2016-10-02 |
84797 | Click Reload this page button after Conway's Game of Life starts causes Aw Snap error | - | 2016-10-02 |
84763 | Possible mac use after free in drag & drop code | - | 2016-10-02 |
84933 | Browser crash with IndexedDB and very long database names | - | 2016-10-02 |
84819 | Bad cast in cloning elements with shadow DOM | - | 2016-10-02 |
84597 | use-after-free in WebCore::LevelDBTransaction::commit | - | 2016-10-02 |
84584 | Invalid memory access caused by ThumbnailGenerator | - | 2016-10-02 |
84452 | Bad cast in HTMLMediaElement::mediaControls | $1,000 | 2016-10-02 |
84418 | Shockwave crashed | - | 2016-10-02 |
84402 | Extensions permission elevation using javascript: in homepage_url | - | 2016-10-02 |
84355 | use-after-free in svg fontfacelement | $1,000 | 2016-10-02 |
84600 | Security: Web page can initiate speech recognition without user knowing about it | - | 2016-10-02 |
84234 | [LangFuzz] Crash @ MarkCompactCollector::SweepSpaces() or SeqTwoByteString::SeqTwoByteStringReadBlockIntoBuffer() (64 bit) | $1,000 | 2016-10-02 |
84160 | Use after free in accessibility notifications. | - | 2016-10-02 |
84016 | Use after free in BrowserAccessibility::DetachTree | - | 2016-10-02 |
84002 | OOB read in ComplexTextController constructor (ComplexTextControllerLinux.cpp) + OOB read in WidthIterator | - | 2016-10-02 |
83917 | OOB Write in Skia Shader Blitter | - | 2016-10-02 |
83903 | Vai | - | 2016-10-02 |
83848 | Use after free in LayerChromium::~LayerChromium | - | 2016-10-02 |
83841 | User information leakage esp local paths, username in webgl getProgramInfoLog | - | 2016-10-02 |
84333 | use after free in WebCore::ContainerNode::firstChild / WebCore::XMLDocumentParser::insertErrorMessageBlock | - | 2016-10-02 |
83672 | Stale layout root set as input element when child of a keygen with autofocus | - | 2016-10-02 |
83598 | OOB read in WebCore::parseColorIntOrPercentage | - | 2016-10-02 |
83275 | UXSS with window.execScript | $3,133 | 2016-10-02 |
83273 | Browser prompt when installing unpacked npapi extensions | - | 2016-10-02 |
83270 | oob read in WebCore::ImageBufferData::getData | - | 2016-10-02 |
83743 | Universal XSS using contentWindow.eval | $1,000 | 2016-10-02 |
83235 | Bad cast in RenderBlock::createLineBoxes due to double attach in htmlformelement | - | 2016-10-02 |
83012 | Use after free in XMLDocumentParser | - | 2016-10-02 |
83010 | An extension can access and modify all chrome:// pages, options, etc. | $1,000 | 2016-10-02 |
82903 | OOB write in BlobURLRequestJob::HeadersCompleted | - | 2016-10-02 |
82873 | Memory corruption in GPU command buffer | - | 2016-10-02 |
83031 | Chrome spoof on 302 redirect | - | 2016-10-02 |
82841 | Browser crash @ closing chrome://settings/syncSetup | - | 2016-10-02 |
82817 | buffer overflow marshalling data from sandbox | - | 2016-10-02 |
82653 | Use after free due to incorrectly setting document.body to non body elements, elements from other docs. | - | 2016-10-02 |
82633 | Bad cast in CSSParser::createFontFaceRule | - | 2016-10-02 |
82597 | document.execCommand('copy') return always false | - | 2016-10-02 |
82552 | REGRESSION (83075): Use after free in line box culling optimization | - | 2016-10-02 |
82546 | Stale pointer in WebCore::RenderBlock::marginBeforeForChild | $1,000 | 2016-10-02 |
82516 | write-after-free in third_party/WebKit/Source/WebCore/svg/animation/SVGSMILElement.h:58 | - | 2016-10-02 |
82438 | OOB read in media::FFmpegVideoDecodeEngine::Initialize | - | 2016-10-02 |
82416 | IndexedDB crash on index.getKey | - | 2016-10-02 |
82309 | CRASH @ DownloadItem::UpdateObservers() | - | 2016-10-02 |
82184 | Renderer crash @ GrTHashTable<GrGpuGLShaders::ProgramCache::Entry,GrBinHashKey<GrGpuGLShaders::ProgramCache::Entry,32>,8>::remove(GrBinHashKey<GrGpuGLShaders::ProgramCache::Entry,32> const &,GrGpuGLShaders::ProgramCache::Entry const *) | - | 2016-10-02 |
82161 | Google Chrome (Pwned) | - | 2016-10-02 |
82154 | out-of-bound access in third_party/WebKit/Source/WebKit/chromium/src/WebFrameImpl.cpp | - | 2016-10-02 |
82152 | Need to merge WebKit 64-bit issue http://trac.webkit.org/changeset/86106 | - | 2016-10-02 |
82096 | Merge http://trac.webkit.org/changeset/85693 | - | 2016-10-02 |
82444 | Local file disclosure when pasting stuff from Excel, etc. | - | 2016-10-02 |
82018 | TEST TEST IGNORE | - | 2016-10-02 |
81949 | use-after-free in imageloader with fallbackcontent | $1,000 | 2016-10-02 |
82083 | Google Chrome Pwned by VUPEN aka Sandbox/ASLR/DEP Bypass | - | 2016-10-02 |
161077 | Invalid pointer write in GrRenderTarget::onRelease | $1,000 | 2016-10-02 |
161089 | Indexeddb createIndex() crashes the page | - | 2016-10-02 |
161015 | Heap-use-after-free in WebCore::HTMLConstructionSite::mergeAttributesFromTokenIntoElement | - | 2016-10-02 |
161239 | Heap-use-after-free in WebCore::IDBTransactionBackendImpl::taskTimerFired | - | 2016-10-02 |
160926 | Security: Check for integer wrap in PPB_ImageData_Impl::Init() is insufficient | - | 2016-10-02 |
160480 | Security: Integer overflow in opus_packet_parse_impl | - | 2016-10-02 |
160450 | Heap-buffer-overflow in WebCore::InlineFlowBox::placeBoxRangeInInlineDirection | - | 2016-10-02 |
160380 | Heap-use-after-free in WebKit::ChromePrintContext::spoolPage | - | 2016-10-02 |
160760 | Security: NaCl sandbox escape; missing register check across a superinstruction | - | 2016-10-02 |
160803 | Security: ugly crash with history.replaceState() while the window displays HTTPS interstitial | - | 2016-10-02 |
160456 | Security: Restrict chromoting viewer plugin to chromoting extension | - | 2016-10-02 |
160010 | [LangFuzz] Crash at v8::internal::BasicJsonStringifier::SerializeString | $1,000 | 2016-10-02 |
159829 | Heap-buffer-overflow in WebCore::HTMLInputElement::isImageButton | - | 2016-10-02 |
159828 | Heap-use-after-free in WebCore::RenderLayer::hitTest | - | 2016-10-02 |
159553 | Security: Integer overflow in remoting viewer AudioDecoderSpeex::Decode | - | 2016-10-02 |
159429 | Security: Use after free on ~AssociatedURLLoader with pdf plugin | $1,000 | 2016-10-02 |
159338 | Heap-use-after-free in WebCore::SVGDocumentExtensions::removeAllElementReferencesForTarget | $1,000 | 2016-10-02 |
160068 | Merge http://trac.webkit.org/changeset/133840 | - | 2016-10-02 |
160038 | Security: Unquoted Path vulnerability in GoogleCrashHandler | - | 2016-10-02 |
159165 | Heap-use-after-free in webkit::ppapi::PluginInstance::PrintBegin | - | 2016-10-02 |
159229 | Security: Integer overflow in remoting viewer AudioDecoderOpus::Decode | - | 2016-10-02 |
158992 | Heap-use-after-free in WebCore::RenderTextTrackCue::layout | - | 2016-10-02 |
158898 | Heap-use-after-free in WebCore::RenderBlock::removeChild | - | 2016-10-02 |
158897 | Heap-buffer-overflow in WebCore::RenderBlock::clone | - | 2016-10-02 |
159219 | Heap-use-after-free in WebCore::EventHandler::handleMousePressEvent | - | 2016-10-02 |
159098 | Heap-buffer-overflow in WebCore::TextTrackCueList::add | - | 2016-10-02 |
158693 | Heap-use-after-free in WebCore::RenderLayerModelObject::hasSelfPaintingLayer | - | 2016-10-02 |
158695 | Heap-use-after-free in WebCore::WidgetHierarchyUpdatesSuspensionScope::moveWidgets | - | 2016-10-02 |
158533 | Heap-use-after-free in WebCore::RenderLayer::paintLayerContents [MathML] | - | 2016-10-02 |
158457 | Heap-use-after-free in non-virtual thunk to content::RenderViewImpl::createPopupMenu | - | 2016-10-02 |
158249 | Security: Heap-buffer-underflow in xmlParseAttValueComplex | - | 2016-10-02 |
158204 | Heap-use-after-free in WebCore::Frame::dispatchVisibilityStateChangeEvent | $1,500 | 2016-10-02 |
158199 | Heap-use-after-free in WebCore::StyleCachedImageSet::cssValue | - | 2016-10-02 |
158707 | Heap-use-after-free in WebCore::RenderObject::isBody | - | 2016-10-02 |
158547 | Heap-use-after-free in WebCore::HTMLInputElement::setValue for type=range, type=date, and type=time with datalist | - | 2016-10-02 |
158060 | Heap-use-after-free in WebCore::CachedResource::checkNotify | - | 2016-10-02 |
157951 | Heap-use-after-free in non-virtual thunk to WebKit::DateTimeChooserImpl::setValueAndClosePopup | - | 2016-10-02 |
157875 | Heap-use-after-free in WebCore::OpenTypeVerticalData::substituteWithVerticalGlyphs | - | 2016-10-02 |
157845 | Heap-use-after-free in skia::BGRAConvolve2D | $500 | 2016-10-02 |
157779 | Heap-use-after-free in WebKit::WebMediaStreamDescriptor::label | - | 2016-10-02 |
157778 | Heap-use-after-free in WebCore::CSSStyleRule::style | - | 2016-10-02 |
157585 | Heap-use-after-free in WebCore::BaseMultipleFieldsDateAndTimeInputType::~BaseMultipleFieldsDateAndTimeInputType | - | 2016-10-02 |
158065 | Stack-buffer-overflow in WebCore::SVGMaskElement::~SVGMaskElement | - | 2016-10-02 |
157463 | Heap-use-after-free in content::LocalVideoCapture::Stop | - | 2016-10-02 |
157516 | Security: XSS auditor can sometimes be used to maliciously alter form action property. | - | 2016-10-02 |
157363 | Heap-buffer-overflow in void std::__final_insertion_sort<WebCore::SMILTimeWithOrigin*> | - | 2016-10-02 |
157289 | Invalid cast in WebCore::toInsertionPoint / WebCore::ContentDistributor::distribute | - | 2016-10-02 |
157462 | Heap-use-after-free in webrtc::MediaStreamSignaling::UpdateRemoteStreams | - | 2016-10-02 |
157079 | Security: Integer overflow in libwebp "ParseOptionalChunks" allows memory disclosure | $3,500 | 2016-10-02 |
157071 | Heap-use-after-free in non-virtual thunk to WebKit::DateTimeChooserImpl::setValueAndClosePopup | - | 2016-10-02 |
157019 | UNKNOWN in v8::internal::Invoke | - | 2016-10-02 |
157124 | UNKNOWN in v8::internal::ObjectHashTable::Put | - | 2016-10-02 |
157053 | Heap-use-after-free in WebCore::Element::attributeChanged | - | 2016-10-02 |
156977 | Heap-use-after-free in WebCore::RenderText::removeAndDestroyTextBoxes | - | 2016-10-02 |
156980 | Security: workers can initialize the sandbox multithreaded | - | 2016-10-02 |
157009 | Heap-use-after-free in WebCore::SubresourceLoader::willSendRequest | - | 2016-10-02 |
81947 | Use after free in WebCore::requiresLineBox | - | 2016-10-02 |
81753 | Valgrind reports issues in icu_46::RegexMatcher | - | 2016-10-02 |
81916 | Stale observer in BrowsingDataRemover's observer_list_ | $500 | 2016-10-02 |
81351 | CSSSelector double frees | - | 2016-10-02 |
81348 | Use after free when removing elements with reflections | - | 2016-10-02 |
81307 | Security: dropping file:/// URLs into gmail grants access to files | - | 2016-10-02 |
81803 | out-of-bounds use in SkBitmapOperations::CreateMaskedBitmap | - | 2016-10-02 |
81681 | Memory corruption in GraphicsContext::fillPath | - | 2016-10-02 |
80680 | Security: .keystone_install_lock is insecurely handled in install.py | - | 2016-10-02 |
80608 | Multiple integer overflows in SVG filter effects | - | 2016-10-02 |
80401 | Url bar spoof using onbeforeunload when user cancels navigation | - | 2016-10-02 |
80358 | WebCore::InspectorBackendDispatcher::Runtime_evaluate user after free | - | 2016-10-02 |
81234 | Flash content vulnerability | - | 2016-10-02 |
80255 | use after free in WebCore::RenderSVGInlineText::characterStartsNewTextChunk | - | 2016-10-02 |
80222 | Herror of chrome | - | 2016-10-02 |
80287 | Regression(81992): Stale node set as layout root | - | 2016-10-02 |
80116 | Stale pointer in WebCore::Document::recalcStyleSelector | - | 2016-10-02 |
79746 | Floats not cleared due to overflow (remaining usecase) | $1,000 | 2016-10-02 |
79726 | BrowserAccessibility browser process memory corruption | - | 2016-10-02 |
79668 | invalid read w/new skia update | - | 2016-10-02 |
79661 | Sandbox is broken (low integrity level) | - | 2016-10-02 |
79595 | Bad cast due to childrenInline assumption in RenderSVGText | - | 2016-10-02 |
79566 | Bypass extensions permission | $500 | 2016-10-02 |
79862 | Bypass extensions permission app launch web_url should not allow javascript: chrome: | - | 2016-10-02 |
79452 | H | - | 2016-10-02 |
79426 | HTTP Basic Auth Realm Spoof | - | 2016-10-02 |
79371 | Use after free in ImplicitAnimation::~ImplicitAnimation | - | 2016-10-02 |
79362 | Reproducible PDF crash (siryo3.pdf) | - | 2016-10-02 |
79266 | Bypass unsafe file types dialog | - | 2016-10-02 |
79075 | Stale node set as layout root, due to one caption not laid out in table with two captions | - | 2016-10-02 |
79055 | Freed m_viewportRenderer in FrameView::updateOverflowStatus | - | 2016-10-02 |
79025 | Use after free when inline runin precedes details tag | - | 2016-10-02 |
78948 | Integer underflow in HTMLFormElement::m_associatedElementsAfterIndex | - | 2016-10-02 |
78861 | Memory corruption in RenderViewHost related to observers code | - | 2016-10-02 |
78842 | proslor.co.be | - | 2016-10-02 |
78841 | invalid access with bad html | $1,000 | 2016-10-02 |
78798 | Security: XSS in dev tools HTML inspector | - | 2016-10-02 |
78639 | Memory corruption leading to OOB read symptom in PDF initialization | $1,000 | 2016-10-02 |
78576 | compareDocumentPosition memory corruption | - | 2016-10-02 |
78575 | Bad cast in reverseInlineBoxRangeAndValueListsIfNeeded | - | 2016-10-02 |
78572 | CounterNode memory corruption | - | 2016-10-02 |
78558 | chrome bug | - | 2016-10-02 |
78524 | ANGLE buffer overflow | $1,000 | 2016-10-02 |
78516 | Looks like a stale frame in UserScriptSlave::InjectScripts | - | 2016-10-02 |
78427 | url spoof through bookmark bar click | - | 2016-10-02 |
78401 | Stale node being set as layout root | - | 2016-10-02 |
78327 | Integer overflow in FilterEffect::copyImageBytes | - | 2016-10-02 |
78296 | False warning of Google Chrome / Fake Antimalware Tool | - | 2016-10-02 |
78270 | [LangFuzz] V8: Crash in HeapObject::map_word on GC | $1,000 | 2016-10-02 |
78559 | chrome bug | - | 2016-10-02 |
78106 | ZDI-CAN-1108: WebKit ContentEditable Inline Style Remote Code Execution | - | 2016-10-02 |
78071 | css parsing issue in calc | $1,000 | 2016-10-02 |
78038 | ThreadSanitizer reports a potential use after free in net::X509Certificate::Verify | - | 2016-10-02 |
78031 | Url bar spoof | $1,000 | 2016-10-02 |
78145 | Invalid write in SVGTextLayoutEngine | - | 2016-10-02 |
78053 | Stale m_fontList in svgFontAndFontFaceElementForFontData | - | 2016-10-02 |
165747 | IPC: renderer out-of-bounds crash creating 3D context from malformed PPAPI message | - | 2016-10-02 |
165836 | Information leak when sending messages cross process that use WriteData() on structures/objects which contain padding bytes. | - | 2016-10-02 |
165549 | Security: Sandbox isolation not working | - | 2016-10-02 |
165602 | Heap-use-after-free in WebCore::CSSStyleRule::style | - | 2016-10-02 |
165804 | Security: SnapshotProvider exposed to other applications on the device | - | 2016-10-02 |
165601 | Heap-use-after-free in matroska_parse_block | - | 2016-10-02 |
165456 | Heap-use-after-free in WebCore::Element::hasPendingResources | - | 2016-10-02 |
165430 | Heap-buffer-overflow in media::AudioRendererAlgorithm::OutputFasterPlayback | - | 2016-10-02 |
165102 | Security: devtool xss | - | 2016-10-02 |
165091 | Bypassing Chrome's XSS filter, XSSAuditor | - | 2016-10-02 |
165537 | PDF: off-by-one read when scanning for startxref | - | 2016-10-02 |
165538 | PDF: integer overflows in JS array handling | - | 2016-10-02 |
165432 | Use after free in SVG path | $500 | 2016-10-02 |
164958 | IPC: PPAPI messages have problems with use of signed integers for lengths | - | 2016-10-02 |
165015 | Heap-use-after-free in WebCore::Element::normalizeAttributes | $1,000 | 2016-10-02 |
164701 | PDF: regressions due to merge losing previous security fixes | - | 2016-10-02 |
164697 | PDF: regressions in JBIG2 codec | - | 2016-10-02 |
164682 | Input validation error in BrowserPluginEmbedderHelper::OnHandleInputEvent() leads to bad cast | - | 2016-10-02 |
164643 | Security: ASan reports a use-after-free while using SecureShell | - | 2016-10-02 |
165009 | Heap-use-after-free in WebCore::SVGSMILElement::disconnectConditions | - | 2016-10-02 |
164946 | IPC: GPU messages have integer truncation (bad use of size_t) and integer sign extension (bad use of signed type) issues | - | 2016-10-02 |
164582 | Heap-buffer-overflow in SkRectClipBlitter::blitAntiH | - | 2016-10-02 |
164581 | Heap-use-after-free in WebCore::TextTrackCue::isActive | - | 2016-10-02 |
164565 | Security: V8 bug may give out-of-bounds access to the stack | - | 2016-10-02 |
164490 | IPC: integer overflow in Windows' SharedMemory::Create | - | 2016-10-02 |
164454 | switch off mathml for m24 | - | 2016-10-02 |
164263 | Heap-use-after-free in WebCore::FrameSelection::directionOfSelection | - | 2016-10-02 |
164584 | Translate should load resources over HTTPS even if the original page is loaded via HTTP. | - | 2016-10-02 |
163593 | Heap-use-after-free in WebCore::RenderBlock::finishDelayUpdateScrollInfo [MathML] | - | 2016-10-02 |
163588 | IPC::Channel::ChannelImpl::ProcessOutgoingMessages - crash | - | 2016-10-02 |
163291 | Heap-buffer-overflow in WebCore::RenderGrid::layoutGridItems | - | 2016-10-02 |
163238 | Security: XSS in bug tracker? <script>alert(0)</script> again? | - | 2016-10-02 |
163218 | Heap-use-after-free in webkit_glue::WebURLLoaderImpl::Context::OnReceivedResponse | - | 2016-10-02 |
163994 | Heap-use-after-free in WebCore::CachedResource::checkNotify | - | 2016-10-02 |
163203 | IndexedDB: Assert hit in IDBObjectStoreBackendImpl::setIndexesReady | - | 2016-10-02 |
162896 | Out of bounds read in WTF::String::String / WebCore::WebVTTParser::constructTreeFromToken | - | 2016-10-02 |
163208 | Security: Workers don't initialize a sandbox on Mac | - | 2016-10-02 |
162835 | Heap-use-after-free in WebCore::MediaPlayer::sourceSetTimestampOffset [exploitable] | $7,331 | 2016-10-02 |
162778 | PDF: use-after-frees in field name tree again | - | 2016-10-02 |
162776 | PDF: out-of-bounds reads with crazy bits per component / num components values | - | 2016-10-02 |
163110 | Heap-use-after-free in WebCore::ApplyStyleCommand::pushDownInlineStyleAroundNode | - | 2016-10-02 |
162620 | Heap-use-after-free in WebCore::RenderSVGResourcePattern::applyResource | - | 2016-10-02 |
162551 | Access violation write in _VEC_memcpy | $1,000 | 2016-10-02 |
162489 | Security: Small info leak in the SUID sandbox helper? | - | 2016-10-02 |
162156 | PDF: more out-of-bounds reads with mismatched colorspaces | - | 2016-10-02 |
162622 | Heap-use-after-free in WebCore::RenderBlock::willBeDestroyed | - | 2016-10-02 |
162494 | Heap-use-after-free in WebCore::PopStateEvent::~PopStateEvent | $1,000 | 2016-10-02 |
162114 | Security: Renderer sandbox bypass by crafting LevelDB database in "profile/File System/" | - | 2016-10-02 |
162115 | Heap-buffer-overflow in SkA8_Blitter::blitH | - | 2016-10-02 |
162032 | Heap-use-after-free in udat_close_46 | - | 2016-10-02 |
161836 | Security: Possible directory traversal vulnerability in ExtensionResource::GetFilePath(). | - | 2016-10-02 |
161690 | Heap-use-after-free in WebCore::RenderSVGResourceContainer::markClientForInvalidation | - | 2016-10-02 |
161662 | Heap-use-after-free in media::BlockingUrlProtocol::SignalReadCompleted | - | 2016-10-02 |
162153 | PDF: bad cast if root page is not a dictionary object | - | 2016-10-02 |
162066 | LOGFONT IPC deserializer doesn't require NULL terminated lfFaceName | - | 2016-10-02 |
161564 | Security: Renderer sandbox bypass on ChildProcessSecurityPolicyImpl::SecurityState::HasPermissionsForFile() | - | 2016-10-02 |
161484 | UNKNOWN in WebCore::RenderObject::propagateStyleToAnonymousChildren | - | 2016-10-02 |
161478 | Heap-buffer-overflow in WebCore::Biquad::process | - | 2016-10-02 |
161458 | Heap-buffer-overflow in apply_kernel_interp | - | 2016-10-02 |
161420 | Heap-buffer-overflow in WTF::StringImpl::create | - | 2016-10-02 |
161639 | Security: ffmpeg oob write4 (222) | $2,000 | 2016-10-02 |
161340 | Security: GPU sandbox is always disabled because of watchdog thread on Linux | - | 2016-10-02 |
161240 | Heap-use-after-free in WebCore::AccessibilityRenderObject::remoteSVGRootElement | - | 2016-10-02 |
77633 | write-after-free in v8::internal::RegExpMacroAssemblerX64::~RegExpMacroAssemblerX64 | - | 2016-10-02 |
77917 | Looks like a bad cast in RenderInputSpeech::paintInputFieldSpeechButton | - | 2016-10-02 |
77786 | URL Bar Spoofing using redirection and location.reload(); | $500 | 2016-10-02 |
77765 | 12 bad cast in editing code relating to htmlelement conversions, isprimitivevalue problems. | - | 2016-10-02 |
77703 | Use-after-free in WebCore::isDeletableElement | - | 2016-10-02 |
77700 | Captured an attack used against Chrome on many google image links, uses chromes own error template against itself | - | 2016-10-02 |
77690 | Use after free in WebCore::ContainerNode::insertedIntoDocument / WebCore::SVGElement::insertedIntoDocument | - | 2016-10-02 |
77940 | ZDI-CAN-1021: Apple Safari Webkit SVG Marker Remote Code Execution Vulnerability | - | 2016-10-02 |
77812 | Security: Chrome Security Pop-up | - | 2016-10-02 |
77669 | Bad cast in WebCore::BreakBlockquoteCommand::doApply | - | 2016-10-02 |
77507 | URL Bar Spoof | $1,000 | 2016-10-02 |
77493 | OOB read with Flash | $1,000 | 2016-10-02 |
77349 | When object destroyed, its select file dialog is not informed to cleared its listener which can call back that destroyed object | - | 2016-10-02 |
77346 | Use After Free in Websockets - possible remote code execution within sandbox | $1,000 | 2016-10-02 |
77181 | OOB function pointer array call FEComponentTransfer::apply | - | 2016-10-02 |
77130 | stale entries in gPercentHeightDescendantsMap | $1,000 | 2016-10-02 |
77053 | Bad cast in HTMLTreeBuilder with closed </form> tags | - | 2016-10-02 |
77038 | repair | - | 2016-10-02 |
77026 | Bypass extension manifest permission | $1,337 | 2016-10-02 |
76966 | RIP goes to zero with select tag, and form validation message with position:relative | $1,000 | 2016-10-02 |
76955 | Renderer crash when visiting http://runescape.wikia.com/wiki/Special:Search | - | 2016-10-02 |
76784 | Bad cast to RenderBlock in accessibility assuming that anonymous blocks are renderblocks. | - | 2016-10-02 |
76771 | use after free in WebCore::ScriptWrappable::wrapper | - | 2016-10-02 |
76666 | URL bar spoof | $1,000 | 2016-10-02 |
76646 | OOB read in FEDisplacementMap::apply | - | 2016-10-02 |
76589 | Crash@ anonymous namespace'::PureCall() when navigate to previous page while speech input API fetching result text | - | 2016-10-02 |
76542 | Linux setuid sandbox allows local privilege escalation | $500 | 2016-10-02 |
76474 | crash in WebKit::WebPluginContainerImpl::handleEvent() | - | 2016-10-02 |
76202 | DownloadThrottlingResourceHandler::OnResponseCompleted NOTREACHED() | - | 2016-10-02 |
76198 | Bad cast in HTMLTreeBuilder::processStartTag | - | 2016-10-02 |
76528 | use after free in AnimationBase::next / AnimationControllerPrivate::styleAvailable | - | 2016-10-02 |
76194 | bad cast in WebCore::toRenderBoxModelObject / WebCore::RenderMathMLRoot::layout | - | 2016-10-02 |
76059 | WebCore::LayerTilerChromium::invalidateRect() - crash | $1,000 | 2016-10-02 |
76031 | Crash when visiting http://kikafriends.forumcommunity.net/ | - | 2016-10-02 |
76029 | Crash in webcore::rendertable::cellafter when visiting http://broadband.biglobe.ne.jp/ | - | 2016-10-02 |
76027 | securiti | - | 2016-10-02 |
76018 | Crash in network stack when running http/tests/loading/redirect-methods.html | - | 2016-10-02 |
76195 | potential bad cast in WebCore::toRenderCombineText/WebCore::RenderBlock::computeInlinePreferredLogicalWidths | - | 2016-10-02 |
76034 | Security:Instant hard-crash with JS code | - | 2016-10-02 |
75821 | Should we reconsider the no-client-UI decision for the web store? | - | 2016-10-02 |
75712 | Integer overflow in style elements | $1,337 | 2016-10-02 |
76001 | Stale pointer in WebCore::LayerRendererChromium::drawLayer | $1,000 | 2016-10-02 |
75835 | use of freed pointer in WebCore::RenderCounter::originalText() | - | 2016-10-02 |
75696 | Security: pushState() should be available only for origin-bearing schemes | - | 2016-10-02 |
75496 | chrome.dll!BrowserAccessibility..InternalReleaseReference ExecAV@NULL (cc7203fb809bd98728cf74b908e66edf) | - | 2016-10-02 |
75629 | Use after free in gpu::gles2::ShaderTranslator | - | 2016-10-02 |
75643 | CSS visited history disclosure | - | 2016-10-02 |
75436 | Detach Geolocation from Frame when Page destroyed. | - | 2016-10-02 |
75560 | Security: address bar updates not synchronized with document transitions | - | 2016-10-02 |
75186 | (WebCore::RenderObjectChildList::destroyLeftoverChildren) Use-after-free with nesting ruby tag and css propierties | $1,000 | 2016-10-02 |
75210 | Harfbuzz segfault in GPOS_Do_Glyph_Lookup | - | 2016-10-02 |
75021 | Use-after-free in InfoBar since ~r76800 | - | 2016-10-02 |
75311 | Bad cast in HTMLTreeBuilder::processStartTag | - | 2016-10-02 |
75347 | Bad cast to RenderBlock with floating select element with required attribute | $500 | 2016-10-02 |
75155 | Integer overflow in WebCore::GraphicsContext::fillRect (Mac) | - | 2016-10-02 |
75070 | Security: do not ignore type= on <object> | - | 2016-10-02 |
75374 | REGRESSION (r80320): Bad cast assertion failure when processing mis-nested foreign content. | - | 2016-10-02 |
74678 | v8 fuzzing - 1175 - use after free | $1,000 | 2016-10-02 |
74763 | Security: Domui process can be ptraced from a compromised renderer leading to sandbox escape | - | 2016-10-02 |
74887 | memcpy from TexSubImage2D causes memory corruption | - | 2016-10-02 |
74891 | chrome://appcache-internals/ xss | - | 2016-10-02 |
74720 | Read uninitialized value from JavaScript. | - | 2016-10-02 |
74677 | v8 fuzzing - 1160 - bad cast of object to string in array join | - | 2016-10-02 |
169685 | Missing validation of webkit_base::DataElement across IPC | - | 2016-10-02 |
169672 | Heap-buffer-overflow in WTF::AtomicString::add | - | 2016-10-02 |
169632 | Security: extensions can silently gain file: host permissions via permissions API | - | 2016-10-02 |
74675 | v8 fuzzing - 1146 - invalid memory access | $1,000 | 2016-10-02 |
74673 | v8 fuzzing - 1166 - exploitable write | $1,000 | 2016-10-02 |
74672 | v8 fuzzing - 1138 - use after free | $1,000 | 2016-10-02 |
74671 | v8 fuzzing - 1136 - corrupt JIT code | $1,000 | 2016-10-02 |
169247 | Attempting free in content::PeerConnectionTracker::UnregisterPeerConnection | - | 2016-10-02 |
169156 | Security: Use after free in FlingAnimatorImplAndroid - writing value to this after this is deleted | - | 2016-10-02 |
169054 | Security: memory corruption with webgl on linux intel driver | $3,133 | 2016-10-02 |
169295 | IPC: bad pointer used in browser if renderer sends mismatched vector lengths | - | 2016-10-02 |
169398 | Heap-use-after-free in WebCore::RenderBlock::willBeDestroyed | - | 2016-10-02 |
169401 | Security: JavaScript injection into arbitrary web pages via Intent with JavaScript URI | $500 | 2016-10-02 |
168968 | Heap-use-after-free in DownloadRequestInfoBarDelegate::~DownloadRequestInfoBarDelegate | - | 2016-10-02 |
169006 | Heap-use-after-free in WebCore::accumulateDocumentEventTargetRects | - | 2016-10-02 |
168768 | Heap-use-after-free in WebKit::WebMediaPlayerClientImpl::AudioSourceProviderImpl::setClient | $1,000 | 2016-10-02 |
168710 | IPC: avoid operator-new based integer overflow in Flash menu deserialization | - | 2016-10-02 |
168982 | Heap-use-after-free in WebCore::SVGAnimateMotionElement::updateAnimationPath | - | 2016-10-02 |
168969 | Heap-use-after-free in WebCore::Element::hasPendingResources | - | 2016-10-02 |
168780 | Heap-use-after-free in WebCore::RenderObject::willBeRemovedFromTree | - | 2016-10-02 |
168473 | Heap-buffer-overflow in vorbis_floor0_decode | - | 2016-10-02 |
168570 | Crashing in webkit_media::WebMediaPlayerMS::putCurrentFrame(WebKit::WebVideoFrame *) | - | 2016-10-02 |
168489 | Heap-use-after-free in WebCore::AccessibilityNodeObject::document | - | 2016-10-02 |
168442 | Security: Non-privileged extensions can monitor browsing activity via chrome.tabs.onUpdated events | - | 2016-10-02 |
167840 | Linux sandbox bypass in file_util_posix.cc CopyDirectory() | - | 2016-10-02 |
167788 | Security: heap-buffer-overflow on GetImageRepToPaint. | - | 2016-10-02 |
167780 | Heap-use-after-free in bool WebCore::SelectorChecker::checkOneSelector<WebCore::DOMSiblingTraversalStrategy> | - | 2016-10-02 |
167868 | Heap-use-after-free in WebCore::Document::updateHoverActiveState | - | 2016-10-02 |
168050 | Attacker controlled size mismatch in WidgetDidReceivePaintAtSizeAck() | - | 2016-10-02 |
167827 | Heap-use-after-free in WebCore::Element::cloneElementWithoutChildren | - | 2016-10-02 |
167924 | Heap-use-after-free in WebCore::RenderLayerModelObject::hasSelfPaintingLayer | - | 2016-10-02 |
167498 | Heap-use-after-free in WebCore::CSSStyleRule::style | - | 2016-10-02 |
167443 | Heap-buffer-overflow in WebCore::FontCache::releaseFontData | - | 2016-10-02 |
167412 | IPC: GPU message OnMsgAssignPictureBuffers incorrectly assumed same-sized vectors | - | 2016-10-02 |
167728 | Heap-use-after-free in WebCore::SVGTransformListV8Internal::numberOfItemsAttrGetter | - | 2016-10-02 |
167607 | Security: Failure to enforce key usage | - | 2016-10-02 |
167572 | Heap-use-after-free in WebCore::HTMLConstructionSite::mergeAttributesFromTokenIntoElement | - | 2016-10-02 |
167147 | Heap-use-after-free in WebCore::Document::implicitClose | - | 2016-10-02 |
167122 | HyphenatorHostMsg_OpenDictionary IPC allows arbitrary file reads from a compromised renderer | - | 2016-10-02 |
167110 | Heap-buffer-overflow in WebCore::HTMLTreeBuilder::resetInsertionModeAppropriately | - | 2016-10-02 |
167069 | Heap-buffer-overflow in matroska_parse_block | $500 | 2016-10-02 |
166916 | Security: mixed content XHR doesn't trigger mixed content warnings | - | 2016-10-02 |
166867 | Security: ReferencesParent bypass with a 0x00 byte | - | 2016-10-02 |
166795 | Harden audio stream creation in the browser | - | 2016-10-02 |
167180 | Security: NaCl ARM validator sandbox escape, Chrome M25 | - | 2016-10-02 |
167311 | Heap-use-after-free in WebCore::GenericEventQueue::enqueueEvent | - | 2016-10-02 |
167218 | Arbitrary server response with Content-Encoding including sdch can cause crashes if sdch is not configured | - | 2016-10-02 |
166621 | Heap-use-after-free in WebCore::accumulateDocumentEventTargetRects | - | 2016-10-02 |
166565 | Heap-buffer-overflow in media::AudioBus::FromInterleavedPartial | - | 2016-10-02 |
166554 | [LangFuzz] Crash at v8::internal::Deoptimizer::DoComputeOutputFrames with invalid read | $1,000 | 2016-10-02 |
166553 | [LangFuzz] Crash at v8::internal::HeapObject::SizeFromMap with invalid read | $1,000 | 2016-10-02 |
166523 | [Mac] apprtc crashes when output sampling rate set to 96000 Hz | - | 2016-10-02 |
166513 | Heap-use-after-free in WebCore::StyledElement::ensureMutableInlineStyle | - | 2016-10-02 |
166503 | audio getUserMedia call crashes tab when input sampled at 88200 Hz | - | 2016-10-02 |
166708 | BrowserPluginGuest blindly trusts the size of shared memory regions leading to overflow | - | 2016-10-02 |
166627 | Heap-use-after-free in WebCore::Prerender::didStartPrerender | - | 2016-10-02 |
166324 | Heap-use-after-free in WebCore::RenderBlock::insertIntoTrackedRendererMaps | - | 2016-10-02 |
166336 | Heap-use-after-free in WebCore::RenderBlock::determineStartPosition | - | 2016-10-02 |
166271 | PDF: use-after-free in colorspace cache | - | 2016-10-02 |
166257 | Security: ChromeBrowserSyncAdapterService is exported, but does not need to be? | - | 2016-10-02 |
165928 | Heap-use-after-free in WebCore::SVGSMILElement::isSMILElement | - | 2016-10-02 |
166493 | IPC: missing integer checks on Pepper UDP socket handling | - | 2016-10-02 |
166306 | WebCore::SMILTimeContainer::updateAnimations - crash | - | 2016-10-02 |
165926 | Heap-use-after-free in WTF::Vector<WTF::RefPtr<WebCore::Node>, 0ul>::shrinkCapacity | - | 2016-10-02 |
165864 | Heap-use-after-free in WebCore::ChildNodeInsertionNotifier::notifyDescendantInsertedIntoDocument | $1,000 | 2016-10-02 |
74665 | v8 fuzzing - 1109 (out of bounds write) | $1,000 | 2016-10-02 |
74662 | v8 fuzzing - 1108 potential use-after-free in RegExp code | $1,000 | 2016-10-02 |
74660 | v8 fuzzing - 1174 - out-of-bounds write in reloc info | $1,000 | 2016-10-02 |
74653 | bypass SOP with blob: | $1,000 | 2016-10-02 |
74669 | v8 fuzzing - 1113 - stack corruption | $1,000 | 2016-10-02 |
74670 | v8 fuzzing 1128 - out of bounds write | $500 | 2016-10-02 |
74666 | v8 fuzzing 1122 - stack corruption | $1,000 | 2016-10-02 |
74372 | chrome://blob-internals/ xss | - | 2016-10-02 |
73962 | use after free due to floats not cleared (overflow) | $1,000 | 2016-10-02 |
74585 | Crash in CookieMonster DeleteAnyEquivalentCookie. | - | 2016-10-02 |
74650 | Placeholder bug for v8 security issues affecting Chrome 9 | - | 2016-10-02 |
74649 | OOB read in SearchBuffer::append | - | 2016-10-02 |
74348 | Regression: Stale node set as layout root (issue in Canvas parent layout) | - | 2016-10-02 |
73887 | GMail renderer crash @ MessageLoop::PostTask_Helper(tracked_objects::Location const &,Task *,__int64,bool) | - | 2016-10-02 |
73716 | Leak of address of heap object via xslt generate-id() function | - | 2016-10-02 |
73932 | Bad cast to text node in CompositeEditCommand::breakOutOfEmptyMailBlockquotedParagraph | - | 2016-10-02 |
73899 | Regression: Crash in RenderCombineText::combineText when running fast/text/international/text-combine-parser-test.html on Windows with full page heap enabled | - | 2016-10-02 |
73893 | Chrome:+Crash+Report+-+Stack+Signature:+`anonymous+namespace'::PureCall()-0ba6cf43_1414c783_9939c740_d9e6ed78_7be33815 | - | 2016-10-02 |
73235 | Stale pointer in WebCore::RenderBlock::lowestPosition | $1,000 | 2016-10-02 |
73216 | Use after free of frame loader in DocumentLoader::commitLoad | $1,000 | 2016-10-02 |
73526 | Floats not cleared to logical height wraps. | $1,000 | 2016-10-02 |
73478 | Pages can continuously poll the OS clipboard for paste data | - | 2016-10-02 |
73338 | Regression: stack buffer overflow in utf8 converter | - | 2016-10-02 |
73001 | Use-after-free in ObserverListBase / TabContents | - | 2016-10-02 |
73026 | dereference poisoned value in avcodec_52!ff_thread_decode_frame | - | 2016-10-02 |
72910 | Browser crash/segfault when selecting very long option in select | - | 2016-10-02 |
72908 | Freed timer heap element used | - | 2016-10-02 |
72832 | Reliability issues with WebCore::RenderBlock due to use after free in floats | - | 2016-10-02 |
73134 | Crash due to bad cast to rendertextfragment in updatefirstletter. | $1,000 | 2016-10-02 |
73163 | Heap corruption in safe_browsing detected on the Valgrind bot (might be fixed by SQLITE ROLL ??) | - | 2016-10-02 |
72936 | Freed scrollbar in ScrollView::updateScrollbars | - | 2016-10-02 |
72492 | Cross application unsafe redirect | $1,000 | 2016-10-02 |
72437 | Crash in ContainerNodeAlgorithms.h with outdated ice-tea plugin | $1,000 | 2016-10-02 |
72434 | stale pointer, invalid read, svg | - | 2016-10-02 |
72523 | chrome.tabs.captureVisibleTab allows capturing images of any "file://" resource | - | 2016-10-02 |
72517 | Dev. console null character crash @ history::URLDatabase::GetMostRecentKeywordSearchTerms | $500 | 2016-10-02 |
72399 | Valgrind reports on JPEG decoding since r74103 | - | 2016-10-02 |
72340 | use after free in WebCore::RenderCounter::destroyCounterNode | $1,000 | 2016-10-02 |
72189 | Bypass popup blocker using custom event and onMouseOver | - | 2016-10-02 |
72135 | IDBTransaction and IDBRequest can be deleted while ScriptExecutionContext is iterating | - | 2016-10-02 |
72134 | Potential buffer overrun in SVGTextRunWalker::walk() | - | 2016-10-02 |
72028 | Stale continuation flow pointer for ContinuationOutlineTableMap | $1,000 | 2016-10-02 |
71960 | OOB Read in WebGL due to integer overflows | - | 2016-10-02 |
72387 | Out of bounds read in WebCore::LayerTilerChromium::invalidateRect (dev only) | $1,000 | 2016-10-02 |
72217 | HTMLFormElement::formElementIndex() returns a bad index into a vector of form associated elements | - | 2016-10-02 |
71786 | ThreadSanitizer reports a race on WebCore::schemesWithUniqueOrigins (on cross_fuzz) | - | 2016-10-02 |
71734 | Security: accessing DataView methods with negative index could cause crash | - | 2016-10-02 |
71717 | webgl causes segfault | - | 2016-10-02 |
71601 | Switch to https by default in autofill toolbar server queries | - | 2016-10-02 |
71788 | Memory corruption playing back specially crafted .ogg vorbis file. | - | 2016-10-02 |
71763 | use-after-free when document.close and document.write are called after requesting a non-existing script | $1,000 | 2016-10-02 |
71855 | stale pointer in WebCore::RenderBlock::insertFloatingObject | $1,000 | 2016-10-02 |
71545 | Chrome_Mac: Crash Report - Stack Signature: WebKit::NotificationPresenterImpl::checkPermission-5428423 | - | 2016-10-02 |
71388 | Security:WebCore::HTMLTextAreaElement::updateValue+0xf | $1,000 | 2016-10-02 |
71386 | Stale nodes in Document::recalcStyleSelector | $1,000 | 2016-10-02 |
71370 | https not properly connected to google doc and gmail. | - | 2016-10-02 |
71357 | PPAPI var objects reference invalid memory when the instance is deleted | - | 2016-10-02 |
71586 | race in base/third_party/xdg_mime (crasher) | $500 | 2016-10-02 |
71296 | Stale iterator in SVGDocumentExtensions::startAnimations() | $1,000 | 2016-10-02 |
71551 | Cross_fuzz and ClusterFuzz crashes in WebCore::DatabaseTracker::removeOpenDatabase | - | 2016-10-02 |
71345 | fail to connect with https when browsing google doc in chrome | - | 2016-10-02 |
71203 | Branch ANGLE and merge fixes to m9 | - | 2016-10-02 |
173654 | Heap-use-after-free in WebCore::FrameSelection::notifyRendererOfSelectionChange | - | 2016-10-02 |
173500 | XSS: chromiumbugs.appspot.com | - | 2016-10-02 |
173483 | New search UI (1993) could lead to self-XSS | $500 | 2016-10-02 |
173402 | ASSERTION FAILED: !object || object->isRenderImage(), UNKNOWN in WebCore::HTMLAnchorElement::handleClick | - | 2016-10-02 |
173399 | ASSERTION FAILED: !object || object->isBox(), UNKNOWN in WebCore::RenderListItem::positionListMarker | - | 2016-10-02 |
173397 | Heap-buffer-overflow in WTF::MemoryInstrumentation::Wrapper<WebCore::ContainerNode>::callReportMemoryUsage | - | 2016-10-02 |
173341 | Heap-use-after-free in content::PeerConnectionTracker::TrackSetSessionDescription | - | 2016-10-02 |
173250 | Security: Heap-Buffer-Overflow in extensions::SetIconNatives | - | 2016-10-02 |
173050 | Heap-use-after-free in WebCore::Node::removedLastRef | - | 2016-10-02 |
173049 | Heap-use-after-free in WebKit::WebLayerImpl::layer | - | 2016-10-02 |
172993 | Heap-use-after-free in WebCore::ScrollingCoordinator::hasVisibleSlowRepaintViewportConstrainedObjects | - | 2016-10-02 |
173068 | ASSERTION FAILED: i < size(), UNKNOWN in WebCore::RenderFrameSet::paint | - | 2016-10-02 |
172926 | Heap-buffer-overflow in WebCore::AudioBufferSourceNode::process | $1,000 | 2016-10-02 |
172918 | Flash shouldn't load if the "src" URL has a bad content type and Content-Type-Options: nosniff | - | 2016-10-02 |
172824 | ASSERTION FAILED: i < size(), UNKNOWN in WebCore::commonTreeScope | - | 2016-10-02 |
172822 | ASSERTION FAILED: !object || object->isTextControl(), UNKNOWN in WebCore::TextControlInnerTextElement::customStyleForRenderer | - | 2016-10-02 |
172984 | Any MITM attacker can load NaCl :-( | - | 2016-10-02 |
172814 | Heap-use-after-free in WebCore::RenderTextTrackCue::layout | - | 2016-10-02 |
172658 | Security: TLS timing attack leading to message recovery | - | 2016-10-02 |
172573 | Compromised renderer can load banned plug-in | - | 2016-10-02 |
172342 | Heap-use-after-free in WebCore::AudioNodeInput::updateInternalBus | $1,000 | 2016-10-02 |
172331 | Use-after-free in WebCore::VectorMath::vsmul | $1,000 | 2016-10-02 |
172794 | ASSERTION FAILED: i < size(), UNKNOWN in WebCore::HTMLTreeBuilder::resetInsertionModeAppropriately | - | 2016-10-02 |
172243 | Heap-buffer-overflow in WebCore::OscillatorNode::process | $1,000 | 2016-10-02 |
172119 | Security: Do not allow Chrome Web Store URLs to commit in unprivileged processes | - | 2016-10-02 |
171962 | UNKNOWN in _wordcopy_fwd_aligned | - | 2016-10-02 |
171951 | Security: UAF in WebCore::SecurityOrigin::databaseIdentifier() | $1,500 | 2016-10-02 |
172264 | DatabaseMessageFilter: path traversal in origin_identifier | - | 2016-10-02 |
172071 | verify svn.golo.chromium.org subversion package is up-to-date with security fixes | - | 2016-10-02 |
171557 | ASSERTION FAILED: !object || object->isBox(), UNKNOWN in WebCore::toRenderBox | - | 2016-10-02 |
171392 | Cross-Origin copy&paste / drag&drop allowing XSS (again, this time srcdoc) | - | 2016-10-02 |
171630 | ASSERTION FAILED: document() == newChild->document(), UNKNOWN in WebCore::ContainerNode::parserAppendChild | - | 2016-10-02 |
171569 | Security: Escape from NaCl sandbox on Mac OS X due to signal handler without SA_ONSTACK | - | 2016-10-02 |
170715 | SIGSEGV in NotificationUIManagerImpl::CancelAllBySourceOrigin() | - | 2016-10-02 |
171130 | Heap-use-after-free in WebCore::AXObjectCache::notificationPostTimerFired | - | 2016-10-02 |
170666 | Heap-use-after-free in SkAlphaRuns::add | - | 2016-10-02 |
171131 | Heap-use-after-free in WebCore::AccessibilityRenderObject::remoteSVGRootElement | - | 2016-10-02 |
170683 | Heap-use-after-free in ChromeURLDataManagerBackend::StartRequest | - | 2016-10-02 |
171134 | XSS in 1993 history handling | $500 | 2016-10-02 |
170679 | Heap-buffer-overflow in WebCore::RenderBlock::clone | - | 2016-10-02 |
170199 | Heap-use-after-free in WebCore::HTMLSelectElement::length | - | 2016-10-02 |
170240 | Heap-use-after-free in WebCore::LiveNodeListBase::invalidateCache | - | 2016-10-02 |
170360 | Use-after-free: Merge http://trac.webkit.org/changeset/139732 | - | 2016-10-02 |
170432 | UNKNOWN in WTF::equalIgnoringCase | - | 2016-10-02 |
170237 | Heap-use-after-free in WebCore::InspectorInstrumentation::didHandleEventImpl | - | 2016-10-02 |
170188 | Heap-use-after-free in WebCore::Document::updateHoverActiveState | - | 2016-10-02 |
169973 | IPC: out-of-bounds vector accesses with mismatched vector | - | 2016-10-02 |
169972 | Security: Heap-Buffer-Overflow in usb_api.cc:CreateBufferForTransfer | - | 2016-10-02 |
169966 | IPC: negative integer in command to safe browsing host will cause bad vector access | - | 2016-10-02 |
169770 | IPC: Unvalidated content type used as index for write into raw array | - | 2016-10-02 |
169765 | Security: Integer overflow in libusb_alloc_transfer causes Heap-Buffer-Overflow in chrome.usb.isochronousTransfer | - | 2016-10-02 |
170184 | Heap-buffer-overflow in WebCore::RenderTableSection::nodeAtPoint | - | 2016-10-02 |
170034 | Security: ASAN issue in chromeos::VersionInfoUpdater::OnBootTimes() | - | 2016-10-02 |
169981 | Security: chrome.usb Api missing parameter validation for "length" | - | 2016-10-02 |
169723 | [LangFuzz] Crash at v8::internal::AccessorPair::GetComponent with invalid read | $1,000 | 2016-10-02 |
71115 | Stale pointer in WebCore::RenderTable::firstLineBoxBaseline | $1,000 | 2016-10-02 |
71114 | Stale pointer due to table childs incorrect added | $1,000 | 2016-10-02 |
71167 | Bypass popup blocker using custom event (variation of issue 3275) | - | 2016-10-02 |
70877 | Arbitrary cross-origin bypass using SyntaxError and Number prototype overrides | $1,337 | 2016-10-02 |
70819 | Empty address bar after opening an URL from extension in new tab | - | 2016-10-02 |
70779 | width of boundingClientRect for Range with unicode combining characters is corrupted | - | 2016-10-02 |
70718 | crashes when opening a page with webgl | - | 2016-10-02 |
70589 | race on a linked list in third_party/WebKit/Source/WebCore/platform/sql/chromium/SQLiteFileSystemChromiumPosix.cpp | - | 2016-10-02 |
71027 | REGRESSION: crash after download and close window (only in incognito) | - | 2016-10-02 |
70885 | Bypass popup blocker using iframe | - | 2016-10-02 |
70456 | OOM handler not always properly terminating process | $1,000 | 2016-10-02 |
70538 | Open popup in new tab using java applet | - | 2016-10-02 |
70374 | Browser crash: DeterminePossibleFieldTypesForUpload | - | 2016-10-02 |
70577 | Security: webgl crashes on all tabs + processing spike even after all webgl programs are closed | - | 2016-10-02 |
70376 | Pickle::FindNext reads payload_size without checking that the header is complete | - | 2016-10-02 |
70244 | height of <rect> - integer overflow(?) | $1,000 | 2016-10-02 |
70337 | Regression: new window.onerror() implementation leaks cross-origin Javascript errors | - | 2016-10-02 |
70070 | WebGL crashes depending on uniform names | $500 | 2016-10-02 |
70231 | Prefetch: Do not present authentication prompt | - | 2016-10-02 |
70336 | Cross-origin Javascript error message leak via Worker importScripts() | $500 | 2016-10-02 |
70078 | Crash by form controls with form attributes under orphan nodes | $500 | 2016-10-02 |
69934 | Use after free in LayoutPluginTester.SelfDeletePluginInvoke | - | 2016-10-02 |
69825 | security flaw | - | 2016-10-02 |
69970 | Invalid read in convertV8ObjectToNPVariant | - | 2016-10-02 |
70027 | Stale text node in linebox due to failure to dirty linebox when that text child is dirtied | $1,000 | 2016-10-02 |
69965 | Use after free in geolocation infobars | - | 2016-10-02 |
69628 | Probable memory corruption in WebCore::CounterNode::lastDescendant | $500 | 2016-10-02 |
69597 | Segfault in WebCore::ContainerNode::removeAllChildren() | - | 2016-10-02 |
69569 | Crashed @ IPC::Channel::ChannelImpl::OnIOCompleted when delete browser history | - | 2016-10-02 |
69657 | Not signing out from my https webmail account. | - | 2016-10-02 |
69531 | Valgrind/Memcheck reports uninitialized use of SkGlyph::fMaskFormat in third_party/skia/src/core/SkScalerContext.cpp | - | 2016-10-02 |
69640 | memcheck: read after free in third_party/icu/source/common/unormimp.h | - | 2016-10-02 |
69556 | Issue with merging anonymous block in renderblock::removechild (2) | $1,000 | 2016-10-02 |
69275 | Use after free in scrollbars | - | 2016-10-02 |
69187 | Error prototypes are called on remote scripts | $1,337 | 2016-10-02 |
69159 | Crash @ PasswordStore::RemoveLogin | - | 2016-10-02 |
69106 | ZDI-CAN-1009: Apple Webkit setOuterText Memory Corruption Remote Code Execution Vulnerability | - | 2016-10-02 |
69294 | Browser crash when executing indexedDb tutorial.html in an incognito window. | - | 2016-10-02 |
69195 | playing Z-Type causes crash | - | 2016-10-02 |
68741 | Stale pointers in CSSOM - 2 | $1,000 | 2016-10-02 |
68646 | Integer overflow and signed comparison in RenderView::DidDownloadApplicationIcon() | - | 2016-10-02 |
68641 | Stale form associated element pointer in Document object | $1,000 | 2016-10-02 |
68773 | Chrome: Crash Report - Stack Signature: UTF8ToUTF16(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &)-382777c6_d21c627c_9e383e89_c1eaa2f5_ef047e8d | - | 2016-10-02 |
68766 | Chrome: Crash Report - Stack Signature: net::HttpStreamFactory::~HttpStreamFactory()-2A77B8F | - | 2016-10-02 |
68434 | Search Bug Dynamic dns | - | 2016-10-02 |
68369 | Installing extensions in "popup"-type windows crash browser | - | 2016-10-02 |
68342 | Aw snap on github.com with voice search extension installed | $500 | 2016-10-02 |
68439 | Destroying nextblock in RenderBlock::removeChild can cause oldChild and nextblock's next sibling to be merged. | $1,000 | 2016-10-02 |
68244 | Playing audio with volume set to undefined crashes browser | - | 2016-10-02 |
68170 | invalid free() in bundled pdf viewer | $1,000 | 2016-10-02 |
68259 | Virus, exploit in maps | - | 2016-10-02 |
68130 | Memory corruption in font draws for accelerated 2d canvas. | - | 2016-10-02 |
68115 | Memory corruption with bad Vorbis streams (from CERT) | $1,000 | 2016-10-02 |
68075 | chrome.dll!WebCore::CounterNode::resetRenderers ExecAV@NULL (7b931db52815b50413964fbdd401fe15) | - | 2016-10-02 |
68062 | OOB read crash in SVG length list parsing algorithm | - | 2016-10-02 |
67968 | Use after free due to adjacent floats not cleared properly from parents | - | 2016-10-02 |
67966 | the bank tell me my browser are not safe | - | 2016-10-02 |
67923 | Stale pointer in SVGImage | - | 2016-10-02 |
68120 | Stale pointer in CSSFontFaceSource::m_svgFontFaceElement | $1,000 | 2016-10-02 |
177913 | Heap-buffer-overflow in AutofillExternalDelegate::OnSuggestionsReturned | - | 2016-10-02 |
177876 | Heap-use-after-free in webkit::ppapi::PPB_URLLoader_Impl::FillUserBuffer | - | 2016-10-02 |
177858 | Global-buffer-overflow in v8::internal::MaybeObject* v8::internal::SlowQuoteJsonString<unsigned char, v8::internal::SeqOneByte | - | 2016-10-02 |
177932 | Heap-use-after-free in WebCore::SVGElementInstance::invalidateAllInstancesOfElement | - | 2016-10-02 |
177873 | Security: out of bounds write with webgl and gl.DEPTH_COMPONENT | $1,000 | 2016-10-02 |
177688 | ASSERTION FAILED: obj->isRenderInline() || obj == this, Bad cast in WebCore::RenderBlock::createLineBoxes | - | 2016-10-02 |
177620 | Heap-use-after-free in WebCore::HTMLMediaElement::~HTMLMediaElement | $1,000 | 2016-10-02 |
177410 | Heap-use-after-free in extensions::BookmarksIOFunction::ShowSelectFileDialog | - | 2016-10-02 |
177403 | ASSERTION FAILED: !node || node->isElementNode(), UNKNOWN in WebCore::RenderBlock::clone | - | 2016-10-02 |
177737 | Heap-use-after-free in webrtc::DataChannel::Send | - | 2016-10-02 |
177686 | Heap-use-after-free in WebCore::ImageLoader::dispatchPendingErrorEvent | - | 2016-10-02 |
177815 | pepper_flash_clipboard_message_filter.cc assumed same-sized vectors from untrusted Flash process | - | 2016-10-02 |
176882 | Heap-use-after-free in WebCore::FrameLoader::checkCompleted | $1,000 | 2016-10-02 |
176863 | ASSERTION FAILED: !detachingNode, Heap-buffer-overflow in WebCore::CSSImageGeneratorValue::removeClient | - | 2016-10-02 |
177215 | ASSERTION FAILED: static_cast<unsigned>(m_start + length) <= string.length(), UNKNOWN in WebCore::InlineTextBox::paint | - | 2016-10-02 |
176719 | Global-buffer-overflow in cld::ProcessProbV25UniTote | - | 2016-10-02 |
176692 | postTaskForModeToWorkerContext/dispatchTaskToWorkerThread invalid pointer crash with Workers/FileSystem API | $1,000 | 2016-10-02 |
177197 | Heap-buffer-overflow in void WTF::Vector<unsigned short, 1024ul>::insert<unsigned short> | - | 2016-10-02 |
176738 | ASSERTION FAILED: itemIndex < m_values->size(), UNKNOWN in WebCore::SVGPathSegListPropertyTearOff::processIncomingListItemValue | - | 2016-10-02 |
176514 | Heap-use-after-free in WebCore::RenderObject::propagateStyleToAnonymousChildren | - | 2016-10-02 |
176298 | Heap-buffer-overflow in std::_Rb_tree<int, int, std::_Identity<int>, std::less<int>, std::allocator<int> >::erase | - | 2016-10-02 |
176252 | RenderViewHostImpl::OnMessageReceived | $1,000 | 2016-10-02 |
176137 | Data extraction with XSS Auditor | $500 | 2016-10-02 |
176676 | Heap-use-after-free in cricket::TransportChannelProxy::SetImplementation | - | 2016-10-02 |
176033 | Use-after-free in webrtc::WebRtcSession::data_channel() | - | 2016-10-02 |
176027 | Heap-buffer-overflow in SkARGB32_Opaque_Blitter::blitMask | - | 2016-10-02 |
175741 | UNKNOWN in webkit::ppapi::PluginInstance::PrintPDFOutput | - | 2016-10-02 |
175343 | ASSERTION FAILED: i < size(), UNKNOWN in WebCore::AccessibilityMenuListPopup::didUpdateActiveOption | - | 2016-10-02 |
175342 | Heap-use-after-free in WebCore::DeleteButtonController::enable | - | 2016-10-02 |
175305 | ASSERTION FAILED: i < size(), UNKNOWN in WebCore::HTMLTreeBuilder::resetInsertionModeAppropriately | - | 2016-10-02 |
176056 | Global-buffer-overflow in v8::internal::MarkCompactCollector::EmptyMarkingDeque | - | 2016-10-02 |
174920 | Heap-use-after-free in WebCore::CachedCSSStyleSheet::checkNotify | - | 2016-10-02 |
174676 | Heap-use-after-free in SpellcheckHunspellDictionary::InitializeDictionaryLocation | - | 2016-10-02 |
174846 | Heap-use-after-free in WebCore::ElementRuleCollector::collectMatchingRulesForList | - | 2016-10-02 |
175069 | Heap-use-after-free in net::SpdySession::DoLoop | - | 2016-10-02 |
174895 | IndexedDB: missing check that index_ids and index_keys have equal size | - | 2016-10-02 |
174566 | ASSERTION FAILED: i < size(), UNKNOWN in WebCore::SVGListProperty<WebCore::SVGPathSegList>::replaceItemValues | - | 2016-10-02 |
174328 | IndexedDB: overflow of 2-bit index id size field | - | 2016-10-02 |
174146 | Crashing in gpu::gles2::GLES2Implementation::ReadPixels(int,int,int,int,unsigned int,unsigned int,void *) | - | 2016-10-02 |
174137 | Crashing in WebCore::ChannelMergerNode::process(unsigned int) | - | 2016-10-02 |
174129 | Security: Silent HTTP Basic Authentication & HTTP Authentication Brute Force | - | 2016-10-02 |
174579 | stack-buffer-overflow in ui::ScrollEvent::Scale on Chrome OS | - | 2016-10-02 |
174150 | Crashing in media::VideoRendererBase::ThreadMain() | - | 2016-10-02 |
174020 | ASSERTION FAILED: !object || object->isMenuList(), UNKNOWN in WebCore::HTMLSelectElement::menuListDefaultEventHandler | - | 2016-10-02 |
173906 | document.referrer leakage with XSS Auditor page block | - | 2016-10-02 |
173880 | Heap-buffer-overflow in media::OpusAudioDecoder::ConfigureDecoder | - | 2016-10-02 |
174049 | ASSERTION FAILED: i < size(), UNKNOWN in WebCore::RenderTableSection::layout | - | 2016-10-02 |
174017 | ASSERTION FAILED: i < size(), UNKNOWN in WebCore::SVGAnimationElement::currentValuesForValuesAnimation | - | 2016-10-02 |
173781 | Heap-buffer-overflow in void std::__introsort_loop<WebCore::GridTrack**, long, bool | - | 2016-10-02 |
173688 | Security: Non-web-accessible extension URLs should not load in non-extension processes | - | 2016-10-02 |
67393 | Freeing invalid uninitialized pointer to bug_report_ object | $1,000 | 2016-10-02 |
67363 | EXTERNAL-REPORT: SVGElementInstance::m_useElement not cleared on corresponding use element destruction | $500 | 2016-10-02 |
67577 | Switch .jar and .class to always-warn | - | 2016-10-02 |
67234 | Webkit crashes during animation event processing | - | 2016-10-02 |
67303 | renderer crash when playing a corrupt webm video | $1,000 | 2016-10-02 |
67208 | VU#821271 Exception generated by code running in the Stack | $1,000 | 2016-10-02 |
66986 | Reparenting error due to double merge of anonymous blocks in removeChild | - | 2016-10-02 |
66962 | browser crash when reproducing issue #64051 | - | 2016-10-02 |
66931 | Google Chrome crashes at https://webmail.afmc.af.mil/Exchange | - | 2016-10-02 |
66841 | Chrome View keeps changing percentage(decreasing to 50%) automatically | - | 2016-10-02 |
67100 | Crash in PDF form event handling when deleting page from underneath self | - | 2016-10-02 |
66760 | ZDI-CAN-968: Apple Webkit Font Glyph Layout Remote Code Execution Vulnerability | - | 2016-10-02 |
66718 | webgl page causes X server crash | - | 2016-10-02 |
66700 | chrome.dll!WebCore::RenderTextControlSingleLine::speechAttributeChanged ReadAV@NULL (7acb553d23eecf733d9ececf57a499f7) | - | 2016-10-02 |
66676 | REGRESSION: Crash on exit after clearing all downloads | - | 2016-10-02 |
66486 | MAC OSX 10.6.5 google chrome | - | 2016-10-02 |
66473 | Crash in ReplaceSelectionCommand::doApply when modified during mutation event | - | 2016-10-02 |
66748 | CSSCursorImageValue not clearing SVGElement back pointer | $500 | 2016-10-02 |
66334 | Crashes at wild EIP when pressing "print" button on PDFs | - | 2016-10-02 |
65942 | Stale pointer in Range::processContents when modified during mutation event | - | 2016-10-02 |
65869 | crash when rapidly reloading a page with an applet | - | 2016-10-02 |
65845 | Bad cast from RenderText to RenderBox due to details tag being shown inline. | - | 2016-10-02 |
65796 | Children of cloned anonymous blocks should set childreninline flag | - | 2016-10-02 |
65299 | Out of bound read when using modified webp file | $500 | 2016-10-02 |
65194 | Renderer crash @ gpu::gles2::GLES2Implementation::TexSubImage2D(unsigned int,int,int,int,int,int,unsigned int,unsigned int,void const *) | - | 2016-10-02 |
64974 | Integer overflow leading to OOB read, possible memory corruption in webgl getfloat32 | - | 2016-10-02 |
64949 | Crash with progressive rendering | - | 2016-10-02 |
64788 | Access data from my company Google Docs (domain wittit.com) with my gmail account. | - | 2016-10-02 |
64669 | Not allow overwrite of field data when merging profile data | - | 2016-10-02 |
64559 | Bad cast when selection changes for combo boxes. | - | 2016-10-02 |
64456 | Chrome crashes when attempting to install a userscript. | - | 2016-10-02 |
64945 | Crash when webp image is invalid | $1,000 | 2016-10-02 |
64364 | fails at startup when opening the browser | - | 2016-10-02 |
64331 | Stale node being set as layout root when rendering meter, progress elements. | - | 2016-10-02 |
64088 | Use after free due to calling a stale timer on a closed frame/document | - | 2016-10-02 |
64046 | WebKit 49902 - chrome.dll!WebCore::toWebWidgetClient ReadAV@NULL (08ffd4f21a8c6465bb1e19a2f52e4bd5) | - | 2016-10-02 |
63982 | Memory corruption in RenderObjectChildList::removeChildNode | - | 2016-10-02 |
64424 | Computing style on a stale node while sending pending accessibility notification | - | 2016-10-02 |
64108 | Verify cross-origin push fails under SPDY | - | 2016-10-02 |
63911 | Memory corruption in accelerated 2d canvas | - | 2016-10-02 |
63945 | More memory corruption in accelerated 2d canvas, this time in moveTo | - | 2016-10-02 |
63617 | Closing multiple WebGL tabs at the same time causes segfault in Xorg | - | 2016-10-02 |
63609 | Delete any link promotes - Orkut OLD | - | 2016-10-02 |
63552 | Windows media player plugin crashes all the time @ NPAPI::PluginLib::Load+0x116 | - | 2016-10-02 |
63533 | WebM Crash fix merge from M7 | - | 2016-10-02 |
63529 | Security: Segfault when dealing with Web Workers and MessageChannels | - | 2016-10-02 |
63866 | WebKit CSS Font Face Parsing Type Confusion | $1,000 | 2016-10-02 |
63924 | Bad cast from RenderTableCol to RenderBlock in search css | - | 2016-10-02 |
63732 | Browser crash @ JavaScriptAppModalDialog::Cleanup() | $500 | 2016-10-02 |
63389 | Setting small numeric CSS values using setFloatValues changes that value on all pages until the browser is quit | - | 2016-10-02 |
63268 | Universal XSS via mutating style objects and read styles cross origins | - | 2016-10-02 |
63248 | segfault in bundled PDF viewer (invalid read in strlen) | $1,000 | 2016-10-02 |
63444 | Security: possible memory corruption (double-free) in XPath processing code | $1,000 | 2016-10-02 |
63495 | WebCore::NamedNodeMap::setAttributes() stale iterator | - | 2016-10-02 |
63454 | Analyze integer wraps in WebCore::Range. | - | 2016-10-02 |
63380 | SVG Transformlist memory corruption | - | 2016-10-02 |
63031 | Stale font accessed in WebCore::GlyphPage::glyphDataForCharacter | - | 2016-10-02 |
63166 | CryptUnprotectData disclose sensitive information in stack | - | 2016-10-02 |
63051 | chrome_6dc70000!WebCore::EventHandler::updateSelectionForMouseDrag use after free | $500 | 2016-10-02 |
63037 | Security: chrome.google.com Stored XSS | - | 2016-10-02 |
189090 | Heap-use-after-free in WebCore::accumulateDocumentEventTargetRects | - | 2016-10-02 |
189089 | ASSERTION FAILED: curr->isRenderBlock(), UNKNOWN in WebCore::RenderBlock::splitBlocks | - | 2016-10-02 |
189250 | Security: pango loads config options from $HOME/.pangorc | - | 2016-10-02 |
189091 | Heap-use-after-free in extensions::ObjectBackedNativeHandler::Router | - | 2016-10-02 |
189084 | Bad cast in WebKit::WebPageSerializerImpl::endTagToString | - | 2016-10-02 |
187243 | Heap-use-after-free in WebCore::InlineBox::deleteLine | - | 2016-10-02 |
181617 | Security: Possible path traversal in file_util::AbsolutePath (Windows XP/2K3) | $1,337 | 2016-10-02 |
181580 | Heap-use-after-free in extensions::ModuleSystem::LazyFieldGetterInner | - | 2016-10-02 |
187245 | Heap-use-after-free in SkTypeface::getTableSize | - | 2016-10-02 |
188092 | Invalid pointer read in WebCore::WaveShaperProcessor::process | - | 2016-10-02 |
183741 | arbitrary number of popups in response to single user action | - | 2016-10-02 |
181083 | Security: H.264 scaling list parsing overflow | $40,000 | 2016-10-02 |
180920 | Heap-use-after-free in WebCore::ElementRuleCollector::collectMatchingRulesForList | - | 2016-10-02 |
181438 | TransportDIB::Map doesn't validate size of mapped section on Windows | - | 2016-10-02 |
180763 | PWN2OWN: Bad cast in SVGViewSpec::viewTarget | - | 2016-10-02 |
180593 | Heap-use-after-free in WebCore::RenderBlock::logicalRightOffsetForLine | - | 2016-10-02 |
180555 | Security: DevTools renderer navigation is handled in renderer and allows opening any URL in DevTools window. | - | 2016-10-02 |
181375 | Heap-use-after-free in WebCore::AXObjectCache::getOrCreate | - | 2016-10-02 |
180909 | Buffer overflow in URLLoader::ReadResponseBodyAck | - | 2016-10-02 |
180051 | Use after free in PersistentTabRestoreService (during shutdown?) | - | 2016-10-02 |
179653 | ANGLE shader compiler: struct size overflow | - | 2016-10-02 |
179634 | Heap-use-after-free in (anonymous | - | 2016-10-02 |
179632 | Heap-use-after-free in sigslot::_signal_base1<bool, sigslot::single_threaded>::disconnect | - | 2016-10-02 |
179631 | Heap-use-after-free in WebCore::SegmentedString::SegmentedString | - | 2016-10-02 |
179580 | Devtools uses dangling WebContents* when extension reloads | - | 2016-10-02 |
180058 | Security: Loading NaCl from Web via permissive extension | - | 2016-10-02 |
179654 | ANGLE shader compiler: validate numBytes in TPoolAllocator::allocate | - | 2016-10-02 |
178848 | Chrome_Linux: Crash Report - Stack Signature: extensions::UserScriptSlave::GetDataSourceU... | - | 2016-10-02 |
178706 | Mac AVCConfigRecordBuilder: integer overflow leading to heap-buffer-overflow | - | 2016-10-02 |
178780 | Security: Chrome extensions whitelist leaks IDs | - | 2016-10-02 |
178761 | Heap-use-after-free in WebCore::FrameView::maintainScrollPositionAtAnchor | - | 2016-10-02 |
178760 | Heap-use-after-free in gtk_floating_container_add_floating | - | 2016-10-02 |
179287 | ASSERTION FAILED: !object || object->isBox(), UNKNOWN in WebCore::RenderSliderContainer::layout | - | 2016-10-02 |
179522 | Heap-use-after-free in WebCore::AudioNodeOutput::pull | $3,133 | 2016-10-02 |
178797 | Use-after-free under CachedRawResource::responseReceived | - | 2016-10-02 |
178266 | Heap-use-after-free in WebCore::RenderBlock::determineStartPosition | - | 2016-10-02 |
178242 | NavigationController can copy wrong NavigationEntry when committing a new page | - | 2016-10-02 |
178269 | Heap-use-after-free in WebCore::FrameLoader::stopForUserCancel | - | 2016-10-02 |
178130 | ASSERTION FAILED: node->treeScope() == m_oldScope, Heap-use-after-free in WebCore::TreeScopeAdopter::moveTreeToNewScope | - | 2016-10-02 |
178581 | Heap-use-after-free in BrowsingDataRemover::DoClearCache | - | 2016-10-02 |
178264 | Heap-use-after-free in WebCore::Frame::setPageAndTextZoomFactors | - | 2016-10-02 |
178002 | Heap-use-after-free in WebCore::LiveNodeList::namedItem | - | 2016-10-02 |
177933 | ASSERTION FAILED: i < size(), UNKNOWN in WebCore::SVGAnimatedTransformListAnimator::calculateAnimatedValue | - | 2016-10-02 |
178003 | ASSERTION FAILED: !node || node->isElementNode(), UNKNOWN in WebCore::HTMLElementStack::popCommon | - | 2016-10-02 |
177956 | cross-process memory address leak via sa_restorer | $1,000 | 2016-10-02 |
62987 | Use after free in EventSource | - | 2016-10-02 |
62925 | <Unloaded_S.DLL>+0x42cd17f crash | $1,000 | 2016-10-02 |
62718 | renderer crash in PDF viewer (possibly due to overlapping memcpy) | - | 2016-10-02 |
62674 | Valgrind detected invalid read in net::SingleRequestHostResolver::Cancel() - use-after-free? | - | 2016-10-02 |
62623 | Crash at NULL IP in PDF when evaluating strange expression | $1,000 | 2016-10-02 |
62401 | Crash in WebCore::SMILTimeContainer::begin | $1,000 | 2016-10-02 |
62358 | Integer overflow in SVG Parsing | - | 2016-10-02 |
62791 | Crash loading invalid crx extension file | - | 2016-10-02 |
62354 | Bad cast in SVGImageBufferTools::renderSubtreeToImageBuffer | - | 2016-10-02 |
62296 | Bad cast from renderinline to renderbox in animations | - | 2016-10-02 |
62281 | Use after free due to overhanging floats in LEGEND block | - | 2016-10-02 |
62276 | Out of bound memory access in webp decoder | - | 2016-10-02 |
62261 | use after free in ContainerNode::willRemove | - | 2016-10-02 |
62168 | Bad cast in WebDevToolsFrontendImpl::dispatchOnInspectorFrontend | - | 2016-10-02 |
62158 | Exploitable-looking crash when simply selecting a drop-down value | - | 2016-10-02 |
62293 | Bad cast in CSSStyleSelector::createTransformOperations | - | 2016-10-02 |
62118 | Autosave - Password | - | 2016-10-02 |
61975 | Page is shown before password is requested | - | 2016-10-02 |
61919 | [Regression] Browser crash in GetMostVisitedThumbnailsOnDBThread | - | 2016-10-02 |
61917 | [Regression] Purecall in TopSitesDatabase::UpdatePageThumbnail | - | 2016-10-02 |
62127 | faulty webm file causes segfault | $1,000 | 2016-10-02 |
61954 | split webstorePrivate.install into two functions, one of which requires a gesture | - | 2016-10-02 |
61719 | Chrome | - | 2016-10-02 |
61691 | SECURITY FAIL | - | 2016-10-02 |
61653 | MSVR-10-0108 - Integer Overflow in Chrome's VP8 decoding leads to memory corruption | - | 2016-10-02 |
61634 | webstorePrivate.install method should not suppress install confirmation for extensions with NPAPI | - | 2016-10-02 |
61721 | Security: Google Chrome 7.0.517.41 Multiple DLL Hijacking Vulnerability | - | 2016-10-02 |
61701 | Security: google chrome crashes when a request passes through a proxy and receives a 407 HTTP error code from the server | - | 2016-10-02 |
61848 | Search results are displayed in bing. | - | 2016-10-02 |
61555 | on double click of a password with comma in it, selects only the part separated by comma instead of selecting fully. This compromises security besides being an inconvenience. | - | 2016-10-02 |
61502 | Floats left out of the incremental line break code due to failed image load. | - | 2016-10-02 |
61338 | pdf viewer segfault after js syntax error | $1,000 | 2016-10-02 |
61577 | Security Bug: Google Docs Published Spreadsheets | - | 2016-10-02 |
61255 | Bad cast in PageClickTracker::handleEvent | - | 2016-10-02 |
61576 | WebKit 48831 - chrome.dll!WebCore::SVGLength::SVGLength WriteAV@Arbitrary (ab566cfad36b72d82883e59d51a1dbec) | - | 2016-10-02 |
61313 | Use after free related to ApplyBlockElementCommand::formatSelection | - | 2016-10-02 |
61129 | Double click selection behaviour exposes password information | - | 2016-10-02 |
60978 | WebGL stencil buffers not correctly initialized | - | 2016-10-02 |
60816 | Crash in hunspell::NodeReader::FindWord | - | 2016-10-02 |
60769 | more bad casts in event handling. | - | 2016-10-02 |
60761 | chrome_1c30000!TabContents::RemoveInfoBar(class InfoBarDelegate * delegate = 0x05dfe700)+0x1dfull tab crash | - | 2016-10-02 |
61158 | Use after free in ApplyStyleCommand::removeInlineStyle | - | 2016-10-02 |
60695 | Bad cast in RenderView docheight,docwidth calc due to adding non box childs | - | 2016-10-02 |
60688 | chrome_55000000!WebCore::FEBlend::apply+0x1a5 | $1,000 | 2016-10-02 |
60653 | Memory error inside WTF::String::format | - | 2016-10-02 |
60496 | Speed tracer + AdBlock = Renderer Crash @ v8::internal::Invoke | - | 2016-10-02 |
60327 | Bad cast to MouseEvent in Node::defaultEventHandler() | $500 | 2016-10-02 |
60238 | Use after free of m_frame in FrameLoader::loadWithDocumentLoader | $500 | 2016-10-02 |
60697 | CSS, background-repeat bug | - | 2016-10-02 |
60029 | OOB read with StringImpl::find line 621 | - | 2016-10-02 |
59817 | Security: Add .html and .htm to the dangerous extensions list for OSX and OS_POSIX | - | 2016-10-02 |
60055 | WebM crash in vp8_setup_intra_recon() | $1,000 | 2016-10-02 |
59663 | CSSPrimitiveValue::cssText() may cause a buffer overflow | - | 2016-10-02 |
60013 | RenderIndicator childs not laid out at all. | - | 2016-10-02 |
223145 | Security: <template> implementation fails to check for "template" in special list when handling "any other end tag for in body" | - | 2016-10-02 |
223125 | Heap-buffer-overflow in WebCore::InlineIterator::atTextParagraphSeparator | - | 2016-10-02 |
223032 | ASSERTION FAILED: !HashTranslator::equal(Extractor::extract(deletedValue), key), Heap-buffer-overflow in WebCore::Font::width | - | 2016-10-02 |
222852 | Heap-use-after-free in WebCore::RenderObject::isDescendantOf | - | 2016-10-02 |
222770 | UNKNOWN in WebCore::QualifiedName* WTF::HashTable<WebCore::QualifiedName, WebCore::QualifiedName, WTF::Identity | - | 2016-10-02 |
222754 | Multiple ffmpeg security issues found by j00ru. | - | 2016-10-02 |
222539 | UNKNOWN in WTF::Vector<WTF::Vector<WebCore::RenderBox*, 1ul>, 0ul>::reserveCapacity | - | 2016-10-02 |
223034 | Heap-buffer-overflow in void media::ToInterleavedInternal<int, long> | - | 2016-10-02 |
223238 | Heap-use-after-free in GIFImageReader::decode | $1,000 | 2016-10-02 |
222000 | Use after free - using speech API after loading a web page | $1,000 | 2016-10-02 |
222036 | Heap-use-after-free in cricket::WebRtcRenderAdapter::FrameSizeChange | - | 2016-10-02 |
222136 | Heap-use-after-free in WebCore::AudioDSPKernelProcessor::reset | - | 2016-10-02 |
221131 | HTML tags are not sanitized in chrome://network | - | 2016-10-02 |
220039 |