Chromium Disclosed Security Bugs

Google discloses Chromium security bugs 14 weeks after fixing them. This website makes it easier to keep track of them.

This page is run by @securityMB but it is not an official Google product.

Bugs disclosed in 2016.json

#Summary$$$Disclosure date
645811Crash in mojo::internal::Router::OnConnectionError-2016-12-31
648031Heap-use-after-free in pp::MacroExpander::expandMacro-2016-12-31
647922Crash in SuperBlitter::blitH-2016-12-31
648935Crash in FindBit-2016-12-31
649826Heap-use-after-free in CPDF_ViewerPreferences::IsDirectionR2L-2016-12-31
622271Security: Adobe Flash ContextMenu Use After Free$3,0002016-12-30
622634Security: use-after-free vulnerability in flash player 22.0.0.192$3,0002016-12-30
630544Security: use-after-free vulnerability in flash player 22.0.0.209$3,0002016-12-30
630547Security: use-after-free vulnerability in Adobe flash player$3,0002016-12-30
640177Security: use-after-free vulnerability in flash player latest version$3,0002016-12-30
647791Heap-buffer-overflow in gpu::gles2::ShaderTranslator::Translate-2016-12-30
648620CRASH() writes to a fixed mappable address-2016-12-30
649056Assertion failed: !object || (object->isBox())-2016-12-30
649095Bad-cast to blink::LayoutBox from blink::LayoutInline;blink::LayoutBox::firstChildBox;blink::ThemePainterDefault::setupMenuListArrow-2016-12-30
649058Use-of-uninitialized-value in blink::BoxPainter::paint-2016-12-30
649599Crash in blink::ThemePainterDefault::setupMenuListArrow-2016-12-30
502871Security: adobe flash NetStream.appendBytes ByteArray data Use-After-Free$3,0002016-12-29
646278Security: Address Bar URL Spoofing$5002016-12-29
648671Bad-cast to webrtc::Module from webrtc::BitrateControllerImpl;webrtc::CongestionController::TimeUntilNextProcess;webrtc::ProcessThreadImpl::Process-2016-12-29
647329Use-after-poison in fuzz_wasm_section-2016-12-28
645540Update It2Me host to show confirmation prompt for incoming connections.-2016-12-28
648373Crash in v8::internal::SloppyArgumentsElementsAccessor<v8::internal::SlowSloppyArgumentsE-2016-12-28
645028Web accessible resources checks should work with blob: and filesystem: URLs that have chrome-extension:// inner URLs-2016-12-27
647612Heap-use-after-free in CPDF_RenderStatus::LoadSMask-2016-12-27
647893Use-of-uninitialized-value in CPDF_DIBSource::TranslateScanline24bpp-2016-12-27
647683Wrong security state when going back/forward after HTML5 history push-2016-12-27
639750XSS using Dropjacking-2016-12-26
646351Crash in v8::internal::SloppyArgumentsElementsAccessor<v8::internal::SlowSloppyArgumentsE-2016-12-26
640233Use-of-uninitialized-value in SkGradientShaderBase::SkGradientShaderBase-2016-12-25
645729Use-after-poison in blink::TimerBase::runInternal$3,5002016-12-25
646178Heap-use-after-free in blink::ShapeOutsideInfo::isEnabledFor-2016-12-25
647197Heap-double-free in v8::internal::wasm::testing::InterpretWasmModule-2016-12-24
647110Heap-double-free in v8::internal::wasm::testing::InterpretWasmModule-2016-12-24
647027Heap-use-after-free in v8::internal::wasm::ThreadImpl::Execute-2016-12-24
647481Use-of-uninitialized-value in SkGradientShaderBase::SkGradientShaderBase-2016-12-24
647267Crash in blink::TopDocumentRootScrollerController::globalRootScroller-2016-12-24
644674Attempting free in void v8::internal::LocalArrayBufferTracker::Free<-2016-12-23
647269Bad-cast to blink::TopDocumentRootScrollerController from blink::RootScrollerController;blink::PaintLayerCompositor::updateClippingOnCompositorLayers;blink::PaintLayerCompositor::updateIfNeeded-2016-12-23
646258Crash in ReadUnalignedValue<int>-2016-12-23
627399Use-of-uninitialized-value in CCodec_TiffContext::Decode-2016-12-22
621838Memcpy-param-overlap in CCodec_ProgressiveDecoder::JpegReadMoreData-2016-12-22
645745Unable to block cookies$5002016-12-22
646786Use-of-uninitialized-value in SkMatrix44::computeTypeMask-2016-12-22
646350Heap-use-after-free in ash::WmWindowAura::StackChildAbove-2016-12-22
641239Use-of-uninitialized-value in blink::PointerEventManager::setPointerCapture-2016-12-21
638159Use-of-uninitialized-value in test_runner::MockWebSpeechRecognizer::PostRunTaskFromQueue-2016-12-21
642070Use-of-uninitialized-value in update_current_folder_get_info_cb-2016-12-21
643939Crash in v8::internal::Invoke-2016-12-21
645839Heap-use-after-free in cc::Scheduler::BeginImplFrameWithDeadline-2016-12-21
644733Heap-buffer-overflow in blink::LazyLineBreakIterator::nextBreakablePositionIgnoringNBSP-2016-12-21
645777Use-of-uninitialized-value in base::time_internal::SaturatedSub-2016-12-20
645186Memcpy-param-overlap in CCodec_ProgressiveDecoder::JpegReadMoreData-2016-12-20
645201Use-of-uninitialized-value in webrtc::PlayoutDelayLimits::Parse-2016-12-19
645770Heap-buffer-overflow in void std::vector<aura::Window*, std::allocator<aura::Window*> >::_M_insert_aux<a-2016-12-18
644373Security - Unexploitable: Integer Overflow in media::mp4::TrackRunIterator::Init leading to arbitrary size OOB read in an arbitrary offset from the buffer.-2016-12-17
645034Use-of-uninitialized-value in blink::TraceMethodDelegate<blink::PersistentBase<blink::DOMArrayBuffer,-2016-12-17
645657Use-of-uninitialized-value in base::Pickle::WriteBytes-2016-12-17
641995value.isFunctionValue()-2016-12-16
632709Heap-use-after-free in CPDFSDK_Widget::SetAppModified-2016-12-15
642803Heap-use-after-free in cc::SurfaceManager::UnregisterBeginFrameSource-2016-12-15
643726Heap-buffer-overflow in safe_browsing::dmg::UDIFBlock::ParseBlockData-2016-12-15
643173Wrong security state when redirecting to HTTP$2,0002016-12-15
644182Heap-buffer-overflow in unibrow::Utf8::Validate-2016-12-15
648971Chrome OS exploit: c-ares OOB write + dump_vpd_log > symlink$100,0002016-12-14
632848!object || (object->isBox())-2016-12-14
637899Heap-buffer-overflow in Decode-2016-12-14
640998Crash in CPDF_Parser::LoadCrossRefV5-2016-12-14
643431Crash in v8::internal::Object::SetPropertyInternal-2016-12-14
643665Crash inside SuperBlitter::blitH-2016-12-14
643933Crash in SuperBlitter::blitH-2016-12-14
643935Heap-buffer-overflow in gpu::gles2::Texture::SetLevelInfo-2016-12-14
640999Heap-use-after-free in base::ObserverListBase<content::RenderThreadObserver>::RemoveObserver-2016-12-13
642987Heap-buffer-overflow in unibrow::Utf8::Validate-2016-12-13
643137Heap-use-after-free in blink::TimerBase::getTimerTaskRunner-2016-12-13
643970Use-of-uninitialized-value in SkUnPreMultiply::PMColorToColor-2016-12-13
644003Use-of-uninitialized-value in mojo::edk::ChannelPosix::WriteNoLock-2016-12-13
624011Security: UAF with namespace nodes in XPointer ranges$3,5002016-12-11
638220Heap-buffer-overflow in test_runner::BoundsForCharacter-2016-12-10
638166Heap-use-after-free in content::RenderFrameImpl::NavigateInternal-2016-12-09
642867Crash in v8::internal::wasm::WasmFullDecoder::AnalyzeLoopAssignment-2016-12-09
642639<no crash state available>-2016-12-09
643071Crash in v8::internal::NewSpace::Verify-2016-12-09
640576Heap-use-after-free in base::WaitableEvent::Signal-2016-12-08
642028Use-of-uninitialized-value in void WTF::copyToVector<WTF::HashSet<blink::LayoutObject*, WTF::PtrHash<blink::La-2016-12-08
497302Integer-overflow in sfntly::FontData::Bound$1,0002016-12-06
642063Crash in v8::internal::HeapObject::SizeFromMap-2016-12-06
641575Crash in v8::internal::InstantiateObject-2016-12-05
623992Use-of-uninitialized-value in unicodetoupper-2016-12-04
622197Heap-buffer-overflow in u16_u8-2016-12-03
633473Use-of-uninitialized-value in Hunspell::spell-2016-12-03
638570Use-of-uninitialized-value in AffixMgr::compound_check-2016-12-03
638562Stack-buffer-overflow in SfxEntry::checkword-2016-12-03
625915Mac: 'Press Esc to exit fullscreen' covered up by permission prompts-2016-12-02
638615Security: heap-buffer-overflow in ImageBitmap::ImageBitmap$5,5002016-12-02
619368Heap-buffer-overflow in content::WriteMemory-2016-12-01
631375Security: mbspatch: Malform patch file may access heap out of bound-2016-12-01
635602Heap-use-after-free in content::RenderProcessHostImpl::ConnectionFilterImpl::GetInterface-2016-12-01
635879Security: Format String Vulnerability in Chrome OS$1,0002016-12-01
638223Use-of-uninitialized-value in Break-2016-12-01
638742Security: Universal XSS using ThreadDebugger::setMonitorEventsCallback$2,0002016-12-01
617124Use-of-uninitialized-value in WebRtcSpl_CountLeadingZeros32-2016-11-30
637594Security: Universal XSS using DevTools$2,0002016-11-30
639658Security: Navigating to "chrome://" URLs via 'about:' protocol$5002016-11-30
637546Security: UNKOWN in CFX_Edit_Provider::GetCharWidthW$1,0002016-11-29
639451Heap-use-after-free in std::__1::__tree_const_iterator<std::__1::__value_type<CFX_ByteString, CPDF_Obje-2016-11-29
639984Heap-use-after-free in FORM_DoDocumentAAction-2016-11-29
639985Use-of-uninitialized-value in shell::internal::InterfaceFactoryBinder<IPC::mojom::ChannelBootstrap>::BindInter-2016-11-29
633306CSP can be abused to disclose URIs cross-origin-2016-11-25
638571Heap-use-after-free in blink::DepthOrderedLayoutObjectList::ordered-2016-11-25
638928!m_deletionHasBegun-2016-11-25
628942Security: Universal XSS with ScopedPageLoadDeferrer and RemoteFrame$17,5002016-11-24
630654Heap-use-after-free in CPDFSDK_Document::KillFocusAnnot$3,0002016-11-24
633474Negative-size-param in blink::LayoutGrid::populateExplicitGridAndOrderIterator-2016-11-24
638186Use-after-poison in blink::SVGLengthContext::convertValueToUserUnits-2016-11-24
638192Use-after-poison in blink::ElementResolveContext::ElementResolveContext-2016-11-24
638226Use-of-uninitialized-value in v8::internal::PointerUpdateJobTraits<-2016-11-24
619381Crash in GrCircleBlurFragmentProcessor::CreateCircleBlurProfileTexture-2016-11-23
633385CUPS domain socket should only be openable by user chonos-2016-11-23
635848Security: Crash in CPDF_Dictionary::GetObjectBy$1,0002016-11-23
638185Bad-cast to const blink::LayoutBox from blink::LayoutSVGResourcePattern;blink::PaintInvalidationState::updateForNormalChildren;blink::PaintInvalidationState::updateForChildren-2016-11-23
638219Bad-cast to blink::LayoutBox from blink::LayoutSVGEllipse;blink::LayoutObject::positionForPoint;blink::LayoutBox::clippingRect-2016-11-23
622033Heap-buffer-overflow in sctp_send_deferred_reset_response-2016-11-22
630870Security: Universal XSS by intercepting a UA shadow tree$7,5002016-11-22
636268Security: heap-buffer-overflow in SkColorSpace$3,5002016-11-22
634557Security: Blob file entries aren't checked against security policy-2016-11-22
628999Crash in blink::Geolocation::onGeolocationPermissionUpdated-2016-11-21
635577Crash in mojo::AssociatedBinding<blink::mojom::blink::BroadcastChannelClient>::RunConnect-2016-11-19
637320Security: Unchecked .end() iterator dereference in VTVideoDecodeAccelerator::ReusePictureBuffer-2016-11-19
625404Security: use-after-free in AttachFilteredEvent on event_bindings.cc$3,0002016-11-18
628920Security: Address bar spoofing on iOS-2016-11-18
625575Security: bypassing CORS by XHR + MemoryCache + ServiceWorker-2016-11-18
633687Security: Full browser crash when trying to open missing 'downloaded' resource file.-2016-11-18
626893Security: Arbitrary memory write in v8::internal::GlobalHandles::IterateNewSpaceWeakUnmodifiedRoots()$3,0002016-11-17
628542Heap-buffer-overflow in unibrow::Utf8::Validate-2016-11-17
631368Crash in blink::getPropertyNameString-2016-11-17
634954Security: Address bar spoofing with itunes page on iOS-2016-11-17
636194Crash in void SkLinearGradient::LinearGradientContext::shade4_dx_clamp<false, false>-2016-11-17
635571Crash in blink::EventTarget::fireEventListeners-2016-11-17
622420Security: Type confusion in StylePropertySerializer::getCustomPropertyText.-2016-11-16
632124Global-buffer-overflow in silk_NLSF2A-2016-11-16
635574Use-after-poison in blink::CrossThreadPersistentRegion::shouldTracePersistentNode$3,5002016-11-16
600352Security: Cross-Protocol Theft from non-HTTP services via DNS rebinding + HTTP/0.9-2016-11-15
611955//components/filesystem/public/interfaces/*.mojom files need security review-2016-11-15
618037Security: Devtools old remote frontend allows running privileged scripts via overwriting localStorage settings$1,0002016-11-15
633472Use-of-uninitialized-value in segment-2016-11-15
632849Heap-buffer-overflow in SkA8_Blitter::blitH-2016-11-13
628890Security: heap-buffer-overflow in opj_tcd_code_block_dec_allocate$3,5002016-11-12
628304Security: heap-buffer-overflow in opj_v4dwt_interleave_h$3,5002016-11-12
634238Security: Adobe Flash Button.blendMode setter uninitialized stack variable-2016-11-12
635045Use-of-uninitialized-value in blink::ImagePattern::isLocalMatrixChanged-2016-11-12
619429Security: Able to bypass permission prompt on keypress-2016-11-11
624514Heap-buffer-overflow in CWeightTable::Calc$3,5002016-11-11
634114Heap-use-after-free in blink::LayoutFieldset::adjustInnerStyle-2016-11-11
634394Security: UAF in PDFium's TimerProc()-2016-11-11
627355Crash in _platform_memmove$VARIANT$Nehalem-2016-11-10
632965Security: OOB read with CallSite and wasm-2016-11-10
633585Crash in v8::internal::InnerPointerToCodeCache::GcSafeFindCodeForInnerPointer-2016-11-10
633471Use-of-uninitialized-value in GrPipeline::CreateAt-2016-11-08
633486Tracking bug for internal fixes: Chrome M52, release 1-2016-11-08
479961Apply wpa_supplicant P2P vulnerability fixes-2016-11-07
632634Security: Universal XSS with static methods and ScriptState::forHolderObject$7,5002016-11-07
610644Heap-buffer-overflow in ps_table_add$1,5002016-11-06
632850Crash in CPDFSDK_InterForm::GetWidget-2016-11-06
632851Heap-use-after-free in CJS_Timer::KillJSTimer-2016-11-06
632860Heap-buffer-overflow in copy-2016-11-05
616429Security: Saving WebPage with file: resources access SMB resources$1,0002016-11-04
631052Use-after-poison in blink::CompositorAnimationPlayer::NotifyAnimationStarted$3,5002016-11-04
631320Heap-use-after-free in content::WebRTCEventLogHost::PeerConnectionRemoved-2016-11-04
629919Security: heap-buffer-overflow in opj_tcd_update_tile_data$5,0002016-11-03
631050Crash in v8::internal::JSObject::UpdateAllocationSite-2016-11-03
573131Security: some extension bindings incorrectly injected into about:blank frames$7,5002016-11-02
627414Crash in MaskSuperBlitter::blitH-2016-11-02
630377Heap-use-after-free in ProfileIOData::FromResourceContext-2016-11-02
629455Heap-buffer-overflow in SuperBlitter::blitH-2016-11-02
631319Container-overflow in gpu::gles2::GLES2DecoderImpl::DoScheduleCALayerFilterEffectsCHROMIUM-2016-11-02
631752Tracking bug for internal fixes: Chrome OS 52.0.2743.85 (Platform version: 8350.60.0)-2016-11-02
628992Heap-use-after-free in SuperBlitter::blitH-2016-11-01
627454Use-of-uninitialized-value in blink::PointerEventManager::setPointerCapture-2016-11-01
630736Crash in segment-2016-11-01
630369Use-of-uninitialized-value in GrShape::attemptToSimplifyPath-2016-10-31
630749Heap-use-after-free in mojo::BindingSet<network_hints::mojom::NetworkHints>::AddBinding-2016-10-31
623195Use-of-uninitialized-value in base::Pickle::WriteData-2016-10-29
630649Stack-buffer-overflow in SkDCubic::searchRoots-2016-10-29
399951Security: Cross-origin information leak via ECMAScript harmony proxies$1,0002016-10-28
614647Use-of-uninitialized-value in get_advance-2016-10-28
621362Security: Universal XSS with Flash calling into JavaScript inside Node::removedFrom$7,5002016-10-28
629962Use-of-uninitialized-value in segment-2016-10-28
628117Heap-use-after-free in blink::PaintController::commitNewDisplayItems$3,5002016-10-28
630378Use-of-uninitialized-value in SkDPoint::approximatelyEqual-2016-10-28
624213Security: Address bar RTL character spoofing on Mac-2016-10-27
624214Security: Address bar RTL character spoofing on iOS-2016-10-27
629795Use-of-uninitialized-value in gpu::gles2::GLES2DecoderImpl::HandleGetBufferParameteriv-2016-10-27
626186Crash in SkOpAngle::setSpans-2016-10-26
627401Crash in SkOpCoincidence::mark-2016-10-26
628995Use-of-uninitialized-value in CPWL_List_Notify::IOnInvalidateRect-2016-10-26
629452Crash in segment-2016-10-26
629454Use-of-uninitialized-value in containsCoincidence-2016-10-26
616623Use-of-uninitialized-value in walk_convex_edges-2016-10-25
629004Use-of-uninitialized-value in gpu::gles2::GLES2DecoderImpl::DoDrawBuffersEXT-2016-10-25
629008Use-of-uninitialized-value in gpu::gles2::GLES2Implementation::WaitSyncTokenCHROMIUM-2016-10-25
629435Crash in v8::internal::Invoke-2016-10-25
623319URL Spoof due to subframes and NavigationEntry corruption$2,0002016-10-21
627436Negative-size-param in content::MediaStreamDispatcherHost::OnCancelDeviceChangeNotifications-2016-10-21
627756Security: SEGV on unknown address in toCSSValuePair$3,0002016-10-21
627443Use-of-uninitialized-value in gpu::gles2::GLES2Implementation::BufferDataHelper-2016-10-21
628113Use-of-uninitialized-value in blink::LayoutObject::setPreferredLogicalWidthsDirty-2016-10-21
628130Stack-buffer-overflow in saturated_add-2016-10-21
626790Crash in blink::ComputeFloatOffsetForFloatLayoutAdapter<2>::heightRemaining-2016-10-20
627354Negative-size-param in content::WebRTCEventLogHost::PeerConnectionRemoved-2016-10-20
627434Use-of-uninitialized-value in sk_sse41::blit_row_s32a_opaque-2016-10-20
627447Use-of-uninitialized-value in ProfileChooserView::ButtonPressed-2016-10-20
627457Use-after-poison in content::WebMessagePortChannelImpl::OnMessage$3,5002016-10-20
611957//components/leveldb/public/interfaces/leveldb.mojom needs a security review-2016-10-19
618295Security: [PDFium]AddressSanitizer: negative-size-param-2016-10-19
623168Use-of-uninitialized-value in v8::internal::Factory::NewNumber-2016-10-19
626182Heap-use-after-free in blink::PaintController::commitNewDisplayItems-2016-10-19
623365Heap Buffer Overflow in iframe URL Parse-2016-10-17
579934Chromium allows to open popup window from Flash object without user gesture or blocking$1,0002016-10-15
610986ASSERTION FAILED: !object || (object->isBox())-2016-10-15
617648Heap-use-after-free in content::FilteringNetworkManager::Initialize-2016-10-15
626562Crash in v8::internal::HandleBase::IsDereferenceAllowed-2016-10-15
626792Heap-use-after-free in GURL::GURL-2016-10-15
617105Security: use-after-free vulnerability in flash player$3,0002016-10-14
623072Use-of-uninitialized-value in containsCoincidence-2016-10-14
625541Security: heap-buffer-overflow in opj_tcd_init_tile$3,0002016-10-14
625823Security: SEGV in blink::DOMWindowV8Internal::blurMethodCallback$1,0002016-10-14
625945Security: browser history sniffing via HSTS + CSP (bypass previous fix)$1,0002016-10-14
613949Extension install crashes browser at onDownloadProgress and onInstallStageChanged$5002016-10-13
625903Security: heap-use-after-free in blink::LayoutBox::pixelSnappedOffsetHeight$2,0002016-10-13
624818Use-of-uninitialized-value in gpu::gles2::GLES2Implementation::BufferDataHelper-2016-10-13
623378Security: UAF related to XPointer range-to function$3,5002016-10-12
625752Crash in v8::internal::LocalArrayBufferTracker::Free<1>-2016-10-12
625393Security: Heap-use-after-free in ScriptInjector$1,0002016-10-11
616907Security: Universal XSS using a ScopedPageLoadDeferrer bypass$8,0002016-10-10
619379CharacterData::setData() should handle first-letter correctly-2016-10-06
620952i < m_len-2016-10-06
624713Security: Calling from WASM to JS should not pass the global object-2016-10-06
291417Security: <webview>/App Request Contexts may not be so isolated-2016-10-05
561978Vulnerability reported in media-libs/libpng-2016-10-05
609382Security: Use after free of task_struct in Mali Midgard driver.-2016-10-05
612050Heap-use-after-free in views::Widget::OnNativeWidgetDestroying-2016-10-05
609680Chrome For Android Address Bar Spoofing Issue Due To Mishandling Of RTL Characters$3,0002016-10-05
617882Crash in v8::internal::PointerUpdateJobTraits<-2016-10-05
618333Security: Parameter sanitization failure in DevTools leads to privileged script execution$2,0002016-10-05
619414Security: Devtools has Insuffient sanitization of remoteBase parameter$2,0002016-10-05
620981Crash in _platform_bzero$VARIANT$Merom-2016-10-05
621843Heap-buffer-overflow in float blink::ShapeResultSpacing::computeSpacing<unsigned short>-2016-10-05
623985Use-after-poison in blink::PersistentBase<blink::WorkerWebSocketChannel::Bridge,$3,5002016-10-05
623996Use-of-uninitialized-value in blink::LineBoxList::deleteLineBoxes-2016-10-05
617084Crash in v8::internal::HandleBase::IsDereferenceAllowed-2016-10-04
619377Bad-cast to blink::WebGLObject from invalid vptr;blink::WebGLProgram::deleteObjectImpl;blink::WebGLSharedObject::detachContextGroup-2016-10-04
621095SIGSEGV, RIP = 0x0-2016-10-04
118642Heap-use-after-free in v8::internal::JSObject::GetElementWithInterceptor$1,0002016-10-02
118662Regression(r109014): Heap-use-after-free in WebCore::InlineTextBox::isLineBreak$5002016-10-02
118593Heap-use-after-free in WebCore::SVGStyledElement::buildPendingResourcesIfNeeded$1,0002016-10-02
118490Heap-use-after-free in WebCore::RenderObject::containingBlock$1,0002016-10-02
118467open.call(other_window) circumvents check in other_window.open()-2016-10-02
118633Security: Frame sniffing is not fixed-2016-10-02
118414Heap use after free on chrome_content_browser_client.cc with webrtc$1,0002016-10-02
118374Long autofilled value causes render issue-2016-10-02
118273ZDI-CAN-1528: Webkit HTMLMedia Element beforeLoad Remote Code Execution Vulnerability-2016-10-02
118227Security: cross-origin iframes can be resized from within in M18-2016-10-02
118018Heap-buffer-overflow in S32_opaque_D32_nofilter_DXDY-2016-10-02
118317Popup blocker bypass triggering mouse event on tag with rel=noreferrer-2016-10-02
118185Heap-use-after-free in WebCore::V8HTMLBodyElement::wrapSlow-2016-10-02
117890Use-after-free in CrashGenerationServer-2016-10-02
117912Heap-buffer-overflow in memcmp-2016-10-02
117794[LangFuzz] Crash on heap with invalid read through GetPropertyWithCallback$5002016-10-02
117736No permission prompt when loading unpacked extension with NPAPI plugin-2016-10-02
117728Heap-use-after-free in WebCore::InlineBox::root$1,0002016-10-02
117724Event handlers firing during Text::splitText trigger use-after-free.-2016-10-02
118009Heap-buffer-overflow in void WTF::Vector<unsigned short, 0ul>::append<unsigned short>-2016-10-02
117889Dangerous download warnings are suppressed for a larger class of downloads than are handled by SafeBrowsing-2016-10-02
117698Heap-use-after-free in WebCore::RenderLayer::addChild$1,0002016-10-02
117696Heap-use-after-free in WebCore::RenderBlock::addPositionedFloats-2016-10-02
117674Heap-use-after-free in WebCore::GraphicsContext3D::getExtensions-2016-10-02
117672Uptake angle security fix-2016-10-02
117656Pwnium bug: GPU memory corruption-2016-10-02
117627Security: IPC Channel does not validate the listener.-2016-10-02
117620Pwnium bug: Prerendering issues with NACL$60,0002016-10-02
117715LoadExtension binding in chrome://extensions/ is too permissive-2016-10-02
117583Iframe hijacking from Pwnium-2016-10-02
117588Security: Memory Corruption in MaskSuperBlitter$1,0002016-10-02
117545ICU lang buffer overflow-2016-10-02
117471Heap-use-after-free in WebCore::GraphicsContext::paintingDisabled$1,0002016-10-02
117446App popup user gesture exemption should be based on process type, not just extent-2016-10-02
117418Security: Don't grant WebUI bindings to a process shared with normal views-2016-10-02
117417Security: Don't let a normal web renderer navigate to a privileged URL-2016-10-02
117413Heap-use-after-free in WebCore::RenderScrollbar::getScrollbarPseudoStyle-2016-10-02
117409Chrome: Crash Report - Stack Signature: v8::internal::MarkCompactCollector::RecordS...-2016-10-02
117400Uptake fixes on weak node iteration patterns-2016-10-02
117511Heap-use-after-free in WTF::equal-2016-10-02
117335Occasional heap-use-after-free in non-virtual thunk to AudioDevice::OnStateChanged$5002016-10-02
117341Heap-use-after-free in MessageLoop::AddToIncomingQueue$1,0002016-10-02
117230Part 2 of Pwnium Bug-2016-10-02
117226Part 1 of Pwnium Bug: UXSS$60,0002016-10-02
117150REGRESSION(wk109285): Heap-use-after-free in WebCore::Document::nodeChildrenWillBeRemoved$1,0002016-10-02
117110Heap-use-after-free in WebCore::RenderObjectChildList::destroyLeftoverChildren-2016-10-02
116994Heap-use-after-free in chrome::ChromeContentBrowserClient::RequestMediaAccessPermission-2016-10-02
116967Heap-buffer-overflow in WebCore::SVGUseElement::instanceForShadowTreeElement-2016-10-02
116927Heap-buffer-overflow in av_freep$1,0002016-10-02
116806Heap-use-after-free in WebCore::RenderInline::continuationBefore-2016-10-02
116746Heap-use-after-free in WebCore::RenderBlock::splitBlocks$1,0002016-10-02
116637Renderer process crash when doing WebGL canvas to 2D canvas drawImage()-2016-10-02
116524Security: Off-by-one in OTS resulting in arbitrary code execution-2016-10-02
116461Heap-use-after-free in WebCore::CSSCrossfadeValue::~CSSCrossfadeValue$1,0002016-10-02
116405Mitigate stale layout root bugs-2016-10-02
116398Security: SSL proxy seems to not care about the cert-2016-10-02
116474Merge SVG use fix to stable-2016-10-02
121926Heap-buffer-overflow in WebCore::FEConvolveMatrix::platformApplySoftware-2016-10-02
121937glGetProgramInfoLog regression in ANGLE-2016-10-02
121734Heap-use-after-free in WebCore::V8AbstractEventListener::~V8AbstractEventListener-2016-10-02
121726Sandbox IPC length checking race-2016-10-02
121703Crash in NSMutableRLEArray replaceObjectsInRange:withObject:length with long URL-2016-10-02
121692Heap-use-after-free in WebCore::SelectorChecker::checkOneSelector-2016-10-02
121645Heap-use-after-free in WebCore::RenderBlock::removeFloatingObject-2016-10-02
121899Security: use-after-free in WebCore::RenderBoxModelObject::hasSelfPaintingLayer()$1,0002016-10-02
121736Heap-use-after-free in WebCore::EventDispatcher::dispatchEvent-2016-10-02
121347Heap-buffer-overflow in WebCore::RenderBlock::LineBreaker::nextLineBreak$5002016-10-02
121524Use after free with reflections and composited layers-2016-10-02
121206Heap-buffer-overflow in WebCore::HTMLSelectElement::setRecalcListItems-2016-10-02
121128Heap-buffer-overflow in void WTF::Vector<unsigned short, 1024ul>::append<unsigned short>-2016-10-02
120977Crash in texSubImage2D on Mozilla's WebGL performance regression tests-2016-10-02
121269invalid cast in WebCore::toHTMLElement / WebCore::HTMLFieldSetElement::disabledAttributeChanged-2016-10-02
121223Heap-use-after-free in WebCore::WorkerThreadableWebSocketChannel::Bridge::mainThreadCreateWebSocketChannel$5002016-10-02
121407[LangFuzz] Invalid write in v8::internal::ElementsAccessorBase<...>::CopyElements$1,0002016-10-02
120648UNKNOWN in SkARGB32_Blitter::blitV$5002016-10-02
120457Global-buffer-overflow in WebCore::InlineTextBox::isLineBreak-2016-10-02
120711Heap-use-after-free in WebCore::Element::recalcStyle$1,0002016-10-02
120944Use-after-free due to issues in counter layout.$1,0002016-10-02
120912Heap-use-after-free in WebCore::RenderText::removeTextBox$1,0002016-10-02
120320Flash Broker Bypass 0x2B (CVE-2012-0724)-2016-10-02
120318Flash Broker Bypass 0x2D (CVE-2012-0725)-2016-10-02
120222Heap-use-after-free in WebCore::RenderTableSection::paintCell$1,0002016-10-02
120205Security: <svg:use> elements in the parser can create elements not marked as created by the parser-2016-10-02
120404Heap-buffer-overflow in WebCore::Font::codePath-2016-10-02
120037Heap-use-after-free in WebCore::ContainerNode::resumePostAttachCallbacks$1,0002016-10-02
120007Heap-use-after-free in WebCore::WorkerEventQueue::close-2016-10-02
120403Heap-use-after-free in WebCore::ContainerNode::insertBefore-2016-10-02
120189Heap-use-after-free in WebCore::V8RecursionScope::didLeaveScriptContext-2016-10-02
119926Use after free in v8::internal::IncrementalMarking::Step$1,0002016-10-02
119501Heap-use-after-free in WebCore::SVGStyledElement::buildPendingResourcesIfNeeded$1,0002016-10-02
119429UNKNOWN in v8::Message::GetScriptResourceName$5002016-10-02
120006Heap-use-after-free in WebCore::RenderBlock::finishDelayUpdateScrollInfo-2016-10-02
119525Heap-use-after-free in WebCore::ApplyStyleCommand::applyInlineStyleToNodeRange$1,0002016-10-02
119281Heap-use-after-free in WebCore::GenericEventQueue::~GenericEventQueue$5002016-10-02
119230Heap-use-after-free in WebCore::RenderBlock::splitBlocks-2016-10-02
119150Sandboxed processes should not be able to open other sandboxed processes-2016-10-02
119084Heap-use-after-free in utext_setNativeIndex_46-2016-10-02
118970GPU process crash below DoDrawArrays (Nvidia)$5002016-10-02
119305Heap-use-after-free in WebCore::Node::~Node$1,0002016-10-02
119250GPU, Plugin, and NaCl processes have PROCESS_DUP_HANDLE permission on renderer processes-2016-10-02
118803Heap-use-after-free in WebCore::SVGTextLayoutAttributesBuilder::fillCharacterDataMap-2016-10-02
118784Heap-buffer-overflow in void WTF::Vector<unsigned short, 1024ul>::insert<unsigned short>-2016-10-02
118853Heap-use-after-free in WebCore::InlineFlowBox::deleteLine-2016-10-02
118664Security: Swapped out URL must be a unique origin-2016-10-02
118721Extensions resources can be fetched across incognito-2016-10-02
116162Heap-buffer-overflow in wk_png_inflate-2016-10-02
116128Content scripts should never be run in the webstore isolate-2016-10-02
116093Heap-buffer-overflow in WebCore::SVGDocumentExtensions::removeAnimationElementFromTarget$1,0002016-10-02
116069WebCore::MediaStreamListInternal::itemCallback$5002016-10-02
116224Heap-use-after-free in WebCore::FrameLoader::urlSelected-2016-10-02
115998Heap-use-after-free in WebCore::RenderMenuList::addChild-2016-10-02
115862Heap-use-after-free in WebCore::InlineFlowBox::deleteLine-2016-10-02
115756Heap-use-after-free in WebCore::InlineFlowBox::deleteLine-2016-10-02
115754Heap-use-after-free in WebCore::RenderLayer::addChild$1,0002016-10-02
115695Heap-buffer-overflow in WebCore::StaticNodeList::itemWithName$1,0002016-10-02
115681Heap-use-after-free in WebCore::RenderBox::enclosingFloatPaintingLayer$1,0002016-10-02
115680Heap-use-after-free in WebCore::RenderListItem::updateMarkerLocation-2016-10-02
115807Heap-use-after-free in WebCore::RenderMenuList::addChild-2016-10-02
116027Heap-buffer-overflow in WebCore::InlineFlowBox::addToLine-2016-10-02
115159Security: Setting innerText allows DOMSubtreeModified listeners to cause crashes-2016-10-02
115028Bad cast in splitAnonymousBlocksAroundChild (part 3)$1,0002016-10-02
115003Heap-use-after-free in WebCore::RenderObject::previousInPreOrder-2016-10-02
115299Use-after-free in AudioDeviceThread::Callback::InitializeOnAudioThread$5002016-10-02
115471Heap-buffer-overflow in SkAlphaRuns::add$1,0002016-10-02
114924Bad cast in splitAnonymousBlocksAroundChild$1,0002016-10-02
114911Heap-buffer-overflow in WebCore::Element::setAttribute-2016-10-02
114858Heap-use-after-free in WebCore::RenderTableSection::willBeDestroyed-2016-10-02
114960Heap-use-after-free in WebCore::SVGTextLayoutAttributesBuilder::fillCharacterDataMap-2016-10-02
114219Heap-use-after-free in WebCore::RenderTableSection::nodeAtPoint$1,0002016-10-02
114152Heap-use-after-free in WebCore::InspectorStyleSheet::deleteRule-2016-10-02
114144Crash by clicking the time field of maps.google.com-2016-10-02
114068Heap-use-after-free in WebCore::HTMLElement::isPresentationAttribute$1,0002016-10-02
114056Heap-buffer-overflow in WebCore::previousBoundary$5002016-10-02
114054Heap-buffer-overflow in void WTF::Vector<unsigned short, 0ul>::append<unsigned short>$5002016-10-02
113924[LangFuzz] Crash at v8::internal::HashTable<...>::FindEntry with invalid read$1,0002016-10-02
114342Stack-buffer-overflow at strcpy$1,0002016-10-02
113837Heap-use-after-free in WebCore::Document::unregisterForPageCacheSuspensionCallbacks$1,0002016-10-02
113800Heap-use-after-free in WebCore::RenderBlock::computeOverflow-2016-10-02
113902Heap-use-after-free in WebCore::InlineBox::root$1,0002016-10-02
113799Heap-use-after-free in WebCore::RenderTable::layout-2016-10-02
113801Heap-use-after-free in WebCore::RenderBlock::outlineStyleForRepaint-2016-10-02
113733Security: Flash deployed via component updater runs outside the sandbox-2016-10-02
113755Heap-use-after-free in WebCore::RenderObjectChildList::destroyLeftoverChildren-2016-10-02
113707Heap-use-after-free in WebCore::RenderQuote::placeQuote$1,0002016-10-02
113690Heap-use-after-free in WebCore::RenderButton::removeChild-2016-10-02
113567Heap-use-after-free in WebCore::RenderRegion::setRegionBoxesRegionStyle-2016-10-02
113562Heap-use-after-free in WebCore::NavigationScheduler::schedule-2016-10-02
113730Integer wrap in CSSParser::quoteCSSString() can cause a buffer overflow-2016-10-02
113497Heap-use-after-free in WebCore::InlineFlowBox::computeUnderAnnotationAdjustment$1,0002016-10-02
113496Links in settings page (like learn more, google dashboard) are opened in the webui renderer process-2016-10-02
113439Bad casts due to issues in splitAnonymousBlocksAroundChild$1,0002016-10-02
113415Heap-use-after-free in WebCore::InlineFlowBox::deleteLine-2016-10-02
113258Bad cast in WebCore::RenderBlock::createLineBoxes$1,0002016-10-02
113178Adding a ShadowRoot to a SELECT element causes crashes-2016-10-02
113174Attaching a ShadowRoot to a VIDEO element causes heap-use-after-free-2016-10-02
113160Security: Tracking bug for WK77971 - Replaces the [CheckNodeSecurity] IDL attribute-2016-10-02
113119Security: Report bad translation link uses http://-2016-10-02
112976Heap-use-after-free in vorbis_decode_frame-2016-10-02
112961TCP and UDP IPCs should not be exposed to arbitrary renderers-2016-10-02
112983Browser crash with FTP video source-2016-10-02
125462Security: libxml2 1-byte heap-buffer-overflow in xmlXPtrEvalXPtrPart$1,5002016-10-02
125436Heap-use-after-free in WebCore::HTMLFormControlElement::disabled-2016-10-02
125249Heap-buffer-overflow in seg_to-2016-10-02
125225Domui process can be ptraced from a compromised renderer leading to sandbox escape, take 2-2016-10-02
125159Chrome crashes when pressing back button on a page that is still downloading a big gif image$1,3372016-10-02
125151Heap-use-after-free in WebCore::Node::compareDocumentPosition-2016-10-02
125010Stealing AutoFill data with window.getSelection() before users actually select form contents-2016-10-02
125494Heap-buffer-overflow in WebCore::HTMLTreeBuilder::processEndTag-2016-10-02
125374Heap-use-after-free in WebCore::RenderSVGContainer::paint$1,0002016-10-02
124992Heap-use-after-free in WebCore::swapInNodePreservingAttributesAndChildren-2016-10-02
124923Heap-use-after-free in WebCore::parseToDoubleForNumberType-2016-10-02
124919Heap-use-after-free in WebCore::RenderBlock::addOverflowFromFloats-2016-10-02
124895Heap-use-after-free in WebCore::ScriptController::executeIfJavaScriptURL-2016-10-02
124893Heap-buffer-overflow in WebCore::HTMLOptionElement::selected-2016-10-02
124870Heap-use-after-free in WebCore::InsertParagraphSeparatorCommand::doApply-2016-10-02
124868Heap-use-after-free in WebCore::RenderObject* WebCore::bidiNextShared<WebCore::BidiResolver<WebCore::InlineIterator, WebCor-2016-10-02
124836NSS should reject DH public values equal to one-2016-10-02
125000Heap-buffer-overflow in WTF::VectorMover<false, WebCore::Attribute>::move-2016-10-02
124924Heap-buffer-overflow in WebCore::XPath::sortBlock-2016-10-02
124652Heap-buffer-overflow in SkDashPathEffect::SkDashPathEffect-2016-10-02
124625Chrome: Crash Report - Stack Signature: WebCore::npObjectNamedGetter<WebCore::V8HTM...-2016-10-02
124617Heap-buffer-overflow in WebCore::RenderBlock::createLineBoxes-2016-10-02
124669Heap-use-after-free in WebCore::SVGLength::value-2016-10-02
124530Heap-use-after-free in WebCore::RenderBlock::layoutPositionedObjects-2016-10-02
124594UNKNOWN in v8::internal::MarkCompactCollector::PrepareThreadForCodeFlushing$5002016-10-02
124479Use after free in PDF with corrupt CID font encoding name-2016-10-02
124356Heap-use-after-free in WebCore::GraphicsContext::restore$1,0002016-10-02
124263OOB read with PDF in cell sorting-2016-10-02
124228Security: Component updater parses unauthenticated XML with libxml in the browser process-2016-10-02
124216Security: MSVR:159 - Google Chrome NPAPI Plugin Insecure Loading Elevation of Privilege Vulnerability-2016-10-02
124191OOB read in PDF when parsing / processing text-2016-10-02
124190OOB read, off-by-one in PDF predictor code with specific decode parameters-2016-10-02
124184OOB read with 1bpp image and ICC profile-2016-10-02
124183OOB read in PDF fax codec-2016-10-02
124389Heap-use-after-free in WebCore::TargetListener::clear-2016-10-02
124182Out of bounds write in PDF with sample function with lots of inputs-2016-10-02
124179PDF crash under ASAN with character maps-2016-10-02
123929Out-of-bounds read in PDF with undersized "O" key and revision 3 crypto-2016-10-02
123858Use-after-free in WebPagePopupImpl instance-2016-10-02
123735OOB reads in PDF AES support due to buffer mismanagement-2016-10-02
123733Out-of-bounds reads with bad parameters to PDF "sampled function" function-2016-10-02
123709Breakpad ClientInfo::PopulateCustomInfo() integer wrap leads to heap overflow-2016-10-02
123656OOB read in PDF whilst scanning for "startxref"-2016-10-02
123631Heap-use-after-free in WebCore::GraphicsContext::paintingDisabled-2016-10-02
123544Heap-use-after-free in WebCore::CachedResource::checkNotify-2016-10-02
123530Heap-use-after-free in AutocompleteMatch::AutocompleteMatch-2016-10-02
123484Global-buffer-overflow in WebCore::InlineTextBox::isLineBreak-2016-10-02
123481Security: ERROR: AddressSanitizer heap-buffer-overflow on address 0x7fde15ff9890 at pc 0x7fde364c5034$1,0002016-10-02
123105Heap-buffer-overflow in Color32_SSE2-2016-10-02
123054Security: renderer can grant itself read permissions to arbitrary files-2016-10-02
123029OOB write in SkARGB32_Black_Blitter::blitAntiH -> sk_memset32_SSE2$1,0002016-10-02
123012Chrome: Crash Report - Stack Signature:WebCore::V8BindingPerContextData::constructorForType(WebCore::WrapperTypeInfo *)-2016-10-02
122925Security: Autofill info can be captured by innocuous social engineering$1,0002016-10-02
122865Heap-use-after-free in SkCanvas::internalDrawBitmapRect-2016-10-02
122760Heap-use-after-free in WebCore::RenderTable::computePreferredLogicalWidths-2016-10-02
122692UNKNOWN in /lib/libc-2.11.1.so+Unknown-2016-10-02
122681[LangFuzz] CHECK(fixed_size + height_in_bytes == input_frame_size) failed or crash with invalid read$5002016-10-02
122654Chrome: Crash Report: SocketStreamDispatcherHost::CancelSSLRequest-2016-10-02
122586Global-buffer-overflow in HB_TibetanShape-2016-10-02
122585Security: stack-buffer-overflow in WebCore::GlyphPage::fill with surrogate characters$5002016-10-02
122573Heap-use-after-free in WebCore::CachedRawResource::didAddClient-2016-10-02
122854Security: Potential (racy) use after free error in DownloadResourceHandler::OnResponseCompletedInternal-2016-10-02
122503Heap-buffer-overflow in erode-2016-10-02
122337[LangFuzz] Crash on heap with invalid write (32 bit only).$1,0002016-10-02
122208GCing a node observed by a WebKitMutationObserver can cause an invalid HashSet iterator-2016-10-02
122029Heap-buffer-overflow in WebCore::InlineFlowBox::addToLine-2016-10-02
122014Heap-use-after-free in WorkerEventQueue::close-2016-10-02
121968Heap-use-after-free in WebCore::GraphicsLayer::willBeDestroyed-2016-10-02
122562Heap-use-after-free in ModuleSystem::LazyFieldGetter$1,0002016-10-02
112847Bad cast in addChildToAnonymousColumnBlocks$1,0002016-10-02
112833Heap-use-after-free in webkit_media::BufferedResourceLoader::Start$1,0002016-10-02
112822Security: Heap-buffer-overflow in png_decompress_chunk$1,3372016-10-02
112814Safe Browsing client doesn't always check for MAC field in response-2016-10-02
112775Heap-use-after-free in WebCore::Node::traverseNextNode-2016-10-02
112764Heap-use-after-free in RendererAccessibility::SendPendingAccessibilityNotifications-2016-10-02
112738Security: User Interface - infobar confusion, spamming, and spoofing-2016-10-02
112735Bad cast in FormSubmission::create-2016-10-02
112694Heap-use-after-free in WebCore::Node::normalize-2016-10-02
112670avcodec_53!ff_h264_get_profile - crash$5002016-10-02
112451X509UserCertResourceHandler::OnResponseCompleted crash-2016-10-02
112443[Mac] Regular SSL certificate incorrectly displayed with EV color badge-2016-10-02
112542Heap-use-after-free in WebCore::TextIterator::rangeFromLocationAndLength-2016-10-02
112411Heap-use-after-free in WebCore::SVGUseElement::expandSymbolElementsInShadowTree$1,0002016-10-02
112391Heap-use-after-free in ExtensionHost-2016-10-02
112339Security: chrome allows TDR looping leading to win7 OS crash through page refresh html tag + WebGL-2016-10-02
112325Security: Copy-paste preserves <embed> tags containing active content-2016-10-02
112317Heap-buffer-overflow in WebCore::Font::codePath$5002016-10-02
112259Heap-use-after-free in WebCore::EventTarget::dispatchEvent$5002016-10-02
112236Security: Chrome translation script downloaded over HTTP-2016-10-02
112212Heap-use-after-free in WebCore::ContainerNode::appendChild$2,0002016-10-02
112151Heap-use-after-free in WebCore::RenderRegion::setRegionBoxesRegionStyle$1,0002016-10-02
112093Heap-use-after-free in WebCore::Node::dispatchSubtreeModifiedEvent-2016-10-02
112055Heap-buffer-overflow in WebCore::CSSParser::lex-2016-10-02
111779Heap-use-after-free in WebCore::SubframeLoader::loadSubframe$1,0002016-10-02
111748Heap-use-after-free in WebCore::SVGElement::removedFromDocument$1,0002016-10-02
111656Security: Accessibility bad cast-2016-10-02
111575Security: NaCl dynamic code modification allows direct calls inside existing super instructions.-2016-10-02
111491AddressSanitizer reports a heap-use-after-free in icu_46::RuleBasedBreakIterator::handleNext in DownloadTest.CrxLargeTheme (browser_tests) on Chrome OS-2016-10-02
111088Heap-use-after-free in WebCore::FrameLoader::checkTimerFired-2016-10-02
111467Heap-buffer-overflow in WebCore::SVGSVGElement::currentViewBoxRect$1,0002016-10-02
110849Heap-buffer-overflow in matroska_parse_block-2016-10-02
110764Heap-use-after-free in WebCore::DocumentLoader::detachFromFrame$1,0002016-10-02
110723Heap-use-after-free in WebCore::RenderSVGResourceContainer::markAllClientsForInvalidation-2016-10-02
111342Heap-use-after-free in AudioDevice::FireRenderCallback-2016-10-02
110559Heap-buffer-overflow in GPU ShaderTranslator-2016-10-02
110374Heap-use-after-free in WebCore::EventHandler::mouseMoved$1,0002016-10-02
110360Heap-use-after-free in WebCore::GraphicsContext::paintingDisabled-2016-10-02
110277Heap-buffer-overflow in xsltCompilePatternInternal$5002016-10-02
110172Heap-buffer-overflow in SkAlphaRuns::add$1,0002016-10-02
110545Security: AssociatedURLLoader exposes non-whitelisted response headers when loading with access control (CORS)-2016-10-02
110076Heap-use-after-free in WebCore::CompositeEditCommand::ensureComposition-2016-10-02
109743Heap-use-after-free in WebCore::CSSStyleSelector::matchRulesForList$1,0002016-10-02
109717Security: crash when viewing a certificate without issuer signature-2016-10-02
109716Heap-use-after-free in xsltParseGlobalVariable$1,0002016-10-02
109691Security: Losing user-set pin data on HSTS header receipt-2016-10-02
110112Heap-use-after-free in WebCore::FrameView::forceLayoutParentViewIfNeeded$1,0002016-10-02
109912Security: read sandbox escape: NaCl validator for x86-64 allow REP string instructions to have out-of-bound source addresses-2016-10-02
109623Chrome: Crash Report - Stack Signature: WebKit::WebMediaPlayerClientImpl::loadInter...-2016-10-02
109574Potential XSS attack with [0x8E][0xE3] in EUC-JP page$5002016-10-02
109556Heap-buffer-overflow in WebCore::HTMLTreeBuilder::HTMLTreeBuilder$1,0002016-10-02
109411Regression: Crash in WebCore::DynamicSubtreeNodeList::length()-2016-10-02
109245Security: Chrome Drag Spoofing-2016-10-02
109664safe_browsing::SignatureUtil::CheckSignature() - crash-2016-10-02
109094Possible wild read in internal PDF-reader-2016-10-02
108958Heap-use-after-free in WebCore::RenderBlock::determineStartPosition-2016-10-02
129158Heap-use-after-free in WebCore::AccessibilityObject::getAttribute-2016-10-02
129191UNKNOWN in WebCore::HTMLDocumentParser::prepareToStopParsing$1,0002016-10-02
128971Heap-use-after-free in WebCore::InlineBox::deleteLine-2016-10-02
128711Run-in UAF crashes relating to generated content and inline line box tree not clearing.-2016-10-02
128704Crash when opening and closing chrome://chrome-2016-10-02
128688Heap-buffer-overflow in gpu::gles2::GLES2Implementation::TexSubImage2DImpl-2016-10-02
128800Use after free in WebCore::SVGTextLayoutAttributesBuilder::fillCharacterDataMap-2016-10-02
128597RenderViewImpl's shared_popup_counter_ isn't incremented properly-2016-10-02
128498Heap-buffer-overflow in WebCore::CSSSelector::specificityForOneSelector-2016-10-02
128497CachedImage does not clear the ImageObserver pointer when dropping its Image ref-2016-10-02
128458Security: NTP Promo data is downloaded via HTTP, but then rendered on the NTP-2016-10-02
128665Heap-use-after-free in WebCore::Node::isInShadowTree-2016-10-02
128342Heap-buffer-overflow in WebCore::SVGUseElement::instanceForShadowTreeElement-2016-10-02
128336Heap-buffer-overflow in WebCore::SubframeLoader::createJavaAppletWidget-2016-10-02
128256tabs permission exploit on the Chrome RSS Extension-2016-10-02
128204Assertion failure (toRenderBox() called on a RenderInline) beneath RenderBlock::blockBeforeWithinSelectionRoot()-2016-10-02
128178Heap-use-after-free in fileapi::FileSystemOperation::DidGetUsageAndQuotaAndRunTask$3,1332016-10-02
128163Heap-buffer-overflow in GIFImageReader::read-2016-10-02
128159Heap-use-after-free in WTF::HashMap<int, WTF::RefPtr<WebCore::CalculationValue>, WTF::IntHash<unsigned int>, WTF::HashTrait-2016-10-02
128157Heap-use-after-free in WebCore::HTMLFormControlElement::disabled-2016-10-02
128151Heap-use-after-free in WebKit::MainThreadFileSystemCallbacks::didSucceed-2016-10-02
128146UNKNOWN in v8::internal::DescriptorArray::Set-2016-10-02
128018[LangFuzz] Crash in v8::internal::ShortCircuitConsString with invalid read$1,0002016-10-02
127889Use after free in WebCore::Font::characterRangeCodePath / WebCore::Font::codePath-2016-10-02
127764Heap-use-after-free in WebCore::RenderBlock::xPositionForFloatIncludingMargin-2016-10-02
127701Heap-use-after-free in WebCore::RenderObject::repaint-2016-10-02
127648Out of bounds read in WebCore::Region::Shape::compareShapes-2016-10-02
127624Security: pepper plugins - protect plugin's data files from other plugins and the renderer itself.-2016-10-02
127525Dragging a file into a web renderer exposes the file: scheme$5002016-10-02
127522Security: Chrome Allows "Carpet Bomb" from File Download-2016-10-02
127727Heap-use-after-free in WebCore::ContextDestructionObserver::contextDestroyed-2016-10-02
127449PPAPI processes hold privileged process handles-2016-10-02
127418Heap-use-after-free in WebCore::SVGTextLayoutEngine::layoutTextOnLineOrPath$1,0002016-10-02
127417Security: Arbitrary memory read in libxslt$5002016-10-02
127371Heap-use-after-free in WebCore::AXObjectCache::postNotification-2016-10-02
127368Heap-use-after-free in WebCore::SVGAnimatedLengthAnimator::resetAnimValToBaseVal-2016-10-02
127367Heap-use-after-free in WebCore::ApplyStyleCommand::joinChildTextNodes-2016-10-02
127366Heap-use-after-free in WebCore::ReplaceSelectionCommand::performTrivialReplace-2016-10-02
127424Heap-use-after-free in WebKit::WebPagePopupImpl::closePopup$1,0002016-10-02
127234Heap-use-after-free in WebCore::SVGPropertyTearOff<WebCore::FloatRect>::commitChange-2016-10-02
126723Heap-use-after-free in WebCore::RenderBlock::checkFloatsInCleanLine-2016-10-02
126652Heap-buffer-overflow in bool WebCore::Region::Shape::compareShapes<WebCore::Region::Shape::CompareIntersectsOperation>-2016-10-02
126475Heap-use-after-free in WebCore::InlineBox::root-2016-10-02
126414[LangFuzz] Crash on heap with invalid read from random address (32 bit)$5002016-10-02
126406Heap-use-after-free in WebCore::RenderBlock::addChildIgnoringAnonymousColumnBlocks-2016-10-02
126343OOB write in PDF character code mapping-2016-10-02
126337Stack buffer overflow in character range parsing-2016-10-02
126296Security: Browser crash document.createEvent("MouseEvents").initMouseEvent in background tab$1,0002016-10-02
125730Heap-use-after-free in WebCore::Document::nodeChildrenWillBeRemoved-2016-10-02
126105Global-buffer-overflow in RgnOper::addSpan-2016-10-02
126074Heap-use-after-free in WebCore::SpellChecker::didCheckSucceeded-2016-10-02
126048Heap-use-after-free in SpeechRecognitionManagerImpl::DispatchEvent$1,0002016-10-02
126040Heap-use-after-free in WebCore::ContainerNode::insertBefore-2016-10-02
126015Heap-use-after-free in WebCore::HTMLFormControlElement::disabled-2016-10-02
125921Heap-buffer-overflow in WebCore::FontCache::releaseFontData-2016-10-02
125919Heap-buffer-overflow in WebCore::SVGAnimatedPointListAnimator::calculateAnimatedValue$5002016-10-02
125821The Linux setuid sandbox has become (even more) insanely complex-2016-10-02
126075Stack-buffer-overflow in SuggestMgr::forgotchar_utf-2016-10-02
125563Heap-use-after-free in WebCore::RenderBlock::determineStartPosition-2016-10-02
125557Heap-use-after-free in WebCore::AudioParam::disconnect-2016-10-02
125555Heap-use-after-free in WTF::HashMap<int, WTF::RefPtr<WebCore::CalculationValue>, WTF::IntHash<unsigned int>, WTF::HashTrait-2016-10-02
125529Heap-use-after-free in WebCore::HTMLLinkElement::setCSSStyleSheet-2016-10-02
125515[LangFuzz] Crash on heap with invalid write to random address$1,0002016-10-02
108918Heap-use-after-free in WebCore::RenderTableSection::rowLogicalHeightChanged-2016-10-02
108901Heap-buffer-overflow in compute_pos_tan$5002016-10-02
108894Heap-use-after-free in WebCore::HTMLCollection::length-2016-10-02
108871IndexedDB with autoincrement fails on object put and crashes chrome$1,0002016-10-02
108605Use of uninitialized value in SkAlphaRuns::Break$1,0002016-10-02
108798Heap-use-after-free in WebCore::(anonymous namespace)::AllowFileSystemMainThreadBridge::signalCompleted-2016-10-02
108695Heap-use-after-free in WebKit::WebFrameImpl::viewImpl$1,0002016-10-02
108648Security: Malicious extension could avoid being blacklisted via extension blacklist-2016-10-02
108476Heap-buffer-overflow in WebCore::Font::codePath$5002016-10-02
108544Heap-use-after-free in SubresourceLoader::didFinishLoading$1,0002016-10-02
108579Heap-buffer-overflow in void WTF::Vector<WTF::RefPtr<WebCore::TextTrack>, 0ul>::insert<WTF::RefPtr<WebCore::TextTrack> >-2016-10-02
108461Heap-use-after-free in WebCore::HTMLInputElement::copyNonAttributeProperties-2016-10-02
108416Global-buffer-overflow in render_line$5002016-10-02
108071Browser process heap-use-after-free with indexeddb cursors$3,1332016-10-02
108037Heap-buffer-overflow in WebCore::SVGLength::valueAsString$1,0002016-10-02
108006Stack-buffer-overflow in HB_MyanmarShape-2016-10-02
108267Heap-use-after-free in WebCore::RenderBlock::selectionGaps-2016-10-02
108207Heap-use-after-free in WebCore::RenderTable::borderBefore$1,0002016-10-02
107758Heap-use-after-free in WebCore::RenderRegion::offsetFromLogicalTopOfFirstPage$1,0002016-10-02
107565Security: dragging a file URL between two http-spawned windows goes remote->local-2016-10-02
107873Heap-use-after-free in WebCore::DatabaseTracker::interruptAllDatabasesForContext-2016-10-02
107616UXSS in v8 bindings npCreateV8ScriptObject()-2016-10-02
107939Heap-buffer-overflow in WebCore::RenderBlock::layoutRunsAndFloatsInRange-2016-10-02
107258Freed m_renderer used in InlineBox::deleteLine-2016-10-02
107244Heap-use-after-free in DatabaseObserver$1,0002016-10-02
107376Memory corruption crash in ExtensionPrefs::MigrateAppIndex.-2016-10-02
107128Heap-buffer-overflow in xmlStringLenDecodeEntities$4,0002016-10-02
107277Heap-use-after-free in WebCore::RenderTextFragment::willBeDestroyed-2016-10-02
107182Heap use after free with malware blocking page$3,1332016-10-02
106672Security: Crash in requestAnimationFrame when removing a frame$1,0002016-10-02
106671Heap-use-after-free in WebCore::InlineFlowBox::deleteLine-2016-10-02
106577Heap-buffer-overflow in SkAAClipBlitter::blitAntiH$5002016-10-02
107032Sad tab when visiting https://code.google.com and --no-displaying-insecure-content-2016-10-02
106441Stack-buffer-overflow in _canonicalize$1,0002016-10-02
106419Global-buffer-overflow in SkFileDescriptorStream::read-2016-10-02
106413Heap-use-after-free in WebCore::RenderBlock::checkFloatsInCleanLine-2016-10-02
106340Heap-use-after-free in WebCore::RenderTable::outerBorderAfter$3,0002016-10-02
106336Heap-use-after-free in WebCore::CounterNode::insertAfter$5002016-10-02
106334Security: Popupblocker is ignored, downloads are invisible-2016-10-02
106484Heap-use-after-free in WebCore::RenderObject::childAt$1,0002016-10-02
106309Heap-buffer-overflow in WebCore::InlineFlowBox::addToLine (regions issue)-2016-10-02
106165Heap-buffer-overflow in safe_browsing protocol parser-2016-10-02
105867Use after free in V8HTMLElementWrapperFactory.cpp$1,0002016-10-02
105803PDF missing integer validation for Flate / LZW / Fax prediction codes and other parameters-2016-10-02
106200Heap-use-after-free in WebCore::InlineBox::deleteLine$5002016-10-02
106316Heap-buffer-overflow in WebCore::HTMLTreeBuilder::processEndTag-2016-10-02
105482Security: CSP connect-src and script-src not enforced on workers-2016-10-02
105459Use-after frees and bad casts with -webkit-column-span$2,0002016-10-02
105714Nasty looking INVALID_POINTER_READ in internal PDF-reader$5002016-10-02
134123Heap-use-after-free in WebCore::VisibleSelection::rootEditableElement-2016-10-02
105162Stack-buffer-overflow in base::files::(anonymous namespace)::InotifyReaderTask::Run-2016-10-02
134305Heap-use-after-free in WebCore::RenderObject::absoluteBoundingBoxRect-2016-10-02
133725Security: public chromium site is leaking internal Google DNS names-2016-10-02
134088Use-after-free: LabelsNodeList isn't updated properly after its owner node is adopted into a new document-2016-10-02
133892Heap-use-after-free in WebCore::RenderListItem::updateMarkerLocation-2016-10-02
133288Heap-buffer-overflow in WebCore::CSPSourceList::parseSource-2016-10-02
133571Heap-use-after-free in SkARGB32_Black_Blitter::blitAntiH$1,0002016-10-02
133418Heap-use-after-free in WebCore::RenderBlock::layoutPositionedObjects-2016-10-02
134101Security: webRequest API allows extensions to XSS chrome.google.com and gain access to webstorePrivate API$2,0002016-10-02
133214UNKNOWN in WebCore::RenderTableSection::addCell$1,0002016-10-02
133196Heap-use-after-free in WebCore::RenderInline::willBeDestroyed-2016-10-02
132806ChromeContentBrowserClient::AllowSocketAPI using allowed_socket_origins_ without scheme check-2016-10-02
132779Security: WebM heap-buffer-overflow in matroskadec.c:matroska_parse_block()$1,0002016-10-02
132699Update Java version metadata for Jun 2012 CPU-2016-10-02
132690Heap-use-after-free in WebCore::RenderSVGModelObject::checkIntersection-2016-10-02
132890Crash when using Web Audio + media element with no audio or when user navigates-2016-10-02
131969Heap-use-after-free in WebCore::AccessibilityObject::getAttribute-2016-10-02
132396Heap-use-after-free in WebCore::RenderBlock::layoutRunsAndFloats-2016-10-02
132398Global-buffer-overflow in D_Clear_BitmapXferProc-2016-10-02
132203UAF in ValueStoreFrontend::Backend::Get-2016-10-02
132019Heap-use-after-free in WebCore::InlineFlowBox::deleteLine-2016-10-02
132270Global-buffer-overflow in WebCore::mediaControlElementType-2016-10-02
131968Heap-use-after-free in WebCore::AccessibilityTable::isDataTable-2016-10-02
132241Heap-use-after-free in WebCore::DocumentThreadableLoader::cancel-2016-10-02
131934Heap-use-after-free in WTF::Vector<WebCore::Attribute, 0ul>::~Vector-2016-10-02
131348Security: Use-after-free in safe_browseing::DownloadProtectionService found by Valgrind-2016-10-02
131347heap-use-after-free in DictionaryValue while closing chrome, requires extension.-2016-10-02
131087UAF due to Document::removePendingSheet re-entering JavaScript during Document cleanup-2016-10-02
130927Heap-use-after-free in WebCore::CompositeEditCommand::breakOutOfEmptyListItem-2016-10-02
130824Security: Linux crash report generation code reads past the end of an unterminated string buffer.-2016-10-02
130802Heap-buffer-overflow in void WTF::Vector<unsigned short, 0ul>::append<unsigned short>-2016-10-02
130743Chromium is no more asking you for permissions to run WMP plugin via the Infobar. Is it intentional?-2016-10-02
130723Use after free after setting -webkit-line-clamp to none-2016-10-02
130722Heap-use-after-free in WebCore::InsertParagraphSeparatorCommand::doApply-2016-10-02
130595Heap-use-after-free in WebCore::RenderBlock::layoutBlockChildren$1,0002016-10-02
130356Heap-use-after-free in WebCore::SVGDocumentExtensions::removeAllElementReferencesForTarget$1,0002016-10-02
130276Chrome attempts to load metro_driver.dll when Metro is not supported-2016-10-02
130241[crash] WebCore::RenderStyle::fontMetrics(void)+0xa-2016-10-02
130240Heap-buffer-overflow WRITE in read_markers third_party/libjpeg_turbo/jdmarker$1,0002016-10-02
130237Heap-use-after-free in WebCore::RenderObject::arenaDelete-2016-10-02
130235Heap-use-after-free in WebCore::HTMLElement::adjustDirectionalityIfNeededAfterChildrenChanged-2016-10-02
130369Heap-use-after-free in WebCore::RenderBlock::layoutPositionedObjects$1,0002016-10-02
129826Chrome_Mac: Zombie <DownloadItemController: 0x1f1e6fd0> received -handleReveal: (via -performSelector:withObject:)-2016-10-02
129947Heap-use-after-free in WebCore::RenderObject::setStyle$1,0002016-10-02
129942UNKNOWN in v8_i18n::IntlNumberFormat::JSInternalFormat$1,0002016-10-02
129936Heap-use-after-free in WebCore::InlineTextBox::nodeAtPoint-2016-10-02
129930Security: libxml2 growBuffer integer overflow on 64-bit machines$3,0002016-10-02
129898Heap-use-after-free in WebCore::CounterNode::lastDescendant$1,0002016-10-02
129890Heap-use-after-free in WebCore::cancelAll-2016-10-02
129951UNKNOWN in v8::Function::Call$1,0002016-10-02
129394Heap-use-after-free in WebCore::AccessibilityTable::isDataTable-2016-10-02
129569Heap-use-after-free in WebCore::RenderLayer::updateCompositingLayersAfterScroll-2016-10-02
129396Heap-buffer-overflow in WebCore::RenderTable::colElement-2016-10-02
129357Heap-buffer-overflow in WebCore::RenderProgress::isDeterminate-2016-10-02
129301Heap-use-after-free in WebCore::AXObjectCache::postPlatformNotification-2016-10-02
129299Run-in UAFs part 2-2016-10-02
129360Heap-use-after-free in WebCore::InlineFlowBox::removeChild-2016-10-02
105143Cross-origin drag-and-drop prevention ineffective-2016-10-02
105157Heap-use-after-free in WebCore::InlineFlowBox::removeChild-2016-10-02
105133Heap-use-after-free in WebCore::RenderObject::isDescendantOf-2016-10-02
105012Global-buffer-overflow in WebCore::RenderFlexibleBox::mainAxisBorderAndPaddingExtentForChild-2016-10-02
104935Security: HSTS "cookies" do not obey expected policy.-2016-10-02
104863Heap-use-after-free in WebCore::SubresourceLoader::didFail$1,0002016-10-02
104859Heap-use-after-free in WebCore::InlineFlowBox::computeOverAnnotationAdjustment$1,0002016-10-02
104617Heap-use-after-free in WebCore::CSSImageGeneratorValue::addClient-2016-10-02
104529PDF-reader tab-crash with editable crash address.$2,0002016-10-02
104959Nasty looking crash on internal pdf-reader$5002016-10-02
104461Security: chrome://workers/ crash-2016-10-02
104325Heap-use-after-free in WebCore::RenderBlock::determineStartPosition-2016-10-02
104315Heap-use-after-free WebCore::RenderObject::container-2016-10-02
104272Security: Directory traversal in extension docs-2016-10-02
104266Heap-use-after-free in WebCore::nextBreakablePosition-2016-10-02
104466Schema check on navigations to chrome/file schemas should be avoided-2016-10-02
104317Stale RenderObject in RenderBlock::addChildIgnoringAnonymousColumnBlocks()-2016-10-02
104056Crash with PDF at bad IP$1,0002016-10-02
104223Security: MHTML can be used to steal cookies-2016-10-02
103867Security: chrome.test.resetQuota extension API exposed to all extensions-2016-10-02
103750minor self-inflicted xss on chrome://tracking2-2016-10-02
103738Security: out of bounds array access in WebCore::RenderTableSection::rowLogicalHeightChanged-2016-10-02
104011v8_i18n::BCP47ToICUFormat() - crash$1,0002016-10-02
104151Bad cast in WebCore::RenderThemeMac::paintMediaToggleClosedCaptionsButton-2016-10-02
103921Use-after-free in DOM Range$1,0002016-10-02
103239Security: INVALID_POINTER_READ/WRITE_EXPLOITABLE_chrome!SkRgnBuilder::blitH$1,0002016-10-02
103259[LangFuzz] Crash at v8::internal::WriteQuoteJsonString with invalid write$1,0002016-10-02
102810Security: buffer overflow in link prefetching$1,0002016-10-02
103630Security: iFrame SandBox Unique Origin not enforced in extensions-2016-10-02
103126Heap-use-after-free in WebCore::RenderTextFragment::styleDidChange-2016-10-02
103244Pinning checks aren't enforced in the case of a minor error.-2016-10-02
103058Security: missing xslt import causes crash w/preloading$1,0002016-10-02
102037Security: Use after free in CSSStyleDeclarationInternal::parentRuleAttrGetter-2016-10-02
101900Security: bug rendering web pages with flash content-2016-10-02
101835Exit full screen button crashes browser-2016-10-02
101779OOB read with corrupt PDF; possible stability issue too-2016-10-02
101624Security: buffer overrun leading to heap corruption in ANGLE shader translator-2016-10-02
102242ZDI-CAN-1416: WebKit ContentEditable swapInNode Use-After-Free Remote Code Execution Vulnerability-2016-10-02
101901Security: scrolling web with flash content rendering bug-2016-10-02
102628Security: Adobe regions use-after-free with multiple region css thingies$1,0002016-10-02
102461Failure to infobar JRE7-2016-10-02
102359Use-after-free in SVG renderer$1,0002016-10-02
101446Use after free in TextTrack::~TextTrack-2016-10-02
101235Security: Location bar spoofing when using replaceState in unload event handler-2016-10-02
101205Security: marketplace-2016-10-02
101172Seeking on webm 1080p video causes crash-2016-10-02
101580Heap-use-after-free in WebCore::RenderObject::enclosingLayer-2016-10-02
101548Test: ABCD-2016-10-02
101494OOB read in media::ScaleYUVToRGB32-2016-10-02
101458OOB read in WebM/vorbis vorbis_decode_frame()$1,0002016-10-02
101018Use after free in fullscreen unwraprenderer-2016-10-02
101010Security: css/CSSParser.cpp memory corruption bug-2016-10-02
100958Heap-use-after-free WebCore::RenderBlock::layoutPositionedObjects-2016-10-02
100879Problem with full-screen infobar permission prompt-2016-10-02
100863OOB read in SVG at WebCore::parseArcFlag-2016-10-02
100543OOB read in WebM/vorbis at render_line()$5002016-10-02
101065Use after free with counters and inline-table and :before content-2016-10-02
101127BlackBerry®-2016-10-02
101136Security: Search terms hijacked to return only one site for search terms-2016-10-02
138210Information and credential disclosure by file:// URLs (Android)$5002016-10-02
138035Security: Google Chrome for Android: Current-tab cross-application scripting (UXSS)$5002016-10-02
138012Heap-buffer-overflow in WebCore::FontCache::releaseFontData-2016-10-02
137912Heap-buffer-overflow in WebCore::DelayDSPKernel::process-2016-10-02
137891Security: HTTPS proxy can run JavaScript on requested HTTPS sites-2016-10-02
137852Heap-use-after-free in WebKit::WebElement::document-2016-10-02
137778Heap-use-after-free in webkit::ppapi::PPB_URLLoader_Impl::FillUserBuffer-2016-10-02
138208Crash in SkGlyphCache::findImage$1,0002016-10-02
100492Use after free in WebM/matroska at matroska_execute_seekhead()$3,0002016-10-02
100465OOB read in OGV at unpack_vlcs$5002016-10-02
100464Use-after-free in WebM at decode_mb_mode$1,0002016-10-02
100459Use after free in RenderDeprecatedFlexibleBox::layoutHorizontalBox(bool) [and first-letter]-2016-10-02
100447ClusterFuzz Account Check.-2016-10-02
100322Security: Calling arbitrary V8 native functions from JavaScript-2016-10-02
138196Stack-buffer-overflow in NPObjectProxy::NPNEvaluate-2016-10-02
138192Heap-buffer-overflow in WebCore::HTMLInputElement::dataList-2016-10-02
100526Use after free in floats and first-letter-2016-10-02
137623Heap-buffer-overflow in WebPluginDelegateProxy::BackgroundChanged-2016-10-02
137532Security: Android APIs exposed to JavaScript$5002016-10-02
137471Heap-use-after-free in WebCore::Element::cloneElementWithoutChildren-2016-10-02
137413Heap-buffer-overflow in WebCore::RenderTableSection::setCellLogicalWidths-2016-10-02
137409Heap-use-after-free in WebCore::RenderObject::container-2016-10-02
137407Security: Chrome for iOS security bug-2016-10-02
137364Heap-use-after-free in WebCore::CSSFontSelector::beginLoadTimerFired-2016-10-02
137707Security: Chrome extensions bug cause crash in all Chrome processes$5002016-10-02
137671Security: Bad cast in WebCore::CalendarPickerElement::hostInput()$2,0002016-10-02
137541Reproduceable crash. Changing tabs while a specific text field has focus.-2016-10-02
137233Heap-buffer-overflow in WebCore::RenderBlock::handleTrailingSpaces-2016-10-02
137125UNKNOWN in WebCore::StylePropertySet::addParsedProperties$1,0002016-10-02
137208Security: Mouse lock permission and iframe on different host-2016-10-02
137174UNKNOWN in WebCore::SVGAnimationElement::currentValuesForValuesAnimation-2016-10-02
137147UNKNOWN in WebCore::RenderTable::cellBefore-2016-10-02
137303Corrupted rendering with many MapsGL tabs open-2016-10-02
137052Heap-use-after-free in WebCore::EllipsisBox::paint-2016-10-02
137363Heap-use-after-free in WebCore::RenderBlock::removeChild-2016-10-02
137362Heap-buffer-overflow in WebCore::CCLayerTreeHostImpl::CullRenderPassesWithNoQuads::shouldRemoveRenderPass-2016-10-02
137232UNKNOWN in WebCore::ElementAttributeData::addAttribute-2016-10-02
136497Security: XSS via Copy&Paste protection bypass using @formaction / General Iframe Sandbox Considerations regarding copy&paste / drag&drop-2016-10-02
136881Security: race condition with workers and sync xmlhttprequests$5002016-10-02
136894Heap-buffer-overflow in UpsampleBgraLinePairSSE2$1,0002016-10-02
136952Heap-use-after-free in WebCore::RenderLineBoxList::dirtyLinesFromChangedChild-2016-10-02
136226Heap-use-after-free in WebCore::RenderBlock::checkFloatsInCleanLine-2016-10-02
136182Heap-use-after-free in WebCore::ImageLoader::updateRenderer-2016-10-02
136344Heap-use-after-free in WebCore::FrameLoader::stopAllLoaders-2016-10-02
136116Heap-use-after-free in WebCore::RenderLayer::enclosingFilterLayer-2016-10-02
136046Bad intersection of injected HTTP headers leads to Content Security Policy (CSP) Bypass-2016-10-02
136296Heap-use-after-free in WebCore::SVGSMILElement::resetTargetElement-2016-10-02
136235Heap-use-after-free in WebCore::StyleResolver::collectMatchingRulesForList$1,0002016-10-02
136145Security: Heap-buffer-overflow on TextFieldDecorationElement::defaultEventHandler-2016-10-02
135697Heap-use-after-free in WebCore::RenderLayer::repaintBlockSelectionGaps-2016-10-02
135658Turn off <iframe> seamless for m21-2016-10-02
135595Heap-use-after-free in WebCore::ImageLoader::notifyFinished-2016-10-02
135705Heap-buffer-overflow in WebCore::TextIterator::handleTextBox-2016-10-02
135432Heap-buffer-overflow in skia::BGRAConvolve2D$1,0002016-10-02
135698Heap-use-after-free in WebCore::HTMLInputElement::isPresentationAttribute-2016-10-02
135485SPDY - Pushed stream - crash accessing https://jetty.intalio.com:10111/spdy-2016-10-02
135071Heap-buffer-overflow in void WTF::Vector<unsigned short, 1024ul>::append<unsigned short>-2016-10-02
134897Bad cast with run-ins and <input>$1,0002016-10-02
135173Heap-use-after-free in WebCore::RenderQuote::rendererRemovedFromTree-2016-10-02
135043Heap-use-after-free in media_stream::$3,1332016-10-02
134429Heap-use-after-free in WebCore::Document::clearNodeListCaches-2016-10-02
134639Heap-use-after-free in WebCore::RenderObject::destroyAndCleanupAnonymousWrappers-2016-10-02
134428Heap-buffer-overflow in WebCore::SVGDocumentExtensions::removeAnimationElementFromTarget-2016-10-02
134519Security: memory address disclosure through JavaScript in WebUI's cookies page-2016-10-02
134402Heap buffer overflows in WebCore::CSSParser::lex-2016-10-02
134324Heap-use-after-free in WebCore::RenderBlock::layoutPositionedObjects-2016-10-02
134325Security: Use after free with mouse lock and window.open$1,0002016-10-02
100177Use after free in first-letter container destruction handling.-2016-10-02
100149Use after free in AX Scrollbars-2016-10-02
99991Use after free in ImageBuffer::toDataURL-2016-10-02
100059Generic fix: Register custom fonts at creation time, rather than retire time.$1,3372016-10-02
99652OOB read in vp8_decode_frame$1,0002016-10-02
99732Use after free in table parts.-2016-10-02
99603Use after free due to flexible box not laying some of its children.-2016-10-02
99597Use after free in tables, float, :after content-2016-10-02
99840Windows OpenGL performance drops by 2/3 with GPU sandbox on-2016-10-02
99880Use after free in table :before, :after content.$1,0002016-10-02
99901BinScope reports SafeSEH not supported on video DLLs-2016-10-02
99615Heap-use-after-free in WebCore::GraphicsContext::paintingDisabled-2016-10-02
99465Security: AccessibilityImageMapLink holds onto it's parent even after it's been freed-2016-10-02
99348Use after free in tables-2016-10-02
99338Use after free in RenderTableSection::splitColumn-2016-10-02
99596Use after free in media::FFmpegDemuxerStream::Read-2016-10-02
99553repeatedly re-setting video.src crashes in WebCore::VideoLayerChromium::updateCompositorResources-2016-10-02
99480OOB read in media::ScaleYUVToRGB32-2016-10-02
99294Use after free with :after in display table and :first-letter$1,0002016-10-02
99167[LangFuzz] Crash on Heap involving GC (invalid write)$1,0002016-10-02
99104WebKit: invalid cast in WebCore::toRenderBlock / WebCore::RenderBlock::blockSelectionGaps-2016-10-02
99016Security: HTTPS Address Bar Spoofing Using View-source And Redirection$1,0002016-10-02
99003changing proxy-2016-10-02
99229WebKit: Use after free in ~Node because ~HTMLLinkElement triggers script execution-2016-10-02
99211Heap buffer overflow in Webaudio FFTFrame::doFFT$2,0002016-10-02
99138Use-after-free with plugin and editing$1,0002016-10-02
98556Use after free with first-letter$1,0002016-10-02
98262Chrome 16 crash when resizing window-2016-10-02
98161Bug 68816 - Rapidly refreshing a feMorphology[erode] with r=0 can sometimes cause display corruption-2016-10-02
98773[LangFuzz] Crash at v8::Object::SlowGetPointerFromInternalField with invalid read$1,0002016-10-02
98809Renderer crash with PDF at isalnum$5002016-10-02
98582Security: invalid memory reference to window object-2016-10-02
97994Use after free due to stale fonts-2016-10-02
97952Stale layout root generic fix from Mitz-2016-10-02
97898Regression: Use after free in RenderBlock::linkToEndLineIfNeeded-2016-10-02
97867Security: Major Google Plus and Google Chrome Problem-2016-10-02
98089memory corruption in ANGLE shader translator-2016-10-02
98064Use-after-free when font is missing$1,0002016-10-02
97784[v8] Stale pointer in CSSStyleSheet, Invalid cast in V8ListenerList::doFindWrapper$1,5002016-10-02
97608Use after free in counters in :before, :after content$5002016-10-02
97596Security: anonymous proxy-2016-10-02
97553Clicking a link on a page that has been fullscreened by JS doesn't exit fullscreen-2016-10-02
97546Use after free in ruby text :after, :before content due to stale styles.-2016-10-02
97278Security: Tracking bug for CachedResourceLoader::canRequest in a redirect chain-2016-10-02
97148Crashes in PhishingDOMFeatureExtractor::ExtractFeaturesWithTimeout-2016-10-02
97092Stale canvas used in WebCore::PlatformContextSkia::save()$1,0002016-10-02
97674Security: Extension can get at tabs details (url/title) without requesting tabs permission-2016-10-02
97599More stale styles in listmarkers$1,0002016-10-02
96747Security: Magic iframe transfer vulnerability for Pepper/NaCl plugins-2016-10-02
96902Use-after-free in findPlaceForCounter$1,0002016-10-02
97006Use after free due to issues in element detachment when entering fullscreen-2016-10-02
96665Use after free in Element::recalcStyle due to reparenting issues in treebuilder-2016-10-02
96382out-of-bounds access in Gradient::sortStopsIfNecessary-2016-10-02
96292Use after free in media BufferedResourceLoader::Start-2016-10-02
141815Heap-use-after-free in WebCore::RenderQuote::detachQuote-2016-10-02
141651Heap-buffer-overflow in SkA8_Blitter::blitAntiH$5002016-10-02
141564Heap-use-after-free in WebCore::HTMLLinkElement::removedFrom-2016-10-02
141462Extension resources that are not web accessible should not be able to be linked to from the web-2016-10-02
141444Security: Support pinning for Google ccTLDs-2016-10-02
141395UNKNOWN in v8::internal::SemiSpaceIterator::Next$1,0002016-10-02
96499Heap-use-after-free in WebCore::RenderLayer::updateVisibilityStatus-2016-10-02
96444Freed scrollbar used in RenderScrollbarPart::imageChanged [not related to previous stale m_owner issues]-2016-10-02
96149Use after free in WebCore::AudioChannel::sumFrom-2016-10-02
141093Security: Dev only restriction for declarativeWebRequest does not seem to work-2016-10-02
96150Use after free in OfflineAudioDestinationNode::notifyCompleteDispatch-2016-10-02
140805Heap-use-after-free in WebCore::RenderRegion::restoreRegionObjectsOriginalStyle-2016-10-02
140803Heap-buffer-overflow in SkA8_Blitter::blitH$1,0002016-10-02
140720Heap-use-after-free in WebCore::RenderBlock::removeChild-2016-10-02
140656Heap-use-after-free in WebCore::CachedResource::didAddClient$1,0002016-10-02
140647UNKNOWN in ogg_calc_pts-2016-10-02
140642Heap-buffer-overflow in SkDashPathEffect::SkDashPathEffect-2016-10-02
96131Closing parent then child in gmail = sad tab-2016-10-02
96170Use after free in InspectorPageAgent::resourceContent-2016-10-02
140495Text box fails to render contents and does not accept user input.-2016-10-02
140484Heap-use-after-free in WebCore::RenderBlock::determineStartPosition-2016-10-02
140368Security: heap-use-after-free in xsltGenerateIdFunction-2016-10-02
140165Heap-buffer-overflow in vorbis_decode_frame-2016-10-02
140142Heap-use-after-free in base::internal::WeakReference::is_valid-2016-10-02
140532Heap-use-after-free in WebCore::RenderBoxModelObject::hasSelfPaintingLayer-2016-10-02
140544Security: CSP doesn't turn off eval, etc. in Web Workers-2016-10-02
140083[LangFuzz] Crash on heap trying to execute address 0x0000000200000000.$1,0002016-10-02
140045REGRESSION(r122498): Assertion failure: m_nodeListCounts is sometimes not zero in the Document destructor-2016-10-02
139961Heap-use-after-free in WebCore::TargetListener::handleEvent [Stale target]-2016-10-02
139814UAF in DOMContentLoaded$2,0002016-10-02
139789Heap-buffer-overflow in WebCore::CSSParser::updateLastSelectorLineAndPosition-2016-10-02
139772AddressSanitizer reports a global buffer underflow in swizzle_for_size() in Mesa-2016-10-02
139744Security: SSL compression infoleak$5,3372016-10-02
140085UNKNOWN in /mnt/scratch0/clusterfuzz/slave-bot/builds/revisions/asan-linux-release-149416/chrome+Unknown-2016-10-02
139685OOB read atleast in WebCore::SVGListProperty<WebCore::SVGTransformList>::getItemValuesAndWrappers-2016-10-02
139690Heap-use-after-free in WebCore::GenericEventQueue::timerFired-2016-10-02
139646Heap-use-after-free in WebCore::DynamicNodeList::itemWithName-2016-10-02
139679Bad cast in RenderFrameSet::computeEdgeInfo-2016-10-02
139530Heap-use-after-free in WebCore::Node::~Node-2016-10-02
139475Heap-use-after-free in WebCore::TargetListener::handleEvent [Stale event listener]-2016-10-02
139462Heap-use-after-free in SkCanvas::updateDeviceCMCache-2016-10-02
139541UNKNOWN in v8::HandleScope::CreateHandle-2016-10-02
139464Heap-use-after-free in WebCore::RenderSVGShape::calculateStrokeBoundingBox-2016-10-02
139321Heap-use-after-free in WebCore::InlineBox::extractLine-2016-10-02
139402Heap-use-after-free in D_Clear_BitmapXferProc-2016-10-02
139215Heap-use-after-free in WebCore::StyleResolver::collectMatchingRules-2016-10-02
139168Security: Creating a loop in the DOM tree (99% a DoS)$5002016-10-02
139131Heap-use-after-free in WebCore::StyleResolver::collectMatchingRulesForList-2016-10-02
139290Heap-use-after-free in WebCore::StyleResolver::loadPendingImage-2016-10-02
139383Heap-use-after-free in WebCore::HTMLTextFormControlElement::fixPlaceholderRenderer-2016-10-02
139240Heap-buffer-overflow in WebCore::TextTrackCueList::add-2016-10-02
138738Crash in extensions::SetContentSettingFunction-2016-10-02
138915Heap-use-after-free in WebCore::ContainerNode::cloneChildNodes-2016-10-02
138422Heap-use-after-free in WebCore::Font::glyphDataAndPageForCharacter-2016-10-02
138404Heap-use-after-free in WebCore::Document::page-2016-10-02
138673Heap-buffer-overflow in xsltApplyTemplates$1,0002016-10-02
138990Heap-use-after-free in WebCore::SVGStyledElement::clearHasPendingResourcesIfPossible-2016-10-02
138672Heap-double-free in xsltCompileStepPattern-2016-10-02
138901Heap-use-after-free in ProfileKeyedBaseFactory::GetProfileToUse-2016-10-02
138302Stack-buffer-overflow in NPObjectProxy::NPInvokePrivate-2016-10-02
138318UXSS with pointer lock-2016-10-02
138382Heap-use-after-free in WebCore::AutoTableLayout::recalcColumn-2016-10-02
138316Heap-use-after-free in WebCore::RenderBoxModelObject::hasSelfPaintingLayer-2016-10-02
95849Security: any Chrome committer (or parhaps even any user with Google account?) can compromise Google Chrome-2016-10-02
95842Security: Chrome Gives Unreliable Security Info-2016-10-02
95761Use after free in ContainerNode::removeChild (looks related to plugin)-2016-10-02
95672Use after free in ListIterms and RunIns rendering (from bug 88680)$1,0002016-10-02
95669Regression(r93913): Use after free in ScriptController::executeScript-2016-10-02
95992Security: header injection when using embeded \0 in headerline-2016-10-02
95920[LangFuzz] Crash at v8::internal::ElementsAccessorBase with invalid read$1,0002016-10-02
95917Security: Chrome does not ask for approval when "not trusted" SSL cert. changes-2016-10-02
95563OOB read in tibetan_nextSyllableBoundary-2016-10-02
95625OOB read in gpu::gles2::GLES2DecoderImpl::HandleDrawArrays-2016-10-02
95499Use after free due to style not updated and having stale fonts.-2016-10-02
95485[LangFuzz] Crash at v8::internal::Object::Lookup$1,0002016-10-02
95639Use after free in Document::fullScreenChangeDelayTimerFired-2016-10-02
95620use-after-free in browser_tests-2016-10-02
95520Child not placed correctly when :before, :after placed in same table part container causing stale style-2016-10-02
95359Use after free in WebCore::SVGTRefElement::updateReferencedText-2016-10-02
95360use after free in WebCore::ContainerNode::removeChild via Range.deleteContents()-2016-10-02
95083Security: Reveal stored passwords using the Developer Tool-2016-10-02
95072Use after free due to style not updated for svg text runs.$1,0002016-10-02
95012Add defensive bounds checking in AudioNode-2016-10-02
94834Security: Thread safety with AudioChannelMerger-2016-10-02
95374Redirect to chrome:// URIs via Location: header$2,3372016-10-02
954654 OOB reads in XMLDocumentParser::doWrite-2016-10-02
95333ERROR:the following pages have become unresponsive. you can wait to become responsive or kill them-2016-10-02
94820Don't allow nodes of one context to be connected to nodes of another context-2016-10-02
94743Regression(r93913): Use after free in ScheduledAction::execute(WebCore::V8Proxy*)-2016-10-02
94578Security: Brute forcing Intranet WWW-Auth with script element-2016-10-02
94487Security: JSC::Yarr regexp 32/48 to the left of 768 with workers$1,0002016-10-02
94464Security: e-2016-10-02
94463Security: e-2016-10-02
94462Security: e-2016-10-02
94461Security: e-2016-10-02
94460Security: e-2016-10-02
94459Security: e-2016-10-02
94458Security: e-2016-10-02
94810Use after free with Floats and Ruby-2016-10-02
94809Use after free in ruby overhang.-2016-10-02
94456Security:-2016-10-02
94275Make sure that AudioArray is 16-byte aligned-2016-10-02
94273V8 custom bindings for AudioNode must do proper object checking and throw exception in case of error-2016-10-02
94186WebAudio node lifetype crash when tearing down audio nodes / media element node-2016-10-02
94025WebAudio: Integer overflows in AudioArray-2016-10-02
93978Out of bounds reads and writes when FFT size is changed.-2016-10-02
93918Regression(93122): Use after free in InspectorCSSAgent::clearFrontend-2016-10-02
94457Security: e-2016-10-02
94278Fix thread-safety of AudioNode deletion-2016-10-02
93596Bad read in bundled PDF viewer-2016-10-02
93497Security: Accessibility of the chrome.webstorePrivate-API-2016-10-02
93472Yet another double-free caused by malformed XPath expression in XSLT$1,0002016-10-02
93420Use after free in FocusController::advanceFocusInDocumentOrder$1,0002016-10-02
93788Use after free in RenderText lineboxes.$1,0002016-10-02
93587Use after free in WebCore::Text::recalcStyle due to before after content issue in table parts$1,0002016-10-02
93856Use after free in RenderFlowThread::nextRendererForNode-2016-10-02
93146Security: Possible race condition in Windows Policy reading that can lead to stale policy.-2016-10-02
93106Failing assertion in IDBTransaction.cpp-2016-10-02
93097Defensively null out danging pointers in the NaCl browser plugin memory safety for M14-2016-10-02
93059OOB read in EventDispatcher::adjustToShadowBoundaries-2016-10-02
93416Security: Arbitrary cross-origin bypass using __defineGetter__ prototype override$2,0002016-10-02
93236Stale Pointer Crash in PrintWebViewHelper::PrintPreviewContext::CreatePreviewDocument-2016-10-02
92959Stale node in StyleSheetCandidateListHashSet$1,0002016-10-02
92769Use after free in TreeBuilder-2016-10-02
92651Use after free due to style not updated for ANONYMOUS boxes (e.g RenderRow), inline-blocks (e.g. RenderRubyRun)$1,0002016-10-02
92621Use after free in VisibleSelection::selectionFromContentsOfNode-2016-10-02
92550Chrome (main process) crashes when setVersion is called when all (Indexed) database name space is used up-2016-10-02
92226Use after free in CounterNode::lastDescendant-2016-10-02
92840Use after free in HarfbuzzFace::~HarfbuzzFace-2016-10-02
146433Chrome_Mac: Crash Report - base::::CrMallocErrorBreak / invalid free in SkWriter32::rewindToOffset-2016-10-02
146235WTF::equal is too aggressive and may trigger ASan reports-2016-10-02
146208Heap-buffer-overflow in WebCore::RenderTableSection::nodeAtPoint-2016-10-02
146145Heap-use-after-free in WebCore::RenderText::computePreferredLogicalWidths-2016-10-02
146144Heap-use-after-free in WebCore::FrameView::scrollContentsFastPath-2016-10-02
146111Heap-use-after-free in WebCore::RenderBoxModelObject::hasSelfPaintingLayer-2016-10-02
145976Heap-use-after-free in WebCore::HTMLTextFormControlElement::fixPlaceholderRenderer-2016-10-02
145921AddressSanitizer reports a UAF in WebCore::RenderStyle::letterSpacing-2016-10-02
146146Heap-buffer-overflow in WebCore::FlowThreadController::unregisterNamedFlowContentNode-2016-10-02
145867Heap-use-after-free in WebCore::FrameView::scrollContentsFastPath-2016-10-02
145915Security/Privacy: <img>-embedded SVG will load external content referenced by CSS @import @font-face-2016-10-02
145530Mitigation: Kill OOB reads(or few writes) by preventing access to harmful locals in dirty text lineboxes-2016-10-02
145525Security: heap buffer overflow in gpu process with webgl$3,5002016-10-02
145492Web Inspector: Page with @import and :last-child in an edited stylesheet will crash (UAF)-2016-10-02
145544Security: integer overflow in gpu process with webgl$1,0002016-10-02
145272Heap-use-after-free in WebCore::nextBreakablePosition-2016-10-02
145018Heap-use-after-free in WebCore::StyleSheetContents::checkLoadCompleted-2016-10-02
144886Security: webgl crash on mesa$3,1332016-10-02
144866Security: Chrome for Android Bypassing SOP for Local Files By Symlinks$5002016-10-02
144831Heap-buffer-overflow in WebCore::StylePropertySet::copyPropertiesFrom-2016-10-02
145363Security: Chrome extension DEP crash-2016-10-02
144899SkPaint::SkPaint - crash$1,0002016-10-02
144799Heap-double-free in xmlFreeNodeList-2016-10-02
144813Security: UXSS via com.android.browser.application_id Intent extra$5002016-10-02
144671Heap-use-after-free in WebCore::GCPrologueVisitor<void, WebCore::SpecialCasePrologueObjectHandler>::visitDOMWrapper-2016-10-02
144466Crash when verifying ECDSA certificate on XP-2016-10-02
144734Heap-buffer-overflow in WebCore::RenderTable::removeCaption-2016-10-02
144810Heap-use-after-free in WebCore::RenderTable::calcBorderEnd-2016-10-02
144704Tracking bug for fixing rel=noreferrer aslr bypass-2016-10-02
143761Heap-use-after-free in WebCore::GraphicsContext::restore$1,0002016-10-02
143672Flapper Crash in BrokerProcessDispatcher::GetSitesWithData-2016-10-02
143859Security: World-writable shared memory segments for X/Linux UI-2016-10-02
144051Security: Memory address disclosure through JavaScript in Print Preview WebUI-2016-10-02
143846Security: Chromoting creates a world-writable shared memory segment-2016-10-02
143609Heap-use-after-free in WebCore::ElementV8Internal::onclickAttrGetter$1,0002016-10-02
143604Heap-use-after-free in WebCore::RenderBlock::LineBreaker::nextLineBreak [SVG text]-2016-10-02
143593Heap-buffer-overflow in WebCore::SurrogatePairAwareTextIterator::consume-2016-10-02
143582Heap-use-after-free in WTF::OwnPtr<WTF::Vector<WebCore::RegisteredEventListener, 1ul> >::~OwnPtr-2016-10-02
143551Heap-use-after-free in WebCore::TreeScopeAdopter::moveTreeToNewScope-2016-10-02
143656Heap-use-after-free in WebCore::SVGTRefElement::updateReferencedText$1,0002016-10-02
143648Heap-buffer-overflow in WebCore::StyleResolver::applyProperty-2016-10-02
143176Heap-use-after-free in WebCore::AccessibilityNodeObject::document-2016-10-02
143409Heap-buffer-overflow in SkScalerContext_FreeType::generateImage-2016-10-02
142956Security: XSS in SSL Certificate error page$5002016-10-02
142876Heap-buffer-overflow in WebCore::HarfBuzzShaperBase::isWordEnd-2016-10-02
143329Bad cast in RenderGrid::layoutGridItems-2016-10-02
143004Security: Untrustworthy Chrome OS user-wallpaper png's are loaded pre-login (in the sandboxed utility process)-2016-10-02
142310ASan reports a use-after-free in IndexedDBBrowserTest.Bug109187Test-2016-10-02
142395Bad cast in computeReplacedLogicalHeightUsing-2016-10-02
142145Heap-use-after-free in WebCore::RenderBlock::removeChild-2016-10-02
142746Security: Potential use after destruction in ui/gfx/image-2016-10-02
142169Heap-buffer-overflow in SkAlphaRuns::add$5002016-10-02
142088UNKNOWN in v8::internal::Invoke-2016-10-02
142087UNKNOWN in void v8::internal::String::WriteToFlat<char>-2016-10-02
141901Security: mesa stack scribbling thingamadoo$3,1332016-10-02
141889Security: Cookie theft from Chrome by malicious Android app$5002016-10-02
91972Regression(85705): Use after free on m_originatingLine in floats-2016-10-02
91940Security: Romanian colloquialism meaning penis when viewing YouTube channels-2016-10-02
91939Security: Romanian colloquialism meaning penis when viewing YouTube channels-2016-10-02
91921Use after free in RenderRubyBase-2016-10-02
91911Freed m_renderer used in InlineBox::deleteLine-2016-10-02
91973Regression(90971): Use after free in Textarea placeholder-2016-10-02
91665Crash on bad rip when opening a PDF$1,0002016-10-02
91801Use after free of RootInlineBox-2016-10-02
91577file:// URL access is defaulting to opt-in-2016-10-02
91554Possible use-after-free in AddToConsole-2016-10-02
91633Security: When upgrade to 13.0.782.107, chrome will run js and load image which had be disabled in chrome-2016-10-02
91502Security: Malware Page forbids user from closing a tab.(window.onunload hijack)-2016-10-02
91362Regression(91331): Bad cast due to html renderer created for svg glyphref-2016-10-02
91312Security: Native Client app can crash trusted code.-2016-10-02
91218XSS in chrome://appcache-internals-2016-10-02
91517Security: V8 asserts (crashes) when entering simple JS snippit-2016-10-02
91321Regression(91788): Bad cast in WebCore::blockWithNextLineBox-2016-10-02
91020Use after free in MediaTest.FLAKY_VideoBearWebm on Mac OS-2016-10-02
91099OOB read in RenderScrollbarPart::computeScrollbarWidth-2016-10-02
91120[LangFuzz] Crash at Runtime_QuoteJSONString with invalid write$5002016-10-02
91082Security: Major Privacy Loop Hole !-2016-10-02
91079where to submit Google account bug-2016-10-02
91093Bad cast in paintMediaPlayButton-2016-10-02
91016Security: Canvas toDataURL security error: It is taking page information and not the canvas when making the image$5002016-10-02
91013[LangFuzz] Crash at RootMarkingVisitor::VisitPointers (32 bit)$1,0002016-10-02
91010[LangFuzz] Crash at JSObject::SetDictionaryElement with invalid read (32 bit)$1,0002016-10-02
91197Use after free or bad cast with empty .swf file-2016-10-02
91092Use after free in SVGUseElement::buildShadowTree-2016-10-02
90978read out of bounds in sUnpremultiplyData_RGBA8888 / ImageBufferData::getData (WEBKIT 65352)-2016-10-02
90668Use after free in WebCore::findPlainText$1,0002016-10-02
90498Security: automatically downloading of .crdownload-files-2016-10-02
91008[LangFuzz] Crash at JSObject::PrepareElementsForSort with invalid read$1,0002016-10-02
90357OOB read in WebCore::previousBoundary-2016-10-02
90217Prevent silent truncation of trailing characters in downloaded file names-2016-10-02
90173OOB read in media::ScaleYUVToRGB32 due to failure to account for zero source width and accessing negative indices-2016-10-02
90134OOB read in harfbuzz with khmer character-2016-10-02
90105Heap-buffer-overflow in WebCore::RenderBlock::LineBreaker::nextLineBreak-2016-10-02
89991Regression(82144): OOB InlineIterator read in TrailingObjects::updateMidpointsForTrailingBoxes$5002016-10-02
90175Security: remove any site from Google Index-2016-10-02
89795Browser crash in net::WebSocketJob::SendPending-2016-10-02
89580Use after free due to continuation splitting issues in -webkit-column-span-2016-10-02
89599Freed SVGTRefElement used in SVGStyledElement::buildPendingResourcesIfNeeded-2016-10-02
89836Tracking bug for ANGLE memory corruption on Windows$1,3372016-10-02
89575Use after free of markers in CompositeEditCommand::replaceTextInNodePreservingMarkers-2016-10-02
89564Possible URL Bar Spoofing when history.forward() is ignored using forward button$5002016-10-02
89678Use after free in ReplacementFragment::removeUnrenderedNodes-2016-10-02
89552Use after free in CSSStyleSheet::checkLoaded-2016-10-02
89522SVG animation API crashes on SVGAnimateTransform-2016-10-02
89511Use after free in IDBRequest::abort-2016-10-02
89493Use after free in SVG foreignobject rendering.-2016-10-02
89422Two use after frees in NPObjectStub-2016-10-02
89558Use after free in SVGUseElement::buildShadowTree$5002016-10-02
89402Memory corruption (double free) caused by malformed XPath expression in XSLT$1,0002016-10-02
89330DocumentLoader use after free in KURL::strippedForUseAsReferrer$1,0002016-10-02
89219Use after free due to document destruction within unload event$1,0002016-10-02
89142PDF viewer crash$5002016-10-02
89020Security: ftp-2016-10-02
88976possible use after free WebCore::FontCache::getFontDataForCharacters-2016-10-02
88949Security: Location Bar Spoofing using very long string on a web address in the location bar-2016-10-02
88944Use-after free in leveldb$3,1332016-10-02
88932Security: Exploit in google+-2016-10-02
152691chrome!std::_Tree<std::_Tmap_traits<tracked_objects::Location,tracked_objects::Births *,std::less<tracked_objects::Location>,std::allocator<std::pair<tracked_objects::Location const ,tracked_objects::Births *> >,0> >::find+15 - crash$2,0002016-10-02
152585Heap-use-after-free in WebCore::ContainerNode::removeAllChildren-2016-10-02
152420Heap-use-after-free in content::P2PSocketClient::OnDataReceived-2016-10-02
152354Mask RenderArena freelist entries.-2016-10-02
152569Chrome_Mac: Crash Report - Stack Signature: CompositorOutputSurface::OnMessageReceived-...$5002016-10-02
152442Heap-use-after-free in icu_46::RuleBasedCollator::RuleBasedCollator-2016-10-02
151895Defense to throw "unauthorized" infobar for excessively crashing plug-in does not work for Pepper Flash!-2016-10-02
151888Crash in v8::internal::SlotsBuffer::UpdateSlotsRecordedIn-2016-10-02
151854Heap-use-after-free in WebCore::CachedResource::addClientToSet-2016-10-02
151795Security: remove chrome.experimental.offscreenTabs API-2016-10-02
152104out of bounds array access in WTF::TypedArrayBase<unsigned char>::item(unsigned int) / WebCore::FEMorphology::platformApplyGeneric-2016-10-02
151992Heap-use-after-free in VideoCaptureImpl::RemoveClient-2016-10-02
151860Heap-use-after-free in WebCore::DateTimeFieldElement::didBlur$1,0002016-10-02
151008Heap-use-after-free in WebCore::CanvasRenderingContext2D::setFont$1,0002016-10-02
151424Chrome: Crash Report - Stack Signature: WebCore::CachedImage::likelyToBeUsedSoon()-...-2016-10-02
151449Heap-buffer-overflow in cc::CCKeyframedTransformAnimationCurve::getValue-2016-10-02
150966Heap-use-after-free in WebCore::Node::~Node-2016-10-02
151049Heap-use-after-free in WebCore::RenderObject::destroyAndCleanupAnonymousWrappers-2016-10-02
150571Global-buffer-overflow in v128_copy_octet_string-2016-10-02
150067Heap-buffer-overflow in WebCore::InlineFlowBox::placeBoxesInInlineDirection-2016-10-02
149999Heap-use-after-free in WebCore::WebKitCSSSVGDocumentValue::load-2016-10-02
150842Heap-use-after-free in content::P2PSocketClient::DeliverOnSocketCreated-2016-10-02
150545UNKNOWN in v8::internal::RootMarkingVisitor::MarkObjectByPointer-2016-10-02
150650MSI installer ships an out-of-date GoogleUpdate.exe with no ASLR or DEP (and may not be updating)-2016-10-02
150729UNKNOWN in v8::internal::Invoke$1,5002016-10-02
150737IndexedDB causes V8 heap corruption$1,0002016-10-02
149717Security: integer overflow in webgl on osx$1,0002016-10-02
149877Security: Omnibox drop target enables navigation to restricted URLs-2016-10-02
149904Security: webgl - after running out of memory, buffer can still be written$1,0002016-10-02
149840Heap-use-after-free in WebCore::StyleRuleImport::setCSSStyleSheet-2016-10-02
149871Untrustworthy navigation causes HTTP Basic Auth dialog origin confusion/spoofing-2016-10-02
148612Heap-use-after-free in WebCore::pushFullyClippedState-2016-10-02
148896UNKNOWN in v8::internal::ElementsAccessorBase<v8::internal::ExternalUnsignedByteElementsAccessor, v8::internal:-2016-10-02
148378[LangFuzz] Crash due to invalid free in v8::internal::Runtime_RegExpExecMultiple$1,0002016-10-02
148692Heap-buffer-overflow in ucstrTextExtract$5002016-10-02
148638Heap-buffer-overflow in SkAAClipBlitter::blitAntiH$5002016-10-02
148567Touch events allow cross-origin access$5002016-10-02
147625Security: UXSS/SOP bypass with document.write (Chrome on iOS)$5002016-10-02
147499Heap-use-after-free in media::AudioOutputDevice::AudioThreadCallback::Process$3,1332016-10-02
147475UNKNOWN in v8::internal::Deoptimizer::DoComputeOutputFrames-2016-10-02
147459Heap-use-after-free in WebCore::ImageLoader::updateRenderer-2016-10-02
148376[LangFuzz] Crash at v8::internal::MarkCompactCollector::EvacuateNewSpace with invalid read$1,0002016-10-02
147700Heap-use-after-free in WebCore::Document::fullScreenChangeDelayTimerFired-2016-10-02
147592Chrome_ChromeOS: Crash Report - Stack Signature: WebKit::WebWorkerClientImpl::openFileSystem...-2016-10-02
146882Heap-use-after-free in WebCore::InlineBox::adjustPosition-2016-10-02
146760Security: URL bar spoofing with SSL error messages (Chrome on iOS)$5002016-10-02
146725AddressSanitizer reports a use-after-free in WebKit::DateTimeChooserImpl::didClosePopup-2016-10-02
147435Heap-use-after-free in WebCore::InlineBox::root-2016-10-02
147436UNKNOWN in sk_memset32_SSE2-2016-10-02
147290Heap-use-after-free in WebCore::DateTimeEditElement::setEmptyValue$1,0002016-10-02
146492Check behavior of "," in "content_security_policy" manifest attribute.-2016-10-02
88850Use after free with fuzzed ogv file$1,0002016-10-02
88846Use-after-free in FrameLoader with no form post method$1,0002016-10-02
88889Stale pointer due to floats not removed (flexible box display)$1,0002016-10-02
88858[LangFuzz] Crash at JSObject::LocalLookupRealNamedProperty with invalid read on gc$1,0002016-10-02
88757AudioContext GainNode memory corruption-2016-10-02
88730Use after free in SVGUseElement::invalidateShadowTree / SVGElementInstance::invalidateAllInstancesOfElement-2016-10-02
88723REGRESSION (r85964): Use after free in WebCore::RenderObject::localToAbsolute-2016-10-02
88684Stale m_owner in RenderScrollbar (m_owner is deleted body element)-2016-10-02
88670ZDI-CAN-1283: Webkit fontface Invalid Font Family Remote Code Execution Vulnerability-2016-10-02
88649HRTFDatabaseLoader memory corruption-2016-10-02
88647webkitAudioContext can be called as a function instead of a constructor.-2016-10-02
88827OOB read due to Integer overflow in SkDashPathEffect constructor (len and phase)-2016-10-02
88729Security: PPB_Graphics2D_Create will lead to integer overflow in shm alloc-2016-10-02
88436Ogg memory corruption-2016-10-02
88337The beforeload event allows tracking URI changes in a frame$5002016-10-02
88131Aw, Snap! with context.createBuffer(request.response, false) on certain files-2016-10-02
88093Security: out-of-bounds read in v8 with defineProperty and arguments$1,0002016-10-02
88591[LangFuzz] CHECK(!value->IsTheHole()) failed // Crash with invalid read in shell$1,0002016-10-02
88531Use-after-free in SafeBrowsingResourceHandler::OnBrowseUrlCheckResult-2016-10-02
88216Regression: Use-after-free in CounterNode::insertAfter$1,0002016-10-02
87861Security: OOB read in svg text run-2016-10-02
87815chrome-devtools:// can be navigated from http-2016-10-02
87746Security: Chrome content script listener-2016-10-02
87925Use after free in range extract contents$1,0002016-10-02
87965webkitAudioContext multiple issues-2016-10-02
87862Security: Use after free in svg text-2016-10-02
87701Stale pointer in WebCore::PlatformContextSkia::save-2016-10-02
87548use after free in skia blitter-2016-10-02
87520Security: Webpage can gain access to extension content-script variables when content-script triggers events-2016-10-02
87478[LangFuzz] Crash on heap with invalid read$1,0002016-10-02
87339XSS injection via prototype chain$5002016-10-02
87298OOB read due to iterating over wrong textbox in TextIterator::emitText (first-letter + RTL)$5002016-10-02
87729Use after free in third_party/WebKit/LayoutTests/fast/dom/HTMLLinkElement/link-and-subresource-test.html$1,0002016-10-02
87728Regression(89733): Use after free in fast/forms/text-control-intrinsic-widths.html$1,0002016-10-02
87120Use after free on 2-Step-Authentication-method-change$5002016-10-02
87148use after free due to floats not removed$1,0002016-10-02
86758URL Bar Spoofing using History.back() and History.forward$5002016-10-02
86705Use after free in Geolocation::fatalErrorOccurred-2016-10-02
87227Use after free due to refcounting issue in MediaQueryMatcher::prepareEvaluator$1,0002016-10-02
86900Heap memory corruption in web database support (SQLite/ICU)$1,0002016-10-02
86502Use after free due to floats not cleared from parent's next siblings blocks (on losing ability to intrude floats)$1,0002016-10-02
86191Security: web-exposed manifest from Chrome extensions diverges from the real manifest in regards to NPAPI-2016-10-02
86304Google Chrome Acess Violation in Frame manipulation-2016-10-02
86609OOB read in fontfallbacklist due to issue in CSSPrimitiveValues clamping-2016-10-02
86178URL bar introduces NUMEROUS vulnerabilities.-2016-10-02
86648Use after free in formassociatedelement not removed from m_formElementsWithFormAttribute-2016-10-02
86367Use after free of frame in Document::finishedParsing-2016-10-02
85992Renderers can have registry handle which would allow a Windows sandbox escape-2016-10-02
85943Use after free in Stylesheet due to issue in CLONE nodes-2016-10-02
85808chrome_1c30000!webkit::ppapi::PPB_Widget_Impl::Invalidate crash$5002016-10-02
85559Web Inspector: Crash by buffer overrun crash when serializing inspector object tree.-2016-10-02
86133Add GRP to dangerous file list-2016-10-02
86108Security: FileSystem API can be used to learn about installed software on the user's computer-2016-10-02
85418Use-after-free in WebCore::RenderTextControl::isSelectableElement$1,0002016-10-02
85309Crash when closing a child window that uses a canvas-2016-10-02
85302Crasher in WebCore::StyleBase::stylesheet-2016-10-02
85256OOB read in UniscribleController::advance-2016-10-02
85211Use after free in SVGUseElement::buildShadowTree$1,0002016-10-02
85177Renderer crash with javascript + setInterval$5002016-10-02
85158Content script can gain access to the "window" object of the page using custom events-2016-10-02
85350Browser Crash in ~TabContents caused by PrerenderManager::PeriodicCleanup-2016-10-02
156906Heap-use-after-free in WebCore::XMLDocumentParser::doEnd-2016-10-02
156826UNKNOWN in S32A_Blend_BlitRow32_SSE2-2016-10-02
156828UNKNOWN in WebCore::Font::drawGlyphs-2016-10-02
156669Origin.com somehow manages to open its result page in the previous tab (which was gmail)-2016-10-02
156619Heap-use-after-free in WebCore::ApplyStyleCommand::cleanupUnstyledAppleStyleSpans-2016-10-02
156431Security: Use after free in IDBDatabaseCallbacksImpl::onVersionChange-2016-10-02
156418Heap-use-after-free in SpellCheckHostImpl::SaveDictionaryData-2016-10-02
156689Heap-buffer-overflow in WTF::StringImpl::findIgnoringCase-2016-10-02
156567Security: use-after-free in WebCore::GraphicsContext::paintingDisabled$1,0002016-10-02
156282Heap-use-after-free in WebCore::StyleResolver::pseudoStyleRulesForElement-2016-10-02
156383Security: chrome_to_device makes use of HTTP for cloudprint-2016-10-02
156096Heap-buffer-overflow in WebCore::RenderBlock::LineBreaker::nextLineBreak-2016-10-02
156231UNKNOWN in _wordcopy_fwd_aligned$1,0002016-10-02
156366Heap-use-after-free in PluginPlaceholder::ReplacePlugin-2016-10-02
156152Issues with HSTS / public key pins state tracking-2016-10-02
155977Security: remove uses of innerHTML in commented code for Getting Started Guide.-2016-10-02
155860WebCore::SharedBuffer::append(data, 0) can cause unitialized memory to be added to the SharedBuffer-2016-10-02
155711Security: forced oom in browser process due to indefinitely growing buffer in chunked decoder-2016-10-02
155643Heap-use-after-free in content::RenderWidgetHostImpl::OnMsgInputEventAck-2016-10-02
156015Heap-use-after-free in WebCore::FontPlatformData::uniqueID-2016-10-02
156051Heap use-after-free in ExtensionFunctionDispatcher::Dispatch caught by ASan when using "Screen Capture by Google"-2016-10-02
155877Chrome: RenderViewImpl::OnContextMenuClosed(content::CustomContextMenuContext const &)-2016-10-02
155293Heap-use-after-free in WebCore::ContextMenu::appendItem-2016-10-02
155285Heap-use-after-free in WebCore::Node::setNeedsStyleRecalc-2016-10-02
155117Security: GetReadonlyPnaclFD IPC security issues-2016-10-02
154987Pwnium SVG use after free-2016-10-02
154983Security: Pwnium 2 TCMalloc profile bug$60,0002016-10-02
155421Security: javascript scheme links auto-generated in devtools console-2016-10-02
154617Heap-use-after-free in WebCore::Node::~Node-2016-10-02
155323Out of bounds array access in GPU process-2016-10-02
154926Heap-use-after-free in WebIntentPickerGtk::OnDestroyThunk-2016-10-02
154488Heap-use-after-free in WebCore::FrameLoader::stopLoading-2016-10-02
154465Bad cast in webkit_glue::GetSubResourceLinkFromElement-2016-10-02
154460Heap-use-after-free in WebCore::ScrollableArea::scroll-2016-10-02
154448Heap-use-after-free in TransportDIB::DecreaseInFlightCounter-2016-10-02
154362Heap-buffer-overflow in WebCore::HTMLSelectElement::typeAheadFind-2016-10-02
154590Stack-buffer-overflow in SkFontHost::GetAdvancedTypefaceMetrics-2016-10-02
154485Heap-buffer-overflow in std::vector<scoped_refptr<printing::PrintJob>, std::allocator<scoped_refptr<printing::PrintJob> > >:-2016-10-02
154158Security: ensure that a user has willing-fully logged-in to his Google account before triggering the one click Chrome login feature-2016-10-02
154055Heap-use-after-free in WebCore::RenderLayerBacking::paintIntoLayer$1,0002016-10-02
153793Heap-use-after-free in WebCore::EventHandler::mouseMoved-2016-10-02
153666Security: Bypass for consumable user gesture on pop-up-2016-10-02
153592Heap-use-after-free in WebCore::RenderObject::isDescendantOf-2016-10-02
154284Heap-use-after-free in WebCore::SVGTextRunRenderingContext::glyphDataForCharacter-2016-10-02
154283Heap-buffer-overflow in _HB_GDEF_Check_Property-2016-10-02
153469Security: Nvidia - Kernel Panic - [@ gpu::gles2::GLES2DecoderImpl::ResizeOffscreenFrameBuffer]-2016-10-02
153239Heap-use-after-free in WebCore::GCEpilogueVisitor<void, WebCore::SpecialCaseEpilogueObjectHandler, &WebCore::DOMDataStore::-2016-10-02
153228Heap-use-after-free in WebCore::SVGImage::drawSVGToImageBuffer-2016-10-02
153211Heap-use-after-free in webrtc::ThreadPosix::Run-2016-10-02
153566Heap-use-after-free in WebCore::FontCache::purgeInactiveFontData-2016-10-02
153128Buffer overrun in Harfbuff-2016-10-02
153184Heap-use-after-free in WebCore::computeNonFastScrollableRegion-2016-10-02
153048Invalid pointer read in std::basic_string-2016-10-02
152916Security: browser process jump to bad address on osx with getUserMedia() and crazyness-2016-10-02
152707Invalid pointer write in GrGpu::clear$1,0002016-10-02
152921Browser crash, navigator.geolocation.watchPosition issue-2016-10-02
85102Use after free in WebCore::ContainerNode::parserAddChild$5002016-10-02
85041Memory Corruption in video decoding-2016-10-02
84946Merge http://trac.webkit.org/changeset/87959 and http://trac.webkit.org/changeset/87756 for documentloader use after frees-2016-10-02
85003Parsing issue with -webkit-calc$1,0002016-10-02
84950Merge http://trac.webkit.org/changeset/87856-2016-10-02
84885ASSERT obj->parentObject() == this in accessibility tree-2016-10-02
84919Memory corruption in browser process with interstitial that goes back-2016-10-02
84805Flash/GPU memory corruption in critical section.$5002016-10-02
84797Click Reload this page button after Conway's Game of Life starts causes Aw Snap error-2016-10-02
84763POssible mac use after free in drag & drop code-2016-10-02
84933Browser crash with IndexedDB and very long database names-2016-10-02
84819Bad cast in cloning elements with shadow DOM-2016-10-02
84597use-after-free in WebCore::LevelDBTransaction::commit-2016-10-02
84584Invalid memory access caused by ThumbnailGenerator-2016-10-02
84452Bad cast in HTMLMediaElement::mediaControls$1,0002016-10-02
84418Shockwave crashed-2016-10-02
84402Extensions permission elevevation using javascript: in homepage_url-2016-10-02
84355use-after-free in svg fontfacelement$1,0002016-10-02
84600Security: Web page can initiate speech recognition without user knowing about it-2016-10-02
84234[LangFuzz] Crash @ MarkCompactCollector::SweepSpaces() or SeqTwoByteString::SeqTwoByteStringReadBlockIntoBuffer() (64 bit)$1,0002016-10-02
84160Use after free in accessibility notifications.-2016-10-02
84016Use after free in BrowserAccessibility::DetachTree-2016-10-02
84002OOB read in ComplexTextController constructor (ComplexTextControllerLinux.cpp) + OOB read in WidthIterator-2016-10-02
83917OOB Write in Skia Shader Blitter-2016-10-02
83903Vai-2016-10-02
83848Use after free in LayerChromium::~LayerChromium-2016-10-02
83841User information leakage esp local paths, username in webgl getProgramInfoLog-2016-10-02
84333use after free in WebCore::ContainerNode::firstChild / WebCore::XMLDocumentParser::insertErrorMessageBlock-2016-10-02
83672Stale layout root set as input element when child of a keygen with autofocus-2016-10-02
83598OOB read in WebCore::parseColorIntOrPercentage-2016-10-02
83275UXSS with window.execScript$3,1332016-10-02
83273Browser prompt when installing unpacked npapi extensions-2016-10-02
83270oob read in WebCore::ImageBufferData::getData-2016-10-02
83743Universal XSS using contentWindow.eval$1,0002016-10-02
83235Bad cast in RenderBlock::createLineBoxes due to double attach in htmlformelement-2016-10-02
83012Use after free in XMLDocumentParser-2016-10-02
83010An extension can access and modify all chrome:// pages, options, etc.$1,0002016-10-02
82903OOB write in BlobURLRequestJob::HeadersCompleted-2016-10-02
82873Memory corruption in GPU command buffer-2016-10-02
83031Chrome spoof on 302 redirect-2016-10-02
82841Browser crash @ closing chrome://settings/syncSetup-2016-10-02
82817buffer overflow marshalling data from sandbox-2016-10-02
82653Use after free due to incorrectly setting document.body to non body elements, elements from other docs.-2016-10-02
82633Bad cast in CSSParser::createFontFaceRule-2016-10-02
82597document.execCommand('copy') return always false-2016-10-02
82552REGRESSION (83075): Use after free in line box culling optimization-2016-10-02
82546Stale pointer in WebCore::RenderBlock::marginBeforeForChild$1,0002016-10-02
82516write-after-free in third_party/WebKit/Source/WebCore/svg/animation/SVGSMILElement.h:58-2016-10-02
82438OOB read in media::FFmpegVideoDecodeEngine::Initialize-2016-10-02
82416IndexedDB crash on index.getKey-2016-10-02
82309CRASH @ DownloadItem::UpdateObservers()-2016-10-02
82184Renderer crash @ GrTHashTable<GrGpuGLShaders::ProgramCache::Entry,GrBinHashKey<GrGpuGLShaders::ProgramCache::Entry,32>,8>::remove(GrBinHashKey<GrGpuGLShaders::ProgramCache::Entry,32> const &,GrGpuGLShaders::ProgramCache::Entry const *)-2016-10-02
82161Google Chrome (Pwned)-2016-10-02
82154out-of-bound access in third_party/WebKit/Source/WebKit/chromium/src/WebFrameImpl.cpp-2016-10-02
82152Need to merge WebKit 64-bit issue http://trac.webkit.org/changeset/86106-2016-10-02
82096Merge http://trac.webkit.org/changeset/85693-2016-10-02
82444Local file disclosure when pasting stuff from Excel, etc.-2016-10-02
82018TEST TEST IGNORE-2016-10-02
81949use-after-free in imageloader with fallbackcontent$1,0002016-10-02
82083Google Chrome Pwned by VUPEN aka Sandbox/ASLR/DEP Bypass-2016-10-02
161077Invalid pointer write in GrRenderTarget::onRelease$1,0002016-10-02
161089Indexeddb createIndex() crashes the page-2016-10-02
161015Heap-use-after-free in WebCore::HTMLConstructionSite::mergeAttributesFromTokenIntoElement-2016-10-02
161239Heap-use-after-free in WebCore::IDBTransactionBackendImpl::taskTimerFired-2016-10-02
160926Security:Check for integer wrap in PPB_ImageData_Impl::Init() is insufficient-2016-10-02
160480Security: Integer overflow in opus_packet_parse_impl-2016-10-02
160450Heap-buffer-overflow in WebCore::InlineFlowBox::placeBoxRangeInInlineDirection-2016-10-02
160380Heap-use-after-free in WebKit::ChromePrintContext::spoolPage-2016-10-02
160760Security: NaCl sandbox escape; missing register check across a superinstruction-2016-10-02
160803Security: ugly crash with history.replaceState() while the window displays HTTPS interstitial-2016-10-02
160456Security: Restrict chromoting viewer plugin to chromoting extension-2016-10-02
160010[LangFuzz] Crash at v8::internal::BasicJsonStringifier::SerializeString$1,0002016-10-02
159829Heap-buffer-overflow in WebCore::HTMLInputElement::isImageButton-2016-10-02
159828Heap-use-after-free in WebCore::RenderLayer::hitTest-2016-10-02
159553Security: Integer overflow in remoting viewer AudioDecoderSpeex::Decode-2016-10-02
159429Security: Use after free on ~AssociatedURLLoader with pdf plugin$1,0002016-10-02
159338Heap-use-after-free in WebCore::SVGDocumentExtensions::removeAllElementReferencesForTarget$1,0002016-10-02
160068Merge http://trac.webkit.org/changeset/133840-2016-10-02
160038Security: Unquoted Path vulnerability in GoogleCrashHandler-2016-10-02
159165Heap-use-after-free in webkit::ppapi::PluginInstance::PrintBegin-2016-10-02
159229Security: Integer overflow in remoting viewer AudioDecoderOpus::Decode-2016-10-02
158992Heap-use-after-free in WebCore::RenderTextTrackCue::layout-2016-10-02
158898Heap-use-after-free in WebCore::RenderBlock::removeChild-2016-10-02
158897Heap-buffer-overflow in WebCore::RenderBlock::clone-2016-10-02
159219Heap-use-after-free in WebCore::EventHandler::handleMousePressEvent-2016-10-02
159098Heap-buffer-overflow in WebCore::TextTrackCueList::add-2016-10-02
158693Heap-use-after-free in WebCore::RenderLayerModelObject::hasSelfPaintingLayer-2016-10-02
158695Heap-use-after-free in WebCore::WidgetHierarchyUpdatesSuspensionScope::moveWidgets-2016-10-02
158533Heap-use-after-free in WebCore::RenderLayer::paintLayerContents [MathML]-2016-10-02
158457Heap-use-after-free in non-virtual thunk to content::RenderViewImpl::createPopupMenu-2016-10-02
158249Security: Heap-buffer-underflow in xmlParseAttValueComplex-2016-10-02
158204Heap-use-after-free in WebCore::Frame::dispatchVisibilityStateChangeEvent$1,5002016-10-02
158199Heap-use-after-free in WebCore::StyleCachedImageSet::cssValue-2016-10-02
158707Heap-use-after-free in WebCore::RenderObject::isBody-2016-10-02
158547Heap-use-after-free in WebCore::HTMLInputElement::setValue for type=range, type=date, and type=time with datalist-2016-10-02
158060Heap-use-after-free in WebCore::CachedResource::checkNotify-2016-10-02
157951Heap-use-after-free in non-virtual thunk to WebKit::DateTimeChooserImpl::setValueAndClosePopup-2016-10-02
157875Heap-use-after-free in WebCore::OpenTypeVerticalData::substituteWithVerticalGlyphs-2016-10-02
157845Heap-use-after-free in skia::BGRAConvolve2D$5002016-10-02
157779Heap-use-after-free in WebKit::WebMediaStreamDescriptor::label-2016-10-02
157778Heap-use-after-free in WebCore::CSSStyleRule::style-2016-10-02
157585Heap-use-after-free in WebCore::BaseMultipleFieldsDateAndTimeInputType::~BaseMultipleFieldsDateAndTimeInputType-2016-10-02
158065Stack-buffer-overflow in WebCore::SVGMaskElement::~SVGMaskElement-2016-10-02
157463Heap-use-after-free in content::LocalVideoCapture::Stop-2016-10-02
157516Security: XSS auditor can sometimes be used to maliciously alter form action property.-2016-10-02
157363Heap-buffer-overflow in void std::__final_insertion_sort<WebCore::SMILTimeWithOrigin*>-2016-10-02
157289Invalid cast in WebCore::toInsertionPoint / WebCore::ContentDistributor::distribute-2016-10-02
157462Heap-use-after-free in webrtc::MediaStreamSignaling::UpdateRemoteStreams-2016-10-02
157079Security: Integer overflow in libwebp "ParseOptionalChunks" allows memory disclosure$3,5002016-10-02
157071Heap-use-after-free in non-virtual thunk to WebKit::DateTimeChooserImpl::setValueAndClosePopup-2016-10-02
157019UNKNOWN in v8::internal::Invoke-2016-10-02
157124UNKNOWN in v8::internal::ObjectHashTable::Put-2016-10-02
157053Heap-use-after-free in WebCore::Element::attributeChanged-2016-10-02
156977Heap-use-after-free in WebCore::RenderText::removeAndDestroyTextBoxes-2016-10-02
156980Security: workers can initialize the sandbox multithreaded-2016-10-02
157009Heap-use-after-free in WebCore::SubresourceLoader::willSendRequest-2016-10-02
81947Use after free in WebCore::requiresLineBox-2016-10-02
81753Valgrind reports issues in icu_46::RegexMatcher-2016-10-02
81916Stale observer in BrowsingDataRemover's observer_list_$5002016-10-02
81351CSSSelector double frees-2016-10-02
81348Use after free when removing elements with reflections-2016-10-02
81307Security: dropping file:/// URLs into gmail grants access to files-2016-10-02
81803out-of-bounds use in SkBitmapOperations::CreateMaskedBitmap-2016-10-02
81681Memory corruption in GraphicsContext::fillPath-2016-10-02
80680Security: .keystone_install_lock is insecurely handled in install.py-2016-10-02
80608Multiple integer overflows in SVG filter effects-2016-10-02
80401Url bar spoof using onbeforeunload when user cancels navigation-2016-10-02
80358WebCore::InspectorBackendDispatcher::Runtime_evaluate user after free-2016-10-02
81234Flash content vulnerability-2016-10-02
80255use after free in WebCore::RenderSVGInlineText::characterStartsNewTextChunk-2016-10-02
80222Herror of chrome-2016-10-02
80287Regression(81992): Stale node set as layout root-2016-10-02
80116Stale pointer in WebCore::Document::recalcStyleSelector-2016-10-02
79746Floats not cleared due to overflow (remaining usecase)$1,0002016-10-02
79726BrowserAccessibility browser process memory corruption-2016-10-02
79668invalid read w/new skia update-2016-10-02
79661Sandbox is broken (low integrity level)-2016-10-02
79595Bad cast due to childrenInline assumption in RenderSVGText-2016-10-02
79566Bypass extensions permission$5002016-10-02
79862Bypass extensions permission app launch web_url should not allow javascript: chrome:-2016-10-02
79452H-2016-10-02
79426HTTP Basic Auth Realm Spoof-2016-10-02
79371Use after free in ImplicitAnimation::~ImplicitAnimation-2016-10-02
79362Reproducible PDF crash (siryo3.pdf)-2016-10-02
79266Bypass unsafe file types dialog-2016-10-02
79075Stale node set as layout root, due to one caption not laid out in table with two captions-2016-10-02
79055Freed m_viewportRenderer in FrameView::updateOverflowStatus-2016-10-02
79025Use after free when inline runin precedes details tag-2016-10-02
78948Integer underflow in HTMLFormElement::m_associatedElementsAfterIndex-2016-10-02
78861Memory corruption in RenderViewHost related to observers code-2016-10-02
78842proslor.co.be-2016-10-02
78841invalid access with bad html$1,0002016-10-02
78798Security: XSS in dev tools HTML inspector-2016-10-02
78639Memory corruption leading to OOB read symptom in PDF initialization$1,0002016-10-02
78576compareDocumentPosition memory corruption-2016-10-02
78575Bad cast in reverseInlineBoxRangeAndValueListsIfNeeded-2016-10-02
78572CounterNode memory corruption-2016-10-02
78558chrome bug-2016-10-02
78524ANGLE buffer overflow$1,0002016-10-02
78516Looks like a stale frame in UserScriptSlave::InjectScripts-2016-10-02
78427url spoof through bookmark bar click-2016-10-02
78401Stale node being set as layout root-2016-10-02
78327Integer overflow in FilterEffect::copyImageBytes-2016-10-02
78296False warning of Google Chrome / Fake Antimalware Tool-2016-10-02
78270[LangFuzz] V8: Crash in HeapObject::map_word on GC$1,0002016-10-02
78559chrome bug-2016-10-02
78106ZDI-CAN-1108: WebKit ContentEditable Inline Style Remote Code Execution-2016-10-02
78071css parsing issue in calc$1,0002016-10-02
78038ThreadSanitizer reports a potential use after free in net::X509Certificate::Verify-2016-10-02
78031Url bar spoof$1,0002016-10-02
78145Invalid write in SVGTextLayoutEngine-2016-10-02
78053Stale m_fontList in svgFontAndFontFaceElementForFontData-2016-10-02
165747IPC: renderer out-of-bounds crash creating 3D context from malformed PPAPI message-2016-10-02
165836Information leak when sending messages cross process that use WriteData() on structures/objects which contain padding bytes.-2016-10-02
165549Security: Sandbox isolation not working-2016-10-02
165602Heap-use-after-free in WebCore::CSSStyleRule::style-2016-10-02
165804Security: SnapshotProvider exposed to other applications on the device-2016-10-02
165601Heap-use-after-free in matroska_parse_block-2016-10-02
165456Heap-use-after-free in WebCore::Element::hasPendingResources-2016-10-02
165430Heap-buffer-overflow in media::AudioRendererAlgorithm::OutputFasterPlayback-2016-10-02
165102Security: devtool xss-2016-10-02
165091Bypassing Chrome's XSS filter, XSSAuditor-2016-10-02
165537PDF: off-by-one read when scanning for startxref-2016-10-02
165538PDF: integer overflows in JS array handling-2016-10-02
165432Use after free in SVG path$5002016-10-02
164958IPC: PPAPI messages have problems with use of signed integers for lengths-2016-10-02
165015Heap-use-after-free in WebCore::Element::normalizeAttributes$1,0002016-10-02
164701PDF: regressions due to merge losing previous security fixes-2016-10-02
164697PDF: regressions in JBIG2 codec-2016-10-02
164682Input validation error in BrowserPluginEmbedderHelper::OnHandleInputEvent() leads to bad cast-2016-10-02
164643Security: ASan reports a use-after-free while using SecureShell-2016-10-02
165009Heap-use-after-free in WebCore::SVGSMILElement::disconnectConditions-2016-10-02
164946IPC: GPU messages have integer truncation (bad use of size_t) and integer sign extension (bad use of signed type) issues-2016-10-02
164582Heap-buffer-overflow in SkRectClipBlitter::blitAntiH-2016-10-02
164581Heap-use-after-free in WebCore::TextTrackCue::isActive-2016-10-02
164565Security: V8 bug may give out-of-bounds access to the stack-2016-10-02
164490IPC: integer overflow in Windows' SharedMemory::Create-2016-10-02
164454switch off mathml for m24-2016-10-02
164263Heap-use-after-free in WebCore::FrameSelection::directionOfSelection-2016-10-02
164584Translate should load resources over HTTPS even if the original page is loaded via HTTP.-2016-10-02
163593Heap-use-after-free in WebCore::RenderBlock::finishDelayUpdateScrollInfo [MathML]-2016-10-02
163588IPC::Channel::ChannelImpl::ProcessOutgoingMessages - crash-2016-10-02
163291Heap-buffer-overflow in WebCore::RenderGrid::layoutGridItems-2016-10-02
163238Security: XSS in bug tracker? <script>alert(0)</script> again?-2016-10-02
163218Heap-use-after-free in webkit_glue::WebURLLoaderImpl::Context::OnReceivedResponse-2016-10-02
163994Heap-use-after-free in WebCore::CachedResource::checkNotify-2016-10-02
163203IndexedDB: Assert hit in IDBObjectStoreBackendImpl::setIndexesReady-2016-10-02
162896Out of bounds read in WTF::String::String / WebCore::WebVTTParser::constructTreeFromToken-2016-10-02
163208Security: Workers don't initialize a sandbox on Mac-2016-10-02
162835Heap-use-after-free in WebCore::MediaPlayer::sourceSetTimestampOffset [exploitable]$7,3312016-10-02
162778PDF: use-after-frees in field name tree again-2016-10-02
162776PDF: out-of-bounds reads with crazy bits per component / num components values-2016-10-02
163110Heap-use-after-free in WebCore::ApplyStyleCommand::pushDownInlineStyleAroundNode-2016-10-02
162620Heap-use-after-free in WebCore::RenderSVGResourcePattern::applyResource-2016-10-02
162551Access violation write in _VEC_memcpy$1,0002016-10-02
162489Security: Small info leak in the SUID sandbox helper?-2016-10-02
162156PDF: more out-of-bounds reads with mismatched colorspaces-2016-10-02
162622Heap-use-after-free in WebCore::RenderBlock::willBeDestroyed-2016-10-02
162494Heap-use-after-free in WebCore::PopStateEvent::~PopStateEvent$1,0002016-10-02
162114Security: Renderer sandbox bypass by crafting LevelDB database in "profile/File System/"-2016-10-02
162115Heap-buffer-overflow in SkA8_Blitter::blitH-2016-10-02
162032Heap-use-after-free in udat_close_46-2016-10-02
161836Security: Possible directory traversal vulnerability in ExtensionResource::GetFilePath().-2016-10-02
161690Heap-use-after-free in WebCore::RenderSVGResourceContainer::markClientForInvalidation-2016-10-02
161662Heap-use-after-free in media::BlockingUrlProtocol::SignalReadCompleted-2016-10-02
162153PDF: bad cast if root page is not a dictionary object-2016-10-02
162066LOGFONT IPC deserializer doesn't require NULL terminated lfFaceName-2016-10-02
161564Security: Renderer sandbox bypass on ChildProcessSecurityPolicyImpl::SecurityState::HasPermissionsForFile()-2016-10-02
161484UNKNOWN in WebCore::RenderObject::propagateStyleToAnonymousChildren-2016-10-02
161478Heap-buffer-overflow in WebCore::Biquad::process-2016-10-02
161458Heap-buffer-overflow in apply_kernel_interp-2016-10-02
161420Heap-buffer-overflow in WTF::StringImpl::create-2016-10-02
161639Security: ffmpeg oob write4 (222)$2,0002016-10-02
161340Security: GPU sandbox is always disabled because of watchdog thread on Linux-2016-10-02
161240Heap-use-after-free in WebCore::AccessibilityRenderObject::remoteSVGRootElement-2016-10-02
77633write-after-free in v8::internal::RegExpMacroAssemblerX64::~RegExpMacroAssemblerX64-2016-10-02
77917Looks like a bad cast in RenderInputSpeech::paintInputFieldSpeechButton-2016-10-02
77786URL Bar Spoofing using redirection and location.reload();$5002016-10-02
77765 12 bad cast in editing code relating to htmlelement conversions, isprimitivevalue problems.-2016-10-02
77703Use-after-free in WebCore::isDeletableElement-2016-10-02
77700Captured an attack used against Chrome on many google image links, uses chromes own error template against itself-2016-10-02
77690Use after free in WebCore::ContainerNode::insertedIntoDocument / WebCore::SVGElement::insertedIntoDocument-2016-10-02
77940ZDI-CAN-1021: Apple Safari Webkit SVG Marker Remote Code Execution Vulnerability-2016-10-02
77812Security: Chrome Security Pop-up-2016-10-02
77669Bad cast in WebCore::BreakBlockquoteCommand::doApply-2016-10-02
77507URL Bar Spoof$1,0002016-10-02
77493OOB read with Flash$1,0002016-10-02
77349When object destroyed, its select file dialog is not informed to cleared its listener which can call back that destroyed object-2016-10-02
77346Use After Free in Websockets - possible remote code execution within sandbox$1,0002016-10-02
77181OOB function pointer array call FEComponentTransfer::apply-2016-10-02
77130stale entries in gPercentHeightDescendantsMap$1,0002016-10-02
77053Bad cast in HTMLTreeBuilder with closed </form> tags-2016-10-02
77038repair-2016-10-02
77026Bypass extension manifest permission$1,3372016-10-02
76966RIP goes to zero with select tag, and form validation message with position:relative$1,0002016-10-02
76955Renderer crash when visiting http://runescape.wikia.com/wiki/Special:Search-2016-10-02
76784Bad cast to RenderBlock in accessibility assuming that anonymous blocks are renderblocks.-2016-10-02
76771use after free in WebCore::ScriptWrappable::wrapper-2016-10-02
76666URL bar spoof$1,0002016-10-02
76646OOB read in FEDisplacementMap::apply-2016-10-02
76589Crash@ anonymous namespace'::PureCall() when navigate to previous page while speech input API fetching result text-2016-10-02
76542Linux setuid sandbox allows local privilege escalation$5002016-10-02
76474crash in WebKit::WebPluginContainerImpl::handleEvent()-2016-10-02
76202DownloadThrottlingResourceHandler::OnResponseCompleted NOTREACHED()-2016-10-02
76198Bad cast in HTMLTreeBuilder::processStartTag-2016-10-02
76528use after free in AnimationBase::next / AnimationControllerPrivate::styleAvailable-2016-10-02
76194bad cast in WebCore::toRenderBoxModelObject / WebCore::RenderMathMLRoot::layout-2016-10-02
76059 | WebCore::LayerTilerChromium::invalidateRect() - crash | $1,000 | 2016-10-02
76031 | Crash when visiting http://kikafriends.forumcommunity.net/ | - | 2016-10-02
76029 | Crash in webcore::rendertable::cellafter when visiting http://broadband.biglobe.ne.jp/ | - | 2016-10-02
76027 | securiti | - | 2016-10-02
76018 | Crash in network stack when running http/tests/loading/redirect-methods.html | - | 2016-10-02
76195 | potential bad cast in WebCore::toRenderCombineText/WebCore::RenderBlock::computeInlinePreferredLogicalWidths | - | 2016-10-02
76034 | Security:Instant hard-crash with JS code | - | 2016-10-02
75821 | Should we reconsider the no-client-UI decision for the web store? | - | 2016-10-02
75712 | Integer overflow in style elements | $1,337 | 2016-10-02
76001 | Stale pointer in WebCore::LayerRendererChromium::drawLayer | $1,000 | 2016-10-02
75835 | use of freed pointer in WebCore::RenderCounter::originalText() | - | 2016-10-02
75696 | Security: pushState() should be available only for origin-bearing schemes | - | 2016-10-02
75496 | chrome.dll!BrowserAccessibility..InternalReleaseReference ExecAV@NULL (cc7203fb809bd98728cf74b908e66edf) | - | 2016-10-02
75629 | Use after free in gpu::gles2::ShaderTranslator | - | 2016-10-02
75643 | CSS visited history disclosure | - | 2016-10-02
75436 | Detach Geolocation from Frame when Page destroyed. | - | 2016-10-02
75560 | Security: address bar updates not synchronized with document transitions | - | 2016-10-02
75186 | (WebCore::RenderObjectChildList::destroyLeftoverChildren) Use-after-free with nesting ruby tag and css propierties | $1,000 | 2016-10-02
75210 | Harfbuzz segfault in GPOS_Do_Glyph_Lookup | - | 2016-10-02
75021 | Use-after-free in InfoBar since ~r76800 | - | 2016-10-02
75311 | Bad cast in HTMLTreeBuilder::processStartTag | - | 2016-10-02
75347 | Bad cast to RenderBlock with floating select element with required attribute | $500 | 2016-10-02
75155 | Integer overflow in WebCore::GraphicsContext::fillRect (Mac) | - | 2016-10-02
75070 | Security: do not ignore type= on <object> | - | 2016-10-02
75374 | REGRESSION (r80320): Bad cast assertion failure when processing mis-nested foreign content. | - | 2016-10-02
74678 | v8 fuzzing - 1175 - use after free | $1,000 | 2016-10-02
74763 | Security: Domui process can be ptraced from a compromised renderer leading to sandbox escape | - | 2016-10-02
74887 | memcpy from TexSubImage2D causes memory corruption | - | 2016-10-02
74891 | chrome://appcache-internals/ xss | - | 2016-10-02
74720 | Read uninitialized value from JavaScript. | - | 2016-10-02
74677 | v8 fuzzing - 1160 - bad cast of object to string in array join | - | 2016-10-02
169685 | Missing validation of webkit_base::DataElement across IPC | - | 2016-10-02
169672 | Heap-buffer-overflow in WTF::AtomicString::add | - | 2016-10-02
169632 | Security: extensions can silently gain file: host permissions via permissions API | - | 2016-10-02
74675 | v8 fuzzing - 1146 - invalid memory access | $1,000 | 2016-10-02
74673 | v8 fuzzing - 1166 - exploitable write | $1,000 | 2016-10-02
74672 | v8 fuzzing - 1138 - use after free | $1,000 | 2016-10-02
74671 | v8 fuzzing - 1136 - corrupt JIT code | $1,000 | 2016-10-02
169247 | Attempting free in content::PeerConnectionTracker::UnregisterPeerConnection | - | 2016-10-02
169156 | Security: Use after free in FlingAnimatorImplAndroid - writing value to this after this is deleted | - | 2016-10-02
169054 | Security: memory corruption with webgl on linux intel driver | $3,133 | 2016-10-02
169295 | IPC: bad pointer used in browser if renderer sends mismatched vector lengths | - | 2016-10-02
169398 | Heap-use-after-free in WebCore::RenderBlock::willBeDestroyed | - | 2016-10-02
169401 | Security: JavaScript injection into arbitrary web pages via Intent with JavaScript URI | $500 | 2016-10-02
168968 | Heap-use-after-free in DownloadRequestInfoBarDelegate::~DownloadRequestInfoBarDelegate | - | 2016-10-02
169006 | Heap-use-after-free in WebCore::accumulateDocumentEventTargetRects | - | 2016-10-02
168768 | Heap-use-after-free in WebKit::WebMediaPlayerClientImpl::AudioSourceProviderImpl::setClient | $1,000 | 2016-10-02
168710 | IPC: avoid operator-new based integer overflow in Flash menu deserialization | - | 2016-10-02
168982 | Heap-use-after-free in WebCore::SVGAnimateMotionElement::updateAnimationPath | - | 2016-10-02
168969 | Heap-use-after-free in WebCore::Element::hasPendingResources | - | 2016-10-02
168780 | Heap-use-after-free in WebCore::RenderObject::willBeRemovedFromTree | - | 2016-10-02
168473 | Heap-buffer-overflow in vorbis_floor0_decode | - | 2016-10-02
168570 | Crashing in webkit_media::WebMediaPlayerMS::putCurrentFrame(WebKit::WebVideoFrame *) | - | 2016-10-02
168489 | Heap-use-after-free in WebCore::AccessibilityNodeObject::document | - | 2016-10-02
168442 | Security: Non-privileged extensions can monitor browsing activity via chrome.tabs.onUpdated events | - | 2016-10-02
167840 | Linux sandbox bypass in file_util_posix.cc CopyDirectory() | - | 2016-10-02
167788 | Security: heap-buffer-overflow on GetImageRepToPaint. | - | 2016-10-02
167780 | Heap-use-after-free in bool WebCore::SelectorChecker::checkOneSelector<WebCore::DOMSiblingTraversalStrategy> | - | 2016-10-02
167868 | Heap-use-after-free in WebCore::Document::updateHoverActiveState | - | 2016-10-02
168050 | Attacker controlled size mismatch in WidgetDidReceivePaintAtSizeAck() | - | 2016-10-02
167827 | Heap-use-after-free in WebCore::Element::cloneElementWithoutChildren | - | 2016-10-02
167924 | Heap-use-after-free in WebCore::RenderLayerModelObject::hasSelfPaintingLayer | - | 2016-10-02
167498 | Heap-use-after-free in WebCore::CSSStyleRule::style | - | 2016-10-02
167443 | Heap-buffer-overflow in WebCore::FontCache::releaseFontData | - | 2016-10-02
167412 | IPC: GPU message OnMsgAssignPictureBuffers incorrectly assumed same-sized vectors | - | 2016-10-02
167728 | Heap-use-after-free in WebCore::SVGTransformListV8Internal::numberOfItemsAttrGetter | - | 2016-10-02
167607 | Security: Failure to enforce key usage | - | 2016-10-02
167572 | Heap-use-after-free in WebCore::HTMLConstructionSite::mergeAttributesFromTokenIntoElement | - | 2016-10-02
167147 | Heap-use-after-free in WebCore::Document::implicitClose | - | 2016-10-02
167122 | HyphenatorHostMsg_OpenDictionary IPC allows arbitrary file reads from a compromised renderer | - | 2016-10-02
167110 | Heap-buffer-overflow in WebCore::HTMLTreeBuilder::resetInsertionModeAppropriately | - | 2016-10-02
167069 | Heap-buffer-overflow in matroska_parse_block | $500 | 2016-10-02
166916 | Security: mixed content XHR doesn't trigger mixed content warnings | - | 2016-10-02
166867 | Security: ReferencesParent bypass with a 0x00 byte | - | 2016-10-02
166795 | Harden audio stream creation in the browser | - | 2016-10-02
167180 | Security: NaCl ARM validator sandbox escape, Chrome M25 | - | 2016-10-02
167311 | Heap-use-after-free in WebCore::GenericEventQueue::enqueueEvent | - | 2016-10-02
167218 | Arbitrary server response with Content-Encoding including sdch can cause crashes if sdch is not configured | - | 2016-10-02
166621 | Heap-use-after-free in WebCore::accumulateDocumentEventTargetRects | - | 2016-10-02
166565 | Heap-buffer-overflow in media::AudioBus::FromInterleavedPartial | - | 2016-10-02
166554 | [LangFuzz] Crash at v8::internal::Deoptimizer::DoComputeOutputFrames with invalid read | $1,000 | 2016-10-02
166553 | [LangFuzz] Crash at v8::internal::HeapObject::SizeFromMap with invalid read | $1,000 | 2016-10-02
166523 | [Mac] apprtc crashes when output sampling rate set to 96000 Hz | - | 2016-10-02
166513 | Heap-use-after-free in WebCore::StyledElement::ensureMutableInlineStyle | - | 2016-10-02
166503 | audio getUserMedia call crashes tab when input sampled at 88200 Hz | - | 2016-10-02
166708 | BrowserPluginGuest blindly trusts the size of shared memory regions leading to overflow | - | 2016-10-02
166627 | Heap-use-after-free in WebCore::Prerender::didStartPrerender | - | 2016-10-02
166324 | Heap-use-after-free in WebCore::RenderBlock::insertIntoTrackedRendererMaps | - | 2016-10-02
166336 | Heap-use-after-free in WebCore::RenderBlock::determineStartPosition | - | 2016-10-02
166271 | PDF: use-after-free in colorspace cache | - | 2016-10-02
166257 | Security: ChromeBrowserSyncAdapterService is exported, but does not need to be? | - | 2016-10-02
165928 | Heap-use-after-free in WebCore::SVGSMILElement::isSMILElement | - | 2016-10-02
166493 | IPC: missing integer checks on Pepper UDP socket handling | - | 2016-10-02
166306 | WebCore::SMILTimeContainer::updateAnimations - crash | - | 2016-10-02
165926 | Heap-use-after-free in WTF::Vector<WTF::RefPtr<WebCore::Node>, 0ul>::shrinkCapacity | - | 2016-10-02
165864 | Heap-use-after-free in WebCore::ChildNodeInsertionNotifier::notifyDescendantInsertedIntoDocument | $1,000 | 2016-10-02
74665 | v8 fuzzing - 1109 (out of bounds write) | $1,000 | 2016-10-02
74662 | v8 fuzzing - 1108 potential use-after-free in RegExp code | $1,000 | 2016-10-02
74660 | v8 fuzzing - 1174 - out-of-bounds write in reloc info | $1,000 | 2016-10-02
74653 | bypass SOP with blob: | $1,000 | 2016-10-02
74669 | v8 fuzzing - 1113 - stack corruption | $1,000 | 2016-10-02
74670 | v8 fuzzing 1128 - out of bounds write | $500 | 2016-10-02
74666 | v8 fuzzing 1122 - stack corruption | $1,000 | 2016-10-02
74372 | chrome://blob-internals/ xss | - | 2016-10-02
73962 | use after free due to floats not cleared (overflow) | $1,000 | 2016-10-02
74585 | Crash in CookieMonster DeleteAnyEquivalentCookie. | - | 2016-10-02
74650 | Placeholder bug for v8 security issues affecting Chrome 9 | - | 2016-10-02
74649 | OOB read in SearchBuffer::append | - | 2016-10-02
74348 | Regression: Stale node set as layout root (issue in Canvas parent layout) | - | 2016-10-02
73887 | GMail renderer crash @ MessageLoop::PostTask_Helper(tracked_objects::Location const &,Task *,__int64,bool) | - | 2016-10-02
73716 | Leak of address of heap object via xslt generate-id() function | - | 2016-10-02
73932 | Bad cast to text node in CompositeEditCommand::breakOutOfEmptyMailBlockquotedParagraph | - | 2016-10-02
73899 | Regression: Crash in RenderCombineText::combineText when running fast/text/international/text-combine-parser-test.html on Windows with full page heap enabled | - | 2016-10-02
73893 | Chrome:+Crash+Report+-+Stack+Signature:+`anonymous+namespace'::PureCall()-0ba6cf43_1414c783_9939c740_d9e6ed78_7be33815 | - | 2016-10-02
73235 | Stale pointer in WebCore::RenderBlock::lowestPosition | $1,000 | 2016-10-02
73216 | Use after free of frame loader in DocumentLoader::commitLoad | $1,000 | 2016-10-02
73526 | Floats not cleared to logical height wraps. | $1,000 | 2016-10-02
73478 | Pages can continuously poll the OS clipboard for paste data | - | 2016-10-02
73338 | Regression: stack buffer overflow in utf8 converter | - | 2016-10-02
73001 | Use-after-free in ObserverListBase / TabContents | - | 2016-10-02
73026 | dereference poisoned value in avcodec_52!ff_thread_decode_frame | - | 2016-10-02
72910 | Browser crash/segfault when selecting very long option in select | - | 2016-10-02
72908 | Freed timer heap element used | - | 2016-10-02
72832 | Reliability issues with WebCore::RenderBlock due to use after free in floats | - | 2016-10-02
73134 | Crash due to bad cast to rendertextfragment in updatefirstletter. | $1,000 | 2016-10-02
73163 | Heap corruption in safe_browsing detected on the Valgrind bot (might be fixed by SQLITE ROLL ??) | - | 2016-10-02
72936 | Freed scrollbar in ScrollView::updateScrollbars | - | 2016-10-02
72492 | Cross application unsafe redirect | $1,000 | 2016-10-02
72437 | Crash in ContainerNodeAlgorithms.h with outdated ice-tea plugin | $1,000 | 2016-10-02
72434 | stale pointer, invalid read, svg | - | 2016-10-02
72523 | chrome.tabs.captureVisibleTab allows capturing images of any "file://" resource | - | 2016-10-02
72517 | Dev. console null character crash @ history::URLDatabase::GetMostRecentKeywordSearchTerms | $500 | 2016-10-02
72399 | Valgrind reports on JPEG decoding since r74103 | - | 2016-10-02
72340 | use after free in WebCore::RenderCounter::destroyCounterNode | $1,000 | 2016-10-02
72189 | Bypass popup blocker using custom event and onMouseOver | - | 2016-10-02
72135 | IDBTransaction and IDBRequest can be deleted while ScriptExecutionContext is iterating | - | 2016-10-02
72134 | Potential buffer overrun in SVGTextRunWalker::walk() | - | 2016-10-02
72028 | Stale continuation flow pointer for ContinuationOutlineTableMap | $1,000 | 2016-10-02
71960 | OOB Read in WebGL due to integer overflows | - | 2016-10-02
72387 | Out of bounds read in WebCore::LayerTilerChromium::invalidateRect (dev only) | $1,000 | 2016-10-02
72217 | HTMLFormElement::formElementIndex() returns a bad index into a vector of form associated elements | - | 2016-10-02
71786 | ThreadSanitizer reports a race on WebCore::schemesWithUniqueOrigins (on cross_fuzz) | - | 2016-10-02
71734 | Security: accessing DataView methods with negative index could cause crash | - | 2016-10-02
71717 | webgl causes segfault | - | 2016-10-02
71601 | Switch to https by default in autofill toolbar server queries | - | 2016-10-02
71788 | Memory corruption playing back specially crafted .ogg vorbis file. | - | 2016-10-02
71763 | use-after-free when document.close and document.write are called after requesting a non-existing script | $1,000 | 2016-10-02
71855 | stale pointer in WebCore::RenderBlock::insertFloatingObject | $1,000 | 2016-10-02
71545 | Chrome_Mac: Crash Report - Stack Signature: WebKit::NotificationPresenterImpl::checkPermission-5428423 | - | 2016-10-02
71388 | Security:WebCore::HTMLTextAreaElement::updateValue+0xf | $1,000 | 2016-10-02
71386 | Stale nodes in Document::recalcStyleSelector | $1,000 | 2016-10-02
71370 | https not properly connected to google doc and gmail. | - | 2016-10-02
71357 | PPAPI var objects reference invalid memory when the instance is deleted | - | 2016-10-02
71586 | race in base/third_party/xdg_mime (crasher) | $500 | 2016-10-02
71296 | Stale iterator in SVGDocumentExtensions::startAnimations() | $1,000 | 2016-10-02
71551 | Cross_fuzz and ClusterFuzz crashes in WebCore::DatabaseTracker::removeOpenDatabase | - | 2016-10-02
71345 | fail to connect with https when browsing google doc in chrome | - | 2016-10-02
71203 | Branch ANGLE and merge fixes to m9 | - | 2016-10-02
173654 | Heap-use-after-free in WebCore::FrameSelection::notifyRendererOfSelectionChange | - | 2016-10-02
173500 | XSS: chromiumbugs.appspot.com | - | 2016-10-02
173483 | New search UI (1993) could lead to self-XSS | $500 | 2016-10-02
173402 | ASSERTION FAILED: !object || object->isRenderImage(), UNKNOWN in WebCore::HTMLAnchorElement::handleClick | - | 2016-10-02
173399 | ASSERTION FAILED: !object || object->isBox(), UNKNOWN in WebCore::RenderListItem::positionListMarker | - | 2016-10-02
173397 | Heap-buffer-overflow in WTF::MemoryInstrumentation::Wrapper<WebCore::ContainerNode>::callReportMemoryUsage | - | 2016-10-02
173341 | Heap-use-after-free in content::PeerConnectionTracker::TrackSetSessionDescription | - | 2016-10-02
173250 | Security: Heap-Buffer-Overflow in extensions::SetIconNatives | - | 2016-10-02
173050 | Heap-use-after-free in WebCore::Node::removedLastRef | - | 2016-10-02
173049 | Heap-use-after-free in WebKit::WebLayerImpl::layer | - | 2016-10-02
172993 | Heap-use-after-free in WebCore::ScrollingCoordinator::hasVisibleSlowRepaintViewportConstrainedObjects | - | 2016-10-02
173068 | ASSERTION FAILED: i < size(), UNKNOWN in WebCore::RenderFrameSet::paint | - | 2016-10-02
172926 | Heap-buffer-overflow in WebCore::AudioBufferSourceNode::process | $1,000 | 2016-10-02
172918 | Flash shouldn't load if the "src" URL has a bad content type and Content-Type-Options: nosniff | - | 2016-10-02
172824 | ASSERTION FAILED: i < size(), UNKNOWN in WebCore::commonTreeScope | - | 2016-10-02
172822 | ASSERTION FAILED: !object || object->isTextControl(), UNKNOWN in WebCore::TextControlInnerTextElement::customStyleForRenderer | - | 2016-10-02
172984 | Any MITM attacker can load NaCl :-( | - | 2016-10-02
172814 | Heap-use-after-free in WebCore::RenderTextTrackCue::layout | - | 2016-10-02
172658 | Security: TLS timing attack leading to message recovery | - | 2016-10-02
172573 | Compromised renderer can load banned plug-in | - | 2016-10-02
172342 | Heap-use-after-free in WebCore::AudioNodeInput::updateInternalBus | $1,000 | 2016-10-02
172331 | Use-after-free in WebCore::VectorMath::vsmul | $1,000 | 2016-10-02
172794 | ASSERTION FAILED: i < size(), UNKNOWN in WebCore::HTMLTreeBuilder::resetInsertionModeAppropriately | - | 2016-10-02
172243 | Heap-buffer-overflow in WebCore::OscillatorNode::process | $1,000 | 2016-10-02
172119 | Security: Do not allow Chrome Web Store URLs to commit in unprivileged processes | - | 2016-10-02
171962 | UNKNOWN in _wordcopy_fwd_aligned | - | 2016-10-02
171951 | Security: UAF in WebCore::SecurityOrigin::databaseIdentifier() | $1,500 | 2016-10-02
172264 | DatabaseMessageFilter: path traversal in origin_identifier | - | 2016-10-02
172071 | verify svn.golo.chromium.org subversion package is up-to-date with security fixes | - | 2016-10-02
171557 | ASSERTION FAILED: !object || object->isBox(), UNKNOWN in WebCore::toRenderBox | - | 2016-10-02
171392 | Cross-Origin copy&paste / drag&drop allowing XSS (again, this time srcdoc) | - | 2016-10-02
171630 | ASSERTION FAILED: document() == newChild->document(), UNKNOWN in WebCore::ContainerNode::parserAppendChild | - | 2016-10-02
171569 | Security: Escape from NaCl sandbox on Mac OS X due to signal handler without SA_ONSTACK | - | 2016-10-02
170715 | SIGSEGV in NotificationUIManagerImpl::CancelAllBySourceOrigin() | - | 2016-10-02
171130 | Heap-use-after-free in WebCore::AXObjectCache::notificationPostTimerFired | - | 2016-10-02
170666 | Heap-use-after-free in SkAlphaRuns::add | - | 2016-10-02
171131 | Heap-use-after-free in WebCore::AccessibilityRenderObject::remoteSVGRootElement | - | 2016-10-02
170683 | Heap-use-after-free in ChromeURLDataManagerBackend::StartRequest | - | 2016-10-02
171134 | XSS in 1993 history handling | $500 | 2016-10-02
170679 | Heap-buffer-overflow in WebCore::RenderBlock::clone | - | 2016-10-02
170199 | Heap-use-after-free in WebCore::HTMLSelectElement::length | - | 2016-10-02
170240 | Heap-use-after-free in WebCore::LiveNodeListBase::invalidateCache | - | 2016-10-02
170360 | Use-after-free: Merge http://trac.webkit.org/changeset/139732 | - | 2016-10-02
170432 | UNKNOWN in WTF::equalIgnoringCase | - | 2016-10-02
170237 | Heap-use-after-free in WebCore::InspectorInstrumentation::didHandleEventImpl | - | 2016-10-02
170188 | Heap-use-after-free in WebCore::Document::updateHoverActiveState | - | 2016-10-02
169973 | IPC: out-of-bounds vector accesses with mismatched vector | - | 2016-10-02
169972 | Security: Heap-Buffer-Overflow in usb_api.cc:CreateBufferForTransfer | - | 2016-10-02
169966 | IPC: negative integer in command to safe browsing host will cause bad vector access | - | 2016-10-02
169770 | IPC: Unvalidated content type used as index for write into raw array | - | 2016-10-02
169765 | Security: Integer overflow in libusb_alloc_transfer causes Heap-Buffer-Overflow in chrome.usb.isochronousTransfer | - | 2016-10-02
170184 | Heap-buffer-overflow in WebCore::RenderTableSection::nodeAtPoint | - | 2016-10-02
170034 | Security: ASAN issue in chromeos::VersionInfoUpdater::OnBootTimes() | - | 2016-10-02
169981 | Security: chrome.usb Api missing parameter validation for "length" | - | 2016-10-02
169723 | [LangFuzz] Crash at v8::internal::AccessorPair::GetComponent with invalid read | $1,000 | 2016-10-02
71115 | Stale pointer in WebCore::RenderTable::firstLineBoxBaseline | $1,000 | 2016-10-02
71114 | Stale pointer due to table childs incorrect added | $1,000 | 2016-10-02
71167 | Bypass popup blocker using custom event (variation of issue 3275) | - | 2016-10-02
70877 | Arbitrary cross-origin bypass using SyntaxError and Number prototype overrides | $1,337 | 2016-10-02
70819 | Empty address bar after opening an URL from extension in new tab | - | 2016-10-02
70779 | width of boundingClientRect for Range with unicode combining characters is corrupted | - | 2016-10-02
70718 | crashes when opening a page with webgl | - | 2016-10-02
70589 | race on a linked list in third_party/WebKit/Source/WebCore/platform/sql/chromium/SQLiteFileSystemChromiumPosix.cpp | - | 2016-10-02
71027 | REGRESSION: crash after download and close window (only in incognito) | - | 2016-10-02
70885 | Bypass popup blocker using iframe | - | 2016-10-02
70456 | OOM handler not always properly terminating process | $1,000 | 2016-10-02
70538 | Open popup in new tab using java applet | - | 2016-10-02
70374 | Browser crash: DeterminePossibleFieldTypesForUpload | - | 2016-10-02
70577 | Security: webgl crashes on all tabs + processing spike even after all webgl programs are closed | - | 2016-10-02
70376 | Pickle::FindNext reads payload_size without checking that the header is complete | - | 2016-10-02
70244 | height of <rect> - integer overflow(?) | $1,000 | 2016-10-02
70337 | Regression: new window.onerror() implementation leaks cross-origin Javascript errors | - | 2016-10-02
70070 | WebGL crashes depending on uniform names | $500 | 2016-10-02
70231 | Prefetch: Do not present authentication prompt | - | 2016-10-02
70336 | Cross-origin Javascript error message leak via Worker importScripts() | $500 | 2016-10-02
70078 | Crash by form controls with form attributes under orphan nodes | $500 | 2016-10-02
69934 | Use after free in LayoutPluginTester.SelfDeletePluginInvoke | - | 2016-10-02
69825 | security flaw | - | 2016-10-02
69970 | Invalid read in convertV8ObjectToNPVariant | - | 2016-10-02
70027 | Stale text node in linebox due to failure to dirty linebox when that text child is dirtied | $1,000 | 2016-10-02
69965 | Use after free in geolocation infobars | - | 2016-10-02
69628 | Probable memory corruption in WebCore::CounterNode::lastDescendant | $500 | 2016-10-02
69597 | Segfault in WebCore::ContainerNode::removeAllChildren() | - | 2016-10-02
69569 | Crashed @ IPC::Channel::ChannelImpl::OnIOCompleted when delete browser history | - | 2016-10-02
69657 | Not signing out from my https webmail account. | - | 2016-10-02
69531 | Valgrind/Memcheck reports uninitialized use of SkGlyph::fMaskFormat in third_party/skia/src/core/SkScalerContext.cpp | - | 2016-10-02
69640 | memcheck: read after free in third_party/icu/source/common/unormimp.h | - | 2016-10-02
69556 | Issue with merging anonymous block in renderblock::removechild (2) | $1,000 | 2016-10-02
69275 | Use after free in scrollbars | - | 2016-10-02
69187 | Error prototypes are called on remote scripts | $1,337 | 2016-10-02
69159 | Crash @ PasswordStore::RemoveLogin | - | 2016-10-02
69106 | ZDI-CAN-1009: Apple Webkit setOuterText Memory Corruption Remote Code Execution Vulnerability | - | 2016-10-02
69294 | Browser crash when executing indexedDb tutorial.html in an incognito window. | - | 2016-10-02
69195 | playing Z-Type causes crash | - | 2016-10-02
68741 | Stale pointers in CSSOM - 2 | $1,000 | 2016-10-02
68646 | Integer overflow and signed comparison in RenderView::DidDownloadApplicationIcon() | - | 2016-10-02
68641 | Stale form associated element pointer in Document object | $1,000 | 2016-10-02
68773 | Chrome: Crash Report - Stack Signature: UTF8ToUTF16(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &)-382777c6_d21c627c_9e383e89_c1eaa2f5_ef047e8d | - | 2016-10-02
68766 | Chrome: Crash Report - Stack Signature: net::HttpStreamFactory::~HttpStreamFactory()-2A77B8F | - | 2016-10-02
68434 | Search Bug Dynamic dns | - | 2016-10-02
68369 | Installing extensions in "popup"-type windows crash browser | - | 2016-10-02
68342 | Aw snap on github.com with voice search extension installed | $500 | 2016-10-02
68439 | Destroying nextblock in RenderBlock::removeChild can cause oldChild and nextblock's next sibling to be merged. | $1,000 | 2016-10-02
68244 | Playing audio with volume set to undefined crashes browser | - | 2016-10-02
68170 | invalid free() in bundled pdf viewer | $1,000 | 2016-10-02
68259 | Virus, exploit in maps | - | 2016-10-02
68130 | Memory corruption in font draws for accelerated 2d canvas. | - | 2016-10-02
68115 | Memory corruption with bad Vorbis streams (from CERT) | $1,000 | 2016-10-02
68075 | chrome.dll!WebCore::CounterNode::resetRenderers ExecAV@NULL (7b931db52815b50413964fbdd401fe15) | - | 2016-10-02
68062 | OOB read crash in SVG length list parsing algorithm | - | 2016-10-02
67968 | Use after free due to adjacent floats not cleared properly from parents | - | 2016-10-02
67966 | the bank tell me my browser ar not safe | - | 2016-10-02
67923 | Stale pointer in SVGImage | - | 2016-10-02
68120 | Stale pointer in CSSFontFaceSource::m_svgFontFaceElement | $1,000 | 2016-10-02
177913 | Heap-buffer-overflow in AutofillExternalDelegate::OnSuggestionsReturned | - | 2016-10-02
177876 | Heap-use-after-free in webkit::ppapi::PPB_URLLoader_Impl::FillUserBuffer | - | 2016-10-02
177858 | Global-buffer-overflow in v8::internal::MaybeObject* v8::internal::SlowQuoteJsonString<unsigned char, v8::internal::SeqOneByte | - | 2016-10-02
177932 | Heap-use-after-free in WebCore::SVGElementInstance::invalidateAllInstancesOfElement | - | 2016-10-02
177873 | Security: out of bounds write with webgl and gl.DEPTH_COMPONENT | $1,000 | 2016-10-02
177688 | ASSERTION FAILED: obj->isRenderInline() || obj == this, Bad cast in WebCore::RenderBlock::createLineBoxes | - | 2016-10-02
177620 | Heap-use-after-free in WebCore::HTMLMediaElement::~HTMLMediaElement | $1,000 | 2016-10-02
177410 | Heap-use-after-free in extensions::BookmarksIOFunction::ShowSelectFileDialog | - | 2016-10-02
177403 | ASSERTION FAILED: !node || node->isElementNode(), UNKNOWN in WebCore::RenderBlock::clone | - | 2016-10-02
177737 | Heap-use-after-free in webrtc::DataChannel::Send | - | 2016-10-02
177686 | Heap-use-after-free in WebCore::ImageLoader::dispatchPendingErrorEvent | - | 2016-10-02
177815 | pepper_flash_clipboard_message_filter.cc assumed same-sized vectors from untrusted Flash process | - | 2016-10-02
176882 | Heap-use-after-free in WebCore::FrameLoader::checkCompleted | $1,000 | 2016-10-02
176863 | ASSERTION FAILED: !detachingNode, Heap-buffer-overflow in WebCore::CSSImageGeneratorValue::removeClient | - | 2016-10-02
177215 | ASSERTION FAILED: static_cast<unsigned>(m_start + length) <= string.length(), UNKNOWN in WebCore::InlineTextBox::paint | - | 2016-10-02
176719 | Global-buffer-overflow in cld::ProcessProbV25UniTote | - | 2016-10-02
176692 | postTaskForModeToWorkerContext/dispatchTaskToWorkerThread invalid pointer crash with Workers/FileSystem API | $1,000 | 2016-10-02
177197 | Heap-buffer-overflow in void WTF::Vector<unsigned short, 1024ul>::insert<unsigned short> | - | 2016-10-02
176738 | ASSERTION FAILED: itemIndex < m_values->size(), UNKNOWN in WebCore::SVGPathSegListPropertyTearOff::processIncomingListItemValue | - | 2016-10-02
176514 | Heap-use-after-free in WebCore::RenderObject::propagateStyleToAnonymousChildren | - | 2016-10-02
176298 | Heap-buffer-overflow in std::_Rb_tree<int, int, std::_Identity<int>, std::less<int>, std::allocator<int> >::erase | - | 2016-10-02
176252 | RenderViewHostImpl::OnMessageReceived | $1,000 | 2016-10-02
176137 | Data extraction with XSS Auditor | $500 | 2016-10-02
176676 | Heap-use-after-free in cricket::TransportChannelProxy::SetImplementation | - | 2016-10-02
176033 | Use-after-free in webrtc::WebRtcSession::data_channel() | - | 2016-10-02
176027 | Heap-buffer-overflow in SkARGB32_Opaque_Blitter::blitMask | - | 2016-10-02
175741 | UNKNOWN in webkit::ppapi::PluginInstance::PrintPDFOutput | - | 2016-10-02
175343 | ASSERTION FAILED: i < size(), UNKNOWN in WebCore::AccessibilityMenuListPopup::didUpdateActiveOption | - | 2016-10-02
175342 | Heap-use-after-free in WebCore::DeleteButtonController::enable | - | 2016-10-02
175305 | ASSERTION FAILED: i < size(), UNKNOWN in WebCore::HTMLTreeBuilder::resetInsertionModeAppropriately | - | 2016-10-02
176056 | Global-buffer-overflow in v8::internal::MarkCompactCollector::EmptyMarkingDeque | - | 2016-10-02
174920 | Heap-use-after-free in WebCore::CachedCSSStyleSheet::checkNotify | - | 2016-10-02
174676 | Heap-use-after-free in SpellcheckHunspellDictionary::InitializeDictionaryLocation | - | 2016-10-02
174846 | Heap-use-after-free in WebCore::ElementRuleCollector::collectMatchingRulesForList | - | 2016-10-02
175069 | Heap-use-after-free in net::SpdySession::DoLoop | - | 2016-10-02
174895 | IndexedDB: missing check that index_ids and index_keys have equal size | - | 2016-10-02
174566 | ASSERTION FAILED: i < size(), UNKNOWN in WebCore::SVGListProperty<WebCore::SVGPathSegList>::replaceItemValues | - | 2016-10-02
174328 | IndexedDB: overflow of 2-bit index id size field | - | 2016-10-02
174146 | Crashing in gpu::gles2::GLES2Implementation::ReadPixels(int,int,int,int,unsigned int,unsigned int,void *) | - | 2016-10-02
174137 | Crashing in WebCore::ChannelMergerNode::process(unsigned int) | - | 2016-10-02
174129 | Security: Silent HTTP Basic Authentification & HTTP Authentification Brute Force | - | 2016-10-02
174579 | stack-buffer-overflow in ui::ScrollEvent::Scale on Chrome OS | - | 2016-10-02
174150 | Crashing in media::VideoRendererBase::ThreadMain() | - | 2016-10-02
174020 | ASSERTION FAILED: !object || object->isMenuList(), UNKNOWN in WebCore::HTMLSelectElement::menuListDefaultEventHandler | - | 2016-10-02
173906 | document.referrer leakage with XSS Auditor page block | - | 2016-10-02
173880 | Heap-buffer-overflow in media::OpusAudioDecoder::ConfigureDecoder | - | 2016-10-02
174049 | ASSERTION FAILED: i < size(), UNKNOWN in WebCore::RenderTableSection::layout | - | 2016-10-02
174017 | ASSERTION FAILED: i < size(), UNKNOWN in WebCore::SVGAnimationElement::currentValuesForValuesAnimation | - | 2016-10-02
173781 | Heap-buffer-overflow in void std::__introsort_loop<WebCore::GridTrack**, long, bool | - | 2016-10-02
173688 | Security: Non-web-accessible extension URLs should not load in non-extension processes | - | 2016-10-02
67393 | Freeing invalid uninitialized pointer to bug_report_ object | $1,000 | 2016-10-02
67363 | EXTERNAL-REPORT: SVGElementInstance::m_useElement not cleared on corresponding use element destruction | $500 | 2016-10-02
67577 | Switch .jar and .class to always-warn | - | 2016-10-02
67234 | Webkit crashes during animation event processing | - | 2016-10-02
67303 | renderer crash when playing a corrupt webm video | $1,000 | 2016-10-02
67208 | VU#821271 Exception generated by code running in the Stack | $1,000 | 2016-10-02
66986 | Reparenting error due to double merge of anonymous blocks in removeChild | - | 2016-10-02
66962 | browser crash when reproducing issue #64051 | - | 2016-10-02
66931 | Google Chrome crashes at https://webmail.afmc.af.mil/Exchange | - | 2016-10-02
66841 | Chrome View keeps changing percentage(decreasing to 50%) automatically | - | 2016-10-02
67100 | Crash in PDF form event handling when deleting page from underneath self | - | 2016-10-02
66760 | ZDI-CAN-968: Apple Webkit Font Glyph Layout Remote Code Execution Vulnerability | - | 2016-10-02
66718 | webgl page causes X server crash | - | 2016-10-02
66700 | chrome.dll!WebCore::RenderTextControlSingleLine::speechAttributeChanged ReadAV@NULL (7acb553d23eecf733d9ececf57a499f7) | - | 2016-10-02
66676 | REGRESSION: Crash on exit after clearing all downloads | - | 2016-10-02
66486 | MAC OSX 10.6.5 google chrome | - | 2016-10-02
66473 | Crash in ReplaceSelectionCommand::doApply when modified during mutation event | - | 2016-10-02
66748 | CSSCursorImageValue not clearing SVGElement back pointer | $500 | 2016-10-02
66334 | Crashes at wild EIP when pressing "print" button on PDFs | - | 2016-10-02
65942 | Stale pointer in Range::processContents when modified during mutation event | - | 2016-10-02
65869 | crash when rapidly reloading a page with an applet | - | 2016-10-02
65845 | Bad cast from RenderText to RenderBox due to details tag being shown inline. | - | 2016-10-02
65796 | Children of cloned anonymous blocks should set childreninline flag | - | 2016-10-02
65299 | Out of bound read when using modified webp file | $500 | 2016-10-02
65194 | Renderer crash @ gpu::gles2::GLES2Implementation::TexSubImage2D(unsigned int,int,int,int,int,int,unsigned int,unsigned int,void const *) | - | 2016-10-02
64974 | Integer overflow leading to OOB read, possible memory corruption in webgl getfloat32 | - | 2016-10-02
64949 | Crash with progressive rendering | - | 2016-10-02
64788 | Access data from my company Google Docs (domain wittit.com) with my gmail account. | - | 2016-10-02
64669 | Not allow overwrite of field data when merging profile data | - | 2016-10-02
64559 | Bad cast when selection changes for combo boxes. | - | 2016-10-02
64456 | Chrome crashes when attempting to install a userscript. | - | 2016-10-02
64945 | Crash when webp image is invalid | $1,000 | 2016-10-02
64364 | Failure at startup when opening the browser | - | 2016-10-02
64331 | Stale node being set as layout root when rendering meter, progress elements. | - | 2016-10-02
64088 | Use after free due to calling a stale timer on a closed frame/document | - | 2016-10-02
64046 | WebKit 49902 - chrome.dll!WebCore::toWebWidgetClient ReadAV@NULL (08ffd4f21a8c6465bb1e19a2f52e4bd5) | - | 2016-10-02
63982 | Memory corruption in RenderObjectChildList::removeChildNode | - | 2016-10-02
64424 | Computing style on a stale node while sending pending accessibility notification | - | 2016-10-02
64108 | Verify cross-origin push fails under SPDY | - | 2016-10-02
63911 | Memory corruption in accelerated 2d canvas | - | 2016-10-02
63945 | More memory corruption in accelerated 2d canvas, this time in moveTo | - | 2016-10-02
63617 | Closing multiple WebGL tabs at the same time causes segfault in Xorg | - | 2016-10-02
63609 | Delete any link promotes - Orkut OLD | - | 2016-10-02
63552 | Windows media player plugin crashes all the time @ NPAPI::PluginLib::Load+0x116 | - | 2016-10-02
63533 | WebM Crash fix merge from M7 | - | 2016-10-02
63529 | Security: Segfault when dealing with Web Workers and MessageChannels | - | 2016-10-02
63866 | WebKit CSS Font Face Parsing Type Confusion | $1,000 | 2016-10-02
63924 | Bad cast from RenderTableCol to RenderBlock in search css | - | 2016-10-02
63732 | Browser crash @ JavaScriptAppModalDialog::Cleanup() | $500 | 2016-10-02
63389 | Setting small numeric CSS values using setFloatValues changes that value on all pages until the browser is quit | - | 2016-10-02
63268 | Universal XSS via mutating style objects and read styles cross origins | - | 2016-10-02
63248 | segfault in bundled PDF viewer (invalid read in strlen) | $1,000 | 2016-10-02
63444 | Security: possible memory corruption (double-free) in XPath processing code | $1,000 | 2016-10-02
63495 | WebCore::NamedNodeMap::setAttributes() stale iterator | - | 2016-10-02
63454 | Analyze integer wraps in WebCore::Range. | - | 2016-10-02
63380 | SVG Transformlist memory corruption | - | 2016-10-02
63031 | Stale font accessed in WebCore::GlyphPage::glyphDataForCharacter | - | 2016-10-02
63166 | CryptUnprotectData disclose sensitive information in stack | - | 2016-10-02
63051 | chrome_6dc70000!WebCore::EventHandler::updateSelectionForMouseDrag use after free | $500 | 2016-10-02
63037 | Security: chrome.google.com Stored XSS | - | 2016-10-02
189090 | Heap-use-after-free in WebCore::accumulateDocumentEventTargetRects | - | 2016-10-02
189089 | ASSERTION FAILED: curr->isRenderBlock(), UNKNOWN in WebCore::RenderBlock::splitBlocks | - | 2016-10-02
189250 | Security: pango loads config options from $HOME/.pangorc | - | 2016-10-02
189091 | Heap-use-after-free in extensions::ObjectBackedNativeHandler::Router | - | 2016-10-02
189084 | Bad cast in WebKit::WebPageSerializerImpl::endTagToString | - | 2016-10-02
187243 | Heap-use-after-free in WebCore::InlineBox::deleteLine | - | 2016-10-02
181617 | Security: Possible path traversal in file_util::AbsolutePath (Windows XP/2K3) | $1,337 | 2016-10-02
181580 | Heap-use-after-free in extensions::ModuleSystem::LazyFieldGetterInner | - | 2016-10-02
187245 | Heap-use-after-free in SkTypeface::getTableSize | - | 2016-10-02
188092 | Invalid pointer read in WebCore::WaveShaperProcessor::process | - | 2016-10-02
183741 | arbitrary number of popups in response to single user action | - | 2016-10-02
181083 | Security: H.264 scaling list parsing overflow | $40,000 | 2016-10-02
180920 | Heap-use-after-free in WebCore::ElementRuleCollector::collectMatchingRulesForList | - | 2016-10-02
181438 | TransportDIB::Map doesn't validate size of mapped section on Windows | - | 2016-10-02
180763 | PWN2OWN: Bad cast in SVGViewSpec::viewTarget | - | 2016-10-02
180593 | Heap-use-after-free in WebCore::RenderBlock::logicalRightOffsetForLine | - | 2016-10-02
180555 | Security: DevTools renderer navigation is handled in renderer and allows opening any URL in DevTools window. | - | 2016-10-02
181375 | Heap-use-after-free in WebCore::AXObjectCache::getOrCreate | - | 2016-10-02
180909 | Buffer overflow in URLLoader::ReadResponseBodyAck | - | 2016-10-02
180051 | Use after free in PersistentTabRestoreService (during shutdown?) | - | 2016-10-02
179653 | ANGLE shader compiler: struct size overflow | - | 2016-10-02
179634 | Heap-use-after-free in (anonymous | - | 2016-10-02
179632 | Heap-use-after-free in sigslot::_signal_base1<bool, sigslot::single_threaded>::disconnect | - | 2016-10-02
179631 | Heap-use-after-free in WebCore::SegmentedString::SegmentedString | - | 2016-10-02
179580 | Devtools uses dangling WebContents* when extension reloads | - | 2016-10-02
180058 | Security: Loading NaCl from Web via permissive extension | - | 2016-10-02
179654 | ANGLE shader compiler: validate numBytes in TPoolAllocator::allocate | - | 2016-10-02
178848 | Chrome_Linux: Crash Report - Stack Signature: extensions::UserScriptSlave::GetDataSourceU... | - | 2016-10-02
178706 | Mac AVCConfigRecordBuilder: integer overflow leading to heap-buffer-overflow | - | 2016-10-02
178780 | Security: Chrome extensions whitelist leaks IDs | - | 2016-10-02
178761 | Heap-use-after-free in WebCore::FrameView::maintainScrollPositionAtAnchor | - | 2016-10-02
178760 | Heap-use-after-free in gtk_floating_container_add_floating | - | 2016-10-02
179287 | ASSERTION FAILED: !object || object->isBox(), UNKNOWN in WebCore::RenderSliderContainer::layout | - | 2016-10-02
179522 | Heap-use-after-free in WebCore::AudioNodeOutput::pull | $3,133 | 2016-10-02
178797 | Use-after-free under CachedRawResource::responseReceived | - | 2016-10-02
178266 | Heap-use-after-free in WebCore::RenderBlock::determineStartPosition | - | 2016-10-02
178242 | NavigationController can copy wrong NavigationEntry when committing a new page | - | 2016-10-02
178269 | Heap-use-after-free in WebCore::FrameLoader::stopForUserCancel | - | 2016-10-02
178130 | ASSERTION FAILED: node->treeScope() == m_oldScope, Heap-use-after-free in WebCore::TreeScopeAdopter::moveTreeToNewScope | - | 2016-10-02
178581 | Heap-use-after-free in BrowsingDataRemover::DoClearCache | - | 2016-10-02
178264 | Heap-use-after-free in WebCore::Frame::setPageAndTextZoomFactors | - | 2016-10-02
178002 | Heap-use-after-free in WebCore::LiveNodeList::namedItem | - | 2016-10-02
177933 | ASSERTION FAILED: i < size(), UNKNOWN in WebCore::SVGAnimatedTransformListAnimator::calculateAnimatedValue | - | 2016-10-02
178003 | ASSERTION FAILED: !node || node->isElementNode(), UNKNOWN in WebCore::HTMLElementStack::popCommon | - | 2016-10-02
177956 | cross-process memory address leak via sa_restorer | $1,000 | 2016-10-02
62987 | Use after free in EventSource | - | 2016-10-02
62925 | <Unloaded_S.DLL>+0x42cd17f crash | $1,000 | 2016-10-02
62718 | renderer crash in PDF viewer (possibly due to overlapping memcpy) | - | 2016-10-02
62674 | Valgrind detected invalid read in net::SingleRequestHostResolver::Cancel() - use-after-free? | - | 2016-10-02
62623Crash at NULL IP in PDF when evaluating strange expression$1,0002016-10-02
62401Crash in WebCore::SMILTimeContainer::begin$1,0002016-10-02
62358Integer overflow in SVG Parsing-2016-10-02
62791Crash loading invalid crx extension file-2016-10-02
62354Bad cast in SVGImageBufferTools::renderSubtreeToImageBuffer-2016-10-02
62296Bad cast from renderinline to renderbox in animations-2016-10-02
62281Use after free due to overhanging floats in LEGEND block-2016-10-02
62276Out of bound memory access in webp decoder-2016-10-02
62261use after free in ContainerNode::willRemove-2016-10-02
62168Bad cast in WebDevToolsFrontendImpl::dispatchOnInspectorFrontend-2016-10-02
62158Exploitable-looking crash when simply selecting a drop-down value-2016-10-02
62293Bad cast in CSSStyleSelector::createTransformOperations-2016-10-02
62118Autosave - Password-2016-10-02
61975Page is shown before password is requested-2016-10-02
61919[Regression] Browser crash in GetMostVisitedThumbnailsOnDBThread-2016-10-02
61917[Regression] Purecall in TopSitesDatabase::UpdatePageThumbnail-2016-10-02
62127faulty webm file causes segfault$1,0002016-10-02
61954split webstorePrivate.install into two functions, one of which requires a gesture-2016-10-02
61719Chrome-2016-10-02
61691SECURITY FAIL-2016-10-02
61653MSVR-10-0108 - Integer Overflow in Chrome's VP8 decoding leads to memory corruption-2016-10-02
61634webstorePrivate.install method should not suppress install confirmation for extensions with NPAPI-2016-10-02
61721Security: Google Chrome 7.0.517.41 Multiple DLL Hijacking Vulnerability-2016-10-02
61701Security: google chrome crashes when a request passes through a proxy and recieves a 407 HTTP error code from the server-2016-10-02
61848Search results are displayed in bing.-2016-10-02
61555on double click of a password with comma in it, selects only the part separated by comma instead of selecting fully. The compromises security besides being an inconvenience.-2016-10-02
61502Floats left out of the incremental line break code due to failed image load.-2016-10-02
61338pdf viewer segfault after js syntax error$1,0002016-10-02
61577Security Bug: Google Docs Published Spreadsheets-2016-10-02
61255Bad cast in PageClickTracker::handleEvent-2016-10-02
61576WebKit 48831 - chrome.dll!WebCore::SVGLength::SVGLength WriteAV@Arbitrary (ab566cfad36b72d82883e59d51a1dbec)-2016-10-02
61313Use after free related to ApplyBlockElementCommand::formatSelection-2016-10-02
61129Double click selection behaviour exposes password information-2016-10-02
60978WebGL stencil buffers not correctly initialized-2016-10-02
60816Crash in hunspell::NodeReader::FindWord-2016-10-02
60769more bad casts in event handling.-2016-10-02
60761chrome_1c30000!TabContents::RemoveInfoBar(class InfoBarDelegate * delegate = 0x05dfe700)+0x1dfull tab crash-2016-10-02
61158Use after free in ApplyStyleCommand::removeInlineStyle-2016-10-02
60695Bad cast in RenderView docheight,docwidth calc due to adding non box childs-2016-10-02
60688chrome_55000000!WebCore::FEBlend::apply+0x1a5$1,0002016-10-02
60653Memory error inside WTF::String::format-2016-10-02
60496Speed tracer + AdBlock = Renderer Crash @ v8::internal::Invoke-2016-10-02
60327Bad cast to MouseEvent in Node::defaultEventHandler()$5002016-10-02
60238Use after free of m_frame in FrameLoader::loadWithDocumentLoader$5002016-10-02
60697CSS, background-repeat bug-2016-10-02
60029OOB read with StringImpl::find line 621-2016-10-02
59817Security: Add .html and .htm to the dangerous extensions list for OSX and OS_POSIX-2016-10-02
60055WebM crash in vp8_setup_intra_recon()$1,0002016-10-02
59663CSSPrimitiveValue::cssText() may cause a buffer overflow-2016-10-02
60013RenderIndicator childs not laid out at all.-2016-10-02
223145Security: <template> implementation fails to check for "template" in special list when handling "any other end tag for in body"-2016-10-02
223125Heap-buffer-overflow in WebCore::InlineIterator::atTextParagraphSeparator-2016-10-02
223032ASSERTION FAILED: !HashTranslator::equal(Extractor::extract(deletedValue), key), Heap-buffer-overflow in WebCore::Font::width-2016-10-02
222852Heap-use-after-free in WebCore::RenderObject::isDescendantOf-2016-10-02
222770UNKNOWN in WebCore::QualifiedName* WTF::HashTable<WebCore::QualifiedName, WebCore::QualifiedName, WTF::Identity-2016-10-02
222754Multiple ffmpeg security issues found by j00ru.-2016-10-02
222539UNKNOWN in WTF::Vector<WTF::Vector<WebCore::RenderBox*, 1ul>, 0ul>::reserveCapacity-2016-10-02
223034Heap-buffer-overflow in void media::ToInterleavedInternal<int, long>-2016-10-02
223238Heap-use-after-free in GIFImageReader::decode$1,0002016-10-02
222000Use after free - using speech API after loading a web page$1,0002016-10-02
222036Heap-use-after-free in cricket::WebRtcRenderAdapter::FrameSizeChange-2016-10-02
222136Heap-use-after-free in WebCore::AudioDSPKernelProcessor::reset-2016-10-02
221131HTML tags are not sanitized in chrome://network-2016-10-02
220039