645811 | Crash in mojo::internal::Router::OnConnectionError | - | 2016-12-31
648031 | Heap-use-after-free in pp::MacroExpander::expandMacro | - | 2016-12-31
647922 | Crash in SuperBlitter::blitH | - | 2016-12-31
648935 | Crash in FindBit | - | 2016-12-31
649826 | Heap-use-after-free in CPDF_ViewerPreferences::IsDirectionR2L | - | 2016-12-31
622271 | Security: Adobe Flash ContextMenu Use After Free | $3000 | 2016-12-30
622634 | Security: use-after-free vulnerability in flash player 22.0.0.192 | $3000 | 2016-12-30
630544 | Security: use-after-free vulnerability in flash player 22.0.0.209 | $3000 | 2016-12-30
630547 | Security: use-after-free vulnerability in Adobe flash player | $3000 | 2016-12-30
640177 | Security: use-after-free vulnerability in flash player latest version | $3000 | 2016-12-30
647791 | Heap-buffer-overflow in gpu::gles2::ShaderTranslator::Translate | - | 2016-12-30
648620 | CRASH() writes to a fixed mappable address | - | 2016-12-30
649056 | Assertion failed: !object || (object->isBox()) | - | 2016-12-30
649095 | Bad-cast to blink::LayoutBox from blink::LayoutInline;blink::LayoutBox::firstChildBox;blink::ThemePainterDefault::setupMenuListArrow | - | 2016-12-30
649058 | Use-of-uninitialized-value in blink::BoxPainter::paint | - | 2016-12-30
649599 | Crash in blink::ThemePainterDefault::setupMenuListArrow | - | 2016-12-30
502871 | Security: adobe flash NetStream.appendBytes ByteArray data Use-After-Free | $3000 | 2016-12-29
646278 | Security: Address Bar URL Spoofing | $500 | 2016-12-29
648671 | Bad-cast to webrtc::Module from webrtc::BitrateControllerImpl;webrtc::CongestionController::TimeUntilNextProcess;webrtc::ProcessThreadImpl::Process | - | 2016-12-29
647329 | Use-after-poison in fuzz_wasm_section | - | 2016-12-28
645540 | Update It2Me host to show confirmation prompt for incoming connections. | - | 2016-12-28
648373 | Crash in v8::internal::SloppyArgumentsElementsAccessor<v8::internal::SlowSloppyArgumentsE | - | 2016-12-28
645028 | Web accessible resources checks should work with blob: and filesystem: URLs that have chrome-extension:// inner URLs | - | 2016-12-27
647612 | Heap-use-after-free in CPDF_RenderStatus::LoadSMask | - | 2016-12-27
647893 | Use-of-uninitialized-value in CPDF_DIBSource::TranslateScanline24bpp | - | 2016-12-27
647683 | Wrong security state when going back/forward after HTML5 history push | - | 2016-12-27
639750 | XSS using Dropjacking | - | 2016-12-26
646351 | Crash in v8::internal::SloppyArgumentsElementsAccessor<v8::internal::SlowSloppyArgumentsE | - | 2016-12-26
640233 | Use-of-uninitialized-value in SkGradientShaderBase::SkGradientShaderBase | - | 2016-12-25
645729 | Use-after-poison in blink::TimerBase::runInternal | $3500 | 2016-12-25
646178 | Heap-use-after-free in blink::ShapeOutsideInfo::isEnabledFor | - | 2016-12-25
647197 | Heap-double-free in v8::internal::wasm::testing::InterpretWasmModule | - | 2016-12-24
647110 | Heap-double-free in v8::internal::wasm::testing::InterpretWasmModule | - | 2016-12-24
647027 | Heap-use-after-free in v8::internal::wasm::ThreadImpl::Execute | - | 2016-12-24
647481 | Use-of-uninitialized-value in SkGradientShaderBase::SkGradientShaderBase | - | 2016-12-24
647267 | Crash in blink::TopDocumentRootScrollerController::globalRootScroller | - | 2016-12-24
644674 | Attempting free in void v8::internal::LocalArrayBufferTracker::Free< | - | 2016-12-23
647269 | Bad-cast to blink::TopDocumentRootScrollerController from blink::RootScrollerController;blink::PaintLayerCompositor::updateClippingOnCompositorLayers;blink::PaintLayerCompositor::updateIfNeeded | - | 2016-12-23
646258 | Crash in ReadUnalignedValue<int> | - | 2016-12-23
627399 | Use-of-uninitialized-value in CCodec_TiffContext::Decode | - | 2016-12-22
621838 | Memcpy-param-overlap in CCodec_ProgressiveDecoder::JpegReadMoreData | - | 2016-12-22
645745 | Unable to block cookies | $500 | 2016-12-22
646786 | Use-of-uninitialized-value in SkMatrix44::computeTypeMask | - | 2016-12-22
646350 | Heap-use-after-free in ash::WmWindowAura::StackChildAbove | - | 2016-12-22
641239 | Use-of-uninitialized-value in blink::PointerEventManager::setPointerCapture | - | 2016-12-21
638159 | Use-of-uninitialized-value in test_runner::MockWebSpeechRecognizer::PostRunTaskFromQueue | - | 2016-12-21
642070 | Use-of-uninitialized-value in update_current_folder_get_info_cb | - | 2016-12-21
643939 | Crash in v8::internal::Invoke | - | 2016-12-21
645839 | Heap-use-after-free in cc::Scheduler::BeginImplFrameWithDeadline | - | 2016-12-21
644733 | Heap-buffer-overflow in blink::LazyLineBreakIterator::nextBreakablePositionIgnoringNBSP | - | 2016-12-21
645777 | Use-of-uninitialized-value in base::time_internal::SaturatedSub | - | 2016-12-20
645186 | Memcpy-param-overlap in CCodec_ProgressiveDecoder::JpegReadMoreData | - | 2016-12-20
645201 | Use-of-uninitialized-value in webrtc::PlayoutDelayLimits::Parse | - | 2016-12-19
645770 | Heap-buffer-overflow in void std::vector<aura::Window*, std::allocator<aura::Window*> >::_M_insert_aux<a | - | 2016-12-18
644373 | Security - Unexploitable: Integer Overflow in media::mp4::TrackRunIterator::Init leading to arbitrary size OOB read in an arbitrary offset from the buffer. | - | 2016-12-17
645034 | Use-of-uninitialized-value in blink::TraceMethodDelegate<blink::PersistentBase<blink::DOMArrayBuffer, | - | 2016-12-17
645657 | Use-of-uninitialized-value in base::Pickle::WriteBytes | - | 2016-12-17
641995 | value.isFunctionValue() | - | 2016-12-16
632709 | Heap-use-after-free in CPDFSDK_Widget::SetAppModified | - | 2016-12-15
642803 | Heap-use-after-free in cc::SurfaceManager::UnregisterBeginFrameSource | - | 2016-12-15
643726 | Heap-buffer-overflow in safe_browsing::dmg::UDIFBlock::ParseBlockData | - | 2016-12-15
643173 | Wrong security state when redirecting to HTTP | $2000 | 2016-12-15
644182 | Heap-buffer-overflow in unibrow::Utf8::Validate | - | 2016-12-15
648971 | Chrome OS exploit: c-ares OOB write + dump_vpd_log > symlink | $100000 | 2016-12-14
632848 | !object || (object->isBox()) | - | 2016-12-14
637899 | Heap-buffer-overflow in Decode | - | 2016-12-14
640998 | Crash in CPDF_Parser::LoadCrossRefV5 | - | 2016-12-14
643431 | Crash in v8::internal::Object::SetPropertyInternal | - | 2016-12-14
643665 | Crash inside SuperBlitter::blitH | - | 2016-12-14
643933 | Crash in SuperBlitter::blitH | - | 2016-12-14
643935 | Heap-buffer-overflow in gpu::gles2::Texture::SetLevelInfo | - | 2016-12-14
640999 | Heap-use-after-free in base::ObserverListBase<content::RenderThreadObserver>::RemoveObserver | - | 2016-12-13
642987 | Heap-buffer-overflow in unibrow::Utf8::Validate | - | 2016-12-13
643137 | Heap-use-after-free in blink::TimerBase::getTimerTaskRunner | - | 2016-12-13
643970 | Use-of-uninitialized-value in SkUnPreMultiply::PMColorToColor | - | 2016-12-13
644003 | Use-of-uninitialized-value in mojo::edk::ChannelPosix::WriteNoLock | - | 2016-12-13
624011 | Security: UAF with namespace nodes in XPointer ranges | $3500 | 2016-12-11
638220 | Heap-buffer-overflow in test_runner::BoundsForCharacter | - | 2016-12-10
638166 | Heap-use-after-free in content::RenderFrameImpl::NavigateInternal | - | 2016-12-09
642867 | Crash in v8::internal::wasm::WasmFullDecoder::AnalyzeLoopAssignment | - | 2016-12-09
642639 | <no crash state available> | - | 2016-12-09
643071 | Crash in v8::internal::NewSpace::Verify | - | 2016-12-09
640576 | Heap-use-after-free in base::WaitableEvent::Signal | - | 2016-12-08
642028 | Use-of-uninitialized-value in void WTF::copyToVector<WTF::HashSet<blink::LayoutObject*, WTF::PtrHash<blink::La | - | 2016-12-08
497302 | Integer-overflow in sfntly::FontData::Bound | $1000 | 2016-12-06
642063 | Crash in v8::internal::HeapObject::SizeFromMap | - | 2016-12-06
641575 | Crash in v8::internal::InstantiateObject | - | 2016-12-05
623992 | Use-of-uninitialized-value in unicodetoupper | - | 2016-12-04
622197 | Heap-buffer-overflow in u16_u8 | - | 2016-12-03
633473 | Use-of-uninitialized-value in Hunspell::spell | - | 2016-12-03
638570 | Use-of-uninitialized-value in AffixMgr::compound_check | - | 2016-12-03
638562 | Stack-buffer-overflow in SfxEntry::checkword | - | 2016-12-03
625915 | Mac: 'Press Esc to exit fullscreen' covered up by permission prompts | - | 2016-12-02
638615 | Security: heap-buffer-overflow in ImageBitmap::ImageBitmap | $5500 | 2016-12-02
619368 | Heap-buffer-overflow in content::WriteMemory | - | 2016-12-01
631375 | Security: mbspatch: Malform patch file may access heap out of bound | - | 2016-12-01
635602 | Heap-use-after-free in content::RenderProcessHostImpl::ConnectionFilterImpl::GetInterface | - | 2016-12-01
635879 | Security: Format String Vulnerability in Chrome OS | $1000 | 2016-12-01
638223 | Use-of-uninitialized-value in Break | - | 2016-12-01
638742 | Security: Universal XSS using ThreadDebugger::setMonitorEventsCallback | $2000 | 2016-12-01
617124 | Use-of-uninitialized-value in WebRtcSpl_CountLeadingZeros32 | - | 2016-11-30
637594 | Security: Universal XSS using DevTools | $2000 | 2016-11-30
639658 | Security: Navigating to "chrome://" URLs via 'about:' protocol | $500 | 2016-11-30
637546 | Security: UNKOWN in CFX_Edit_Provider::GetCharWidthW | $1000 | 2016-11-29
639451 | Heap-use-after-free in std::__1::__tree_const_iterator<std::__1::__value_type<CFX_ByteString, CPDF_Obje | - | 2016-11-29
639984 | Heap-use-after-free in FORM_DoDocumentAAction | - | 2016-11-29
639985 | Use-of-uninitialized-value in shell::internal::InterfaceFactoryBinder<IPC::mojom::ChannelBootstrap>::BindInter | - | 2016-11-29
633306 | CSP can be abused to disclose URIs cross-origin | - | 2016-11-25
638571 | Heap-use-after-free in blink::DepthOrderedLayoutObjectList::ordered | - | 2016-11-25
638928 | !m_deletionHasBegun | - | 2016-11-25
628942 | Security: Universal XSS with ScopedPageLoadDeferrer and RemoteFrame | $17500 | 2016-11-24
630654 | Heap-use-after-free in CPDFSDK_Document::KillFocusAnnot | $3000 | 2016-11-24
633474 | Negative-size-param in blink::LayoutGrid::populateExplicitGridAndOrderIterator | - | 2016-11-24
638186 | Use-after-poison in blink::SVGLengthContext::convertValueToUserUnits | - | 2016-11-24
638192 | Use-after-poison in blink::ElementResolveContext::ElementResolveContext | - | 2016-11-24
638226 | Use-of-uninitialized-value in v8::internal::PointerUpdateJobTraits< | - | 2016-11-24
619381 | Crash in GrCircleBlurFragmentProcessor::CreateCircleBlurProfileTexture | - | 2016-11-23
633385 | CUPS domain socket should only be openable by user chonos | - | 2016-11-23
635848 | Security: Crash in CPDF_Dictionary::GetObjectBy | $1000 | 2016-11-23
638185 | Bad-cast to const blink::LayoutBox from blink::LayoutSVGResourcePattern;blink::PaintInvalidationState::updateForNormalChildren;blink::PaintInvalidationState::updateForChildren | - | 2016-11-23
638219 | Bad-cast to blink::LayoutBox from blink::LayoutSVGEllipse;blink::LayoutObject::positionForPoint;blink::LayoutBox::clippingRect | - | 2016-11-23
622033 | Heap-buffer-overflow in sctp_send_deferred_reset_response | - | 2016-11-22
630870 | Security: Universal XSS by intercepting a UA shadow tree | $7500 | 2016-11-22
636268 | Security: heap-buffer-overflow in SkColorSpace | $3500 | 2016-11-22
634557 | Security: Blob file entries aren't checked against security policy | - | 2016-11-22
628999 | Crash in blink::Geolocation::onGeolocationPermissionUpdated | - | 2016-11-21
635577 | Crash in mojo::AssociatedBinding<blink::mojom::blink::BroadcastChannelClient>::RunConnect | - | 2016-11-19
637320 | Security: Unchecked .end() iterator dereference in VTVideoDecodeAccelerator::ReusePictureBuffer | - | 2016-11-19
625404 | Security: use-after-free in AttachFilteredEvent on event_bindings.cc | $3000 | 2016-11-18
628920 | Security: Address bar spoofing on iOS | - | 2016-11-18
625575 | Security: bypassing CORS by XHR + MemoryCache + ServiceWorker | - | 2016-11-18
633687 | Security: Full browser crash when trying to open missing 'downloaded' resource file. | - | 2016-11-18
626893 | Security: Arbitrary memory write in v8::internal::GlobalHandles::IterateNewSpaceWeakUnmodifiedRoots() | $3000 | 2016-11-17
628542 | Heap-buffer-overflow in unibrow::Utf8::Validate | - | 2016-11-17
631368 | Crash in blink::getPropertyNameString | - | 2016-11-17
634954 | Security: Address bar spoofing with itunes page on iOS | - | 2016-11-17
636194 | Crash in void SkLinearGradient::LinearGradientContext::shade4_dx_clamp<false, false> | - | 2016-11-17
635571 | Crash in blink::EventTarget::fireEventListeners | - | 2016-11-17
622420 | Security: Type confusion in StylePropertySerializer::getCustomPropertyText. | - | 2016-11-16
632124 | Global-buffer-overflow in silk_NLSF2A | - | 2016-11-16
635574 | Use-after-poison in blink::CrossThreadPersistentRegion::shouldTracePersistentNode | $3500 | 2016-11-16
600352 | Security: Cross-Protocol Theft from non-HTTP services via DNS rebinding + HTTP/0.9 | - | 2016-11-15
611955 | //components/filesystem/public/interfaces/*.mojom files need security review | - | 2016-11-15
618037 | Security: Devtools old remote frontend allows running privileged scripts via overwriting localStorage settings | $1000 | 2016-11-15
633472 | Use-of-uninitialized-value in segment | - | 2016-11-15
632849 | Heap-buffer-overflow in SkA8_Blitter::blitH | - | 2016-11-13
628890 | Security: heap-buffer-overflow in opj_tcd_code_block_dec_allocate | $3500 | 2016-11-12
628304 | Security: heap-buffer-overflow in opj_v4dwt_interleave_h | $3500 | 2016-11-12
634238 | Security: Adobe Flash Button.blendMode setter uninitialized stack variable | - | 2016-11-12
635045 | Use-of-uninitialized-value in blink::ImagePattern::isLocalMatrixChanged | - | 2016-11-12
619429 | Security: Able to bypass permission prompt on keypress | - | 2016-11-11
624514 | Heap-buffer-overflow in CWeightTable::Calc | $3500 | 2016-11-11
634114 | Heap-use-after-free in blink::LayoutFieldset::adjustInnerStyle | - | 2016-11-11
634394 | Security: UAF in PDFium's TimerProc() | - | 2016-11-11
627355 | Crash in _platform_memmove$VARIANT$Nehalem | - | 2016-11-10
632965 | Security: OOB read with CallSite and wasm | - | 2016-11-10
633585 | Crash in v8::internal::InnerPointerToCodeCache::GcSafeFindCodeForInnerPointer | - | 2016-11-10
633471 | Use-of-uninitialized-value in GrPipeline::CreateAt | - | 2016-11-08
633486 | Tracking bug for internal fixes: Chrome M52, release 1 | - | 2016-11-08
479961 | Apply wpa_supplicant P2P vulnerability fixes | - | 2016-11-07
632634 | Security: Universal XSS with static methods and ScriptState::forHolderObject | $7500 | 2016-11-07
610644 | Heap-buffer-overflow in ps_table_add | $1500 | 2016-11-06
632850 | Crash in CPDFSDK_InterForm::GetWidget | - | 2016-11-06
632851 | Heap-use-after-free in CJS_Timer::KillJSTimer | - | 2016-11-06
632860 | Heap-buffer-overflow in copy | - | 2016-11-05
616429 | Security: Saving WebPage with file: resources access SMB resources | $1000 | 2016-11-04
631052 | Use-after-poison in blink::CompositorAnimationPlayer::NotifyAnimationStarted | $3500 | 2016-11-04
631320 | Heap-use-after-free in content::WebRTCEventLogHost::PeerConnectionRemoved | - | 2016-11-04
629919 | Security: heap-buffer-overflow in opj_tcd_update_tile_data | $5000 | 2016-11-03
631050 | Crash in v8::internal::JSObject::UpdateAllocationSite | - | 2016-11-03
573131 | Security: some extension bindings incorrectly injected into about:blank frames | $7500 | 2016-11-02
627414 | Crash in MaskSuperBlitter::blitH | - | 2016-11-02
630377 | Heap-use-after-free in ProfileIOData::FromResourceContext | - | 2016-11-02
629455 | Heap-buffer-overflow in SuperBlitter::blitH | - | 2016-11-02
631319 | Container-overflow in gpu::gles2::GLES2DecoderImpl::DoScheduleCALayerFilterEffectsCHROMIUM | - | 2016-11-02
631752 | Tracking bug for internal fixes: Chrome OS 52.0.2743.85 (Platform version: 8350.60.0) | - | 2016-11-02
628992 | Heap-use-after-free in SuperBlitter::blitH | - | 2016-11-01
627454 | Use-of-uninitialized-value in blink::PointerEventManager::setPointerCapture | - | 2016-11-01
630736 | Crash in segment | - | 2016-11-01
630369 | Use-of-uninitialized-value in GrShape::attemptToSimplifyPath | - | 2016-10-31
630749 | Heap-use-after-free in mojo::BindingSet<network_hints::mojom::NetworkHints>::AddBinding | - | 2016-10-31
623195 | Use-of-uninitialized-value in base::Pickle::WriteData | - | 2016-10-29
630649 | Stack-buffer-overflow in SkDCubic::searchRoots | - | 2016-10-29
399951 | Security: Cross-origin information leak via ECMAScript harmony proxies | $1000 | 2016-10-28
614647 | Use-of-uninitialized-value in get_advance | - | 2016-10-28
621362 | Security: Universal XSS with Flash calling into JavaScript inside Node::removedFrom | $7500 | 2016-10-28
629962 | Use-of-uninitialized-value in segment | - | 2016-10-28
628117 | Heap-use-after-free in blink::PaintController::commitNewDisplayItems | $3500 | 2016-10-28
630378 | Use-of-uninitialized-value in SkDPoint::approximatelyEqual | - | 2016-10-28
624213 | Security: Address bar RTL character spoofing on Mac | - | 2016-10-27
624214 | Security: Address bar RTL character spoofing on iOS | - | 2016-10-27
629795 | Use-of-uninitialized-value in gpu::gles2::GLES2DecoderImpl::HandleGetBufferParameteriv | - | 2016-10-27
626186 | Crash in SkOpAngle::setSpans | - | 2016-10-26
627401 | Crash in SkOpCoincidence::mark | - | 2016-10-26
628995 | Use-of-uninitialized-value in CPWL_List_Notify::IOnInvalidateRect | - | 2016-10-26
629452 | Crash in segment | - | 2016-10-26
629454 | Use-of-uninitialized-value in containsCoincidence | - | 2016-10-26
616623 | Use-of-uninitialized-value in walk_convex_edges | - | 2016-10-25
629004 | Use-of-uninitialized-value in gpu::gles2::GLES2DecoderImpl::DoDrawBuffersEXT | - | 2016-10-25
629008 | Use-of-uninitialized-value in gpu::gles2::GLES2Implementation::WaitSyncTokenCHROMIUM | - | 2016-10-25
629435 | Crash in v8::internal::Invoke | - | 2016-10-25
623319 | URL Spoof due to subframes and NavigationEntry corruption | $2000 | 2016-10-21
627436 | Negative-size-param in content::MediaStreamDispatcherHost::OnCancelDeviceChangeNotifications | - | 2016-10-21
627756 | Security: SEGV on unknown address in toCSSValuePair | $3000 | 2016-10-21
627443 | Use-of-uninitialized-value in gpu::gles2::GLES2Implementation::BufferDataHelper | - | 2016-10-21
628113 | Use-of-uninitialized-value in blink::LayoutObject::setPreferredLogicalWidthsDirty | - | 2016-10-21
628130 | Stack-buffer-overflow in saturated_add | - | 2016-10-21
626790 | Crash in blink::ComputeFloatOffsetForFloatLayoutAdapter<2>::heightRemaining | - | 2016-10-20
627354 | Negative-size-param in content::WebRTCEventLogHost::PeerConnectionRemoved | - | 2016-10-20
627434 | Use-of-uninitialized-value in sk_sse41::blit_row_s32a_opaque | - | 2016-10-20
627447 | Use-of-uninitialized-value in ProfileChooserView::ButtonPressed | - | 2016-10-20
627457 | Use-after-poison in content::WebMessagePortChannelImpl::OnMessage | $3500 | 2016-10-20
611957 | //components/leveldb/public/interfaces/leveldb.mojom needs a security review | - | 2016-10-19
618295 | Security: [PDFium]AddressSanitizer: negative-size-param | - | 2016-10-19
623168 | Use-of-uninitialized-value in v8::internal::Factory::NewNumber | - | 2016-10-19
626182 | Heap-use-after-free in blink::PaintController::commitNewDisplayItems | - | 2016-10-19
623365 | Heap Buffer Overflow in iframe URL Parse | - | 2016-10-17
579934 | Chromium allows to open popup window from Flash object without user gesture or blocking | $1000 | 2016-10-15
610986 | ASSERTION FAILED: !object || (object->isBox()) | - | 2016-10-15
617648 | Heap-use-after-free in content::FilteringNetworkManager::Initialize | - | 2016-10-15
626562 | Crash in v8::internal::HandleBase::IsDereferenceAllowed | - | 2016-10-15
626792 | Heap-use-after-free in GURL::GURL | - | 2016-10-15
617105 | Security: use-after-free vulnerability in flash player | $3000 | 2016-10-14
623072 | Use-of-uninitialized-value in containsCoincidence | - | 2016-10-14
625541 | Security: heap-buffer-overflow in opj_tcd_init_tile | $3000 | 2016-10-14
625823 | Security: SEGV in blink::DOMWindowV8Internal::blurMethodCallback | $1000 | 2016-10-14
625945 | Security: browser history sniffing via HSTS + CSP (bypass previous fix) | $1000 | 2016-10-14
613949 | Extension install crashes browser at onDownloadProgress and onInstallStageChanged | $500 | 2016-10-13
625903 | Security: heap-use-after-free in blink::LayoutBox::pixelSnappedOffsetHeight | $2000 | 2016-10-13
624818 | Use-of-uninitialized-value in gpu::gles2::GLES2Implementation::BufferDataHelper | - | 2016-10-13
623378 | Security: UAF related to XPointer range-to function | $3500 | 2016-10-12
625752 | Crash in v8::internal::LocalArrayBufferTracker::Free<1> | - | 2016-10-12
625393 | Security: Heap-use-after-free in ScriptInjector | $1000 | 2016-10-11
616907 | Security: Universal XSS using a ScopedPageLoadDeferrer bypass | $8000 | 2016-10-10
619379 | CharacterData::setData() should handle first-letter correctly | - | 2016-10-06
620952 | i < m_len | - | 2016-10-06
624713 | Security: Calling from WASM to JS should not pass the global object | - | 2016-10-06
291417 | Security: <webview>/App Request Contexts may not be so isolated | - | 2016-10-05
561978 | Vulnerability reported in media-libs/libpng | - | 2016-10-05
609382 | Security: Use after free of task_struct in Mali Midgard driver. | - | 2016-10-05
612050 | Heap-use-after-free in views::Widget::OnNativeWidgetDestroying | - | 2016-10-05
609680 | Chrome For Android Address Bar Spoofing Issue Due To Mishandling Of RTL Characters | $3000 | 2016-10-05
617882 | Crash in v8::internal::PointerUpdateJobTraits< | - | 2016-10-05
618333 | Security: Parameter sanitization failure in DevTools leads to privileged script execution | $2000 | 2016-10-05
619414 | Security: Devtools has Insuffient sanitization of remoteBase parameter | $2000 | 2016-10-05
620981 | Crash in _platform_bzero$VARIANT$Merom | - | 2016-10-05
621843 | Heap-buffer-overflow in float blink::ShapeResultSpacing::computeSpacing<unsigned short> | - | 2016-10-05
623985 | Use-after-poison in blink::PersistentBase<blink::WorkerWebSocketChannel::Bridge, | $3500 | 2016-10-05
623996 | Use-of-uninitialized-value in blink::LineBoxList::deleteLineBoxes | - | 2016-10-05
617084 | Crash in v8::internal::HandleBase::IsDereferenceAllowed | - | 2016-10-04
619377 | Bad-cast to blink::WebGLObject from invalid vptr;blink::WebGLProgram::deleteObjectImpl;blink::WebGLSharedObject::detachContextGroup | - | 2016-10-04
621095 | SIGSEGV, RIP = 0x0 | - | 2016-10-04
118642 | Heap-use-after-free in v8::internal::JSObject::GetElementWithInterceptor | $1000 | 2016-10-02
118662 | Regression(r109014): Heap-use-after-free in WebCore::InlineTextBox::isLineBreak | $500 | 2016-10-02
118593 | Heap-use-after-free in WebCore::SVGStyledElement::buildPendingResourcesIfNeeded | $1000 | 2016-10-02
118490 | Heap-use-after-free in WebCore::RenderObject::containingBlock | $1000 | 2016-10-02
118467 | open.call(other_window) circumvents check in other_window.open() | - | 2016-10-02
118633 | Security: Frame sniffing is not fixed | - | 2016-10-02
118414 | Heap use after free on chrome_content_browser_client.cc with webrtc | $1000 | 2016-10-02
118374 | Long autofilled value causes render issue | - | 2016-10-02
118273 | ZDI-CAN-1528: Webkit HTMLMedia Element beforeLoad Remote Code Execution Vulnerability | - | 2016-10-02
118227 | Security: cross-origin iframes can be resized from within in M18 | - | 2016-10-02
118018 | Heap-buffer-overflow in S32_opaque_D32_nofilter_DXDY | - | 2016-10-02
118317 | Popup blocker bypass triggering mouse event on tag with rel=noreferrer | - | 2016-10-02
118185 | Heap-use-after-free in WebCore::V8HTMLBodyElement::wrapSlow | - | 2016-10-02
117890 | Use-after-free in CrashGenerationServer | - | 2016-10-02
117912 | Heap-buffer-overflow in memcmp | - | 2016-10-02
117794 | [LangFuzz] Crash on heap with invalid read through GetPropertyWithCallback | $500 | 2016-10-02
117736 | No permission prompt when loading unpacked extension with NPAPI plugin | - | 2016-10-02
117728 | Heap-use-after-free in WebCore::InlineBox::root | $1000 | 2016-10-02
117724 | Event handlers firing during Text::splitText trigger use-after-free. | - | 2016-10-02
118009 | Heap-buffer-overflow in void WTF::Vector<unsigned short, 0ul>::append<unsigned short> | - | 2016-10-02
117889 | Dangerous download warnings are suppressed for a larger class of downloads than are handled by SafeBrowsing | - | 2016-10-02
117698 | Heap-use-after-free in WebCore::RenderLayer::addChild | $1000 | 2016-10-02
117696 | Heap-use-after-free in WebCore::RenderBlock::addPositionedFloats | - | 2016-10-02
117674 | Heap-use-after-free in WebCore::GraphicsContext3D::getExtensions | - | 2016-10-02
117672 | Uptake angle security fix | - | 2016-10-02
117656 | Pwnium bug: GPU memory corruption | - | 2016-10-02
117627 | Security: IPC Channel does not validate the listener. | - | 2016-10-02
117620 | Pwnium bug: Prerendering issues with NACL | $60000 | 2016-10-02
117715 | LoadExtension binding in chrome://extensions/ is too permissive | - | 2016-10-02
117583 | Iframe hijacking from Pwnium | - | 2016-10-02
117588 | Security: Memory Corruption in MaskSuperBlitter | $1000 | 2016-10-02
117545 | ICU lang buffer overflow | - | 2016-10-02
117471 | Heap-use-after-free in WebCore::GraphicsContext::paintingDisabled | $1000 | 2016-10-02
117446 | App popup user gesture exemption should be based on process type, not just extent | - | 2016-10-02
117418 | Security: Don't grant WebUI bindings to a process shared with normal views | - | 2016-10-02
117417 | Security: Don't let a normal web renderer navigate to a privileged URL | - | 2016-10-02
117413 | Heap-use-after-free in WebCore::RenderScrollbar::getScrollbarPseudoStyle | - | 2016-10-02
117409 | Chrome: Crash Report - Stack Signature: v8::internal::MarkCompactCollector::RecordS... | - | 2016-10-02
117400 | Uptake fixes on weak node iteration patterns | - | 2016-10-02
117511 | Heap-use-after-free in WTF::equal | - | 2016-10-02
117335 | Occasional heap-use-after-free in non-virtual thunk to AudioDevice::OnStateChanged | $500 | 2016-10-02
117341 | Heap-use-after-free in MessageLoop::AddToIncomingQueue | $1000 | 2016-10-02
117230 | Part 2 of Pwnium Bug | - | 2016-10-02
117226 | Part 1 of Pwnium Bug: UXSS | $60000 | 2016-10-02
117150 | REGRESSION(wk109285): Heap-use-after-free in WebCore::Document::nodeChildrenWillBeRemoved | $1000 | 2016-10-02
117110 | Heap-use-after-free in WebCore::RenderObjectChildList::destroyLeftoverChildren | - | 2016-10-02
116994 | Heap-use-after-free in chrome::ChromeContentBrowserClient::RequestMediaAccessPermission | - | 2016-10-02
116967 | Heap-buffer-overflow in WebCore::SVGUseElement::instanceForShadowTreeElement | - | 2016-10-02
116927 | Heap-buffer-overflow in av_freep | $1000 | 2016-10-02
116806 | Heap-use-after-free in WebCore::RenderInline::continuationBefore | - | 2016-10-02
116746 | Heap-use-after-free in WebCore::RenderBlock::splitBlocks | $1000 | 2016-10-02
116637 | Renderer process crash when doing WebGL canvas to 2D canvas drawImage() | - | 2016-10-02
116524 | Security: Off-by-one in OTS resulting in arbitrary code execution | - | 2016-10-02
116461 | Heap-use-after-free in WebCore::CSSCrossfadeValue::~CSSCrossfadeValue | $1000 | 2016-10-02
116405 | Mitigate stale layout root bugs | - | 2016-10-02
116398 | Security: SSL proxy seems to not care about the cert | - | 2016-10-02
116474 | Merge SVG use fix to stable | - | 2016-10-02
121926 | Heap-buffer-overflow in WebCore::FEConvolveMatrix::platformApplySoftware | - | 2016-10-02
121937 | glGetProgramInfoLog regression in ANGLE | - | 2016-10-02
121734 | Heap-use-after-free in WebCore::V8AbstractEventListener::~V8AbstractEventListener | - | 2016-10-02
121726 | Sandbox IPC length checking race | - | 2016-10-02
121703 | Crash in NSMutableRLEArray replaceObjectsInRange:withObject:length with long URL | - | 2016-10-02
121692 | Heap-use-after-free in WebCore::SelectorChecker::checkOneSelector | - | 2016-10-02
121645 | Heap-use-after-free in WebCore::RenderBlock::removeFloatingObject | - | 2016-10-02
121899 | Security: use-after-free in WebCore::RenderBoxModelObject::hasSelfPaintingLayer() | $1000 | 2016-10-02
121736 | Heap-use-after-free in WebCore::EventDispatcher::dispatchEvent | - | 2016-10-02
121347 | Heap-buffer-overflow in WebCore::RenderBlock::LineBreaker::nextLineBreak | $500 | 2016-10-02
121524 | Use after free with reflections and composited layers | - | 2016-10-02
121206 | Heap-buffer-overflow in WebCore::HTMLSelectElement::setRecalcListItems | - | 2016-10-02
121128 | Heap-buffer-overflow in void WTF::Vector<unsigned short, 1024ul>::append<unsigned short> | - | 2016-10-02
120977 | Crash in texSubImage2D on Mozilla's WebGL performance regression tests | - | 2016-10-02
121269 | invalid cast in WebCore::toHTMLElement / WebCore::HTMLFieldSetElement::disabledAttributeChanged | - | 2016-10-02
121223 | Heap-use-after-free in WebCore::WorkerThreadableWebSocketChannel::Bridge::mainThreadCreateWebSocketChannel | $500 | 2016-10-02
121407 | [LangFuzz] Invalid write in v8::internal::ElementsAccessorBase<...>::CopyElements | $1000 | 2016-10-02
120648 | UNKNOWN in SkARGB32_Blitter::blitV | $500 | 2016-10-02
120457 | Global-buffer-overflow in WebCore::InlineTextBox::isLineBreak | - | 2016-10-02
120711 | Heap-use-after-free in WebCore::Element::recalcStyle | $1000 | 2016-10-02
120944 | Use-after-free due to issues in counter layout. | $1000 | 2016-10-02
120912 | Heap-use-after-free in WebCore::RenderText::removeTextBox | $1000 | 2016-10-02
120320 | Flash Broker Bypass 0x2B (CVE-2012-0724) | - | 2016-10-02
120318 | Flash Broker Bypass 0x2D (CVE-2012-0725) | - | 2016-10-02
120222 | Heap-use-after-free in WebCore::RenderTableSection::paintCell | $1000 | 2016-10-02
120205 | Security: <svg:use> elements in the parser can create elements not marked as created by the parser | - | 2016-10-02
120404 | Heap-buffer-overflow in WebCore::Font::codePath | - | 2016-10-02
120037 | Heap-use-after-free in WebCore::ContainerNode::resumePostAttachCallbacks | $1000 | 2016-10-02
120007 | Heap-use-after-free in WebCore::WorkerEventQueue::close | - | 2016-10-02
120403 | Heap-use-after-free in WebCore::ContainerNode::insertBefore | - | 2016-10-02
120189 | Heap-use-after-free in WebCore::V8RecursionScope::didLeaveScriptContext | - | 2016-10-02
119926 | Use after free in v8::internal::IncrementalMarking::Step | $1000 | 2016-10-02
119501 | Heap-use-after-free in WebCore::SVGStyledElement::buildPendingResourcesIfNeeded | $1000 | 2016-10-02
119429 | UNKNOWN in v8::Message::GetScriptResourceName | $500 | 2016-10-02
120006 | Heap-use-after-free in WebCore::RenderBlock::finishDelayUpdateScrollInfo | - | 2016-10-02
119525 | Heap-use-after-free in WebCore::ApplyStyleCommand::applyInlineStyleToNodeRange | $1000 | 2016-10-02
119281 | Heap-use-after-free in WebCore::GenericEventQueue::~GenericEventQueue | $500 | 2016-10-02
119230 | Heap-use-after-free in WebCore::RenderBlock::splitBlocks | - | 2016-10-02
119150 | Sandboxed processes should not be able to open other sandboxed processes | - | 2016-10-02
119084 | Heap-use-after-free in utext_setNativeIndex_46 | - | 2016-10-02
118970 | GPU process crash below DoDrawArrays (Nvidia) | $500 | 2016-10-02
119305 | Heap-use-after-free in WebCore::Node::~Node | $1000 | 2016-10-02
119250 | GPU, Plugin, and NaCl processes have PROCESS_DUP_HANDLE permission on renderer processes | - | 2016-10-02
118803 | Heap-use-after-free in WebCore::SVGTextLayoutAttributesBuilder::fillCharacterDataMap | - | 2016-10-02
118784 | Heap-buffer-overflow in void WTF::Vector<unsigned short, 1024ul>::insert<unsigned short> | - | 2016-10-02
118853 | Heap-use-after-free in WebCore::InlineFlowBox::deleteLine | - | 2016-10-02
118664 | Security: Swapped out URL must be a unique origin | - | 2016-10-02
118721 | Extensions resources can be fetched across incognito | - | 2016-10-02
116162 | Heap-buffer-overflow in wk_png_inflate | - | 2016-10-02
116128 | Content scripts should never be run in the webstore isolate | - | 2016-10-02
116093 | Heap-buffer-overflow in WebCore::SVGDocumentExtensions::removeAnimationElementFromTarget | $1000 | 2016-10-02
116069 | WebCore::MediaStreamListInternal::itemCallback | $500 | 2016-10-02
116224 | Heap-use-after-free in WebCore::FrameLoader::urlSelected | - | 2016-10-02
115998 | Heap-use-after-free in WebCore::RenderMenuList::addChild | - | 2016-10-02
115862 | Heap-use-after-free in WebCore::InlineFlowBox::deleteLine | - | 2016-10-02
115756 | Heap-use-after-free in WebCore::InlineFlowBox::deleteLine | - | 2016-10-02
115754 | Heap-use-after-free in WebCore::RenderLayer::addChild | $1000 | 2016-10-02
115695 | Heap-buffer-overflow in WebCore::StaticNodeList::itemWithName | $1000 | 2016-10-02
115681 | Heap-use-after-free in WebCore::RenderBox::enclosingFloatPaintingLayer | $1000 | 2016-10-02
115680 | Heap-use-after-free in WebCore::RenderListItem::updateMarkerLocation | - | 2016-10-02
115807 | Heap-use-after-free in WebCore::RenderMenuList::addChild | - | 2016-10-02
116027 | Heap-buffer-overflow in WebCore::InlineFlowBox::addToLine | - | 2016-10-02
115159 | Security: Setting innerText allows DOMSubtreeModified listeners to cause crashes | - | 2016-10-02
115028 | Bad cast in splitAnonymousBlocksAroundChild (part 3)
|
$1000
|
2016-10-02
|
115003
|
Heap-use-after-free in WebCore::RenderObject::previousInPreOrder
|
-
|
2016-10-02
|
115299
|
Use-after-free in AudioDeviceThread::Callback::InitializeOnAudioThread
|
$500
|
2016-10-02
|
115471
|
Heap-buffer-overflow in SkAlphaRuns::add
|
$1000
|
2016-10-02
|
114924
|
Bad cast in splitAnonymousBlocksAroundChild
|
$1000
|
2016-10-02
|
114911
|
Heap-buffer-overflow in WebCore::Element::setAttribute
|
-
|
2016-10-02
|
114858
|
Heap-use-after-free in WebCore::RenderTableSection::willBeDestroyed
|
-
|
2016-10-02
|
114960
|
Heap-use-after-free in WebCore::SVGTextLayoutAttributesBuilder::fillCharacterDataMap
|
-
|
2016-10-02
|
114219
|
Heap-use-after-free in WebCore::RenderTableSection::nodeAtPoint
|
$1000
|
2016-10-02
|
114152
|
Heap-use-after-free in WebCore::InspectorStyleSheet::deleteRule
|
-
|
2016-10-02
|
114144
|
Crash by clicking the time field of maps.google.com
|
-
|
2016-10-02
|
114068
|
Heap-use-after-free in WebCore::HTMLElement::isPresentationAttribute
|
$1000
|
2016-10-02
|
114056
|
Heap-buffer-overflow in WebCore::previousBoundary
|
$500
|
2016-10-02
|
114054
|
Heap-buffer-overflow in void WTF::Vector<unsigned short, 0ul>::append<unsigned short>
|
$500
|
2016-10-02
|
113924
|
[LangFuzz] Crash at v8::internal::HashTable<...>::FindEntry with invalid read
|
$1000
|
2016-10-02
|
114342
|
Stack-buffer-overflow at strcpy
|
$1000
|
2016-10-02
|
113837
|
Heap-use-after-free in WebCore::Document::unregisterForPageCacheSuspensionCallbacks
|
$1000
|
2016-10-02
|
113800
|
Heap-use-after-free in WebCore::RenderBlock::computeOverflow
|
-
|
2016-10-02
|
113902
|
Heap-use-after-free in WebCore::InlineBox::root
|
$1000
|
2016-10-02
|
113799
|
Heap-use-after-free in WebCore::RenderTable::layout
|
-
|
2016-10-02
|
113801
|
Heap-use-after-free in WebCore::RenderBlock::outlineStyleForRepaint
|
-
|
2016-10-02
|
113733
|
Security: Flash deployed via component updater runs outside the sandbox
|
-
|
2016-10-02
|
113755
|
Heap-use-after-free in WebCore::RenderObjectChildList::destroyLeftoverChildren
|
-
|
2016-10-02
|
113707
|
Heap-use-after-free in WebCore::RenderQuote::placeQuote
|
$1000
|
2016-10-02
|
113690
|
Heap-use-after-free in WebCore::RenderButton::removeChild
|
-
|
2016-10-02
|
113567
|
Heap-use-after-free in WebCore::RenderRegion::setRegionBoxesRegionStyle
|
-
|
2016-10-02
|
113562
|
Heap-use-after-free in WebCore::NavigationScheduler::schedule
|
-
|
2016-10-02
|
113730
|
Integer wrap in CSSParser::quoteCSSString() can cause a buffer overflow
|
-
|
2016-10-02
|
113497
|
Heap-use-after-free in WebCore::InlineFlowBox::computeUnderAnnotationAdjustment
|
$1000
|
2016-10-02
|
113496
|
Links in settings page (like learn more, google dashboard) are opened in the webui renderer process
|
-
|
2016-10-02
|
113439
|
Bad casts due to issues in splitAnonymousBlocksAroundChild
|
$1000
|
2016-10-02
|
113415
|
Heap-use-after-free in WebCore::InlineFlowBox::deleteLine
|
-
|
2016-10-02
|
113258
|
Bad cast in WebCore::RenderBlock::createLineBoxes
|
$1000
|
2016-10-02
|
113178
|
Adding a ShadowRoot to a SELECT element causes crashes
|
-
|
2016-10-02
|
113174
|
Attaching a ShadowRoot to a VIDEO element causes heap-use-after-free
|
-
|
2016-10-02
|
113160
|
Security: Tracking bug for WK77971 - Replaces the [CheckNodeSecurity] IDL attribute
|
-
|
2016-10-02
|
113119
|
Security: Report bad translation link uses http://
|
-
|
2016-10-02
|
112976
|
Heap-use-after-free in vorbis_decode_frame
|
-
|
2016-10-02
|
112961
|
TCP and UDP IPCs should not be exposed to arbitrary renderers
|
-
|
2016-10-02
|
112983
|
Browser crash with FTP video source
|
-
|
2016-10-02
|
125462
|
Security: libxml2 1-byte heap-buffer-overflow in xmlXPtrEvalXPtrPart
|
$1500
|
2016-10-02
|
125436
|
Heap-use-after-free in WebCore::HTMLFormControlElement::disabled
|
-
|
2016-10-02
|
125249
|
Heap-buffer-overflow in seg_to
|
-
|
2016-10-02
|
125225
|
Domui process can be ptraced from a compromised renderer leading to sandbox escape, take 2
|
-
|
2016-10-02
|
125159
|
Chrome crashes when pressing back button on a page that is still downloading a big gif image
|
$1337
|
2016-10-02
|
125151
|
Heap-use-after-free in WebCore::Node::compareDocumentPosition
|
-
|
2016-10-02
|
125010
|
Stealing AutoFill data with window.getSelection() before users actually select form contents
|
-
|
2016-10-02
|
125494
|
Heap-buffer-overflow in WebCore::HTMLTreeBuilder::processEndTag
|
-
|
2016-10-02
|
125374
|
Heap-use-after-free in WebCore::RenderSVGContainer::paint
|
$1000
|
2016-10-02
|
124992
|
Heap-use-after-free in WebCore::swapInNodePreservingAttributesAndChildren
|
-
|
2016-10-02
|
124923
|
Heap-use-after-free in WebCore::parseToDoubleForNumberType
|
-
|
2016-10-02
|
124919
|
Heap-use-after-free in WebCore::RenderBlock::addOverflowFromFloats
|
-
|
2016-10-02
|
124895
|
Heap-use-after-free in WebCore::ScriptController::executeIfJavaScriptURL
|
-
|
2016-10-02
|
124893
|
Heap-buffer-overflow in WebCore::HTMLOptionElement::selected
|
-
|
2016-10-02
|
124870
|
Heap-use-after-free in WebCore::InsertParagraphSeparatorCommand::doApply
|
-
|
2016-10-02
|
124868
|
Heap-use-after-free in WebCore::RenderObject* WebCore::bidiNextShared<WebCore::BidiResolver<WebCore::InlineIterator, WebCor
|
-
|
2016-10-02
|
124836
|
NSS should reject DH public values equal to one
|
-
|
2016-10-02
|
125000
|
Heap-buffer-overflow in WTF::VectorMover<false, WebCore::Attribute>::move
|
-
|
2016-10-02
|
124924
|
Heap-buffer-overflow in WebCore::XPath::sortBlock
|
-
|
2016-10-02
|
124652
|
Heap-buffer-overflow in SkDashPathEffect::SkDashPathEffect
|
-
|
2016-10-02
|
124625
|
Chrome: Crash Report - Stack Signature: WebCore::npObjectNamedGetter<WebCore::V8HTM...
|
-
|
2016-10-02
|
124617
|
Heap-buffer-overflow in WebCore::RenderBlock::createLineBoxes
|
-
|
2016-10-02
|
124669
|
Heap-use-after-free in WebCore::SVGLength::value
|
-
|
2016-10-02
|
124530
|
Heap-use-after-free in WebCore::RenderBlock::layoutPositionedObjects
|
-
|
2016-10-02
|
124594
|
UNKNOWN in v8::internal::MarkCompactCollector::PrepareThreadForCodeFlushing
|
$500
|
2016-10-02
|
124479
|
Use after free in PDF with corrupt CID font encoding name
|
-
|
2016-10-02
|
124356
|
Heap-use-after-free in WebCore::GraphicsContext::restore
|
$1000
|
2016-10-02
|
124263
|
OOB read with PDF in cell sorting
|
-
|
2016-10-02
|
124228
|
Security: Component updater parses unauthenticated XML with libxml in the browser process
|
-
|
2016-10-02
|
124216
|
Security: MSVR:159 - Google Chrome NPAPI Plugin Insecure Loading Elevation of Privilege Vulnerability
|
-
|
2016-10-02
|
124191
|
OOB read in PDF when parsing / processing text
|
-
|
2016-10-02
|
124190
|
OOB read, off-by-one in PDF predictor code with specific decode parameters
|
-
|
2016-10-02
|
124184
|
OOB read with 1bpp image and ICC profile
|
-
|
2016-10-02
|
124183
|
OOB read in PDF fax codec
|
-
|
2016-10-02
|
124389
|
Heap-use-after-free in WebCore::TargetListener::clear
|
-
|
2016-10-02
|
124182
|
Out of bounds write in PDF with sample function with lots of inputs
|
-
|
2016-10-02
|
124179
|
PDF crash under ASAN with character maps
|
-
|
2016-10-02
|
123929
|
Out-of-bounds read in PDF with undersized "O" key and revision 3 crypto
|
-
|
2016-10-02
|
123858
|
Use-after-free in WebPagePopupImpl instance
|
-
|
2016-10-02
|
123735
|
OOB reads in PDF AES support due to buffer mismanagement
|
-
|
2016-10-02
|
123733
|
Out-of-bounds reads with bad parameters to PDF "sampled function" function
|
-
|
2016-10-02
|
123709
|
Breakpad ClientInfo::PopulateCustomInfo() integer wrap leads to heap overflow
|
-
|
2016-10-02
|
123656
|
OOB read in PDF whilst scanning for "startxref"
|
-
|
2016-10-02
|
123631
|
Heap-use-after-free in WebCore::GraphicsContext::paintingDisabled
|
-
|
2016-10-02
|
123544
|
Heap-use-after-free in WebCore::CachedResource::checkNotify
|
-
|
2016-10-02
|
123530
|
Heap-use-after-free in AutocompleteMatch::AutocompleteMatch
|
-
|
2016-10-02
|
123484
|
Global-buffer-overflow in WebCore::InlineTextBox::isLineBreak
|
-
|
2016-10-02
|
123481
|
Security: ERROR: AddressSanitizer heap-buffer-overflow on address 0x7fde15ff9890 at pc 0x7fde364c5034
|
$1000
|
2016-10-02
|
123105
|
Heap-buffer-overflow in Color32_SSE2
|
-
|
2016-10-02
|
123054
|
Security: renderer can grant itself read permissions to arbitrary files
|
-
|
2016-10-02
|
123029
|
OOB write in SkARGB32_Black_Blitter::blitAntiH -> sk_memset32_SSE2
|
$1000
|
2016-10-02
|
123012
|
Chrome: Crash Report - Stack Signature:WebCore::V8BindingPerContextData::constructorForType(WebCore::WrapperTypeInfo *)
|
-
|
2016-10-02
|
122925
|
Security: Autofill info can be captured by innocuous social engineering
|
$1000
|
2016-10-02
|
122865
|
Heap-use-after-free in SkCanvas::internalDrawBitmapRect
|
-
|
2016-10-02
|
122760
|
Heap-use-after-free in WebCore::RenderTable::computePreferredLogicalWidths
|
-
|
2016-10-02
|
122692
|
UNKNOWN in /lib/libc-2.11.1.so+Unknown
|
-
|
2016-10-02
|
122681
|
[LangFuzz] CHECK(fixed_size + height_in_bytes == input_frame_size) failed or crash with invalid read
|
$500
|
2016-10-02
|
122654
|
Chrome: Crash Report: SocketStreamDispatcherHost::CancelSSLRequest
|
-
|
2016-10-02
|
122586
|
Global-buffer-overflow in HB_TibetanShape
|
-
|
2016-10-02
|
122585
|
Security: stack-buffer-overflow in WebCore::GlyphPage::fill with surrogate characters
|
$500
|
2016-10-02
|
122573
|
Heap-use-after-free in WebCore::CachedRawResource::didAddClient
|
-
|
2016-10-02
|
122854
|
Security: Potential (racy) use after free error in DownloadResourceHandler::OnResponseCompletedInternal
|
-
|
2016-10-02
|
122503
|
Heap-buffer-overflow in erode
|
-
|
2016-10-02
|
122337
|
[LangFuzz] Crash on heap with invalid write (32 bit only).
|
$1000
|
2016-10-02
|
122208
|
GCing a node observed by a WebKitMutationObserver can cause an invalid HashSet iterator
|
-
|
2016-10-02
|
122029
|
Heap-buffer-overflow in WebCore::InlineFlowBox::addToLine
|
-
|
2016-10-02
|
122014
|
Heap-use-after-free in WorkerEventQueue::close
|
-
|
2016-10-02
|
121968
|
Heap-use-after-free in WebCore::GraphicsLayer::willBeDestroyed
|
-
|
2016-10-02
|
122562
|
Heap-use-after-free in ModuleSystem::LazyFieldGetter
|
$1000
|
2016-10-02
|
112847
|
Bad cast in addChildToAnonymousColumnBlocks
|
$1000
|
2016-10-02
|
112833
|
Heap-use-after-free in webkit_media::BufferedResourceLoader::Start
|
$1000
|
2016-10-02
|
112822
|
Security: Heap-buffer-overflow in png_decompress_chunk
|
$1337
|
2016-10-02
|
112814
|
Safe Browsing client doesn't always check for MAC field in response
|
-
|
2016-10-02
|
112775
|
Heap-use-after-free in WebCore::Node::traverseNextNode
|
-
|
2016-10-02
|
112764
|
Heap-use-after-free in RendererAccessibility::SendPendingAccessibilityNotifications
|
-
|
2016-10-02
|
112738
|
Security: User Interface - infobar confusion, spamming, and spoofing
|
-
|
2016-10-02
|
112735
|
Bad cast in FormSubmission::create
|
-
|
2016-10-02
|
112694
|
Heap-use-after-free in WebCore::Node::normalize
|
-
|
2016-10-02
|
112670
|
avcodec_53!ff_h264_get_profile - crash
|
$500
|
2016-10-02
|
112451
|
X509UserCertResourceHandler::OnResponseCompleted crash
|
-
|
2016-10-02
|
112443
|
[Mac] Regular SSL certificate incorrectly displayed with EV color badge
|
-
|
2016-10-02
|
112542
|
Heap-use-after-free in WebCore::TextIterator::rangeFromLocationAndLength
|
-
|
2016-10-02
|
112411
|
Heap-use-after-free in WebCore::SVGUseElement::expandSymbolElementsInShadowTree
|
$1000
|
2016-10-02
|
112391
|
Heap-use-after-free in ExtensionHost
|
-
|
2016-10-02
|
112339
|
Security: chrome allows TDR looping leading to win7 OS crash through page refresh html tag + WebGL
|
-
|
2016-10-02
|
112325
|
Security: Copy-paste preserves <embed> tags containing active content
|
-
|
2016-10-02
|
112317
|
Heap-buffer-overflow in WebCore::Font::codePath
|
$500
|
2016-10-02
|
112259
|
Heap-use-after-free in WebCore::EventTarget::dispatchEvent
|
$500
|
2016-10-02
|
112236
|
Security: Chrome translation script downloaded over HTTP
|
-
|
2016-10-02
|
112212
|
Heap-use-after-free in WebCore::ContainerNode::appendChild
|
$2000
|
2016-10-02
|
112151
|
Heap-use-after-free in WebCore::RenderRegion::setRegionBoxesRegionStyle
|
$1000
|
2016-10-02
|
112093
|
Heap-use-after-free in WebCore::Node::dispatchSubtreeModifiedEvent
|
-
|
2016-10-02
|
112055
|
Heap-buffer-overflow in WebCore::CSSParser::lex
|
-
|
2016-10-02
|
111779
|
Heap-use-after-free in WebCore::SubframeLoader::loadSubframe
|
$1000
|
2016-10-02
|
111748
|
Heap-use-after-free in WebCore::SVGElement::removedFromDocument
|
$1000
|
2016-10-02
|
111656
|
Security: Accessibility bad cast
|
-
|
2016-10-02
|
111575
|
Security: NaCl dynamic code modification allows direct calls inside existing super instructions.
|
-
|
2016-10-02
|
111491
|
AddressSanitizer reports a heap-use-after-free in icu_46::RuleBasedBreakIterator::handleNext in DownloadTest.CrxLargeTheme (browser_tests) on Chrome OS
|
-
|
2016-10-02
|
111088
|
Heap-use-after-free in WebCore::FrameLoader::checkTimerFired
|
-
|
2016-10-02
|
111467
|
Heap-buffer-overflow in WebCore::SVGSVGElement::currentViewBoxRect
|
$1000
|
2016-10-02
|
110849
|
Heap-buffer-overflow in matroska_parse_block
|
-
|
2016-10-02
|
110764
|
Heap-use-after-free in WebCore::DocumentLoader::detachFromFrame
|
$1000
|
2016-10-02
|
110723
|
Heap-use-after-free in WebCore::RenderSVGResourceContainer::markAllClientsForInvalidation
|
-
|
2016-10-02
|
111342
|
Heap-use-after-free in AudioDevice::FireRenderCallback
|
-
|
2016-10-02
|
110559
|
Heap-buffer-overflow in GPU ShaderTranslator
|
-
|
2016-10-02
|
110374
|
Heap-use-after-free in WebCore::EventHandler::mouseMoved
|
$1000
|
2016-10-02
|
110360
|
Heap-use-after-free in WebCore::GraphicsContext::paintingDisabled
|
-
|
2016-10-02
|
110277
|
Heap-buffer-overflow in xsltCompilePatternInternal
|
$500
|
2016-10-02
|
110172
|
Heap-buffer-overflow in SkAlphaRuns::add
|
$1000
|
2016-10-02
|
110545
|
Security: AssociatedURLLoader exposes non-whitelisted response headers when loading with access control (CORS)
|
-
|
2016-10-02
|
110076
|
Heap-use-after-free in WebCore::CompositeEditCommand::ensureComposition
|
-
|
2016-10-02
|
109743
|
Heap-use-after-free in WebCore::CSSStyleSelector::matchRulesForList
|
$1000
|
2016-10-02
|
109717
|
Security: crash when viewing a certificate without issuer signature
|
-
|
2016-10-02
|
109716
|
Heap-use-after-free in xsltParseGlobalVariable
|
$1000
|
2016-10-02
|
109691
|
Security: Losing user-set pin data on HSTS header receipt
|
-
|
2016-10-02
|
110112
|
Heap-use-after-free in WebCore::FrameView::forceLayoutParentViewIfNeeded
|
$1000
|
2016-10-02
|
109912
|
Security: read sandbox escape: NaCl validator for x86-64 allow REP string instructions to have out-of-bound source addresses
|
-
|
2016-10-02
|
109623
|
Chrome: Crash Report - Stack Signature: WebKit::WebMediaPlayerClientImpl::loadInter...
|
-
|
2016-10-02
|
109574
|
Potential XSS attack with [0x8E][0xE3] in EUC-JP page
|
$500
|
2016-10-02
|
109556
|
Heap-buffer-overflow in WebCore::HTMLTreeBuilder::HTMLTreeBuilder
|
$1000
|
2016-10-02
|
109411
|
Regression: Crash in WebCore::DynamicSubtreeNodeList::length()
|
-
|
2016-10-02
|
109245
|
Security: Chrome Drag Spoofing
|
-
|
2016-10-02
|
109664
|
safe_browsing::SignatureUtil::CheckSignature() - crash
|
-
|
2016-10-02
|
109094
|
Possible wild read in internal PDF-reader
|
-
|
2016-10-02
|
108958
|
Heap-use-after-free in WebCore::RenderBlock::determineStartPosition
|
-
|
2016-10-02
|
129158
|
Heap-use-after-free in WebCore::AccessibilityObject::getAttribute
|
-
|
2016-10-02
|
129191
|
UNKNOWN in WebCore::HTMLDocumentParser::prepareToStopParsing
|
$1000
|
2016-10-02
|
128971
|
Heap-use-after-free in WebCore::InlineBox::deleteLine
|
-
|
2016-10-02
|
128711
|
Run-in UAF crashes relating to generated content and inline line box tree not clearing.
|
-
|
2016-10-02
|
128704
|
Crash when opening and closing chrome://chrome
|
-
|
2016-10-02
|
128688
|
Heap-buffer-overflow in gpu::gles2::GLES2Implementation::TexSubImage2DImpl
|
-
|
2016-10-02
|
128800
|
Use after free in WebCore::SVGTextLayoutAttributesBuilder::fillCharacterDataMap
|
-
|
2016-10-02
|
128597
|
RenderViewImpl's shared_popup_counter_ isn't incremented properly
|
-
|
2016-10-02
|
128498
|
Heap-buffer-overflow in WebCore::CSSSelector::specificityForOneSelector
|
-
|
2016-10-02
|
128497
|
CachedImage does not clear the ImageObserver pointer when dropping its Image ref
|
-
|
2016-10-02
|
128458
|
Security: NTP Promo data is downloaded via HTTP, but then rendered on the NTP
|
-
|
2016-10-02
|
128665
|
Heap-use-after-free in WebCore::Node::isInShadowTree
|
-
|
2016-10-02
|
128342
|
Heap-buffer-overflow in WebCore::SVGUseElement::instanceForShadowTreeElement
|
-
|
2016-10-02
|
128336
|
Heap-buffer-overflow in WebCore::SubframeLoader::createJavaAppletWidget
|
-
|
2016-10-02
|
128256
|
tabs permission exploit on the Chrome RSS Extension
|
-
|
2016-10-02
|
128204
|
Assertion failure (toRenderBox() called on a RenderInline) beneath RenderBlock::blockBeforeWithinSelectionRoot()
|
-
|
2016-10-02
|
128178
|
Heap-use-after-free in fileapi::FileSystemOperation::DidGetUsageAndQuotaAndRunTask
|
$3133
|
2016-10-02
|
128163
|
Heap-buffer-overflow in GIFImageReader::read
|
-
|
2016-10-02
|
128159
|
Heap-use-after-free in WTF::HashMap<int, WTF::RefPtr<WebCore::CalculationValue>, WTF::IntHash<unsigned int>, WTF::HashTrait
|
-
|
2016-10-02
|
128157
|
Heap-use-after-free in WebCore::HTMLFormControlElement::disabled
|
-
|
2016-10-02
|
128151
|
Heap-use-after-free in WebKit::MainThreadFileSystemCallbacks::didSucceed
|
-
|
2016-10-02
|
128146
|
UNKNOWN in v8::internal::DescriptorArray::Set
|
-
|
2016-10-02
|
128018
|
[LangFuzz] Crash in v8::internal::ShortCircuitConsString with invalid read
|
$1000
|
2016-10-02
|
127889
|
Use after free in WebCore::Font::characterRangeCodePath / WebCore::Font::codePath
|
-
|
2016-10-02
|
127764
|
Heap-use-after-free in WebCore::RenderBlock::xPositionForFloatIncludingMargin
|
-
|
2016-10-02
|
127701
|
Heap-use-after-free in WebCore::RenderObject::repaint
|
-
|
2016-10-02
|
127648
|
Out of bounds read in WebCore::Region::Shape::compareShapes
|
-
|
2016-10-02
|
127624
|
Security: pepper plugins - protect plugin's data files from other plugins and the renderer itself.
|
-
|
2016-10-02
|
127525
|
Dragging a file into a web renderer exposes the file: scheme
|
$500
|
2016-10-02
|
127522
|
Security: Chrome Allows "Carpet Bomb" from File Download
|
-
|
2016-10-02
|
127727
|
Heap-use-after-free in WebCore::ContextDestructionObserver::contextDestroyed
|
-
|
2016-10-02
|
127449
|
PPAPI processes hold privileged process handles
|
-
|
2016-10-02
|
127418
|
Heap-use-after-free in WebCore::SVGTextLayoutEngine::layoutTextOnLineOrPath
|
$1000
|
2016-10-02
|
127417
|
Security: Arbitrary memory read in libxslt
|
$500
|
2016-10-02
|
127371
|
Heap-use-after-free in WebCore::AXObjectCache::postNotification
|
-
|
2016-10-02
|
127368
|
Heap-use-after-free in WebCore::SVGAnimatedLengthAnimator::resetAnimValToBaseVal
|
-
|
2016-10-02
|
127367
|
Heap-use-after-free in WebCore::ApplyStyleCommand::joinChildTextNodes
|
-
|
2016-10-02
|
127366
|
Heap-use-after-free in WebCore::ReplaceSelectionCommand::performTrivialReplace
|
-
|
2016-10-02
|
127424
|
Heap-use-after-free in WebKit::WebPagePopupImpl::closePopup
|
$1000
|
2016-10-02
|
127234
|
Heap-use-after-free in WebCore::SVGPropertyTearOff<WebCore::FloatRect>::commitChange
|
-
|
2016-10-02
|
126723
|
Heap-use-after-free in WebCore::RenderBlock::checkFloatsInCleanLine
|
-
|
2016-10-02
|
126652
|
Heap-buffer-overflow in bool WebCore::Region::Shape::compareShapes<WebCore::Region::Shape::CompareIntersectsOperation>
|
-
|
2016-10-02
|
126475
|
Heap-use-after-free in WebCore::InlineBox::root
|
-
|
2016-10-02
|
126414
|
[LangFuzz] Crash on heap with invalid read from random address (32 bit)
|
$500
|
2016-10-02
|
126406
|
Heap-use-after-free in WebCore::RenderBlock::addChildIgnoringAnonymousColumnBlocks
|
-
|
2016-10-02
|
126343
|
OOB write in PDF character code mapping
|
-
|
2016-10-02
|
126337
|
Stack buffer overflow in character range parsing
|
-
|
2016-10-02
|
126296
|
Security: Browser crash document.createEvent("MouseEvents").initMouseEvent in background tab
|
$1000
|
2016-10-02
|
125730
|
Heap-use-after-free in WebCore::Document::nodeChildrenWillBeRemoved
|
-
|
2016-10-02
|
126105
|
Global-buffer-overflow in RgnOper::addSpan
|
-
|
2016-10-02
|
126074
|
Heap-use-after-free in WebCore::SpellChecker::didCheckSucceeded
|
-
|
2016-10-02
|
126048
|
Heap-use-after-free in SpeechRecognitionManagerImpl::DispatchEvent
|
$1000
|
2016-10-02
|
126040
|
Heap-use-after-free in WebCore::ContainerNode::insertBefore
|
-
|
2016-10-02
|
126015
|
Heap-use-after-free in WebCore::HTMLFormControlElement::disabled
|
-
|
2016-10-02
|
125921
|
Heap-buffer-overflow in WebCore::FontCache::releaseFontData
|
-
|
2016-10-02
|
125919
|
Heap-buffer-overflow in WebCore::SVGAnimatedPointListAnimator::calculateAnimatedValue
|
$500
|
2016-10-02
|
125821
|
The Linux setuid sandbox has become (even more) insanely complex
|
-
|
2016-10-02
|
126075
|
Stack-buffer-overflow in SuggestMgr::forgotchar_utf
|
-
|
2016-10-02
|
125563
|
Heap-use-after-free in WebCore::RenderBlock::determineStartPosition
|
-
|
2016-10-02
|
125557
|
Heap-use-after-free in WebCore::AudioParam::disconnect
|
-
|
2016-10-02
|
125555
|
Heap-use-after-free in WTF::HashMap<int, WTF::RefPtr<WebCore::CalculationValue>, WTF::IntHash<unsigned int>, WTF::HashTrait
|
-
|
2016-10-02
|
125529
|
Heap-use-after-free in WebCore::HTMLLinkElement::setCSSStyleSheet
|
-
|
2016-10-02
|
125515
|
[LangFuzz] Crash on heap with invalid write to random address
|
$1000
|
2016-10-02
|
108918
|
Heap-use-after-free in WebCore::RenderTableSection::rowLogicalHeightChanged
|
-
|
2016-10-02
|
108901
|
Heap-buffer-overflow in compute_pos_tan
|
$500
|
2016-10-02
|
108894
|
Heap-use-after-free in WebCore::HTMLCollection::length
|
-
|
2016-10-02
|
108871
|
IndexedDB with autoincrement fails on object put and crashes chrome
|
$1000
|
2016-10-02
|
108605
|
Use of uninitialized value in SkAlphaRuns::Break
|
$1000
|
2016-10-02
|
108798
|
Heap-use-after-free in WebCore::(anonymous namespace)::AllowFileSystemMainThreadBridge::signalCompleted
|
-
|
2016-10-02
|
108695
|
Heap-use-after-free in WebKit::WebFrameImpl::viewImpl
|
$1000
|
2016-10-02
|
108648
|
Security: Malicious extension could avoid being blacklisted via extension blacklist
|
-
|
2016-10-02
|
108476
|
Heap-buffer-overflow in WebCore::Font::codePath
|
$500
|
2016-10-02
|
108544
|
Heap-use-after-free in SubresourceLoader::didFinishLoading
|
$1000
|
2016-10-02
|
108579
|
Heap-buffer-overflow in void WTF::Vector<WTF::RefPtr<WebCore::TextTrack>, 0ul>::insert<WTF::RefPtr<WebCore::TextTrack> >
|
-
|
2016-10-02
|
108461
|
Heap-use-after-free in WebCore::HTMLInputElement::copyNonAttributeProperties
|
-
|
2016-10-02
|
108416
|
Global-buffer-overflow in render_line
|
$500
|
2016-10-02
|
108071
|
Browser process heap-use-after-free with indexeddb cursors
|
$3133
|
2016-10-02
|
108037
|
Heap-buffer-overflow in WebCore::SVGLength::valueAsString
|
$1000
|
2016-10-02
|
108006
|
Stack-buffer-overflow in HB_MyanmarShape
|
-
|
2016-10-02
|
108267
|
Heap-use-after-free in WebCore::RenderBlock::selectionGaps
|
-
|
2016-10-02
|
108207
|
Heap-use-after-free in WebCore::RenderTable::borderBefore
|
$1000
|
2016-10-02
|
107758
|
Heap-use-after-free in WebCore::RenderRegion::offsetFromLogicalTopOfFirstPage
|
$1000
|
2016-10-02
|
107565
|
Security: dragging a file URL between two http-spawned windows goes remote->local
|
-
|
2016-10-02
|
107873
|
Heap-use-after-free in WebCore::DatabaseTracker::interruptAllDatabasesForContext
|
-
|
2016-10-02
|
107616
|
UXSS in v8 bindings npCreateV8ScriptObject()
|
-
|
2016-10-02
|
107939
|
Heap-buffer-overflow in WebCore::RenderBlock::layoutRunsAndFloatsInRange
|
-
|
2016-10-02
|
107258
|
Freed m_renderer used in InlineBox::deleteLine
|
-
|
2016-10-02
|
107244
|
Heap-use-after-free in DatabaseObserver
|
$1000
|
2016-10-02
|
107376
|
Memory corruption crash in ExtensionPrefs::MigrateAppIndex.
|
-
|
2016-10-02
|
107128
|
Heap-buffer-overflow in xmlStringLenDecodeEntities
|
$4000
|
2016-10-02
|
107277
|
Heap-use-after-free in WebCore::RenderTextFragment::willBeDestroyed
|
-
|
2016-10-02
|
107182
|
Heap use after free with malware blocking page
|
$3133
|
2016-10-02
|
106672
|
Security: Crash in requestAnimationFrame when removing a frame
|
$1000
|
2016-10-02
|
106671
|
Heap-use-after-free in WebCore::InlineFlowBox::deleteLine
|
-
|
2016-10-02
|
106577
|
Heap-buffer-overflow in SkAAClipBlitter::blitAntiH
|
$500
|
2016-10-02
|
107032
|
Sad tab when visiting https://code.google.com and --no-displaying-insecure-content
|
-
|
2016-10-02
|
106441
|
Stack-buffer-overflow in _canonicalize
|
$1000
|
2016-10-02
|
106419
|
Global-buffer-overflow in SkFileDescriptorStream::read
|
-
|
2016-10-02
|
106413
|
Heap-use-after-free in WebCore::RenderBlock::checkFloatsInCleanLine
|
-
|
2016-10-02
|
106340
|
Heap-use-after-free in WebCore::RenderTable::outerBorderAfter
|
$3000
|
2016-10-02
|
106336
|
Heap-use-after-free in WebCore::CounterNode::insertAfter
|
$500
|
2016-10-02
|
106334
|
Security: Popupblocker is ignored, downloads are invisible
|
-
|
2016-10-02
|
106484
|
Heap-use-after-free in WebCore::RenderObject::childAt
|
$1000
|
2016-10-02
|
106309
|
Heap-buffer-overflow in WebCore::InlineFlowBox::addToLine (regions issue)
|
-
|
2016-10-02
|
106165
|
Heap-buffer-overflow in safe_browsing protocol parser
|
-
|
2016-10-02
|
105867
|
Use after free in V8HTMLElementWrapperFactory.cpp
|
$1000
|
2016-10-02
|
105803
|
PDF missing integer validation for Flate / LZW / Fax prediction codes and other parameters
|
-
|
2016-10-02
|
106200
|
Heap-use-after-free in WebCore::InlineBox::deleteLine
|
$500
|
2016-10-02
|
106316
|
Heap-buffer-overflow in WebCore::HTMLTreeBuilder::processEndTag
|
-
|
2016-10-02
|
105482
|
Security: CSP connect-src and script-src not enforced on workers
|
-
|
2016-10-02
|
105459
|
Use-after frees and bad casts with -webkit-column-span
|
$2000
|
2016-10-02
|
105714
|
Nasty looking INVALID_POINTER_READ in internal PDF-reader
|
$500
|
2016-10-02
|
134123
|
Heap-use-after-free in WebCore::VisibleSelection::rootEditableElement
|
-
|
2016-10-02
|
105162
|
Stack-buffer-overflow in base::files::(anonymous namespace)::InotifyReaderTask::Run
|
-
|
2016-10-02
|
134305
|
Heap-use-after-free in WebCore::RenderObject::absoluteBoundingBoxRect
|
-
|
2016-10-02
|
133725
|
Security: public chromium site is leaking internal Google DNS names
|
-
|
2016-10-02
|
134088
|
Use-after-free: LabelsNodeList isn't updated properly after its owner node is adopted into a new document
|
-
|
2016-10-02
|
133892
|
Heap-use-after-free in WebCore::RenderListItem::updateMarkerLocation
|
-
|
2016-10-02
|
133288
|
Heap-buffer-overflow in WebCore::CSPSourceList::parseSource
|
-
|
2016-10-02
|
133571
|
Heap-use-after-free in SkARGB32_Black_Blitter::blitAntiH
|
$1000
|
2016-10-02
|
133418
|
Heap-use-after-free in WebCore::RenderBlock::layoutPositionedObjects
|
-
|
2016-10-02
|
134101
|
Security: webRequest API allows extensions to XSS chrome.google.com and gain access to webstorePrivate API
|
$2000
|
2016-10-02
|
133214
|
UNKNOWN in WebCore::RenderTableSection::addCell
|
$1000
|
2016-10-02
|
133196
|
Heap-use-after-free in WebCore::RenderInline::willBeDestroyed
|
-
|
2016-10-02
|
132806
|
ChromeContentBrowserClient::AllowSocketAPI using allowed_socket_origins_ without scheme check
|
-
|
2016-10-02
|
132779
|
Security: WebM heap-buffer-overflow in matroskadec.c:matroska_parse_block()
|
$1000
|
2016-10-02
|
132699
|
Update Java version metadata for Jun 2012 CPU
|
-
|
2016-10-02
|
132690
|
Heap-use-after-free in WebCore::RenderSVGModelObject::checkIntersection
|
-
|
2016-10-02
|
132890
|
Crash when using Web Audio + media element with no audio or when user navigates
|
-
|
2016-10-02
|
131969
|
Heap-use-after-free in WebCore::AccessibilityObject::getAttribute
|
-
|
2016-10-02
|
132396
|
Heap-use-after-free in WebCore::RenderBlock::layoutRunsAndFloats
|
-
|
2016-10-02
|
132398
|
Global-buffer-overflow in D_Clear_BitmapXferProc
|
-
|
2016-10-02
|
132203
|
UAF in ValueStoreFrontend::Backend::Get
|
-
|
2016-10-02
|
132019
|
Heap-use-after-free in WebCore::InlineFlowBox::deleteLine
|
-
|
2016-10-02
|
132270
|
Global-buffer-overflow in WebCore::mediaControlElementType
|
-
|
2016-10-02
|
131968
|
Heap-use-after-free in WebCore::AccessibilityTable::isDataTable
|
-
|
2016-10-02
|
132241
|
Heap-use-after-free in WebCore::DocumentThreadableLoader::cancel
|
-
|
2016-10-02
|
131934
|
Heap-use-after-free in WTF::Vector<WebCore::Attribute, 0ul>::~Vector
|
-
|
2016-10-02
|
131348
|
Security: Use-after-free in safe_browseing::DownloadProtectionService found by Valgrind
|
-
|
2016-10-02
|
131347
|
heap-use-after-free in DictionaryValue while closing chrome, requires extension.
|
-
|
2016-10-02
|
131087
|
UAF due to Document::removePendingSheet re-entering JavaScript during Document cleanup
|
-
|
2016-10-02
|
130927
|
Heap-use-after-free in WebCore::CompositeEditCommand::breakOutOfEmptyListItem
|
-
|
2016-10-02
|
130824
|
Security: Linux crash report generation code reads past the end of an unterminated string buffer.
|
-
|
2016-10-02
|
130802
|
Heap-buffer-overflow in void WTF::Vector<unsigned short, 0ul>::append<unsigned short>
|
-
|
2016-10-02
|
130743
|
Chromium is no more asking you for permissions to run WMP plugin via the Infobar. Is it intentional?
|
-
|
2016-10-02
|
130723
|
Use after free after setting -webkit-line-clamp to none
|
-
|
2016-10-02
|
130722
|
Heap-use-after-free in WebCore::InsertParagraphSeparatorCommand::doApply
|
-
|
2016-10-02
|
130595
|
Heap-use-after-free in WebCore::RenderBlock::layoutBlockChildren
|
$1000
|
2016-10-02
|
130356
|
Heap-use-after-free in WebCore::SVGDocumentExtensions::removeAllElementReferencesForTarget
|
$1000
|
2016-10-02
|
130276
|
Chrome attempts to load metro_driver.dll when Metro is not supported
|
-
|
2016-10-02
|
130241
|
[crash] WebCore::RenderStyle::fontMetrics(void)+0xa
|
-
|
2016-10-02
|
130240
|
Heap-buffer-overflow WRITE in read_markers third_party/libjpeg_turbo/jdmarker
|
$1000
|
2016-10-02
|
130237
|
Heap-use-after-free in WebCore::RenderObject::arenaDelete
|
-
|
2016-10-02
|
130235
|
Heap-use-after-free in WebCore::HTMLElement::adjustDirectionalityIfNeededAfterChildrenChanged
|
-
|
2016-10-02
|
130369
|
Heap-use-after-free in WebCore::RenderBlock::layoutPositionedObjects
|
$1000
|
2016-10-02
|
129826
|
Chrome_Mac: Zombie <DownloadItemController: 0x1f1e6fd0> received -handleReveal: (via -performSelector:withObject:)
|
-
|
2016-10-02
|
129947
|
Heap-use-after-free in WebCore::RenderObject::setStyle
|
$1000
|
2016-10-02
|
129942
|
UNKNOWN in v8_i18n::IntlNumberFormat::JSInternalFormat
|
$1000
|
2016-10-02
|
129936
|
Heap-use-after-free in WebCore::InlineTextBox::nodeAtPoint
|
-
|
2016-10-02
|
129930
|
Security: libxml2 growBuffer integer overflow on 64-bit machines
|
$3000
|
2016-10-02
|
129898
|
Heap-use-after-free in WebCore::CounterNode::lastDescendant
|
$1000
|
2016-10-02
|
129890
|
Heap-use-after-free in WebCore::cancelAll
|
-
|
2016-10-02
|
129951
|
UNKNOWN in v8::Function::Call
|
$1000
|
2016-10-02
|
129394
|
Heap-use-after-free in WebCore::AccessibilityTable::isDataTable
|
-
|
2016-10-02
|
129569
|
Heap-use-after-free in WebCore::RenderLayer::updateCompositingLayersAfterScroll
|
-
|
2016-10-02
|
129396
|
Heap-buffer-overflow in WebCore::RenderTable::colElement
|
-
|
2016-10-02
|
129357
|
Heap-buffer-overflow in WebCore::RenderProgress::isDeterminate
|
-
|
2016-10-02
|
129301
|
Heap-use-after-free in WebCore::AXObjectCache::postPlatformNotification
|
-
|
2016-10-02
|
129299
|
Run-in UAFs part 2
|
-
|
2016-10-02
|
129360
|
Heap-use-after-free in WebCore::InlineFlowBox::removeChild
|
-
|
2016-10-02
|
105143
|
Cross-origin drag-and-drop prevention ineffective
|
-
|
2016-10-02
|
105157
|
Heap-use-after-free in WebCore::InlineFlowBox::removeChild
|
-
|
2016-10-02
|
105133
|
Heap-use-after-free in WebCore::RenderObject::isDescendantOf
|
-
|
2016-10-02
|
105012
|
Global-buffer-overflow in WebCore::RenderFlexibleBox::mainAxisBorderAndPaddingExtentForChild
|
-
|
2016-10-02
|
104935
|
Security: HSTS "cookies" do not obey expected policy.
|
-
|
2016-10-02
|
104863
|
Heap-use-after-free in WebCore::SubresourceLoader::didFail
|
$1000
|
2016-10-02
|
104859
|
Heap-use-after-free in WebCore::InlineFlowBox::computeOverAnnotationAdjustment
|
$1000
|
2016-10-02
|
104617
|
Heap-use-after-free in WebCore::CSSImageGeneratorValue::addClient
|
-
|
2016-10-02
|
104529
|
PDF-reader tab-crash with editable crash address.
|
$2000
|
2016-10-02
|
104959
|
Nasty looking crash on internal pdf-reader
|
$500
|
2016-10-02
|
104461
|
Security: chrome://workers/ crash
|
-
|
2016-10-02
|
104325
|
Heap-use-after-free in WebCore::RenderBlock::determineStartPosition
|
-
|
2016-10-02
|
104315
|
Heap-use-after-free WebCore::RenderObject::container
|
-
|
2016-10-02
|
104272
|
Security: Directory traversal in extension docs
|
-
|
2016-10-02
|
104266
|
Heap-use-after-free in WebCore::nextBreakablePosition
|
-
|
2016-10-02
|
104466
|
Schema check on navigations to chrome/file schemas should be avoided
|
-
|
2016-10-02
|
104317
|
Stale RenderObject in RenderBlock::addChildIgnoringAnonymousColumnBlocks()
|
-
|
2016-10-02
|
104056
|
Crash with PDF at bad IP
|
$1000
|
2016-10-02
|
104223
|
Security: MHTML can be used to steal cookies
|
-
|
2016-10-02
|
103867
|
Security: chrome.test.resetQuota extension API exposed to all extensions
|
-
|
2016-10-02
|
103750
|
minor self-inflicted xss on chrome://tracking2
|
-
|
2016-10-02
|
103738
|
Security: out of bounds array access in WebCore::RenderTableSection::rowLogicalHeightChanged
|
-
|
2016-10-02
|
104011
|
v8_i18n::BCP47ToICUFormat() - crash
|
$1000
|
2016-10-02
|
104151
|
Bad cast in WebCore::RenderThemeMac::paintMediaToggleClosedCaptionsButton
|
-
|
2016-10-02
|
103921
|
Use-after-free in DOM Range
|
$1000
|
2016-10-02
|
103239
|
Security: INVALID_POINTER_READ/WRITE_EXPLOITABLE_chrome!SkRgnBuilder::blitH
|
$1000
|
2016-10-02
|
103259
|
[LangFuzz] Crash at v8::internal::WriteQuoteJsonString with invalid write
|
$1000
|
2016-10-02
|
102810
|
Security: buffer overflow in link prefetching
|
$1000
|
2016-10-02
|
103630
|
Security: iFrame SandBox Unique Origin not enforced in extensions
|
-
|
2016-10-02
|
103126
|
Heap-use-after-free in WebCore::RenderTextFragment::styleDidChange
|
-
|
2016-10-02
|
103244
|
Pinning checks aren't enforced in the case of a minor error.
|
-
|
2016-10-02
|
103058
|
Security: missing xslt import causes crash w/preloading
|
$1000
|
2016-10-02
|
102037
|
Security: Use after free in CSSStyleDeclarationInternal::parentRuleAttrGetter
|
-
|
2016-10-02
|
101900
|
Security: bug rendering web pages with flash content
|
-
|
2016-10-02
|
101835
|
Exit full screen button crashes browser
|
-
|
2016-10-02
|
101779
|
OOB read with corrupt PDF; possible stability issue too
|
-
|
2016-10-02
|
101624
|
Security: buffer overrun leading to heap corruption in ANGLE shader translator
|
-
|
2016-10-02
|
102242
|
ZDI-CAN-1416: WebKit ContentEditable swapInNode Use-After-Free Remote Code Execution Vulnerability
|
-
|
2016-10-02
|
101901
|
Security: scrolling web with flash content rendering bug
|
-
|
2016-10-02
|
102628
|
Security: Adobe regions use-after-free with multiple region css thingies
|
$1000
|
2016-10-02
|
102461
|
Failure to infobar JRE7
|
-
|
2016-10-02
|
102359
|
Use-after-free in SVG renderer
|
$1000
|
2016-10-02
|
101446
|
Use after free in TextTrack::~TextTrack
|
-
|
2016-10-02
|
101235
|
Security: Location bar spoofing when using replaceState in unload event handler
|
-
|
2016-10-02
|
101205
|
Security: marketplace
|
-
|
2016-10-02
|
101172
|
Seeking on webm 1080p video causes crash
|
-
|
2016-10-02
|
101580
|
Heap-use-after-free in WebCore::RenderObject::enclosingLayer
|
-
|
2016-10-02
|
101548
|
Test: ABCD
|
-
|
2016-10-02
|
101494
|
OOB read in media::ScaleYUVToRGB32
|
-
|
2016-10-02
|
101458
|
OOB read in WebM/vorbis vorbis_decode_frame()
|
$1000
|
2016-10-02
|
101018
|
Use after free in fullscreen unwraprenderer
|
-
|
2016-10-02
|
101010
|
Security: css/CSSParser.cpp memory corruption bug
|
-
|
2016-10-02
|
100958
|
Heap-use-after-free WebCore::RenderBlock::layoutPositionedObjects
|
-
|
2016-10-02
|
100879
|
Problem with full-screen infobar permission prompt
|
-
|
2016-10-02
|
100863
|
OOB read in SVG at WebCore::parseArcFlag
|
-
|
2016-10-02
|
100543
|
OOB read in WebM/vorbis at render_line()
|
$500
|
2016-10-02
|
101065
|
Use after free with counters and inline-table and :before content
|
-
|
2016-10-02
|
101127
|
BlackBerry
|
-
|
2016-10-02
|
101136
|
Security: Search terms hijacked to return only one site for search terms
|
-
|
2016-10-02
|
138210
|
Information and credential disclosure by file:// URLs (Android)
|
$500
|
2016-10-02
|
138035
|
Security: Google Chrome for Android: Current-tab cross-application scripting (UXSS)
|
$500
|
2016-10-02
|
138012
|
Heap-buffer-overflow in WebCore::FontCache::releaseFontData
|
-
|
2016-10-02
|
137912
|
Heap-buffer-overflow in WebCore::DelayDSPKernel::process
|
-
|
2016-10-02
|
137891
|
Security: HTTPS proxy can run JavaScript on requested HTTPS sites
|
-
|
2016-10-02
|
137852
|
Heap-use-after-free in WebKit::WebElement::document
|
-
|
2016-10-02
|
137778
|
Heap-use-after-free in webkit::ppapi::PPB_URLLoader_Impl::FillUserBuffer
|
-
|
2016-10-02
|
138208
|
Crash in SkGlyphCache::findImage
|
$1000
|
2016-10-02
|
100492
|
Use after free in WebM/matroska at matroska_execute_seekhead()
|
$3000
|
2016-10-02
|
100465
|
OOB read in OGV at unpack_vlcs
|
$500
|
2016-10-02
|
100464
|
Use-after-free in WebM at decode_mb_mode
|
$1000
|
2016-10-02
|
100459
|
Use after free in RenderDeprecatedFlexibleBox::layoutHorizontalBox(bool) [and first-letter]
|
-
|
2016-10-02
|
100447
|
ClusterFuzz Account Check.
|
-
|
2016-10-02
|
100322
|
Security: Calling arbitrary V8 native functions from JavaScript
|
-
|
2016-10-02
|
138196
|
Stack-buffer-overflow in NPObjectProxy::NPNEvaluate
|
-
|
2016-10-02
|
138192
|
Heap-buffer-overflow in WebCore::HTMLInputElement::dataList
|
-
|
2016-10-02
|
100526
|
Use after free in floats and first-letter
|
-
|
2016-10-02
|
137623
|
Heap-buffer-overflow in WebPluginDelegateProxy::BackgroundChanged
|
-
|
2016-10-02
|
137532
|
Security: Android APIs exposed to JavaScript
|
$500
|
2016-10-02
|
137471
|
Heap-use-after-free in WebCore::Element::cloneElementWithoutChildren
|
-
|
2016-10-02
|
137413
|
Heap-buffer-overflow in WebCore::RenderTableSection::setCellLogicalWidths
|
-
|
2016-10-02
|
137409
|
Heap-use-after-free in WebCore::RenderObject::container
|
-
|
2016-10-02
|
137407
|
Security: Chrome for iOS security bug
|
-
|
2016-10-02
|
137364
|
Heap-use-after-free in WebCore::CSSFontSelector::beginLoadTimerFired
|
-
|
2016-10-02
|
137707
|
Security: Chrome extensions bug cause crash in all Chrome processes
|
$500
|
2016-10-02
|
137671
|
Security: Bad cast in WebCore::CalendarPickerElement::hostInput()
|
$2000
|
2016-10-02
|
137541
|
Reproducible crash. Changing tabs while a specific text field has focus.
|
-
|
2016-10-02
|
137233
|
Heap-buffer-overflow in WebCore::RenderBlock::handleTrailingSpaces
|
-
|
2016-10-02
|
137125
|
UNKNOWN in WebCore::StylePropertySet::addParsedProperties
|
$1000
|
2016-10-02
|
137208
|
Security: Mouse lock permission and iframe on different host
|
-
|
2016-10-02
|
137174
|
UNKNOWN in WebCore::SVGAnimationElement::currentValuesForValuesAnimation
|
-
|
2016-10-02
|
137147
|
UNKNOWN in WebCore::RenderTable::cellBefore
|
-
|
2016-10-02
|
137303
|
Corrupted rendering with many MapsGL tabs open
|
-
|
2016-10-02
|
137052
|
Heap-use-after-free in WebCore::EllipsisBox::paint
|
-
|
2016-10-02
|
137363
|
Heap-use-after-free in WebCore::RenderBlock::removeChild
|
-
|
2016-10-02
|
137362
|
Heap-buffer-overflow in WebCore::CCLayerTreeHostImpl::CullRenderPassesWithNoQuads::shouldRemoveRenderPass
|
-
|
2016-10-02
|
137232
|
UNKNOWN in WebCore::ElementAttributeData::addAttribute
|
-
|
2016-10-02
|
136497
|
Security: XSS via Copy&Paste protection bypass using @formaction / General Iframe Sandbox Considerations regarding copy&paste / drag&drop
|
-
|
2016-10-02
|
136881
|
Security: race condition with workers and sync xmlhttprequests
|
$500
|
2016-10-02
|
136894
|
Heap-buffer-overflow in UpsampleBgraLinePairSSE2
|
$1000
|
2016-10-02
|
136952
|
Heap-use-after-free in WebCore::RenderLineBoxList::dirtyLinesFromChangedChild
|
-
|
2016-10-02
|
136226
|
Heap-use-after-free in WebCore::RenderBlock::checkFloatsInCleanLine
|
-
|
2016-10-02
|
136182
|
Heap-use-after-free in WebCore::ImageLoader::updateRenderer
|
-
|
2016-10-02
|
136344
|
Heap-use-after-free in WebCore::FrameLoader::stopAllLoaders
|
-
|
2016-10-02
|
136116
|
Heap-use-after-free in WebCore::RenderLayer::enclosingFilterLayer
|
-
|
2016-10-02
|
136046
|
Bad intersection of injected HTTP headers leads to Content Security Policy (CSP) Bypass
|
-
|
2016-10-02
|
136296
|
Heap-use-after-free in WebCore::SVGSMILElement::resetTargetElement
|
-
|
2016-10-02
|
136235
|
Heap-use-after-free in WebCore::StyleResolver::collectMatchingRulesForList
|
$1000
|
2016-10-02
|
136145
|
Security: Heap-buffer-overflow on TextFieldDecorationElement::defaultEventHandler
|
-
|
2016-10-02
|
135697
|
Heap-use-after-free in WebCore::RenderLayer::repaintBlockSelectionGaps
|
-
|
2016-10-02
|
135658
|
Turn off <iframe> seamless for m21
|
-
|
2016-10-02
|
135595
|
Heap-use-after-free in WebCore::ImageLoader::notifyFinished
|
-
|
2016-10-02
|
135705
|
Heap-buffer-overflow in WebCore::TextIterator::handleTextBox
|
-
|
2016-10-02
|
135432
|
Heap-buffer-overflow in skia::BGRAConvolve2D
|
$1000
|
2016-10-02
|
135698
|
Heap-use-after-free in WebCore::HTMLInputElement::isPresentationAttribute
|
-
|
2016-10-02
|
135485
|
SPDY - Pushed stream - crash accessing https://jetty.intalio.com:10111/spdy
|
-
|
2016-10-02
|
135071
|
Heap-buffer-overflow in void WTF::Vector<unsigned short, 1024ul>::append<unsigned short>
|
-
|
2016-10-02
|
134897
|
Bad cast with run-ins and <input>
|
$1000
|
2016-10-02
|
135173
|
Heap-use-after-free in WebCore::RenderQuote::rendererRemovedFromTree
|
-
|
2016-10-02
|
135043
|
Heap-use-after-free in media_stream::
|
$3133
|
2016-10-02
|
134429
|
Heap-use-after-free in WebCore::Document::clearNodeListCaches
|
-
|
2016-10-02
|
134639
|
Heap-use-after-free in WebCore::RenderObject::destroyAndCleanupAnonymousWrappers
|
-
|
2016-10-02
|
134428
|
Heap-buffer-overflow in WebCore::SVGDocumentExtensions::removeAnimationElementFromTarget
|
-
|
2016-10-02
|
134519
|
Security: memory address disclosure through JavaScript in WebUI's cookies page
|
-
|
2016-10-02
|
134402
|
Heap buffer overflows in WebCore::CSSParser::lex
|
-
|
2016-10-02
|
134324
|
Heap-use-after-free in WebCore::RenderBlock::layoutPositionedObjects
|
-
|
2016-10-02
|
134325
|
Security: Use after free with mouse lock and window.open
|
$1000
|
2016-10-02
|
100177
|
Use after free in first-letter container destruction handling.
|
-
|
2016-10-02
|
100149
|
Use after free in AX Scrollbars
|
-
|
2016-10-02
|
99991
|
Use after free in ImageBuffer::toDataURL
|
-
|
2016-10-02
|
100059
|
Generic fix: Register custom fonts at creation time, rather than retire time.
|
$1337
|
2016-10-02
|
99652
|
OOB read in vp8_decode_frame
|
$1000
|
2016-10-02
|
99732
|
Use after free in table parts.
|
-
|
2016-10-02
|
99603
|
Use after free due to flexible box not laying some of its children.
|
-
|
2016-10-02
|
99597
|
Use after free in tables, float, :after content
|
-
|
2016-10-02
|
99840
|
Windows OpenGL performance drops by 2/3 with GPU sandbox on
|
-
|
2016-10-02
|
99880
|
Use after free in table :before, :after content.
|
$1000
|
2016-10-02
|
99901
|
BinScope reports SafeSEH not supported on video DLLs
|
-
|
2016-10-02
|
99615
|
Heap-use-after-free in WebCore::GraphicsContext::paintingDisabled
|
-
|
2016-10-02
|
99465
|
Security: AccessibilityImageMapLink holds onto its parent even after it's been freed
|
-
|
2016-10-02
|
99348
|
Use after free in tables
|
-
|
2016-10-02
|
99338
|
Use after free in RenderTableSection::splitColumn
|
-
|
2016-10-02
|
99596
|
Use after free in media::FFmpegDemuxerStream::Read
|
-
|
2016-10-02
|
99553
|
repeatedly re-setting video.src crashes in WebCore::VideoLayerChromium::updateCompositorResources
|
-
|
2016-10-02
|
99480
|
OOB read in media::ScaleYUVToRGB32
|
-
|
2016-10-02
|
99294
|
Use after free with :after in display table and :first-letter
|
$1000
|
2016-10-02
|
99167
|
[LangFuzz] Crash on Heap involving GC (invalid write)
|
$1000
|
2016-10-02
|
99104
|
WebKit: invalid cast in WebCore::toRenderBlock / WebCore::RenderBlock::blockSelectionGaps
|
-
|
2016-10-02
|
99016
|
Security: HTTPS Address Bar Spoofing Using View-source And Redirection
|
$1000
|
2016-10-02
|
99003
|
changing proxy
|
-
|
2016-10-02
|
99229
|
WebKit: Use after free in ~Node because ~HTMLLinkElement triggers script execution
|
-
|
2016-10-02
|
99211
|
Heap buffer overflow in Webaudio FFTFrame::doFFT
|
$2000
|
2016-10-02
|
99138
|
Use-after-free with plugin and editing
|
$1000
|
2016-10-02
|
98556
|
Use after free with first-letter
|
$1000
|
2016-10-02
|
98262
|
Chrome 16 crash when resizing window
|
-
|
2016-10-02
|
98161
|
Bug 68816 - Rapidly refreshing a feMorphology[erode] with r=0 can sometimes cause display corruption
|
-
|
2016-10-02
|
98773
|
[LangFuzz] Crash at v8::Object::SlowGetPointerFromInternalField with invalid read
|
$1000
|
2016-10-02
|
98809
|
Renderer crash with PDF at isalnum
|
$500
|
2016-10-02
|
98582
|
Security: invalid memory reference to window object
|
-
|
2016-10-02
|
97994
|
Use after free due to stale fonts
|
-
|
2016-10-02
|
97952
|
Stale layout root generic fix from Mitz
|
-
|
2016-10-02
|
97898
|
Regression: Use after free in RenderBlock::linkToEndLineIfNeeded
|
-
|
2016-10-02
|
97867
|
Security: Major Google Plus and Google Chrome Problem
|
-
|
2016-10-02
|
98089
|
memory corruption in ANGLE shader translator
|
-
|
2016-10-02
|
98064
|
Use-after-free when font is missing
|
$1000
|
2016-10-02
|
97784
|
[v8] Stale pointer in CSSStyleSheet, Invalid cast in V8ListenerList::doFindWrapper
|
$1500
|
2016-10-02
|
97608
|
Use after free in counters in :before, :after content
|
$500
|
2016-10-02
|
97596
|
Security: anonymous proxy
|
-
|
2016-10-02
|
97553
|
Clicking a link on a page that has been fullscreened by JS doesn't exit fullscreen
|
-
|
2016-10-02
|
97546
|
Use after free in ruby text :after, :before content due to stale styles.
|
-
|
2016-10-02
|
97278
|
Security: Tracking bug for CachedResourceLoader::canRequest in a redirect chain
|
-
|
2016-10-02
|
97148
|
Crashes in PhishingDOMFeatureExtractor::ExtractFeaturesWithTimeout
|
-
|
2016-10-02
|
97092
|
Stale canvas used in WebCore::PlatformContextSkia::save()
|
$1000
|
2016-10-02
|
97674
|
Security: Extension can get at tabs details (url/title) without requesting tabs permission
|
-
|
2016-10-02
|
97599
|
More stale styles in listmarkers
|
$1000
|
2016-10-02
|
96747
|
Security: Magic iframe transfer vulnerability for Pepper/NaCl plugins
|
-
|
2016-10-02
|
96902
|
Use-after-free in findPlaceForCounter
|
$1000
|
2016-10-02
|
97006
|
Use after free due to issues in element detachment when entering fullscreen
|
-
|
2016-10-02
|
96665
|
Use after free in Element::recalcStyle due to reparenting issues in treebuilder
|
-
|
2016-10-02
|
96382
|
out-of-bounds access in Gradient::sortStopsIfNecessary
|
-
|
2016-10-02
|
96292
|
Use after free in media BufferedResourceLoader::Start
|
-
|
2016-10-02
|
141815
|
Heap-use-after-free in WebCore::RenderQuote::detachQuote
|
-
|
2016-10-02
|
141651
|
Heap-buffer-overflow in SkA8_Blitter::blitAntiH
|
$500
|
2016-10-02
|
141564
|
Heap-use-after-free in WebCore::HTMLLinkElement::removedFrom
|
-
|
2016-10-02
|
141462
|
Extension resources that are not web accessible should not be able to be linked to from the web
|
-
|
2016-10-02
|
141444
|
Security: Support pinning for Google ccTLDs
|
-
|
2016-10-02
|
141395
|
UNKNOWN in v8::internal::SemiSpaceIterator::Next
|
$1000
|
2016-10-02
|
96499
|
Heap-use-after-free in WebCore::RenderLayer::updateVisibilityStatus
|
-
|
2016-10-02
|
96444
|
Freed scrollbar used in RenderScrollbarPart::imageChanged [not related to previous stale m_owner issues]
|
-
|
2016-10-02
|
96149
|
Use after free in WebCore::AudioChannel::sumFrom
|
-
|
2016-10-02
|
141093
|
Security: Dev only restriction for declarativeWebRequest does not seem to work
|
-
|
2016-10-02
|
96150
|
Use after free in OfflineAudioDestinationNode::notifyCompleteDispatch
|
-
|
2016-10-02
|
140805
|
Heap-use-after-free in WebCore::RenderRegion::restoreRegionObjectsOriginalStyle
|
-
|
2016-10-02
|
140803
|
Heap-buffer-overflow in SkA8_Blitter::blitH
|
$1000
|
2016-10-02
|
140720
|
Heap-use-after-free in WebCore::RenderBlock::removeChild
|
-
|
2016-10-02
|
140656
|
Heap-use-after-free in WebCore::CachedResource::didAddClient
|
$1000
|
2016-10-02
|
140647
|
UNKNOWN in ogg_calc_pts
|
-
|
2016-10-02
|
140642
|
Heap-buffer-overflow in SkDashPathEffect::SkDashPathEffect
|
-
|
2016-10-02
|
96131
|
Closing parent then child in gmail = sad tab
|
-
|
2016-10-02
|
96170
|
Use after free in InspectorPageAgent::resourceContent
|
-
|
2016-10-02
|
140495
|
Text box fails to render contents and does not accept user input.
|
-
|
2016-10-02
|
140484
|
Heap-use-after-free in WebCore::RenderBlock::determineStartPosition
|
-
|
2016-10-02
|
140368
|
Security: heap-use-after-free in xsltGenerateIdFunction
|
-
|
2016-10-02
|
140165
|
Heap-buffer-overflow in vorbis_decode_frame
|
-
|
2016-10-02
|
140142
|
Heap-use-after-free in base::internal::WeakReference::is_valid
|
-
|
2016-10-02
|
140532
|
Heap-use-after-free in WebCore::RenderBoxModelObject::hasSelfPaintingLayer
|
-
|
2016-10-02
|
140544
|
Security: CSP doesn't turn off eval, etc. in Web Workers
|
-
|
2016-10-02
|
140083
|
[LangFuzz] Crash on heap trying to execute address 0x0000000200000000.
|
$1000
|
2016-10-02
|
140045
|
REGRESSION(r122498): Assertion failure: m_nodeListCounts is sometimes not zero in the Document destructor
|
-
|
2016-10-02
|
139961
|
Heap-use-after-free in WebCore::TargetListener::handleEvent [Stale target]
|
-
|
2016-10-02
|
139814
|
UAF in DOMContentLoaded
|
$2000
|
2016-10-02
|
139789
|
Heap-buffer-overflow in WebCore::CSSParser::updateLastSelectorLineAndPosition
|
-
|
2016-10-02
|
139772
|
AddressSanitizer reports a global buffer underflow in swizzle_for_size() in Mesa
|
-
|
2016-10-02
|
139744
|
Security: SSL compression infoleak
|
$5337
|
2016-10-02
|
140085
|
UNKNOWN in /mnt/scratch0/clusterfuzz/slave-bot/builds/revisions/asan-linux-release-149416/chrome+Unknown
|
-
|
2016-10-02
|
139685
|
OOB read at least in WebCore::SVGListProperty<WebCore::SVGTransformList>::getItemValuesAndWrappers
|
-
|
2016-10-02
|
139690
|
Heap-use-after-free in WebCore::GenericEventQueue::timerFired
|
-
|
2016-10-02
|
139646
|
Heap-use-after-free in WebCore::DynamicNodeList::itemWithName
|
-
|
2016-10-02
|
139679
|
Bad cast in RenderFrameSet::computeEdgeInfo
|
-
|
2016-10-02
|
139530
|
Heap-use-after-free in WebCore::Node::~Node
|
-
|
2016-10-02
|
139475
|
Heap-use-after-free in WebCore::TargetListener::handleEvent [Stale event listener]
|
-
|
2016-10-02
|
139462
|
Heap-use-after-free in SkCanvas::updateDeviceCMCache
|
-
|
2016-10-02
|
139541
|
UNKNOWN in v8::HandleScope::CreateHandle
|
-
|
2016-10-02
|
139464
|
Heap-use-after-free in WebCore::RenderSVGShape::calculateStrokeBoundingBox
|
-
|
2016-10-02
|
139321
|
Heap-use-after-free in WebCore::InlineBox::extractLine
|
-
|
2016-10-02
|
139402
|
Heap-use-after-free in D_Clear_BitmapXferProc
|
-
|
2016-10-02
|
139215
|
Heap-use-after-free in WebCore::StyleResolver::collectMatchingRules
|
-
|
2016-10-02
|
139168
|
Security: Creating a loop in the DOM tree (99% a DoS)
|
$500
|
2016-10-02
|
139131
|
Heap-use-after-free in WebCore::StyleResolver::collectMatchingRulesForList
|
-
|
2016-10-02
|
139290
|
Heap-use-after-free in WebCore::StyleResolver::loadPendingImage
|
-
|
2016-10-02
|
139383
|
Heap-use-after-free in WebCore::HTMLTextFormControlElement::fixPlaceholderRenderer
|
-
|
2016-10-02
|
139240
|
Heap-buffer-overflow in WebCore::TextTrackCueList::add
|
-
|
2016-10-02
|
138738
|
Crash in extensions::SetContentSettingFunction
|
-
|
2016-10-02
|
138915
|
Heap-use-after-free in WebCore::ContainerNode::cloneChildNodes
|
-
|
2016-10-02
|
138422
|
Heap-use-after-free in WebCore::Font::glyphDataAndPageForCharacter
|
-
|
2016-10-02
|
138404
|
Heap-use-after-free in WebCore::Document::page
|
-
|
2016-10-02
|
138673
|
Heap-buffer-overflow in xsltApplyTemplates
|
$1000
|
2016-10-02
|
138990
|
Heap-use-after-free in WebCore::SVGStyledElement::clearHasPendingResourcesIfPossible
|
-
|
2016-10-02
|
138672
|
Heap-double-free in xsltCompileStepPattern
|
-
|
2016-10-02
|
138901
|
Heap-use-after-free in ProfileKeyedBaseFactory::GetProfileToUse
|
-
|
2016-10-02
|
138302
|
Stack-buffer-overflow in NPObjectProxy::NPInvokePrivate
|
-
|
2016-10-02
|
138318
|
UXSS with pointer lock
|
-
|
2016-10-02
|
138382
|
Heap-use-after-free in WebCore::AutoTableLayout::recalcColumn
|
-
|
2016-10-02
|
138316
|
Heap-use-after-free in WebCore::RenderBoxModelObject::hasSelfPaintingLayer
|
-
|
2016-10-02
|
95849
|
Security: any Chrome committer (or perhaps even any user with Google account?) can compromise Google Chrome
|
-
|
2016-10-02
|
95842
|
Security: Chrome Gives Unreliable Security Info
|
-
|
2016-10-02
|
95761
|
Use after free in ContainerNode::removeChild (looks related to plugin)
|
-
|
2016-10-02
|
95672
|
Use after free in ListIterms and RunIns rendering (from bug 88680)
|
$1000
|
2016-10-02
|
95669
|
Regression(r93913): Use after free in ScriptController::executeScript
|
-
|
2016-10-02
|
95992
|
Security: header injection when using embedded \0 in headerline
|
-
|
2016-10-02
|
95920
|
[LangFuzz] Crash at v8::internal::ElementsAccessorBase with invalid read
|
$1000
|
2016-10-02
|
95917
|
Security: Chrome does not ask for approval when "not trusted" SSL cert. changes
|
-
|
2016-10-02
|
95563
|
OOB read in tibetan_nextSyllableBoundary
|
-
|
2016-10-02
|
95625
|
OOB read in gpu::gles2::GLES2DecoderImpl::HandleDrawArrays
|
-
|
2016-10-02
|
95499
|
Use after free due to style not updated and having stale fonts.
|
-
|
2016-10-02
|
95485
|
[LangFuzz] Crash at v8::internal::Object::Lookup
|
$1000
|
2016-10-02
|
95639
|
Use after free in Document::fullScreenChangeDelayTimerFired
|
-
|
2016-10-02
|
95620
|
use-after-free in browser_tests
|
-
|
2016-10-02
|
95520
|
Child not placed correctly when :before, :after placed in same table part container causing stale style
|
-
|
2016-10-02
|
95359
|
Use after free in WebCore::SVGTRefElement::updateReferencedText
|
-
|
2016-10-02
|
95360
|
use after free in WebCore::ContainerNode::removeChild via Range.deleteContents()
|
-
|
2016-10-02
|
95083
|
Security: Reveal stored passwords using the Developer Tool
|
-
|
2016-10-02
|
95072
|
Use after free due to style not updated for svg text runs.
|
$1000
|
2016-10-02
|
95012
|
Add defensive bounds checking in AudioNode
|
-
|
2016-10-02
|
94834
|
Security: Thread safety with AudioChannelMerger
|
-
|
2016-10-02
|
95374
|
Redirect to chrome:// URIs via Location: header
|
$2337
|
2016-10-02
|
95465
|
4 OOB reads in XMLDocumentParser::doWrite
|
-
|
2016-10-02
|
95333
|
ERROR:the following pages have become unresponsive. you can wait to become responsive or kill them
|
-
|
2016-10-02
|
94820
|
Don't allow nodes of one context to be connected to nodes of another context
|
-
|
2016-10-02
|
94743
|
Regression(r93913): Use after free in ScheduledAction::execute(WebCore::V8Proxy*)
|
-
|
2016-10-02
|
94578
|
Security: Brute forcing Intranet WWW-Auth with script element
|
-
|
2016-10-02
|
94487
|
Security: JSC::Yarr regexp 32/48 to the left of 768 with workers
|
$1000
|
2016-10-02
|
94464
|
Security: e
|
-
|
2016-10-02
|
94463
|
Security: e
|
-
|
2016-10-02
|
94462
|
Security: e
|
-
|
2016-10-02
|
94461
|
Security: e
|
-
|
2016-10-02
|
94460
|
Security: e
|
-
|
2016-10-02
|
94459
|
Security: e
|
-
|
2016-10-02
|
94458
|
Security: e
|
-
|
2016-10-02
|
94810
|
Use after free with Floats and Ruby
|
-
|
2016-10-02
|
94809
|
Use after free in ruby overhang.
|
-
|
2016-10-02
|
94456
|
Security:
|
-
|
2016-10-02
|
94275
|
Make sure that AudioArray is 16-byte aligned
|
-
|
2016-10-02
|
94273
|
V8 custom bindings for AudioNode must do proper object checking and throw exception in case of error
|
-
|
2016-10-02
|
94186
|
WebAudio node lifetype crash when tearing down audio nodes / media element node
|
-
|
2016-10-02
|
94025
|
WebAudio: Integer overflows in AudioArray
|
-
|
2016-10-02
|
93978
|
Out of bounds reads and writes when FFT size is changed.
|
-
|
2016-10-02
|
93918
|
Regression(93122): Use after free in InspectorCSSAgent::clearFrontend
|
-
|
2016-10-02
|
94457
|
Security: e
|
-
|
2016-10-02
|
94278
|
Fix thread-safety of AudioNode deletion
|
-
|
2016-10-02
|
93596
|
Bad read in bundled PDF viewer
|
-
|
2016-10-02
|
93497
|
Security: Accessibility of the chrome.webstorePrivate-API
|
-
|
2016-10-02
|
93472
|
Yet another double-free caused by malformed XPath expression in XSLT
|
$1000
|
2016-10-02
|
93420
|
Use after free in FocusController::advanceFocusInDocumentOrder
|
$1000
|
2016-10-02
|
93788
|
Use after free in RenderText lineboxes.
|
$1000
|
2016-10-02
|
93587
|
Use after free in WebCore::Text::recalcStyle due to before after content issue in table parts
|
$1000
|
2016-10-02
|
93856
|
Use after free in RenderFlowThread::nextRendererForNode
|
-
|
2016-10-02
|
93146
|
Security: Possible race condition in Windows Policy reading that can lead to stale policy.
|
-
|
2016-10-02
|
93106
|
Failing assertion in IDBTransaction.cpp
|
-
|
2016-10-02
|
93097
|
Defensively null out dangling pointers in the NaCl browser plugin memory safety for M14
|
-
|
2016-10-02
|
93059
|
OOB read in EventDispatcher::adjustToShadowBoundaries
|
-
|
2016-10-02
|
93416
|
Security: Arbitrary cross-origin bypass using __defineGetter__ prototype override
|
$2000
|
2016-10-02
|
93236
|
Stale Pointer Crash in PrintWebViewHelper::PrintPreviewContext::CreatePreviewDocument
|
-
|
2016-10-02
|
92959
|
Stale node in StyleSheetCandidateListHashSet
|
$1000
|
2016-10-02
|
92769
|
Use after free in TreeBuilder
|
-
|
2016-10-02
|
92651
|
Use after free due to style not updated for ANONYMOUS boxes (e.g RenderRow), inline-blocks (e.g. RenderRubyRun)
|
$1000
|
2016-10-02
|
92621
|
Use after free in VisibleSelection::selectionFromContentsOfNode
|
-
|
2016-10-02
|
92550
|
Chrome (main process) crashes when setVersion is called when all (Indexed) database name space is used up
|
-
|
2016-10-02
|
92226
|
Use after free in CounterNode::lastDescendant
|
-
|
2016-10-02
|
92840
|
Use after free in HarfbuzzFace::~HarfbuzzFace
|
-
|
2016-10-02
|
146433
|
Chrome_Mac: Crash Report - base::::CrMallocErrorBreak / invalid free in SkWriter32::rewindToOffset
|
-
|
2016-10-02
|
146235
|
WTF::equal is too aggressive and may trigger ASan reports
|
-
|
2016-10-02
|
146208
|
Heap-buffer-overflow in WebCore::RenderTableSection::nodeAtPoint
|
-
|
2016-10-02
|
146145
|
Heap-use-after-free in WebCore::RenderText::computePreferredLogicalWidths
|
-
|
2016-10-02
|
146144
|
Heap-use-after-free in WebCore::FrameView::scrollContentsFastPath
|
-
|
2016-10-02
|
146111
|
Heap-use-after-free in WebCore::RenderBoxModelObject::hasSelfPaintingLayer
|
-
|
2016-10-02
|
145976
|
Heap-use-after-free in WebCore::HTMLTextFormControlElement::fixPlaceholderRenderer
|
-
|
2016-10-02
|
145921
|
AddressSanitizer reports a UAF in WebCore::RenderStyle::letterSpacing
|
-
|
2016-10-02
|
146146
|
Heap-buffer-overflow in WebCore::FlowThreadController::unregisterNamedFlowContentNode
|
-
|
2016-10-02
|
145867
|
Heap-use-after-free in WebCore::FrameView::scrollContentsFastPath
|
-
|
2016-10-02
|
145915
|
Security/Privacy: <img>-embedded SVG will load external content referenced by CSS @import @font-face
|
-
|
2016-10-02
|
145530
|
Mitigation: Kill OOB reads(or few writes) by preventing access to harmful locals in dirty text lineboxes
|
-
|
2016-10-02
|
145525
|
Security: heap buffer overflow in gpu process with webgl
|
$3500
|
2016-10-02
|
145492
|
Web Inspector: Page with @import and :last-child in an edited stylesheet will crash (UAF)
|
-
|
2016-10-02
|
145544
|
Security: integer overflow in gpu process with webgl
|
$1000
|
2016-10-02
|
145272
|
Heap-use-after-free in WebCore::nextBreakablePosition
|
-
|
2016-10-02
|
145018
|
Heap-use-after-free in WebCore::StyleSheetContents::checkLoadCompleted
|
-
|
2016-10-02
|
144886
|
Security: webgl crash on mesa
|
$3133
|
2016-10-02
|
144866
|
Security: Chrome for Android Bypassing SOP for Local Files By Symlinks
|
$500
|
2016-10-02
|
144831
|
Heap-buffer-overflow in WebCore::StylePropertySet::copyPropertiesFrom
|
-
|
2016-10-02
|
145363
|
Security: Chrome extension DEP crash
|
-
|
2016-10-02
|
144899
|
SkPaint::SkPaint - crash
|
$1000
|
2016-10-02
|
144799
|
Heap-double-free in xmlFreeNodeList
|
-
|
2016-10-02
|
144813
|
Security: UXSS via com.android.browser.application_id Intent extra
|
$500
|
2016-10-02
|
144671
|
Heap-use-after-free in WebCore::GCPrologueVisitor<void, WebCore::SpecialCasePrologueObjectHandler>::visitDOMWrapper
|
-
|
2016-10-02
|
144466
|
Crash when verifying ECDSA certificate on XP
|
-
|
2016-10-02
|
144734
|
Heap-buffer-overflow in WebCore::RenderTable::removeCaption
|
-
|
2016-10-02
|
144810
|
Heap-use-after-free in WebCore::RenderTable::calcBorderEnd
|
-
|
2016-10-02
|
144704
|
Tracking bug for fixing rel=noreferrer aslr bypass
|
-
|
2016-10-02
|
143761
|
Heap-use-after-free in WebCore::GraphicsContext::restore
|
$1000
|
2016-10-02
|
143672
|
Flapper Crash in BrokerProcessDispatcher::GetSitesWithData
|
-
|
2016-10-02
|
143859
|
Security: World-writable shared memory segments for X/Linux UI
|
-
|
2016-10-02
|
144051
|
Security: Memory address disclosure through JavaScript in Print Preview WebUI
|
-
|
2016-10-02
|
143846
|
Security: Chromoting creates a world-writable shared memory segment
|
-
|
2016-10-02
|
143609
|
Heap-use-after-free in WebCore::ElementV8Internal::onclickAttrGetter
|
$1000
|
2016-10-02
|
143604
|
Heap-use-after-free in WebCore::RenderBlock::LineBreaker::nextLineBreak [SVG text]
|
-
|
2016-10-02
|
143593
|
Heap-buffer-overflow in WebCore::SurrogatePairAwareTextIterator::consume
|
-
|
2016-10-02
|
143582
|
Heap-use-after-free in WTF::OwnPtr<WTF::Vector<WebCore::RegisteredEventListener, 1ul> >::~OwnPtr
|
-
|
2016-10-02
|
143551
|
Heap-use-after-free in WebCore::TreeScopeAdopter::moveTreeToNewScope
|
-
|
2016-10-02
|
143656
|
Heap-use-after-free in WebCore::SVGTRefElement::updateReferencedText
|
$1000
|
2016-10-02
|
143648
|
Heap-buffer-overflow in WebCore::StyleResolver::applyProperty
|
-
|
2016-10-02
|
143176
|
Heap-use-after-free in WebCore::AccessibilityNodeObject::document
|
-
|
2016-10-02
|
143409
|
Heap-buffer-overflow in SkScalerContext_FreeType::generateImage
|
-
|
2016-10-02
|
142956
|
Security: XSS in SSL Certificate error page
|
$500
|
2016-10-02
|
142876
|
Heap-buffer-overflow in WebCore::HarfBuzzShaperBase::isWordEnd
|
-
|
2016-10-02
|
143329
|
Bad cast in RenderGrid::layoutGridItems
|
-
|
2016-10-02
|
143004
|
Security: Untrustworthy Chrome OS user-wallpaper png's are loaded pre-login (in the sandboxed utility process)
|
-
|
2016-10-02
|
142310
|
ASan reports a use-after-free in IndexedDBBrowserTest.Bug109187Test
|
-
|
2016-10-02
|
142395
|
Bad cast in computeReplacedLogicalHeightUsing
|
-
|
2016-10-02
|
142145
|
Heap-use-after-free in WebCore::RenderBlock::removeChild
|
-
|
2016-10-02
|
142746
|
Security: Potential use after destruction in ui/gfx/image
|
-
|
2016-10-02
|
142169
|
Heap-buffer-overflow in SkAlphaRuns::add
|
$500
|
2016-10-02
|
142088
|
UNKNOWN in v8::internal::Invoke
|
-
|
2016-10-02
|
142087
|
UNKNOWN in void v8::internal::String::WriteToFlat<char>
|
-
|
2016-10-02
|
141901
|
Security: mesa stack scribbling thingamadoo
|
$3133
|
2016-10-02
|
141889
|
Security: Cookie theft from Chrome by malicious Android app
|
$500
|
2016-10-02
|
91972
|
Regression(85705): Use after free on m_originatingLine in floats
|
-
|
2016-10-02
|
91940
|
Security: Romanian colloquialism meaning penis when viewing YouTube channels
|
-
|
2016-10-02
|
91939
|
Security: Romanian colloquialism meaning penis when viewing YouTube channels
|
-
|
2016-10-02
|
91921
|
Use after free in RenderRubyBase
|
-
|
2016-10-02
|
91911
|
Freed m_renderer used in InlineBox::deleteLine
|
-
|
2016-10-02
|
91973
|
Regression(90971): Use after free in Textarea placeholder
|
-
|
2016-10-02
|
91665
|
Crash on bad rip when opening a PDF
|
$1000
|
2016-10-02
|
91801
|
Use after free of RootInlineBox
|
-
|
2016-10-02
|
91577
|
file:// URL access is defaulting to opt-in
|
-
|
2016-10-02
|
91554
|
Possible use-after-free in AddToConsole
|
-
|
2016-10-02
|
91633
|
Security: When upgrade to 13.0.782.107, chrome will run js and load image which had been disabled in chrome
|
-
|
2016-10-02
|
91502
|
Security: Malware Page forbids user from closing a tab.(window.onunload hijack)
|
-
|
2016-10-02
|
91362
|
Regression(91331): Bad cast due to html renderer created for svg glyphref
|
-
|
2016-10-02
|
91312
|
Security: Native Client app can crash trusted code.
|
-
|
2016-10-02
|
91218
|
XSS in chrome://appcache-internals
|
-
|
2016-10-02
|
91517
|
Security: V8 asserts (crashes) when entering simple JS snippet
|
-
|
2016-10-02
|
91321
|
Regression(91788): Bad cast in WebCore::blockWithNextLineBox
|
-
|
2016-10-02
|
91020
|
Use after free in MediaTest.FLAKY_VideoBearWebm on Mac OS
|
-
|
2016-10-02
|
91099
|
OOB read in RenderScrollbarPart::computeScrollbarWidth
|
-
|
2016-10-02
|
91120
|
[LangFuzz] Crash at Runtime_QuoteJSONString with invalid write
|
$500
|
2016-10-02
|
91082
|
Security: Major Privacy Loop Hole !
|
-
|
2016-10-02
|
91079
|
where to submit Google account bug
|
-
|
2016-10-02
|
91093
|
Bad cast in paintMediaPlayButton
|
-
|
2016-10-02
|
91016
|
Security: Canvas toDataURL security error: It is taking page information and not the canvas when making the image
|
$500
|
2016-10-02
|
91013
|
[LangFuzz] Crash at RootMarkingVisitor::VisitPointers (32 bit)
|
$1000
|
2016-10-02
|
91010
|
[LangFuzz] Crash at JSObject::SetDictionaryElement with invalid read (32 bit)
|
$1000
|
2016-10-02
|
91197
|
Use after free or bad cast with empty .swf file
|
-
|
2016-10-02
|
91092
|
Use after free in SVGUseElement::buildShadowTree
|
-
|
2016-10-02
|
90978
|
read out of bounds in sUnpremultiplyData_RGBA8888 / ImageBufferData::getData (WEBKIT 65352)
|
-
|
2016-10-02
|
90668
|
Use after free in WebCore::findPlainText
|
$1000
|
2016-10-02
|
90498
|
Security: automatically downloading of .crdownload-files
|
-
|
2016-10-02
|
91008
|
[LangFuzz] Crash at JSObject::PrepareElementsForSort with invalid read
|
$1000
|
2016-10-02
|
90357
|
OOB read in WebCore::previousBoundary
|
-
|
2016-10-02
|
90217
|
Prevent silent truncation of trailing characters in downloaded file names
|
-
|
2016-10-02
|
90173
|
OOB read in media::ScaleYUVToRGB32 due to failure to account for zero source width and accessing negative indices
|
-
|
2016-10-02
|
90134
|
OOB read in harfbuzz with khmer character
|
-
|
2016-10-02
|
90105
|
Heap-buffer-overflow in WebCore::RenderBlock::LineBreaker::nextLineBreak
|
-
|
2016-10-02
|
89991
|
Regression(82144): OOB InlineIterator read in TrailingObjects::updateMidpointsForTrailingBoxes
|
$500
|
2016-10-02
|
90175
|
Security: remove any site from Google Index
|
-
|
2016-10-02
|
89795
|
Browser crash in net::WebSocketJob::SendPending
|
-
|
2016-10-02
|
89580
|
Use after free due to continuation splitting issues in -webkit-column-span
|
-
|
2016-10-02
|
89599
|
Freed SVGTRefElement used in SVGStyledElement::buildPendingResourcesIfNeeded
|
-
|
2016-10-02
|
89836
|
Tracking bug for ANGLE memory corruption on Windows
|
$1337
|
2016-10-02
|
89575
|
Use after free of markers in CompositeEditCommand::replaceTextInNodePreservingMarkers
|
-
|
2016-10-02
|
89564
|
Possible URL Bar Spoofing when history.forward() is ignored using forward button
|
$500
|
2016-10-02
|
89678
|
Use after free in ReplacementFragment::removeUnrenderedNodes
|
-
|
2016-10-02
|
89552
|
Use after free in CSSStyleSheet::checkLoaded
|
-
|
2016-10-02
|
89522
|
SVG animation API crashes on SVGAnimateTransform
|
-
|
2016-10-02
|
89511
|
Use after free in IDBRequest::abort
|
-
|
2016-10-02
|
89493
|
Use after free in SVG foreignobject rendering.
|
-
|
2016-10-02
|
89422
|
Two use after frees in NPObjectStub
|
-
|
2016-10-02
|
89558
|
Use after free in SVGUseElement::buildShadowTree
|
$500
|
2016-10-02
|
89402
|
Memory corruption (double free) caused by malformed XPath expression in XSLT
|
$1000
|
2016-10-02
|
89330
|
DocumentLoader use after free in KURL::strippedForUseAsReferrer
|
$1000
|
2016-10-02
|
89219
|
Use after free due to document destruction within unload event
|
$1000
|
2016-10-02
|
89142
|
PDF viewer crash
|
$500
|
2016-10-02
|
89020
|
Security: ftp
|
-
|
2016-10-02
|
88976
|
possible use after free WebCore::FontCache::getFontDataForCharacters
|
-
|
2016-10-02
|
88949
|
Security: Location Bar Spoofing using very long string on a web address in the location bar
|
-
|
2016-10-02
|
88944
|
Use-after free in leveldb
|
$3133
|
2016-10-02
|
88932
|
Security: Exploit in google+
|
-
|
2016-10-02
|
152691
|
chrome!std::_Tree<std::_Tmap_traits<tracked_objects::Location,tracked_objects::Births *,std::less<tracked_objects::Location>,std::allocator<std::pair<tracked_objects::Location const ,tracked_objects::Births *> >,0> >::find+15 - crash
|
$2000
|
2016-10-02
|
152585
|
Heap-use-after-free in WebCore::ContainerNode::removeAllChildren
|
-
|
2016-10-02
|
152420
|
Heap-use-after-free in content::P2PSocketClient::OnDataReceived
|
-
|
2016-10-02
|
152354
|
Mask RenderArena freelist entries.
|
-
|
2016-10-02
|
152569
|
Chrome_Mac: Crash Report - Stack Signature: CompositorOutputSurface::OnMessageReceived-...
|
$500
|
2016-10-02
|
152442
|
Heap-use-after-free in icu_46::RuleBasedCollator::RuleBasedCollator
|
-
|
2016-10-02
|
151895
|
Defense to throw "unauthorized" infobar for excessively crashing plug-in does not work for Pepper Flash!
|
-
|
2016-10-02
|
151888
|
Crash in v8::internal::SlotsBuffer::UpdateSlotsRecordedIn
|
-
|
2016-10-02
|
151854
|
Heap-use-after-free in WebCore::CachedResource::addClientToSet
|
-
|
2016-10-02
|
151795
|
Security: remove chrome.experimental.offscreenTabs API
|
-
|
2016-10-02
|
152104
|
out of bounds array access in WTF::TypedArrayBase<unsigned char>::item(unsigned int) / WebCore::FEMorphology::platformApplyGeneric
|
-
|
2016-10-02
|
151992
|
Heap-use-after-free in VideoCaptureImpl::RemoveClient
|
-
|
2016-10-02
|
151860
|
Heap-use-after-free in WebCore::DateTimeFieldElement::didBlur
|
$1000
|
2016-10-02
|
151008
|
Heap-use-after-free in WebCore::CanvasRenderingContext2D::setFont
|
$1000
|
2016-10-02
|
151424
|
Chrome: Crash Report - Stack Signature: WebCore::CachedImage::likelyToBeUsedSoon()-...
|
-
|
2016-10-02
|
151449
|
Heap-buffer-overflow in cc::CCKeyframedTransformAnimationCurve::getValue
|
-
|
2016-10-02
|
150966
|
Heap-use-after-free in WebCore::Node::~Node
|
-
|
2016-10-02
|
151049
|
Heap-use-after-free in WebCore::RenderObject::destroyAndCleanupAnonymousWrappers
|
-
|
2016-10-02
|
150571
|
Global-buffer-overflow in v128_copy_octet_string
|
-
|
2016-10-02
|
150067
|
Heap-buffer-overflow in WebCore::InlineFlowBox::placeBoxesInInlineDirection
|
-
|
2016-10-02
|
149999
|
Heap-use-after-free in WebCore::WebKitCSSSVGDocumentValue::load
|
-
|
2016-10-02
|
150842
|
Heap-use-after-free in content::P2PSocketClient::DeliverOnSocketCreated
|
-
|
2016-10-02
|
150545
|
UNKNOWN in v8::internal::RootMarkingVisitor::MarkObjectByPointer
|
-
|
2016-10-02
|
150650
|
MSI installer ships an out-of-date GoogleUpdate.exe with no ASLR or DEP (and may not be updating)
|
-
|
2016-10-02
|
150729
|
UNKNOWN in v8::internal::Invoke
|
$1500
|
2016-10-02
|
150737
|
IndexedDB causes V8 heap corruption
|
$1000
|
2016-10-02
|
149717
|
Security: integer overflow in webgl on osx
|
$1000
|
2016-10-02
|
149877
|
Security: Omnibox drop target enables navigation to restricted URLs
|
-
|
2016-10-02
|
149904
|
Security: webgl - after running out of memory, buffer can still be written
|
$1000
|
2016-10-02
|
149840
|
Heap-use-after-free in WebCore::StyleRuleImport::setCSSStyleSheet
|
-
|
2016-10-02
|
149871
|
Untrustworthy navigation causes HTTP Basic Auth dialog origin confusion/spoofing
|
-
|
2016-10-02
|
148612
|
Heap-use-after-free in WebCore::pushFullyClippedState
|
-
|
2016-10-02
|
148896
|
UNKNOWN in v8::internal::ElementsAccessorBase<v8::internal::ExternalUnsignedByteElementsAccessor, v8::internal:
|
-
|
2016-10-02
|
148378
|
[LangFuzz] Crash due to invalid free in v8::internal::Runtime_RegExpExecMultiple
|
$1000
|
2016-10-02
|
148692
|
Heap-buffer-overflow in ucstrTextExtract
|
$500
|
2016-10-02
|
148638
|
Heap-buffer-overflow in SkAAClipBlitter::blitAntiH
|
$500
|
2016-10-02
|
148567
|
Touch events allow cross-origin access
|
$500
|
2016-10-02
|
147625
|
Security: UXSS/SOP bypass with document.write (Chrome on iOS)
|
$500
|
2016-10-02
|
147499
|
Heap-use-after-free in media::AudioOutputDevice::AudioThreadCallback::Process
|
$3133
|
2016-10-02
|
147475
|
UNKNOWN in v8::internal::Deoptimizer::DoComputeOutputFrames
|
-
|
2016-10-02
|
147459
|
Heap-use-after-free in WebCore::ImageLoader::updateRenderer
|
-
|
2016-10-02
|
148376
|
[LangFuzz] Crash at v8::internal::MarkCompactCollector::EvacuateNewSpace with invalid read
|
$1000
|
2016-10-02
|
147700
|
Heap-use-after-free in WebCore::Document::fullScreenChangeDelayTimerFired
|
-
|
2016-10-02
|
147592
|
Chrome_ChromeOS: Crash Report - Stack Signature: WebKit::WebWorkerClientImpl::openFileSystem...
|
-
|
2016-10-02
|
146882
|
Heap-use-after-free in WebCore::InlineBox::adjustPosition
|
-
|
2016-10-02
|
146760
|
Security: URL bar spoofing with SSL error messages (Chrome on iOS)
|
$500
|
2016-10-02
|
146725
|
AddressSanitizer reports a use-after-free in WebKit::DateTimeChooserImpl::didClosePopup
|
-
|
2016-10-02
|
147435
|
Heap-use-after-free in WebCore::InlineBox::root
|
-
|
2016-10-02
|
147436
|
UNKNOWN in sk_memset32_SSE2
|
-
|
2016-10-02
|
147290
|
Heap-use-after-free in WebCore::DateTimeEditElement::setEmptyValue
|
$1000
|
2016-10-02
|
146492
|
Check behavior of "," in "content_security_policy" manifest attribute.
|
-
|
2016-10-02
|
88850
|
Use after free with fuzzed ogv file
|
$1000
|
2016-10-02
|
88846
|
Use-after-free in FrameLoader with no form post method
|
$1000
|
2016-10-02
|
88889
|
Stale pointer due to floats not removed (flexible box display)
|
$1000
|
2016-10-02
|
88858
|
[LangFuzz] Crash at JSObject::LocalLookupRealNamedProperty with invalid read on gc
|
$1000
|
2016-10-02
|
88757
|
AudioContext GainNode memory corruption
|
-
|
2016-10-02
|
88730
|
Use after free in SVGUseElement::invalidateShadowTree / SVGElementInstance::invalidateAllInstancesOfElement
|
-
|
2016-10-02
|
88723
|
REGRESSION (r85964): Use after free in WebCore::RenderObject::localToAbsolute
|
-
|
2016-10-02
|
88684
|
Stale m_owner in RenderScrollbar (m_owner is deleted body element)
|
-
|
2016-10-02
|
88670
|
ZDI-CAN-1283: Webkit fontface Invalid Font Family Remote Code Execution Vulnerability
|
-
|
2016-10-02
|
88649
|
HRTFDatabaseLoader memory corruption
|
-
|
2016-10-02
|
88647
|
webkitAudioContext can be called as a function instead of a constructor.
|
-
|
2016-10-02
|
88827
|
OOB read due to Integer overflow in SkDashPathEffect constructor (len and phase)
|
-
|
2016-10-02
|
88729
|
Security: PPB_Graphics2D_Create will lead to integer overflow in shm alloc
|
-
|
2016-10-02
|
88436
|
Ogg memory corruption
|
-
|
2016-10-02
|
88337
|
The beforeload event allows tracking URI changes in a frame
|
$500
|
2016-10-02
|
88131
|
Aw, Snap! with context.createBuffer(request.response, false) on certain files
|
-
|
2016-10-02
|
88093
|
Security: out-of-bounds read in v8 with defineProperty and arguments
|
$1000
|
2016-10-02
|
88591
|
[LangFuzz] CHECK(!value->IsTheHole()) failed // Crash with invalid read in shell
|
$1000
|
2016-10-02
|
88531
|
Use-after-free in SafeBrowsingResourceHandler::OnBrowseUrlCheckResult
|
-
|
2016-10-02
|
88216
|
Regression: Use-after-free in CounterNode::insertAfter
|
$1000
|
2016-10-02
|
87861
|
Security: OOB read in svg text run
|
-
|
2016-10-02
|
87815
|
chrome-devtools:// can be navigated from http
|
-
|
2016-10-02
|
87746
|
Security: Chrome content script listener
|
-
|
2016-10-02
|
87925
|
Use after free in range extract contents
|
$1000
|
2016-10-02
|
87965
|
webkitAudioContext multiple issues
|
-
|
2016-10-02
|
87862
|
Security: Use after free in svg text
|
-
|
2016-10-02
|
87701
|
Stale pointer in WebCore::PlatformContextSkia::save
|
-
|
2016-10-02
|
87548
|
use after free in skia blitter
|
-
|
2016-10-02
|
87520
|
Security: Webpage can gain access to extension content-script variables when content-script triggers events
|
-
|
2016-10-02
|
87478
|
[LangFuzz] Crash on heap with invalid read
|
$1000
|
2016-10-02
|
87339
|
XSS injection via prototype chain
|
$500
|
2016-10-02
|
87298
|
OOB read due to iterating over wrong textbox in TextIterator::emitText (first-letter + RTL)
|
$500
|
2016-10-02
|
87729
|
Use after free in third_party/WebKit/LayoutTests/fast/dom/HTMLLinkElement/link-and-subresource-test.html
|
$1000
|
2016-10-02
|
87728
|
Regression(89733): Use after free in fast/forms/text-control-intrinsic-widths.html
|
$1000
|
2016-10-02
|
87120
|
Use after free on 2-Step-Authentication-method-change
|
$500
|
2016-10-02
|
87148
|
use after free due to floats not removed
|
$1000
|
2016-10-02
|
86758
|
URL Bar Spoofing using History.back() and History.forward
|
$500
|
2016-10-02
|
86705
|
Use after free in Geolocation::fatalErrorOccurred
|
-
|
2016-10-02
|
87227
|
Use after free due to refcounting issue in MediaQueryMatcher::prepareEvaluator
|
$1000
|
2016-10-02
|
86900
|
Heap memory corruption in web database support (SQLite/ICU)
|
$1000
|
2016-10-02
|
86502
|
Use after free due to floats not cleared from parent's next siblings blocks (on losing ability to intrude floats)
|
$1000
|
2016-10-02
|
86191
|
Security: web-exposed manifest from Chrome extensions diverges from the real manifest in regards to NPAPI
|
-
|
2016-10-02
|
86304
|
Google Chrome Access Violation in Frame manipulation
|
-
|
2016-10-02
|
86609
|
OOB read in fontfallbacklist due to issue in CSSPrimitiveValues clamping
|
-
|
2016-10-02
|
86178
|
URL bar introduces NUMEROUS vulnerabilities.
|
-
|
2016-10-02
|
86648
|
Use after free in formassociatedelement not removed from m_formElementsWithFormAttribute
|
-
|
2016-10-02
|
86367
|
Use after free of frame in Document::finishedParsing
|
-
|
2016-10-02
|
85992
|
Renderers can have registry handle which would allow a Windows sandbox escape
|
-
|
2016-10-02
|
85943
|
Use after free in Stylesheet due to issue in CLONE nodes
|
-
|
2016-10-02
|
85808
|
chrome_1c30000!webkit::ppapi::PPB_Widget_Impl::Invalidate crash
|
$500
|
2016-10-02
|
85559
|
Web Inspector: Crash by buffer overrun crash when serializing inspector object tree.
|
-
|
2016-10-02
|
86133
|
Add GRP to dangerous file list
|
-
|
2016-10-02
|
86108
|
Security: FileSystem API can be used to learn about installed software on the user's computer
|
-
|
2016-10-02
|
85418
|
Use-after-free in WebCore::RenderTextControl::isSelectableElement
|
$1000
|
2016-10-02
|
85309
|
Crash when closing a child window that uses a canvas
|
-
|
2016-10-02
|
85302
|
Crasher in WebCore::StyleBase::stylesheet
|
-
|
2016-10-02
|
85256
|
OOB read in UniscribleController::advance
|
-
|
2016-10-02
|
85211
|
Use after free in SVGUseElement::buildShadowTree
|
$1000
|
2016-10-02
|
85177
|
Renderer crash with javascript + setInterval
|
$500
|
2016-10-02
|
85158
|
Content script can gain access to the "window" object of the page using custom events
|
-
|
2016-10-02
|
85350
|
Browser Crash in ~TabContents caused by PrerenderManager::PeriodicCleanup
|
-
|
2016-10-02
|
156906
|
Heap-use-after-free in WebCore::XMLDocumentParser::doEnd
|
-
|
2016-10-02
|
156826
|
UNKNOWN in S32A_Blend_BlitRow32_SSE2
|
-
|
2016-10-02
|
156828
|
UNKNOWN in WebCore::Font::drawGlyphs
|
-
|
2016-10-02
|
156669
|
Origin.com somehow manages to open its result page in the previous tab (which was gmail)
|
-
|
2016-10-02
|
156619
|
Heap-use-after-free in WebCore::ApplyStyleCommand::cleanupUnstyledAppleStyleSpans
|
-
|
2016-10-02
|
156431
|
Security: Use after free in IDBDatabaseCallbacksImpl::onVersionChange
|
-
|
2016-10-02
|
156418
|
Heap-use-after-free in SpellCheckHostImpl::SaveDictionaryData
|
-
|
2016-10-02
|
156689
|
Heap-buffer-overflow in WTF::StringImpl::findIgnoringCase
|
-
|
2016-10-02
|
156567
|
Security: use-after-free in WebCore::GraphicsContext::paintingDisabled
|
$1000
|
2016-10-02
|
156282
|
Heap-use-after-free in WebCore::StyleResolver::pseudoStyleRulesForElement
|
-
|
2016-10-02
|
156383
|
Security: chrome_to_device makes use of HTTP for cloudprint
|
-
|
2016-10-02
|
156096
|
Heap-buffer-overflow in WebCore::RenderBlock::LineBreaker::nextLineBreak
|
-
|
2016-10-02
|
156231
|
UNKNOWN in _wordcopy_fwd_aligned
|
$1000
|
2016-10-02
|
156366
|
Heap-use-after-free in PluginPlaceholder::ReplacePlugin
|
-
|
2016-10-02
|
156152
|
Issues with HSTS / public key pins state tracking
|
-
|
2016-10-02
|
155977
|
Security: remove uses of innerHTML in commented code for Getting Started Guide.
|
-
|
2016-10-02
|
155860
|
WebCore::SharedBuffer::append(data, 0) can cause uninitialized memory to be added to the SharedBuffer
|
-
|
2016-10-02
|
155711
|
Security: forced oom in browser process due to indefinitely growing buffer in chunked decoder
|
-
|
2016-10-02
|
155643
|
Heap-use-after-free in content::RenderWidgetHostImpl::OnMsgInputEventAck
|
-
|
2016-10-02
|
156015
|
Heap-use-after-free in WebCore::FontPlatformData::uniqueID
|
-
|
2016-10-02
|
156051
|
Heap use-after-free in ExtensionFunctionDispatcher::Dispatch caught by ASan when using "Screen Capture by Google"
|
-
|
2016-10-02
|
155877
|
Chrome: RenderViewImpl::OnContextMenuClosed(content::CustomContextMenuContext const &)
|
-
|
2016-10-02
|
155293
|
Heap-use-after-free in WebCore::ContextMenu::appendItem
|
-
|
2016-10-02
|
155285
|
Heap-use-after-free in WebCore::Node::setNeedsStyleRecalc
|
-
|
2016-10-02
|
155117
|
Security: GetReadonlyPnaclFD IPC security issues
|
-
|
2016-10-02
|
154987
|
Pwnium SVG use after free
|
-
|
2016-10-02
|
154983
|
Security: Pwnium 2 TCMalloc profile bug
|
$60000
|
2016-10-02
|
155421
|
Security: javascript scheme links auto-generated in devtools console
|
-
|
2016-10-02
|
154617
|
Heap-use-after-free in WebCore::Node::~Node
|
-
|
2016-10-02
|
155323
|
Out of bounds array access in GPU process
|
-
|
2016-10-02
|
154926
|
Heap-use-after-free in WebIntentPickerGtk::OnDestroyThunk
|
-
|
2016-10-02
|
154488
|
Heap-use-after-free in WebCore::FrameLoader::stopLoading
|
-
|
2016-10-02
|
154465
|
Bad cast in webkit_glue::GetSubResourceLinkFromElement
|
-
|
2016-10-02
|
154460
|
Heap-use-after-free in WebCore::ScrollableArea::scroll
|
-
|
2016-10-02
|
154448
|
Heap-use-after-free in TransportDIB::DecreaseInFlightCounter
|
-
|
2016-10-02
|
154362
|
Heap-buffer-overflow in WebCore::HTMLSelectElement::typeAheadFind
|
-
|
2016-10-02
|
154590
|
Stack-buffer-overflow in SkFontHost::GetAdvancedTypefaceMetrics
|
-
|
2016-10-02
|
154485
|
Heap-buffer-overflow in std::vector<scoped_refptr<printing::PrintJob>, std::allocator<scoped_refptr<printing::PrintJob> > >:
|
-
|
2016-10-02
|
154158
|
Security: ensure that a user has willing-fully logged-in to his Google account before triggering the one click Chrome login feature
|
-
|