The WebGL implementation for setting uniform values with an ArrayBuffer argument do not properly handle large buffer sizes. As WASM now allows allocating large ArrayBuffers, this can lead to buffer overflows when writing to the GPU command buffer.
0bdf6d06a281ed2823e5f46ea472615509e7f1f676d5bd3238d8cfd3b783d262Chrome has an issue where raw_ptr broke implicit scoped_refptr for receivers in base::Bind.
608734695dfbbf56d37a25c6b0e92ec571e720ac20c50496dd9608c3ee36b587The code in cc::PaintImageReader::Read (cc::PaintImage*) does not properly check the incoming data when handling embedded image data, resulting in an out-of-bounds copy into the filter bitmap data.
3442a632be9dec3260619421059a97062f1e5b5331769ad612a11a97ecf3ec9bChrome suffers from a missing bounds check in WebGPUDecoderImpl::DoRequestDevice.
ef3fbfbf0d934cc45efe08abfdf55bd55ba171f52a654e23e476c7b46f1b6ccaChrome suffers from making use of an uninitialized on-stack pointer in storage::BlobBuilderFromStream.
7508021fc3ad459f9d4a21d3d34a8201df4467cbbf9015fe49fb42a0ad822203SandboxedUnpacker in Chrome uses shared memory in an unsafe fashion.
bc91dd004d418d7fd6b56285f99323944f8802e8dd4b5215b649c990046ed88aLooking at the Mojo implementation of Chrome's legacy IPC, the legacy ipc::Message type is transferred inside a BigBuffer.
f543ac8b2cefa9c2b0092803dc79ebe3d0ccba182ed6661ceb724163521a8580Chrome suffers from an out-of-bounds read vulnerability in network DataElement struct traits.
73bdb3c2018e4f00483c57023d4ad271b24afb3c0d0373d8371a68762c872680Chrome suffers from a use-after-free vulnerability due to a double call to IndexedDBConnection::Close.
224d81c1e2768b3a4b05adfeb30a609ac48d837bde76d9cc912b62b3f06e8733Chrome suffers from a use-after-free vulnerability in ~LevelDBIteratorImpl.
422a3b74a14e37e109fac59aed3661fc56ae4c327305a6990330758d6c77737fChrome suffers from a use-after-free vulnerability in FileChooserImpl.
0ecbde145d35a4fdef837ba560c9160db3335f5c84f0365d90e9552d8eb3e971There's a race condition in the destruction of the BindingState for bindings to the StoragePartitionService in Chrome. It looks like the root cause of the issue is that since we can get two concurrent calls to callbacks returned from mojo::BindingSet::GetBadMessageCallback() from the same BindingSet, which results in a data race destroying the same BindingState.
e74b2b8256d75d7a1f9c0936ff14ed0a0b8cf12cea0653834d4403581f08f4b0Chrome suffers from a use-after-free vulnerability in MidiManagerWin.
5561abfbf792852e4be2a5a6f9908418ba3bb61c352292347a907340f971abf6Chrome suffers from a use-after-free vulnerability in FileSystemOperationRunner.
175e33f2fe84321b31ba9922dcb3c0c36eff272a29a2b1a39380be7b60162958There appears to be a race condition in the destruction of the ExtensionsGuestViewMessageFilter if the ProcessIdToFilterMap is modified concurrently in Chrome.
153cc2f98cfe6458909e177b32d616e5357adc7532ae04962d456870e9b99131Chrome suffers from multiple use-after-free vulnerabilities in the PaymentRequest service.
fb9baf689c47875cf56ed6918386a270499142ea5e915be52d8936b09ba2adbbChrome suffers from a use-after-free vulnerability in FileWriterImpl.
2dd17dbd1895915d6546d52f25a07461fc335eb44dcded0bf7d33720916ebe5cChrome suffers from a use-after-free vulnerability in the RenderProcessHostImpl binding for P2PSocketDispatcherHost.
11fb3cadf252944e7b29e9069845929d7d4986f025488c7c0c80f5dc9b88bb27Chrome suffers from a use-after-free vulnerability in RenderFrameHostImpl::CreateMediaStreamDispatcherHost.
fb031633c01be0530ba93f915787ad97df1516fb4d5cc8dcbb8d0b436e7ca99aChrome has missing validation in the deserialization routines for both DataPipeConsumerDispatcher and DataPipeProducerDispatcher, which take from the incoming message a read_offset/write_offset respectively into shared memory. Providing an offset outside the bounds of the allocated memory will then result in an out-of-bounds read/write when the pipe is used.
d1c10f2bf9feaa3822d838795ee22e210b6fbe031a801f2821a9365aceb1fd14Chrome suffers from floating-point precision errors in Swiftshader blitting.
55329bd2920eaa9d39110322696bef158e0b340f65c27b63cceed9585601bc64Chrome suffers from a reference count leak in SwiftShader OpenGL texture bindings.
04d325a817231ab9f0764272b559378b2d3fe10f9b33e17341521360cd5f6b9eChrome suffers from an integer overflow vulnerability in Swiftshader texture allocation.
6587e8951f4e79c87ecd7b6a16fa91a40d27b5f94453f1ea87b0a9789512a6beChrome V8 suffers from an integer overflow vulnerability in object allocation size.
ff8f6ea3f286a12d25b238442f6fc1ab337a443b0622cd2b2f518a85f646b577Pdfium suffers from an out-of-bounds read vulnerability with shading pattern backed by pattern colorspace.
02680f03b5081f40044a2e4ca25561b68960dcd1b645e45aa7c8482ac2740d08
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed