Disclosed Chromium Security Bugs

Security: V8: JIT: JSBuiltinReducer::ReduceObjectCreate fails to ensure that the prototype is "null"

#40089898 Reporter: lo...@google.com
$0
3/24/2018

Security: pdfium: out-of-bounds read with nested colorspaces

#40089904 Reporter: ma...@google.com
$0
3/24/2018

Security: V8: JIT: Type confusion in GetSpecializationContext

#40089912 Reporter: lo...@google.com
$0
3/24/2018

CHECK failure: LoadElement of kRepFloat64 (NumberOrHole) cannot be changed to kRepTagged in rep

#40089901 Reporter: cl...@chromium.org
$0
3/22/2018

Security: V8: JIT: Simplified-lowererer IrOpcode::kStoreField, IrOpcode::kStoreElement optimization bug

#40089761 Reporter: lo...@google.com
$0
3/15/2018

Use-of-uninitialized-value in media::DecoderBuffer::timestamp

#40089202 Reporter: cl...@chromium.org
$0
3/14/2018

pobfuzz: cc::DrawTextBlobOp::Deserialize -> use-of-uninitialized-value in int const& SkTMax

#40089606 Reporter: cl...@chromium.org
$0
3/14/2018

CHECK failure: NumberToUint32 of kRepWord32 (Range(1, NUMBER)) cannot be changed to kRepTaggedS

#40089791 Reporter: cl...@chromium.org
$0
3/14/2018

ServiceWorkerScriptURLLoader does not check for certificate errors properly

#40089722 Reporter: es...@chromium.org
$0
3/9/2018

CHECK failure: frame_state->opcode() == IrOpcode::kFrameState || (node->opcode() == IrOpcode::k

#40089685 Reporter: cl...@chromium.org
$0
3/6/2018

Showing 6841-6850 of 10955 bugs