| 1500012
|
|
Unsafe usage of CheckedInt #3
|
Core
|
Graphics
|
nobody
|
UNCO
|
---
|
2022-10-11
|
| 1368861
|
|
Graphite2: multiple integer overflows
|
Core
|
Graphics: Text
|
nobody
|
NEW
|
---
|
2022-10-11
|
| 1577531
|
|
IPC: signed integer overflow: [@RegionBuilder<mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> >::OrWith]
|
Core
|
Graphics: Layers
|
nobody
|
NEW
|
---
|
2022-10-11
|
| 1767836
|
|
Assertion failure: initialBytes + nbytes > initialBytes, at /builds/worker/checkouts/gecko/js/src/gc/Scheduling.h:762 while calling CanvasRenderingContext2D::AddAssociatedMemory()
|
Core
|
Graphics: Canvas2D
|
nobody
|
NEW
|
---
|
2024-03-04
|
| 1723707
|
|
Origin shown during alert() is controlled by child process
|
Toolkit
|
Content Prompts
|
nobody
|
NEW
|
---
|
2023-06-22
|
| 1332980
|
|
Assertion failure: aKernelUnitLengthX > 0 (aKernelUnitLengthX can not be a negative or zero value)
|
Core
|
Graphics
|
mstange.moz
|
REOP
|
---
|
2023-03-28
|
| 1730637
|
|
WebGL - Buffer overflow with 3D texture in Initialize4ComponentData().
|
Core
|
Graphics: CanvasWebG
|
ahale
|
RESO
|
FIXE
|
2024-05-30
|
| 1533554
|
|
Write beyond bounds in nsClipboard::GetGlobalData()
|
Core
|
Widget: Win32
|
alex.gaynor
|
RESO
|
FIXE
|
2024-05-30
|
| 1444668
|
|
Write beyond bounds caused by overlarge offset in WASM assembler
|
Core
|
JavaScript Engine: J
|
jdemooij
|
RESO
|
FIXE
|
2024-05-30
|
| 1546327
|
|
Bytecode length can overflow UINT32_MAX
|
Core
|
JavaScript Engine
|
jdemooij
|
RESO
|
FIXE
|
2020-06-04
|
| 1468552
|
|
BLRG-PT-18-009: Heap-Overflow in BSPatch File Handling
|
Toolkit
|
Application Update
|
jewilde
|
RESO
|
FIXE
|
2019-08-07
|
| 1292534
|
|
flex: buffer overflow in generated code
|
Core
|
Graphics: CanvasWebG
|
jgilbert
|
RESO
|
FIXE
|
2017-10-26
|
| 1836705
|
|
Firefox Container Overflow in WebGL Vulnerability
|
Core
|
Graphics: CanvasWebG
|
jgilbert
|
RESO
|
FIXE
|
2024-05-30
|
| 1741201
|
|
Out-of-bounds write due to integer overflow [@ ObjectStoreAddOrPutRequestOp::DoDatabaseWork]
|
Core
|
Storage: IndexedDB
|
jjalkanen
|
RESO
|
FIXE
|
2022-08-26
|
| 1602497
|
|
Intl.ListFormat can return empty string if input strings are too large
|
Core
|
JavaScript: Internat
|
jwalden
|
RESO
|
FIXE
|
2020-08-08
|
| 990794
|
|
heap overflow write from allocation size overflow in AllocateAudioBlock
|
Core
|
Web Audio
|
karlt
|
RESO
|
FIXE
|
2014-07-30
|
| 1339637
|
|
skia: signed integer overflow in SkClampRange::init()
|
Core
|
Graphics
|
lsalzman
|
RESO
|
FIXE
|
2017-02-22
|
| 1441941
|
|
Skia and Firefox: Integer overflow in SkTDArray leading to out-of-bounds write
|
Core
|
Graphics
|
lsalzman
|
RESO
|
FIXE
|
2019-05-24
|
| 1204580
|
|
Stagefright: crash [@stagefright::SampleTable::setCompositionTimeToSampleParams]
|
Core
|
Audio/Video: Playbac
|
mozbugz
|
RESO
|
FIXE
|
2016-07-02
|
| 1229167
|
|
FFMPEG: signed integer overflow in [@av_rescale_rnd]
|
Core
|
Audio/Video: Playbac
|
nobody
|
RESO
|
FIXE
|
2015-12-23
|
| 1454359
|
|
Cherry-pick more upstream FreeType oss-fuzz fixes
|
Core
|
Graphics: Text
|
ryanvm
|
RESO
|
FIXE
|
2018-08-28
|
| 1532525
|
|
could be trigger oom problem with WebGLBuffer::BufferData
|
Core
|
Graphics: CanvasWebG
|
sotaro.ikeda.g
|
RESO
|
FIXE
|
2024-05-30
|
| 1174015
|
|
Overflow in prprf/GrowStuff can cause memory-safety bug
|
NSPR
|
NSPR
|
wtc
|
RESO
|
FIXE
|
2024-05-30
|
| 1379414
|
|
Potential read beyond bounds in ReadCompressedIndexDataValuesFromBlob()
|
Core
|
Storage: IndexedDB
|
bevistseng
|
RESO
|
FIXE
|
2024-05-30
|
| 1846694
|
|
Integer Overflow in RecordedSourceSurfaceCreation
|
Core
|
Graphics
|
bwerth
|
RESO
|
FIXE
|
2024-05-30
|
| 1741210
|
|
Potential out-of-bounds write due to integer overflow [@ SnappyUncompress]
|
Core
|
Storage: localStorag
|
jjalkanen
|
RESO
|
FIXE
|
2022-08-26
|
| 1379411
|
|
Latent write beyond bounds in MakeCompressedIndexDataValues()
|
Core
|
Storage: IndexedDB
|
shes050117
|
RESO
|
FIXE
|
2024-05-30
|
| 1544180
|
|
Latent out-of-bounds write in TexSubImage2DWithoutUnpackSubimage
|
Core
|
Graphics
|
sotaro.ikeda.g
|
RESO
|
FIXE
|
2024-05-30
|
| 1580317
|
|
UBSan runtime error: [@mozilla::image::ShouldUseHeap]
|
Core
|
Graphics: ImageLib
|
tnikkel
|
RESO
|
FIXE
|
2022-01-10
|
| 1413841
|
|
WebCryptoTask integer overflow
|
Core
|
DOM: Security
|
ttaubert
|
RESO
|
FIXE
|
2018-11-05
|
| 1367058
|
|
Integer overflow in dom/canvas/CanvasRenderingContext2D.cpp with getImageData
|
Core
|
Graphics: Canvas2D
|
aosmond
|
RESO
|
FIXE
|
2018-02-01
|
| 1293795
|
|
libpng: unsigned integer overflow in [@ png_do_check_palette_indexes]
|
Core
|
Graphics: ImageLib
|
glennrp+bmo
|
RESO
|
FIXE
|
2019-12-13
|
| 786797
|
|
Possible integer overflow when calculating jArray size/index
|
Core
|
DOM: HTML Parser
|
hsivonen
|
RESO
|
FIXE
|
2021-11-22
|
| 1438917
|
|
Possible integer overflow in GrResourceCache::changeUniqueKey
|
Core
|
Graphics
|
lsalzman
|
RESO
|
FIXE
|
2018-11-05
|
| 1463244
|
|
Buffer Overflow in gfx::SwizzleCopy
|
Core
|
Graphics
|
lsalzman
|
RESO
|
FIXE
|
2024-05-30
|
| 1820359
|
|
Logic error and overflow in nsSegmentedBuffer causes underallocation and write beyond bounds (latent)
|
Core
|
XPCOM
|
nika
|
RESO
|
FIXE
|
2024-05-30
|
| 1412313
|
|
ParamTraits<nsAString> Deserialization - Integer Overflow
|
Core
|
IPC
|
alex.gaynor
|
RESO
|
FIXE
|
2022-01-04
|
| 1167888
|
|
nsZipArchive::BuildFileList has memory-safety bug
|
Core
|
Networking: JAR
|
amarchesini
|
RESO
|
FIXE
|
2024-05-30
|
| 1170794
|
|
Overflow in nsUnicodeToUTF8::GetMaxLength can create memory-safety bugs in callers
|
Core
|
Internationalization
|
amarchesini
|
RESO
|
FIXE
|
2024-05-30
|
| 1170809
|
|
Overflow in nsXMLHttpRequest::AppendToResponseText causes memory-safety bug
|
Core
|
DOM: Core & HTML
|
amarchesini
|
RESO
|
FIXE
|
2024-05-30
|
| 1171166
|
|
Overflow in nsXMLHttpRequest::SendAsBinary causes memory-safety bug
|
Core
|
DOM: Core & HTML
|
amarchesini
|
RESO
|
WONT
|
2024-05-30
|
| 1171603
|
|
Overflow nsTSubstring::ReplacePrep causes memory-safety bugs in string library
|
Core
|
XPCOM
|
amarchesini
|
RESO
|
FIXE
|
2024-05-30
|
| 1172055
|
|
Overflow in nsAttrAndChildArray::GrowBy causes memory-safety bug
|
Core
|
DOM: Core & HTML
|
amarchesini
|
RESO
|
FIXE
|
2024-05-30
|
| 1172144
|
|
Overflow in nsTextFragment::Append causes potential memory-safety bug
|
Core
|
DOM: Core & HTML
|
amarchesini
|
RESO
|
FIXE
|
2024-05-30
|
| 1172189
|
|
Overflow in XULContentSinkImpl::AddText causes memory-safety bug
|
Core
|
DOM: Core & HTML
|
amarchesini
|
RESO
|
FIXE
|
2024-05-30
|
| 1288561
|
|
Overflow in nsAttrAndChildArray::GrowBy() causes buffer overrun
|
Core
|
DOM: Core & HTML
|
amarchesini
|
RESO
|
FIXE
|
2024-05-30
|
| 1383951
|
|
Out-of-bounds access in js::frontend::TokenStream::TokenBuf::getRawChar
|
Core
|
JavaScript Engine
|
arai.unmht
|
RESO
|
FIXE
|
2024-05-30
|
| 1723826
|
|
Probably harmless integer overflow in ImportSymmetricKeyTask::BeforeCrypto()
|
Core
|
DOM: Web Crypto
|
bugs
|
RESO
|
FIXE
|
2024-05-30
|
| 1457288
|
|
heap-buffer-overflow in nsFloatManager::ShapeInfo::CreateCircleOrEllipse
|
Core
|
Layout: Floats
|
bwerth
|
RESO
|
FIXE
|
2024-05-30
|
| 1168207
|
|
Memory safety problem in ArrayBufferBuilder::append
|
Core
|
DOM: Core & HTML
|
bzbarsky
|
RESO
|
FIXE
|
2024-05-30
|
| 1349340
|
|
Probable write beyond bounds in GetSurfaceDataImpl()
|
Core
|
DOM: Copy & Paste an
|
cervantes.yu
|
RESO
|
FIXE
|
2024-05-30
|
| 1371891
|
|
SEGV on unknown address in [@ ParseFTPList]
|
Core Graveyard
|
Networking: FTP
|
continuation
|
RESO
|
FIXE
|
2024-02-08
|
| 1794645
|
|
Potential refcount overflow with non-atomic Rust XPCOM
|
Core
|
XPCOM
|
continuation
|
RESO
|
FIXE
|
2023-06-12
|
| 827687
|
|
Out of bounds read [@ ElementAnimations::EnsureStyleRuleFor] with CSS animation
|
Core
|
CSS Parsing and Comp
|
dbaron
|
RESO
|
FIXE
|
2014-11-19
|
| 1348894
|
|
fix integer overflow in RecyclingPlanarYCbCrImage::CopyData
|
Core
|
Graphics
|
dbaron
|
RESO
|
FIXE
|
2017-10-26
|
| 1836550
|
|
Potential Integer Overflow from malicious content process
|
Core
|
DOM: Copy & Paste an
|
echen
|
RESO
|
FIXE
|
2024-03-21
|
| 1235605
|
|
Integer overflow in Deinterlacer::Deinterlacer leading to OOM crash
|
Core
|
Graphics: ImageLib
|
edwin.bugs
|
RESO
|
FIXE
|
2016-07-08
|
| 1348168
|
|
integer overflow in createImageBitmap() overload accepting ArrayBuffer and ArrayBufferView arguments (pwn2own 2017)
|
Core
|
Graphics
|
ehsan.akhgari
|
RESO
|
FIXE
|
2018-01-08
|
| 1837450
|
|
Potential Integer Overflow from malicious content process with custom cursors
|
Core
|
CSS Parsing and Comp
|
emilio
|
RESO
|
FIXE
|
2023-10-17
|
| 1236923
|
|
Heap read out-of-bound and crash in expat 2.1.0
|
Core
|
XML
|
ericrahm+bz
|
RESO
|
FIXE
|
2024-05-30
|
| 1274777
|
|
Possible integer overflow to fix inside XML_Parse in expat
|
Core
|
XML
|
ericrahm+bz
|
RESO
|
FIXE
|
2024-05-30
|
| 1295747
|
|
Latent overflow in AppendUTF16toUTF8() could cause buffer overrun
|
Core
|
XPCOM
|
ericrahm+bz
|
RESO
|
FIXE
|
2024-05-30
|
| 1318766
|
|
Write beyond bounds caused by nsTSubstringTuple_CharT::Length()
|
Core
|
XPCOM
|
ericrahm+bz
|
RESO
|
FIXE
|
2024-05-30
|
| 1349719
|
|
Probable write beyond bounds due to nsTSubstring_CharT::Adopt()
|
Core
|
XPCOM
|
ericrahm+bz
|
RESO
|
FIXE
|
2024-05-30
|
| 1356025
|
|
Possible write beyond bounds due to passing a large buffer to nsTSubstring_CharT::nsTSubstring_CharT()
|
Core
|
XPCOM
|
ericrahm+bz
|
RESO
|
FIXE
|
2017-10-26
|
| 1226804
|
|
UBSan: signed integer overflow in CERT_DecodeCertPackage
|
NSS
|
Libraries
|
franziskuskiefer
|
RESO
|
FIXE
|
2016-03-03
|
| 1483699
|
|
Latent (?) read and write beyond bounds in nsTArray_Impl::AppendElements()
|
Core
|
XPCOM
|
froydnj+bz
|
RESO
|
FIXE
|
2024-05-30
|
| 1280043
|
|
Update bzip2 in tree to 1.0.6
|
Firefox Build System
|
General
|
gps
|
RESO
|
FIXE
|
2018-03-02
|
| 890277
|
|
ANGLE libGLESv2 Integer Overflow
|
Core
|
Graphics: CanvasWebG
|
guillaume.abadie
|
RESO
|
FIXE
|
2024-05-30
|
| 815795
|
|
stack buffer overflow with canvas
|
Core
|
Graphics: Canvas2D
|
gw
|
RESO
|
FIXE
|
2024-05-30
|
| 1334290
|
|
Truncation in nsScanner
|
Core
|
XML
|
hsivonen
|
RESO
|
FIXE
|
2024-05-30
|
| 1440926
|
|
Overflow in nsUnicodeToBIG5::GetMaxLength can create memory-safety bugs in callers
|
Core
|
Internationalization
|
hsivonen
|
RESO
|
FIXE
|
2024-05-30
|
| 1443891
|
|
Integer overflow in nsScriptableUnicodeConverter::ConvertFromByteArray can cause a heap buffer overflow
|
Core
|
Internationalization
|
hsivonen
|
RESO
|
FIXE
|
2024-05-30
|
| 1495011
|
|
Unsafe use of CheckedInt (possible buffer overflow) in ScriptLoader::ConvertToUTF16
|
Core
|
Internationalization
|
hsivonen
|
RESO
|
FIXE
|
2024-05-30
|
| 790879
|
|
integer overflow, invalid write w/webgl bufferdata
|
Core
|
Graphics: CanvasWebG
|
jacob.benoit.1
|
RESO
|
FIXE
|
2024-05-30
|
| 1208665
|
|
TempAllocPolicy::pod_* suffer from integer overflow issues
|
Core
|
JavaScript Engine
|
jcoppeard
|
RESO
|
FIXE
|
2016-07-02
|
| 1438522
|
|
Cherry-pick recent security bug fixes from upstream FreeType, while waiting for a new release
|
Core
|
Graphics: Text
|
jfkthame
|
RESO
|
FIXE
|
2019-05-24
|
| 1864587
|
|
Validation bypass in ANGLE Translator leads to an OOB read/write.
|
Core
|
Graphics
|
jgilbert
|
RESO
|
FIXE
|
2024-05-30
|
| 1279413
|
|
pixman: integer overflow in create_bits function
|
Core
|
Graphics
|
jmuizelaar
|
RESO
|
FIXE
|
2016-09-22
|
| 1411744
|
|
TBE-01-019: Integer Overflow in Attachment Code
|
MailNews Core
|
Attachments
|
jorgk-bmo
|
RESO
|
FIXE
|
2020-02-16
|
| 805121
|
|
String Replacement Heap Corruption Remote Code Execution Vulnerability (ZDI-CAN-1473)
|
Core
|
JavaScript Engine
|
jwalden
|
RESO
|
FIXE
|
2013-04-30
|
| 1246061
|
|
null-byte written out of bounds using .watch() due to generation count overflow
|
Core
|
JavaScript Engine
|
jwalden
|
RESO
|
FIXE
|
2016-09-22
|
| 1170344
|
|
int oveflow in libstagefright during mp4 parsing
|
Core
|
Audio/Video
|
jya-moz
|
RESO
|
FIXE
|
2024-05-30
|
| 1185115
|
|
MPEG4 saio Chunk Integer Overflow (libstagefright) (ZDI-CAN-2966)
|
Core
|
Audio/Video
|
jya-moz
|
RESO
|
FIXE
|
2016-07-02
|
| 991251
|
|
Heap-buffer-overflow in mozilla::AudioBlockCopyChannelWithScale triggered with ChannelMergerNode
|
Core
|
Web Audio
|
karlt
|
RESO
|
DUPL
|
2024-05-30
|
| 1206362
|
|
Assertion failure: aParam >= 0, at c:/Users/mozilla/debug-builds/mozilla-central/dom/media/webaudio/AudioBufferSourceNode.cpp:122
|
Core
|
Web Audio
|
karlt
|
RESO
|
FIXE
|
2015-11-10
|
| 1287515
|
|
int-overflow: 0xFFFFFFFFFFFFFFFF bytes requested in [@SkDashPathEffect::asPoints]
|
Core
|
Graphics: Canvas2D
|
lsalzman
|
RESO
|
FIXE
|
2016-07-28
|
| 1465686
|
|
Heap overflow write in SkEdgeBuilder::buildPoly
|
Core
|
Graphics
|
lsalzman
|
RESO
|
FIXE
|
2024-05-30
|
| 1525817
|
|
Skia integer-overflow in SkPathRef::resetToSize()
|
Core
|
Graphics
|
lsalzman
|
RESO
|
FIXE
|
2019-08-07
|
| 1287266
|
|
Integer overflow and memory corruption in WebSocketChannel
|
Core
|
Networking: WebSocke
|
michal.novotny
|
RESO
|
FIXE
|
2024-05-30
|
| 899499
|
|
Canvas2D crash [@mozilla::dom::CanvasRenderingContext2D::DrawImage]
|
Core
|
Graphics: Canvas2D
|
milaninbugzilla
|
RESO
|
WORK
|
2017-10-26
|
| 1349595
|
|
Possible integer overflow in allocation size in GMPVideoi420FrameImpl::CreateEmptyFrame?
|
Core
|
Audio/Video: GMP
|
mozbugz
|
RESO
|
FIXE
|
2018-06-04
|
| 1349604
|
|
Possible integer overflow in allocation size in WidevineVideoFrame::InitToBlack?
|
Core
|
Audio/Video: GMP
|
mozbugz
|
RESO
|
FIXE
|
2023-06-02
|
| 1463242
|
|
Out of bound access in graphics filters processing
|
Core
|
Graphics
|
mstange.moz
|
RESO
|
INVA
|
2023-07-07
|
| 1497246
|
|
integer overflow in nsTArray::ReplaceElementsAt
|
Core
|
XPCOM
|
nika
|
RESO
|
FIXE
|
2023-01-16
|
| 1500011
|
|
Unsafe use of CheckedInt32 in nsContentUtils::CalculateBufferSizeForImage
|
Core
|
DOM: Core & HTML
|
nika
|
RESO
|
FIXE
|
2024-05-30
|
| 932902
|
|
BluetoothOppManager.cpp unsafe type mixing
|
Firefox OS Graveyard
|
Bluetooth
|
nobody
|
RESO
|
INCO
|
2018-05-09
|
| 1172187
|
|
Overflow in nsXMLContentSink::AddText causes memory-safety bug
|
Core
|
XML
|
nobody
|
RESO
|
DUPL
|
2024-05-30
|
| 1215715
|
|
OpenH264: UBSan signed integer overflow in [WelsDec::BsGetUe]
|
Core
|
Audio/Video: GMP
|
nobody
|
RESO
|
FIXE
|
2022-09-09
|
| 1215757
|
|
OpenH264: UBSan signed integer overflow in [@WelsDec::ParseResidualBlockCabac]
|
Core
|
Audio/Video: GMP
|
nobody
|
RESO
|
FIXE
|
2022-09-09
|
| 1224081
|
|
OpenH264: UBSan signed integer overflow in [WelsDec::ParseResidualBlockCabac]
|
Core
|
Audio/Video: GMP
|
nobody
|
RESO
|
DUPL
|
2022-09-09
|
| 1226996
|
|
Firefox Stagefright heap overflow
|
Core
|
Audio/Video: Playbac
|
nobody
|
RESO
|
INVA
|
2015-12-16
|
| 1229205
|
|
FFMPEG: signed integer overflow in [@update_initial_timestamps]
|
Core
|
Audio/Video: Playbac
|
nobody
|
RESO
|
FIXE
|
2016-01-06
|
| 1229208
|
|
FFMPEG: signed integer overflow in [@estimate_timings_from_bit_rate]
|
Core
|
Audio/Video: Playbac
|
nobody
|
RESO
|
FIXE
|
2016-07-02
|
| 1230286
|
|
FFMPEG: signed integer overflow in [@ff_h264_direct_ref_list_init]
|
Core
|
Audio/Video: Playbac
|
nobody
|
RESO
|
FIXE
|
2016-01-06
|
| 1253790
|
|
graphite2: UBSan signed integer overflow in [@graphite2::vm::Machine::run]
|
Core
|
Graphics: Text
|
nobody
|
RESO
|
FIXE
|
2016-09-22
|
| 1258737
|
|
OpenH264: SEGV on unknown address in [@WelsDec::WelsDecodeSlice]
|
Core
|
Audio/Video: GMP
|
nobody
|
RESO
|
FIXE
|
2022-09-09
|
| 1260800
|
|
OpenH264: UBSan signed integer overflow in [@WelsDec::ParseResidualBlockCabac]
|
Core
|
Audio/Video: GMP
|
nobody
|
RESO
|
FIXE
|
2022-09-09
|
| 1295044
|
|
libjpeg-turbo: unsigned integer overflow in [@realize_virt_arrays]
|
Core
|
Graphics: ImageLib
|
nobody
|
RESO
|
FIXE
|
2017-01-17
|
| 1314175
|
|
Crash at a weird memory address or Assertion failure: nbytes > 0, at js/src/gc/Nursery.cpp:365
|
Core
|
JavaScript Engine
|
nobody
|
RESO
|
DUPL
|
2019-08-07
|
| 1348433
|
|
Latent incorrect static_assert in jsstr.cpp
|
Core
|
JavaScript Engine
|
nobody
|
RESO
|
INVA
|
2017-04-04
|
| 1349390
|
|
Integer overflow in dom/xslt/xslt/txNodeSorter.cpp, potentially leading to double-free or uninitialized memory
|
Core
|
XSLT
|
nobody
|
RESO
|
INVA
|
2018-06-05
|
| 1350057
|
|
Crash in OOM | large | mozilla::a11y::Accessible::HasGenericType
|
Core
|
Disability Access AP
|
nobody
|
RESO
|
WORK
|
2020-01-09
|
| 1473778
|
|
integer overflow in [@ mar_hash_name]
|
Toolkit
|
Application Update
|
nobody
|
RESO
|
INVA
|
2020-01-09
|
| 1485208
|
|
OpenH264: signed integer in [@ WelsDec::BaseMC]
|
Core
|
Audio/Video: GMP
|
nobody
|
RESO
|
FIXE
|
2022-09-09
|
| 1505681
|
|
TabParent::RecvSetCustomCursor passes a buffer and size without length checks
|
Core
|
DOM: Content Process
|
nobody
|
RESO
|
DUPL
|
2019-11-07
|
| 1881858
|
|
Potential accesses beyond bounds caused by UniFFIPointer::Read() et al
|
Core
|
XPConnect
|
peterv
|
RESO
|
FIXE
|
2024-05-30
|
| 1453653
|
|
Cherry-pick an upstream FreeType integer overflow fix
|
Core
|
Graphics: Text
|
ryanvm
|
RESO
|
FIXE
|
2018-08-28
|
| 1355046
|
|
Assertion failure: ptrdiff_t(column) + colspan >= 0, at js/src/jsscript.cpp:3102
|
Core
|
JavaScript Engine
|
shu
|
RESO
|
FIXE
|
2018-02-01
|
| 1348936
|
|
Possible integer overflow in allocation size in BasicPlanarYCbCrImage::CopyData?
|
Core
|
Graphics: Layers
|
sotaro.ikeda.g
|
RESO
|
FIXE
|
2017-10-26
|
| 1358300
|
|
Harmless (?) underflow in ArrayBufferObject::create()
|
Core
|
JavaScript Engine
|
sphink
|
RESO
|
FIXE
|
2017-05-09
|
| 1782558
|
|
Assertion failure: aValue <= (size_t(1) << (sizeof(size_t) * 8 - 1)) (can't round up -- will overflow!), at dist/include/mozilla/MathAlgorithms.h:391
|
Core
|
JavaScript Engine
|
sphink
|
RESO
|
FIXE
|
2024-05-30
|
| 1347075
|
|
negative size memmove in mozilla::a11y::Accessible::InsertChildAt
|
Core
|
Disability Access AP
|
surkov.alexander
|
RESO
|
FIXE
|
2024-05-30
|
| 1463240
|
|
Long standing crashes in performXDR
|
Core
|
JavaScript Engine
|
tcampbell
|
RESO
|
INVA
|
2020-01-09
|
| 1348941
|
|
Possible integer overflow in allocation size in nsBMPEncoder::AddImageFrame?
|
Core
|
Graphics: ImageLib
|
tnikkel
|
RESO
|
FIXE
|
2017-10-26
|
| 1784835
|
|
use checkedint in webp encoder
|
Core
|
Graphics: ImageLib
|
tnikkel
|
RESO
|
FIXE
|
2023-01-16
|
| 1818674
|
|
fix a multiply in gfx/2d/DataSurfaceHelpers.cpp that can overflow signed int32
|
Core
|
Graphics: Canvas2D
|
tnikkel
|
RESO
|
FIXE
|
2023-10-17
|
| 1205157
|
|
NSPR overflow in PL_ARENA_ALLOCATE can lead to crash (under ASAN), potential memory corruption
|
NSPR
|
NSPR
|
wtc
|
RESO
|
FIXE
|
2016-05-04
|
| 1512758
|
|
Write beyond bounds in StringBuilder::ToString()
|
Core
|
DOM: Core & HTML
|
hsivonen
|
VERI
|
FIXE
|
2024-05-30
|
| 1563133
|
|
crash in [@ GlyphBufferAzure::OutputGlyph]
|
Core
|
Graphics: Text
|
lsalzman
|
VERI
|
FIXE
|
2020-06-05
|
| 1346648
|
|
ClearKeyDecryptor Integer Overflow Remote (ZDI-CAN-4535)
|
Core
|
Audio/Video: Playbac
|
mozbugz
|
VERI
|
FIXE
|
2017-10-26
|
| 1738237
|
|
heap buffer overflow in nsStructuredCloneContainer::GetDataAsBase64 from integer overflow
|
Core
|
DOM: Core & HTML
|
smaug
|
VERI
|
FIXE
|
2024-05-30
|
| 1551128
|
|
Crash [@ JS::BigInt::digit] or Assertion failure: idx < storage_.size(), at dist/include/mozilla/Span.h:679 with BigInt
|
Core
|
JavaScript Engine
|
wingo
|
VERI
|
FIXE
|
2023-12-06
|
| 1557655
|
|
Assertion failure: charcount <= std::numeric_limits<size_t>::max() / bitsPerChar, at js/src/vm/BigIntType.cpp:1417
|
Core
|
JavaScript Engine
|
wingo
|
VERI
|
FIXE
|
2023-12-06
|
| 1299686
|
|
Integer overflow leading to a buffer overflow in nsScriptLoadHandler
|
Core
|
DOM: Core & HTML
|
amarchesini
|
VERI
|
FIXE
|
2024-05-30
|
| 1268740
|
|
Crash [@ js::TypedArrayMethods]
|
Core
|
JavaScript Engine
|
arai.unmht
|
VERI
|
FIXE
|
2016-06-04
|
| 1524755
|
|
AddressSanitizer: Crash [@ bool InflateUTF8ToUTF16] or Assertion failure: mRangeStart <= mPtr, at dist/include/mozilla/RangedPtr.h:52
|
Core
|
MFBT
|
arai.unmht
|
VERI
|
FIXE
|
2023-12-06
|
| 1334246
|
|
Write beyond stack bounds caused by nsScannerString functions
|
Core
|
XML
|
hsivonen
|
VERI
|
FIXE
|
2024-05-30
|
| 1206211
|
|
Overflow in MPEG4Extractor::readMetaData causes memory-safety bug
|
Core
|
Audio/Video: Playbac
|
jya-moz
|
VERI
|
FIXE
|
2024-05-30
|
| 991533
|
|
limit AudioBuffer channel counts and sample rate range
|
Core
|
Web Audio
|
karlt
|
VERI
|
FIXE
|
2024-05-30
|
| 1418447
|
|
Heap overflow write in SkEdgeBuilder::buildPoly
|
Core
|
Graphics
|
lsalzman
|
VERI
|
FIXE
|
2024-05-30
|
| 1817442
|
|
AddressSanitizer: negative-size-param: (size=-1956016352) [@ __asan_memcpy]
|
Core
|
Graphics: Canvas2D
|
lsalzman
|
VERI
|
FIXE
|
2023-12-06
|
| 1313807
|
|
Assertion failure: nbytes > 0, at js/src/gc/Nursery.cpp:365
|
Core
|
JavaScript Engine
|
nobody
|
VERI
|
FIXE
|
2023-12-06
|
| 956284
|
|
Fault in cycle collector: overflowing refcount
|
Core
|
DOM: Workers
|
ttaubert
|
VERI
|
FIXE
|
2016-12-01
|