| ID | Status | Owner | Summary | Labels |
|---|---|---|---|---|
| 139 | Fixed | mjurczyk@google.com | Adobe Reader X and XI for Windows out-of-bounds write in AGM.dll | CCProjectZeroMembers |
| 140 | Fixed | mjurczyk@google.com | Adobe Reader X for Windows out-of-bounds read/write in CoolType.dll | CCProjectZeroMembers |
| 141 | Fixed | mjurczyk@google.com | Adobe Reader X and XI for Windows object use-after-free in AcroForm.api | CCProjectZeroMembers |
| 142 | Fixed | mjurczyk@google.com | Adobe Reader X for Windows out-of-bounds read in AGM.dll | CCProjectZeroMembers |
| 143 | Fixed | mjurczyk@google.com | Adobe Reader X and XI for Windows out-of-bounds read in AcroRd32.dll | CCProjectZeroMembers |
| 144 | Fixed | mjurczyk@google.com | Adobe Reader X and XI for Windows out-of-bounds write in CoolType.dll | CCProjectZeroMembers |
| 145 | Fixed | mjurczyk@google.com | Adobe Reader X for Windows out-of-bounds write in AcroRd32.dll | CCProjectZeroMembers |
| 146 | Fixed | mjurczyk@google.com | Adobe Reader X and XI for Windows unmapped memory read in AGM.dll | CCProjectZeroMembers |
| 147 | Fixed | mjurczyk@google.com | Adobe Reader X for Windows out-of-bounds read in CoolType.dll | CCProjectZeroMembers |
| 148 | Fixed | mjurczyk@google.com | Adobe Reader X and XI for Windows unmapped memory read in AGM.dll | CCProjectZeroMembers |
| 149 | Fixed | mjurczyk@google.com | Adobe Reader X and XI for Windows out-of-bounds read in CoolType.dll | CCProjectZeroMembers |
| 151 | Fixed | mjurczyk@google.com | FreeType 2.5.3 BDF parsing potential heap pointer disclosure | CCProjectZeroMembers |
| 153 | Fixed | mjurczyk@google.com | FreeType 2.5.3 Mac font parsing heap-based buffer overflow due to multiple integer overflows | CCProjectZeroMembers |
| 154 | Fixed | mjurczyk@google.com | FreeType 2.5.3 Mac font parsing heap-based buffer overflow due to integer signedness problems | CCProjectZeroMembers |
| 155 | Fixed | mjurczyk@google.com | FreeType 2.5.3 Mac FOND resource parsing out-of-bounds read from stack | CCProjectZeroMembers |
| 157 | Fixed | mjurczyk@google.com | FreeType 2.5.3 PCF parsing NULL pointer dereference due to 32-bit integer overflow | CCProjectZeroMembers |
| 158 | Fixed | mjurczyk@google.com | FreeType 2.5.3 PCF parsing NULL pointer dereference due to 32-bit integer overflow | CCProjectZeroMembers |
| 163 | Fixed | mjurczyk@google.com | FreeType 2.5.3 SFNT parsing multiple out-of-bounds reads due to integer overflows in "cmap" table handling | CCProjectZeroMembers |
| 164 | Fixed | mjurczyk@google.com | FreeType 2.5.3 WOFF parsing heap-based buffer overflow due to integer overflow | CCProjectZeroMembers |
| 166 | Fixed | mjurczyk@google.com | FreeType 2.5.3 SFNT parsing integer overflows | CCProjectZeroMembers |
| 167 | Fixed | mjurczyk@google.com | FreeType 2.5.3 sbits parsing potential out-of-bounds read due to integer overflow | CCProjectZeroMembers |
| 168 | Fixed | mjurczyk@google.com | FreeType 2.5.3 sbix PNG handling heap-based buffer overflow due to integer overflow | CCProjectZeroMembers |
| 169 | Fixed | mjurczyk@google.com | Windows Kernel ATMFD.DLL DoS via unlimited CharString program execution | CCProjectZeroMembers |
| 174 | Fixed | mjurczyk@google.com | Windows Kernel ATMFD.DLL out-of-bounds reads from the input CharString stream | CCProjectZeroMembers |
| 175 | Fixed | mjurczyk@google.com | Windows Kernel ATMFD.DLL off-by-x oob reads/writes relative to the operand stack | CCProjectZeroMembers |
| 176 | Fixed | mjurczyk@google.com | Windows Kernel ATMFD.DLL kernel pool memory disclosure via uninitialized transient array | CCProjectZeroMembers |
| 177 | Fixed | mjurczyk@google.com | Windows Kernel ATMFD.DLL read/write-what-where in LOAD and STORE operators | CCProjectZeroMembers |
| 178 | Fixed | mjurczyk@google.com | Windows Kernel ATMFD.DLL pool-based buffer overflow in Counter Control Hints | CCProjectZeroMembers |
| 179 | Fixed | mjurczyk@google.com | Windows Kernel ATMFD.DLL pool-based buffer underflow due to integer overflow in STOREWV | CCProjectZeroMembers |
| 180 | Fixed | mjurczyk@google.com | Windows Kernel ATMFD.DLL unlimited out-of-bounds stack manipulation via BLEND operator | CCProjectZeroMembers |
| 183 | Fixed | mjurczyk@google.com | FreeType 2.5.3 Type42 parsing out-of-bounds read in "ps_table_add" | CCProjectZeroMembers |
| 184 | Fixed | mjurczyk@google.com | FreeType 2.5.3 SFNT cmap parsing out-of-bounds read in "tt_cmap4_validate" | CCProjectZeroMembers |
| 185 | Fixed | mjurczyk@google.com | FreeType 2.5.3 CFF CharString parsing heap-based buffer overflow in "cff_builder_add_point" | CCProjectZeroMembers |
| 187 | Fixed | mjurczyk@google.com | FreeType 2.5.3 Type42 parsing use-after-free in "FT_Stream_TryRead" (embedded BDF loading) | CCProjectZeroMembers |
| 188 | Fixed | mjurczyk@google.com | FreeType 2.5.3 BDF parsing NULL pointer dereference in "_bdf_parse_glyphs" | CCProjectZeroMembers |
| 190 | Fixed | mjurczyk@google.com | FreeType 2.5.3 CFF hintmap building stack-based arbitrary out-of-bounds write | CCProjectZeroMembers |
| 194 | Fixed | mjurczyk@google.com | FreeType 2.5.3 SFNT kern parsing out-of-bounds read in "tt_face_load_kern" | CCProjectZeroMembers |
| 195 | Fixed | mjurczyk@google.com | FreeType 2.5.3 TrueType parsing heap-based out-of-bounds read in "tt_face_load_hdmx" | CCProjectZeroMembers |
| 196 | Fixed | mjurczyk@google.com | FreeType 2.5.3 OpenType parsing heap-based out-of-bounds read in "tt_sbit_decoder_load_image" | CCProjectZeroMembers |
| 197 | Fixed | mjurczyk@google.com | FreeType 2.5.3 multiple unchecked function calls returning FT_Error | CCProjectZeroMembers |
| 211 | Fixed | mjurczyk@google.com | FreeType 2.5.4 Type42 parsing invalid free in "t42_parse_sfnts" | CCProjectZeroMembers |
| 242 | Fixed | mjurczyk@google.com | pdfium heap-based out-of-bounds read in CPDF_SampledFunc::v_Call | CCProjectZeroMembers |
| 243 | Fixed | mjurczyk@google.com | pdfium SIGSEGV in opj_j2k_update_image_data (libopenjpeg) | CCProjectZeroMembers |
| 247 | Fixed | mjurczyk@google.com | Adobe Reader CoolType out-of-bounds reads from the input CharString stream | CCProjectZeroMembers |
| 248 | Fixed | mjurczyk@google.com | Adobe Reader CoolType use of uninitialized memory in transient array | CCProjectZeroMembers |
| 249 | Fixed | mjurczyk@google.com | Adobe Reader CoolType heap-based buffer overflow in Counter Control Hints | CCProjectZeroMembers |
| 250 | Fixed | mjurczyk@google.com | Adobe Reader CoolType heap-based buffer underflow due to integer overflow in STOREWV | CCProjectZeroMembers |
| 258 | Fixed | mjurczyk@google.com | Adobe Reader CoolType unlimited out-of-bounds stack manipulation via BLEND operator | CCProjectZeroMembers |
| 259 | Fixed | mjurczyk@google.com | Microsoft Internet Explorer DirectWrite memory disclosure via uninitialized transient array | CCProjectZeroMembers |
| 277 | Fixed | mjurczyk@google.com | Microsoft Windows Presentation Foundation memory disclosure via uninitialized transient array | CCProjectZeroMembers |
| 281 | Fixed | mjurczyk@google.com | Oracle Java Runtime Environment memory disclosure via uninitialized transient array | CCProjectZeroMembers |
| 282 | Fixed | mjurczyk@google.com | Oracle Java Runtime Environment memory disclosure via uninitialized operand stack | CCProjectZeroMembers |
| 297 | Fixed | mjurczyk@google.com | Oracle Java Runtime Environment invalid memory access during TTF font rendering in sc_mark | CCProjectZeroMembers |
| 298 | Fixed | mjurczyk@google.com | Oracle Java Runtime Environment heap corruption during TTF font rendering in ag_AnalyzeChar | CCProjectZeroMembers |
| 299 | Fixed | mjurczyk@google.com | Oracle Java Runtime Environment heap corruption during TTF font rendering in fnt_IDEF | CCProjectZeroMembers |
| 305 | Fixed | mjurczyk@google.com | Oracle Java Runtime Environment heap corruption during TTF/Type1 font rendering in sc_FindExtrema4 | CCProjectZeroMembers |
| 306 | Fixed | mjurczyk@google.com | Oracle Java Runtime Environment multiple NULL pointer dereferences during TTF/Type1 font rendering | CCProjectZeroMembers |
| 307 | Fixed | mjurczyk@google.com | pdfium heap-based out-of-bounds read in opj_dwt_decode_1 (libopenjpeg) | CCProjectZeroMembers |
| 309 | Fixed | mjurczyk@google.com | pdfium unmapped memory read (SIGSEGV) crash in CPDF_SampledFunc::v_Call | CCProjectZeroMembers |
| 310 | Fixed | mjurczyk@google.com | pdfium static out-of-bounds read in CXFA_ItemLayoutProcessor::CalculatePositionedContainerPos | CCProjectZeroMembers |
| 350 | Fixed | mjurczyk@google.com | Adobe Flash bad free condition | CCProjectZeroMembers |
| 361 | Fixed | mjurczyk@google.com | Adobe Flash out-of-bounds memory read while parsing a mutated SWF file | CCProjectZeroMembers |
| 362 | Fixed | mjurczyk@google.com | Adobe Flash out-of-bounds memory read while parsing a mutated SWF file | CCProjectZeroMembers |
| 363 | Fixed | mjurczyk@google.com | Adobe Flash out-of-bounds memory read while parsing a mutated TTF file embedded in SWF | CCProjectZeroMembers |
| 368 | Fixed | mjurczyk@google.com | Windows Kernel win32k.sys TTF font processing: pool-based buffer overflow in the IUP[] program instruction | CCProjectZeroMembers |
| 369 | Fixed | mjurczyk@google.com | Windows Kernel ATMFD.DLL OTF font processing: pool-based buffer overflow with malformed GPOS table | CCProjectZeroMembers |
| 370 | Fixed | mjurczyk@google.com | Windows Kernel win32k.sys TTF font processing: pool-based buffer overflow in win32k!scl_ApplyTranslation | CCProjectZeroMembers |
| 378 | Fixed | cevans@google.com | Flash: out-of-bounds read in UTF conversion | CCProjectZeroMembers |
| 382 | Fixed | mjurczyk@google.com | Windows Kernel ATMFD.DLL out-of-bounds reads from the input CharString stream | CCProjectZeroMembers |
| 383 | Fixed | mjurczyk@google.com | Windows Kernel ATMFD.DLL invalid memory access due to malformed CFF table (ATMFD+0x34072 / ATMFD+0x3407b) | CCProjectZeroMembers |
| 384 | Fixed | mjurczyk@google.com | Windows Kernel ATMFD.DLL invalid memory access due to malformed CFF table (ATMFD+0x3440b / ATMFD+0x3440e) | CCProjectZeroMembers |
| 385 | Fixed | mjurczyk@google.com | Windows Kernel ATMFD.DLL write to uninitialized address due to malformed CFF table | CCProjectZeroMembers |
| 386 | Fixed | mjurczyk@google.com | Windows Kernel ATMFD.DLL out-of-bounds read due to malformed Name INDEX in the CFF table | CCProjectZeroMembers |
| 392 | Fixed | mjurczyk@google.com | Windows Kernel ATMFD.DLL out-of-bounds read due to malformed FDSelect offset in the CFF table | CCProjectZeroMembers |
| 396 | Fixed | cevans@google.com | Flash: wild pointer crash in drawing and bitmap handling | CCProjectZeroMembers |
| 397 | Fixed | cevans@google.com | Flash: wild pointer crash after continuing slow script | CCProjectZeroMembers |
| 398 | Fixed | cevans@google.com | Flash: bad dereference at 0x23c on Linux x64 | CCProjectZeroMembers |
| 399 | Fixed | cevans@google.com | Flash: wild pointer in button handling | CCProjectZeroMembers |
| 400 | Fixed | cevans@google.com | Flash: wild pointer crash in XML handling | CCProjectZeroMembers |
| 401 | Fixed | mjurczyk@google.com | Windows Kernel win32k.sys TTF font processing: out-of-bounds pool memory access in win32k!fsc_RemoveDups | CCProjectZeroMembers |
| 402 | Fixed | mjurczyk@google.com | Windows Kernel win32k.sys TTF font processing: out-of-bounds pool write in win32k!fsc_BLTHoriz | CCProjectZeroMembers |
| 425 | Fixed | cevans@google.com | Flash: heap-based buffer overflow loading FLV file with Nellymoser audio codec | CCProjectZeroMembers |
| 426 | Fixed | cevans@google.com | Flash: heap-based buffer overflow due to indexing error when loading FLV file | CCProjectZeroMembers |
| 432 | Duplicate | hawkes@google.com | Flash: wild read on audio thread | CCProjectZeroMembers |
| 438 | Fixed | hawkes@google.com | Flash: use-after-free in video decoding | CCProjectZeroMembers |
| 446 | Fixed | hawkes@google.com | Flash: wild pointer 0x1808121a502959a4 decoding h.264 | CCProjectZeroMembers |
| 447 | Fixed | hawkes@google.com | Flash: corrupt stack leading to misaligned XMM instruction decoding h.264 | CCProjectZeroMembers |
| 448 | Fixed | hawkes@google.com | Flash: out-of-bounds crash due to negative table indexing error loading 8-byte wide value | CCProjectZeroMembers |
| 449 | Fixed | hawkes@google.com | Flash: out-of-bounds read in AAC audio handling | CCProjectZeroMembers |
| 450 | Fixed | hawkes@google.com | Flash: information leak into video canvas; rendering of non-deterministic content that apparently contains pointers | CCProjectZeroMembers |
| 452 | Fixed | hawkes@google.com | Flash: wild write at 0x453b0cf0 in color conversion | CCProjectZeroMembers |
| 506 | Fixed | mjurczyk@google.com | Windows Kernel win32k.sys TTF font processing: pool-based buffer overflow with malformed OS/2 table | CCProjectZeroMembers |
| 507 | Fixed | mjurczyk@google.com | Windows Kernel win32k.sys TTF font processing: pool-based buffer overflow with malformed TrueType program | CCProjectZeroMembers |
| 602 | Fixed | mjurczyk@google.com | FreeType 2.6.1 TrueType parsing heap-based out-of-bounds reads in "tt_cmap14_validate" | CCProjectZeroMembers |
| 609 | Fixed | natashenka@google.com | Adobe Flash: Heap Overflow in BitmapData.drawWithQuality | CCProjectZeroMembers |
| 610 | Invalid | natashenka@google.com | Adobe Flash: Crash in BitmapData.copyPixels | CCProjectZeroMembers |
| 612 | Fixed | mjurczyk@google.com | pdfium stack-based buffer overflow in CPDF_Function::Call | CCProjectZeroMembers |
| 613 | Fixed | mjurczyk@google.com | pdfium heap use-after-free in opj_t2_read_packet_header (libopenjpeg) | CCProjectZeroMembers |
| 614 | Fixed | mjurczyk@google.com | FreeType 2.6.1 TrueType parsing heap-based out-of-bounds read in "tt_sbit_decoder_load_bit_aligned" | CCProjectZeroMembers |
| 622 | Fixed | mjurczyk@google.com | pdfium SIGSEGV in IsFlagSet (v8 memory management) | CCProjectZeroMembers |