The WebGL implementation in Google Chrome before 37.0.2062.94 does not ensure that clear calls interact properly with the state of a draw buffer, which allows remote attackers to cause a denial of service (read of uninitialized memory) via a crafted CANVAS element, related to gpu/command_buffer/service/framebuffer_manager.cc and gpu/command_buffer/service/gles2_cmd_decoder.cc.
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
| Link | Tags |
|---|---|
| http://www.securityfocus.com/bid/69403 | vdb entry |
| https://src.chromium.org/viewvc/chrome?revision=275338&view=revision | |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/95473 | vdb entry |
| http://googlechromereleases.blogspot.com/2014/08/stable-channel-update_26.html | |
| http://secunia.com/advisories/60424 | third party advisory |
| https://crbug.com/376951 | |
| http://secunia.com/advisories/61482 | third party advisory |
| http://security.gentoo.org/glsa/glsa-201408-16.xml | vendor advisory |
| http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00027.html | vendor advisory |
| http://secunia.com/advisories/60268 | third party advisory |
| http://www.securitytracker.com/id/1030767 | vdb entry |
| http://www.debian.org/security/2014/dsa-3039 | vendor advisory |