Buffer overflow vulnerabilities in the libpng functions png_get_PLTE and png_set_PLTE, allowing remote attackers to cause a denial of service in the application or have unspecified other impact. These functions failed to check for an out-of-range palette when reading or writing PNG files with a bit_depth less than 8. Some applications might read the bit depth from the IHDR chunk and allocate memory for a 2^N-entry palette, while libpng can return a palette with up to 256 entries even when the bit depth is less than 8.
Same-origin bypass in Blink. Credit to Mariusz Mlynski.
Same-origin bypass in Pepper Plugin. Credit to Mariusz Mlynski.
Bad cast in Extensions.
Use-after-free in Blink. Credit to cloudfuzzer.
Use-after-free in Blink. Credit to Rob Wu.
SRI Validation Bypass. Credit to Ryan Lester and Bryant Zadegan.
Information Leak in Skia. Credit to Keve Nagy.
WebAPI Bypass. Credit to Rob Wu.
Use-after-free in WebRTC. Credit to Khalil Zhani.
Origin confusion in Extensions UI. Credit to Luan Herrera.
Use-after-free in Favicon. Credit to Atte Kettunen of OUSPG.
Various fixes from internal audits, fuzzing and other initiatives.