Out-of-bounds read/write through neutering ArrayBuffer objects — Mozilla

Security researcher Jüri Aedla, via TippingPoint's Pwn2Own contest, reported that TypedArrayObject does not handle the case where ArrayBuffer objects are neutered, setting their length to zero while still in use. This leads to out-of-bounds reads and writes into the JavaScript heap, allowing for...

Integer overflow

Multiple integer overflows in Opera 11.60 and earlier allow remote attackers to cause a denial of service application crash via a large integer argument to the 1 Int32Array, 2 Float32Array, 3 Float64Array, 4 Uint32Array, 5 Int16Array, or 6 ArrayBuffer function. NOTE: the vendor reportedly...