Post from Man Yue Mo at GitHub Security Lab on an RCE in Chrome due to a bug in Chrome's JIT compiler (TurboFan). As a bit of background, modern browsers will often compile code or functions that are deemed 'hot paths' (that is, executed frequently)...
A rather complex bug to trigger that was found being exploited in the wild against libwebp's VP8L compression and was reachable through an iMessage.
Callbacks can be tricky in memory-unsafe languages. Here the Chrome Account Selection feature creates an image view and an image fetcher, then sets up a callback function to be called once the account's image has been fetched, passing in the raw pointer to the created image_view. The problem is that the image view may be destroyed before the callback runs.
The Autofill Assistant has a chain of issues that could be abused for universal XSS in the context of an arbitrary website.
This is an interesting primitive: an unsigned 32-bit integer can mistakenly be kept unsigned after it is supposedly converted to a signed 64-bit integer and then passed somewhere that expects a signed value.
There is a use-after-free in Chrome for Android when fetching credit card details to autofill. This vulnerability does require that the victim has credit card details saved in Chrome.
First, a bit of background terminology as I understand it. Not being familiar with v8, there are likely some subtleties I am missing.