Chrome heap buffer overflow in validating command decoder [CVE-2022-4135]

We discussed this vulnerability during Episode 186 on 07 February 2023

A heap buffer overflow in Chrome that Google’s Threat Analysis Group (TAG) found in the wild. The bug was in the texture subsystem used for WebGL (GLES): textures created from a shared image bypass the texture manager’s tracking of max_levels, the number of mipmap levels a texture has.

Under normal circumstances, a texture’s max_levels is computed internally when its level_infos vector is initialized, and anything accessing a mipmap level first calls TextureManager::ValidForTarget() to ensure the level index is in bounds. Shared image textures bypass the texture manager, however, and that path manually sets max_levels = 1. Since TextureManager::ValidForTarget() isn’t aware of this, methods can index level_infos out of bounds.
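To make the mismatch concrete, the following is an added, simplified C++ model written for this summary; it is not Chrome's code, and the struct and function names (Texture, TextureManager, level_infos, max_levels, ValidForTarget, SetLevelInfo) are placeholders modelled on the identifiers mentioned above. It shows a bounds check that consults only the manager's per-target bound accepting a level that a shared-image texture's one-entry level table cannot hold, next to a gate that also checks the texture's own level count before indexing (an assumed mitigation for illustration, not the fix that shipped).

```cpp
#include <cstddef>
#include <vector>

// Hypothetical, simplified model of the max_levels mismatch described above.
// Not Chrome's code: names are placeholders modelled on the writeup.

struct LevelInfo {
    int width = 0;
    int height = 0;
};

// Per-texture state: the mipmap level table and the level count the texture
// itself was given.
struct Texture {
    std::vector<LevelInfo> level_infos;
    int max_levels = 0;
};

struct TextureManager {
    // Bound the manager computes for the target and consults in
    // ValidForTarget(). In the normal path level_infos is sized from it.
    int target_max_levels = 0;

    Texture CreateTexture() const {
        Texture t;
        t.max_levels = target_max_levels;
        t.level_infos.resize(static_cast<std::size_t>(target_max_levels));
        return t;
    }

    // Shared-image path: bypasses the manager's tracking and hard-codes a
    // single level, so level_infos has one entry whatever target_max_levels is.
    static Texture CreateFromSharedImage() {
        Texture t;
        t.max_levels = 1;
        t.level_infos.resize(1);
        return t;
    }

    // The check as described: it knows only the manager's bound, not how the
    // particular texture was created.
    bool ValidForTarget(int level) const {
        return level >= 0 && level < target_max_levels;
    }
};

// Does a level index actually fall inside this texture's level table?
bool InBounds(const Texture& t, int level) {
    return level >= 0 && static_cast<std::size_t>(level) < t.level_infos.size();
}

// Hardened gate (assumed mitigation for illustration): combine the target
// check with the texture's own level count before indexing.
bool ValidForTexture(const TextureManager& mgr, const Texture& t, int level) {
    return mgr.ValidForTarget(level) && level < t.max_levels && InBounds(t, level);
}

// Writes a level entry only when the hardened gate allows it; returns whether
// the write happened.
bool SetLevelInfo(const TextureManager& mgr, Texture& t, int level, int w, int h) {
    if (!ValidForTexture(mgr, t, level)) return false;
    LevelInfo info;
    info.width = w;
    info.height = h;
    t.level_infos[static_cast<std::size_t>(level)] = info;
    return true;
}

// Scenario values constructed for the demonstration.
const int kTargetLevels = 12;  // manager's bound for the target
const int kProbeLevel = 5;     // valid for the target, beyond a shared-image texture's table

// The bug: the manager-level check accepts a level that the shared-image
// texture's one-entry level_infos cannot hold, so indexing it would be OOB.
bool VulnerableCheckAcceptsOutOfBoundsLevel() {
    TextureManager mgr;
    mgr.target_max_levels = kTargetLevels;
    Texture shared = TextureManager::CreateFromSharedImage();
    return mgr.ValidForTarget(kProbeLevel) && !InBounds(shared, kProbeLevel);
}

bool HardenedCheckRejectsOutOfBoundsLevel() {
    TextureManager mgr;
    mgr.target_max_levels = kTargetLevels;
    Texture shared = TextureManager::CreateFromSharedImage();
    return !SetLevelInfo(mgr, shared, kProbeLevel, 32, 32);
}

bool HardenedCheckAllowsLevelZero() {
    TextureManager mgr;
    mgr.target_max_levels = kTargetLevels;
    Texture shared = TextureManager::CreateFromSharedImage();
    return SetLevelInfo(mgr, shared, 0, 64, 64) && shared.level_infos[0].width == 64;
}

// A normally created texture still accepts every level the target allows and
// nothing past it.
bool NormalTextureUnaffected() {
    TextureManager mgr;
    mgr.target_max_levels = kTargetLevels;
    Texture normal = mgr.CreateTexture();
    return SetLevelInfo(mgr, normal, kProbeLevel, 8, 8) &&
           !SetLevelInfo(mgr, normal, kTargetLevels, 4, 4);
}
```

The point the model isolates is that a validator which trusts a bound computed on one path is only sound if every path that creates the object goes through that bound; when a second construction path sets its own smaller size, the check must be tied to the object being indexed (here, level_infos.size()) rather than to the category it belongs to.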