Unrated severity · NVD Advisory · Published Sep 3, 2015 · Updated May 6, 2026

CVE-2015-6582

Description

The decompose function in platform/transforms/TransformationMatrix.cpp in Blink, as used in Google Chrome before 45.0.2454.85, does not verify that a matrix inversion succeeded, which allows remote attackers to cause a denial of service (uninitialized memory access and application crash) or possibly have unspecified other impact via a crafted web site.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Blink's TransformationMatrix::decompose function in Chrome before 45.0.2454.85 fails to check whether a matrix inversion succeeded, enabling a DoS via a crafted website.

Vulnerability

The decompose function in platform/transforms/TransformationMatrix.cpp within Blink, used in Google Chrome prior to version 45.0.2454.85, does not verify whether a matrix inversion operation succeeded. This oversight allows an uninitialized memory access when the inversion fails, as the function proceeds to use the result without validation. The vulnerability is triggered when processing a crafted web page that supplies a non-invertible transformation matrix.
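The unchecked-inversion pattern described above, reduced to a 2x2 matrix as an added example; this is not Blink's code, and `inverse`, `solve_unchecked`, `solve_checked` and the sample matrices are hypothetical names constructed for illustration.

```cpp
// Added illustration: a 2x2 stand-in, not Blink's TransformationMatrix code.
#include <array>
#include <cmath>

using Mat2 = std::array<std::array<double, 2>, 2>;
using Vec2 = std::array<double, 2>;

// Out-parameter inverse: returns false and leaves `out` unwritten when the
// matrix is singular, so the return value is the only signal of failure.
bool inverse(const Mat2& m, Mat2& out) {
    const double det = m[0][0] * m[1][1] - m[0][1] * m[1][0];
    if (std::fabs(det) < 1e-12) return false;
    out[0] = { m[1][1] / det, -m[0][1] / det};
    out[1] = {-m[1][0] / det,  m[0][0] / det};
    return true;
}

// Flawed pattern: the result of inverse() is dropped, so for a singular
// input `inv` is read while still uninitialized.
Vec2 solve_unchecked(const Mat2& m, const Vec2& rhs) {
    Mat2 inv;                 // deliberately not initialized
    inverse(m, inv);          // failure is ignored
    return {inv[0][0] * rhs[0] + inv[0][1] * rhs[1],
            inv[1][0] * rhs[0] + inv[1][1] * rhs[1]};
}

// Hardened pattern: bail out before touching `inv` and report failure.
bool solve_checked(const Mat2& m, const Vec2& rhs, Vec2& result) {
    Mat2 inv{};               // zero-initialized as defense in depth
    if (!inverse(m, inv)) return false;
    result = {inv[0][0] * rhs[0] + inv[0][1] * rhs[1],
              inv[1][0] * rhs[0] + inv[1][1] * rhs[1]};
    return true;
}

// Constructed inputs: a non-uniform scale (invertible) and a rank-1 matrix.
const Mat2 kInvertible = {{{2.0, 0.0}, {0.0, 4.0}}};
const Mat2 kSingular   = {{{1.0, 2.0}, {2.0, 4.0}}};
```

Building the unchecked variant with MemorySanitizer (`-fsanitize=memory`) and feeding it `kSingular` reports the uninitialized read, which is how this class of bug is typically caught in testing.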

Exploitation

An attacker can exploit this vulnerability by hosting a malicious website that includes a crafted, non-invertible CSS or SVG transformation matrix. No authentication or special privileges are required; the victim simply needs to visit the site using a vulnerable version of Chrome. The browser's rendering engine will call decompose on the matrix, and upon inversion failure, the uninitialized memory access leads to a crash.

Impact

Successful exploitation results in a denial of service (DoS) due to application crash caused by uninitialized memory access. The description also notes "possibly have unspecified other impact," but no further details are provided in the available references. The crash occurs in the browser process, affecting the user's session.

Mitigation

The vulnerability was fixed in Google Chrome version 45.0.2454.85, released on September 1, 2015. Users should update to this version or later. The fix is included in the Chromium repository at revision 195670 [1]. No workarounds are available for older versions; upgrading is the only mitigation.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
