Opera before 9.27 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted scaled image pattern in an HTML CANVAS element, which triggers memory corruption.
https://exchange.xforce.ibmcloud.com/vulnerabilities/41627
http://www.vupen.com/english/advisories/2008/1084/references
http://www.securityfocus.com/bid/28585
http://www.opera.com/support/search/view/882/
http://www.opera.com/docs/changelogs/linux/927/
http://security.gentoo.org/glsa/glsa-200804-14.xml
http://secunia.com/advisories/29735
http://secunia.com/advisories/29679
http://secunia.com/advisories/29662
http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00007.html