diff --git a/extra/chromium/PKGBUILD b/extra/chromium/PKGBUILD
index 79812977d..ec9bce7a3 100644
--- a/extra/chromium/PKGBUILD
+++ b/extra/chromium/PKGBUILD
@@ -21,7 +21,7 @@
 buildarch=4
 
 pkgname=chromium
-pkgver=39.0.2171.99
+pkgver=40.0.2214.91
 pkgrel=1
 pkgdesc="The open-source project behind Google Chrome, an attempt at creating a safer, faster, and more stable browser"
 arch=('armv6h' 'armv7h')
@@ -48,15 +48,17 @@ source=(https://commondatastorage.googleapis.com/chromium-browser-official/$pkgn
         arm-webrtc-fix.patch
         chromium-arm-r0.patch
         skia.patch
-        v6-ffmpeg.patch)
-sha256sums=('6d527003a7dc3256a266d33fa42185c75934efd6de14f51cde345701ba2ae449'
+        v6-ffmpeg.patch
+        chromium-webkit-buffer-overflow.patch)
+sha256sums=('f72fda9ff1ea256ab911610ee532eadf8303137d431f2481d01d3d60e5e64149'
             '09bfac44104f4ccda4c228053f689c947b3e97da9a4ab6fa34ce061ee83d0322'
             '478340d5760a9bd6c549e19b1b5d1c5b4933ebf5f8cfb2b3e2d70d07443fe232'
             '4999fded897af692f4974f0a3e3bbb215193519918a1fa9b31ed51e74a2dccb9'
             '9db0f01517c52e3236ff52e8a664840542a19144a54923ae6aabea3dcfa92c52'
             'df4be49770d508b772f98eda9fc5f37fa71d4c0459437e12f7f3db5892aa1611'
             'd53c0af6636611ee190083361d100cbbdc18515d94f59c2750da121022554226'
-            '3fbabcbd512494b529e0a0e17560735887acf2291a74653750f9b29f5d45774d')
+            '3fbabcbd512494b529e0a0e17560735887acf2291a74653750f9b29f5d45774d'
+            '870ca4516a0a5407b1e2da822a1ca4f201349c8699877f6bd248cd8e08e7f2f1')
 
 # Google API keys (see http://www.chromium.org/developers/how-tos/api-keys)
 # Note: These are for Arch Linux use ONLY. For your own distribution, please
@@ -84,6 +86,10 @@ prepare() {
   # https://groups.google.com/a/chromium.org/d/topic/chromium-packagers/BNGvJc08B6Q
   find third_party/icu -type f \! -regex '.*\.\(gyp\|gypi\|isolate\)' -delete
 
+  # Fix a buffer overflow in blink::HarfBuzzShaper::resolveCandidateRuns()
+  # https://code.google.com/p/chromium/issues/detail?id=445075#c10
+  patch -d third_party/WebKit -Np1 <../chromium-webkit-buffer-overflow.patch
+
   MAKEFLAGS=-j4
 
   # Use Python 2
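Review bot: The redirect `<../chromium-webkit-buffer-overflow.patch` in the added `patch` line is resolved against whatever directory prepare() happens to be in at that point, which this hunk does not show. Naming the file from `$srcdir` removes that dependency: `patch -d third_party/WebKit -Np1 -i "$srcdir/chromium-webkit-buffer-overflow.patch"`. The comment could also say when this local security patch is meant to be dropped, for example `# Remove once the release tarball contains this fix`, so that it is not carried forward and then fails to apply on a later version bump. prepare() begins and ends outside the hunk.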
diff --git a/extra/chromium/chromium-webkit-buffer-overflow.patch b/extra/chromium/chromium-webkit-buffer-overflow.patch
new file mode 100644
index 000000000..c20bd7825
--- /dev/null
+++ b/extra/chromium/chromium-webkit-buffer-overflow.patch
@@ -0,0 +1,23 @@
+diff --git a/Source/platform/fonts/shaping/HarfBuzzShaper.cpp b/Source/platform/fonts/shaping/HarfBuzzShaper.cpp
+index 87441d9..a90b925 100644
+--- a/Source/platform/fonts/shaping/HarfBuzzShaper.cpp
++++ b/Source/platform/fonts/shaping/HarfBuzzShaper.cpp
+@@ -702,7 +702,7 @@ static inline void resolveRunBasedOnScriptValue(Vector<CandidateRun>& runs,
+ 
+ static inline bool resolveCandidateRuns(Vector<CandidateRun>& runs)
+ {
+-    UScriptCode scriptExtensions[8];
++    UScriptCode scriptExtensions[USCRIPT_CODE_LIMIT];
+     UErrorCode errorCode = U_ZERO_ERROR;
+     size_t length = runs.size();
+     size_t nextResolvedRun = 0;
+@@ -714,7 +714,8 @@ static inline bool resolveCandidateRuns(Vector<CandidateRun>& runs)
+             run.script = i > 0 ? runs[i - 1].script : USCRIPT_COMMON;
+ 
+         int extensionsLength = uscript_getScriptExtensions(run.character,
+-            scriptExtensions, sizeof(scriptExtensions), &errorCode);
++            scriptExtensions, sizeof(scriptExtensions) / sizeof(scriptExtensions[0]),
++            &errorCode);
+         if (U_FAILURE(errorCode))
+             return false;
+
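Review bot: The capacity argument passed to `uscript_getScriptExtensions` in resolveCandidateRuns() is a count of `UScriptCode` elements, and nothing in the new code says so. That is how the byte-sized `sizeof(scriptExtensions)` came to be passed originally. A one-line comment above the call, `// capacity is the number of UScriptCode slots, not bytes`, would help keep a later edit from reintroducing the overflow. If `WTF_ARRAY_LENGTH` is reachable from this file (not visible here), `WTF_ARRAY_LENGTH(scriptExtensions)` expresses the same count without the hand-written division. The function body continues past the end of the hunk.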