AppleAVD AVC_RBSP::parseSliceHeader ref_pic_list_modification Overflow

There is a buffer overflow in how AppleAVD.kext parses the ref_pic_list_modification component of H.264 slice headers in AVC_RBSP::parseSliceHeader. When pic modification entries are copied into the pic modification list, the loop only terminates when the end code (3) is encountered, meaning that any number of entries can be copied into the fixed-size modification buffer. This can corrupt the remainder of the decoder structure, as well as write outside of allocated memory.
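As an added illustration of the bounds check the copy loop described above lacks (example code written for this page, not AppleAVD's own, with the bit reader, entry struct and sample bitstreams all constructed here): the list parser stops on the end code (3) but also refuses to store more entries than its fixed-size list holds, so a stream that never sends the end code is rejected instead of running off the buffer.

```c
#include <stdint.h>
#include <stddef.h>

/* MSB-first bit reader (illustrative, not the driver's own); read_bit gives -1 when exhausted. */
typedef struct { const uint8_t *p; size_t nbits, pos; } bitreader_t;
static int read_bit(bitreader_t *br) {
    if (br->pos >= br->nbits) return -1;
    int b = (br->p[br->pos >> 3] >> (7 - (br->pos & 7))) & 1;
    br->pos++;
    return b;
}

/* Unsigned Exp-Golomb ue(v): n leading zeros, a 1, then n value bits. */
static int64_t read_ue(bitreader_t *br) {
    int zeros = 0, b;
    while ((b = read_bit(br)) == 0) if (++zeros > 31) return -1;
    if (b < 0) return -1;
    uint32_t val = 0;
    for (int i = 0; i < zeros; i++) {
        if ((b = read_bit(br)) < 0) return -1;
        val = (val << 1) | (uint32_t)b;
    }
    return (int64_t)((1u << zeros) - 1 + val);
}
typedef struct { uint32_t idc, value; } pic_mod_t;

/* Copies ref_pic_list_modification entries into out[] until the end code (3).
 * Returns the entry count, or -1 on a truncated stream, an idc above 3, or more
 * than cap entries; that last check is the one the copy loop described above lacks. */
int parse_pic_mod_list(const uint8_t *buf, size_t len, pic_mod_t *out, size_t cap) {
    bitreader_t br = { buf, len * 8, 0 };
    size_t n = 0;
    for (;;) {
        int64_t idc = read_ue(&br);
        if (idc < 0 || idc > 3) return -1;
        if (idc == 3) return (int)n;   /* end code: list complete */
        if (n >= cap) return -1;       /* bounds check against the fixed-size list */
        int64_t v = read_ue(&br);      /* the entry's operand (abs_diff_pic_num_minus1 or long_term_pic_num) */
        if (v < 0) return -1;
        out[n].idc = (uint32_t)idc; out[n].value = (uint32_t)v; n++;
    }
}

/* Constructed samples. SAMPLE_OK: entries {0,2},{1,0} then the end code, i.e. ue(v) bits
 * 1 011 010 1 00100 zero-padded to 0xB5 0x20. SAMPLE_FLOOD: all-ones bytes decode to an
 * endless run of {0,0} entries with no end code, the input shape that overflows. */
static const uint8_t SAMPLE_OK[] = { 0xB5, 0x20 };
static const uint8_t SAMPLE_FLOOD[] = { 0xFF, 0xFF, 0xFF, 0xFF };
int parse_sample(const uint8_t *buf, size_t len, size_t cap) { /* 8-slot list, cap clamped to 8 */
    pic_mod_t list[8];
    return parse_pic_mod_list(buf, len, list, cap > 8 ? 8 : cap);
}
```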


SHA-256 | f0e86dbff30f8c2f08674e561b12277b9f50b736d022814b1917489c1e9f1d2c
