AppleAVD AppleAVDUserClient::decodeFrameFig Memory Corruption

In the function AppleAVDUserClient::decodeFrameFig, a location in the decoder's IOSurface input buffer is calculated, and then bzero is called on it. The size of this IOSurface's allocation is controllable by the userspace caller, so the calculated pointer can go out of bounds, leading to memory corruption. This issue could potentially allow an unprivileged local application to escalate its privileges to the kernel.


SHA-256 | a9f971c8dcec3381b92b6bafb61fc99c1b1da326eec460ede2682c51580f3f3e


Related Posts