AppleAVD AppleAVDUserClient::decodeFrameFig Memory Corruption

In the function AppleAVDUserClient::decodeFrameFig, a location in the decoder’s IOSurface input buffer is calculated, and then bzero is called on it. The size of this IOSurface’s allocation is controllable by the userspace caller, so the calculated pointer can go out of bounds, leading to memory corruption. This issue could potentially allow an unprivileged local application to escalate its privileges to the kernel.Exploit Files ≈ Packet Storm  

 

More To Explore

Do You Want To Secure Your Business?

drop us a line and keep in touch

Cyber Security Automation
Generated by Feedzy