AppleAVD AppleAVDUserClient::decodeFrameFig Memory Corruption
In the function AppleAVDUserClient::decodeFrameFig, a location in the
decoder's IOSurface input buffer is calculated, and then bzero is called
on it. The size of this IOSurface's allocation is controllable by the
userspace caller, so the calculated pointer can go out of bounds, leading
to memory corruption. This issue could potentially allow an unprivileged
local application to escalate its privileges to the kernel.
https://packetstormsecurity.com/files/169930/GS20221118141944.tgz
Fri, 18 Nov 2022 14:22:44 GMT
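The bug class described above is an unchecked write into a buffer whose length the caller picks: a pointer is computed from decode parameters and then zeroed without comparing the resulting range against the allocation. The following C is an added illustration of that pattern and of the bounds check that closes it; it is constructed for this note and is not AppleAVD, IOSurface, or any Apple code. The region_t type, the clear_unchecked/clear_checked functions, and the scenario helper are all hypothetical names chosen here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a caller-supplied buffer: the base pointer and
 * the length both originate from untrusted input, as the advisory says the
 * IOSurface allocation size does. Hypothetical type, not an Apple API. */
typedef struct {
    uint8_t *base;   /* start of the caller-supplied buffer */
    size_t   len;    /* buffer length chosen by the caller */
} region_t;

/* Unchecked pattern (the defect class): the target pointer is computed and
 * zeroed with no comparison against the buffer length. If offset + n runs
 * past len, the zeroing writes outside the allocation. Shown for contrast
 * only; nothing below calls it. */
static void clear_unchecked(region_t *r, size_t offset, size_t n) {
    memset(r->base + offset, 0, n);   /* equivalent to bzero(ptr, n) */
}

/* Hardened pattern: accept the request only if [offset, offset + n) lies
 * entirely inside [0, len). The subtraction form avoids the size_t wrap
 * that a naive "offset + n > len" test would suffer for huge offsets. */
static int clear_checked(region_t *r, size_t offset, size_t n) {
    if (r == NULL || r->base == NULL) return -1;
    if (offset > r->len)              return -1;   /* start lies past the end */
    if (n > r->len - offset)          return -1;   /* run would cross the end */
    memset(r->base + offset, 0, n);
    return 0;
}

/* Counts non-zero bytes so a caller can see exactly what was cleared. */
static size_t count_nonzero(const uint8_t *p, size_t n) {
    size_t c = 0;
    for (size_t i = 0; i < n; i++) c += (p[i] != 0);
    return c;
}

/* Runs one request against a constructed buffer filled with 0xAA.
 * Returns the number of non-zero bytes remaining after a checked clear,
 * or (size_t)-1 if the request was rejected as out of bounds. */
static size_t scenario(size_t buf_len, size_t offset, size_t n) {
    uint8_t buf[64];
    if (buf_len > sizeof buf) return (size_t)-1;
    memset(buf, 0xAA, sizeof buf);
    region_t r = { buf, buf_len };
    if (clear_checked(&r, offset, n) != 0) return (size_t)-1;
    return count_nonzero(buf, buf_len);
}

int main(void) {
    printf("in-bounds clear leaves %zu non-zero bytes\n", scenario(16, 4, 8));
    printf("request crossing the end -> %s\n",
           scenario(16, 12, 8) == (size_t)-1 ? "rejected" : "accepted");
    printf("wrapping offset -> %s\n",
           scenario(16, SIZE_MAX, 1) == (size_t)-1 ? "rejected" : "accepted");
    return 0;
}
```

The check is written as two comparisons against the length rather than one addition on purpose: with an attacker-chosen offset, `offset + n` can wrap below `len` and pass a single-comparison test, so the range check itself must be overflow-safe before it is worth anything.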
________________________________
--- The information is for informational purposes only.
* Origin: Read us with http://winpoint.org JID: rs@captflint.com