AppleAVD AVC_RBSP::parseSliceHeader ref_pic_list_modification Overflow
Posted by deepcore on August 22, 2022 – 11:16 pm
There is a buffer overflow in how AppleAVD.kext parses the ref_pic_list_modification component of H.264 slice headers in AVC_RBSP::parseSliceHeader. When pic modification entries are copied into the pic modification list, the loop only terminates when the end code (3) is encountered, meaning that any number of entries can be copied into the fixed-size modification buffer. This can corrupt the remainder of the decoder structure, as well as write outside of allocated memory.
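The loop described above ends only on the end code, so the number of entries stored is bounded by the bitstream rather than by the buffer. The parser below is an added example (not AppleAVD code and not reconstructed from it) of the ref_pic_list_modification syntax of H.264 clause 7.3.3.1 with the missing capacity check in place: each entry is an Exp-Golomb coded modification_of_pic_nums_idc followed by a payload, and the list is closed by idc == 3. The bit reader and writer, the struct and field names, and the capacity MAX_REF_PIC_LIST_MODS of 32 (taken from the spec's 0..31 range of num_ref_idx_lX_active_minus1) are assumptions of this example; the input streams are constructed inline.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* Minimal MSB-first bit reader over an RBSP byte buffer (constructed helper). */
typedef struct { const uint8_t *data; size_t len_bits; size_t pos; } bitreader_t;

static int read_bit(bitreader_t *br) {
    if (br->pos >= br->len_bits) return -1;            /* truncated input */
    int bit = (br->data[br->pos >> 3] >> (7 - (br->pos & 7))) & 1;
    br->pos++;
    return bit;
}

/* Unsigned Exp-Golomb ue(v), H.264 clause 9.1. Returns -1 on truncation or an absurd prefix. */
static int64_t read_ue(bitreader_t *br) {
    int zeros = 0, bit;
    while ((bit = read_bit(br)) == 0) {
        if (++zeros > 31) return -1;
    }
    if (bit < 0) return -1;
    uint64_t val = 0;
    for (int i = 0; i < zeros; i++) {
        bit = read_bit(br);
        if (bit < 0) return -1;
        val = (val << 1) | (uint64_t)bit;
    }
    return (int64_t)((1ULL << zeros) - 1 + val);
}

#define MAX_REF_PIC_LIST_MODS 32   /* assumed capacity: num_ref_idx_lX_active_minus1 <= 31 */

typedef struct {
    uint32_t idc;     /* modification_of_pic_nums_idc (0, 1 or 2; 3 terminates the list) */
    uint32_t value;   /* abs_diff_pic_num_minus1 (idc 0/1) or long_term_pic_num (idc 2) */
} ref_pic_mod_t;

typedef struct { ref_pic_mod_t mods[MAX_REF_PIC_LIST_MODS]; uint32_t count; } ref_pic_list_mod_t;

/* Returns 0 on success, -1 on malformed or truncated input, -2 when the list would overflow. */
int parse_ref_pic_list_modification(bitreader_t *br, ref_pic_list_mod_t *out) {
    out->count = 0;
    for (;;) {
        int64_t idc = read_ue(br);
        if (idc < 0) return -1;
        if (idc == 3) return 0;                          /* end-of-list code */
        if (idc > 2) return -1;                          /* only 0, 1, 2 carry a payload */
        int64_t value = read_ue(br);
        if (value < 0) return -1;
        /* The check the vulnerable pattern lacks: stop before the fixed-size list is full. */
        if (out->count >= MAX_REF_PIC_LIST_MODS) return -2;
        out->mods[out->count].idc = (uint32_t)idc;
        out->mods[out->count].value = (uint32_t)value;
        out->count++;
    }
}

/* Bit writer used only to construct sample streams for the demo below. */
typedef struct { uint8_t *buf; size_t cap_bits; size_t pos; } bitwriter_t;

static void write_bit(bitwriter_t *bw, int bit) {
    if (bw->pos >= bw->cap_bits) return;
    if (bit) bw->buf[bw->pos >> 3] |= (uint8_t)(0x80 >> (bw->pos & 7));
    bw->pos++;
}

static void write_ue(bitwriter_t *bw, uint32_t v) {
    uint64_t code = (uint64_t)v + 1;
    int len = 0;
    while ((code >> len) > 1) len++;                     /* bits after the leading 1 */
    for (int i = 0; i < len; i++) write_bit(bw, 0);
    for (int i = len; i >= 0; i--) write_bit(bw, (int)((code >> i) & 1));
}

/* Constructed stream: n_entries of (idc = 0, abs_diff_pic_num_minus1 = i), optionally closed by idc 3. */
static int parse_constructed_stream(uint32_t n_entries, bool terminate, uint32_t *count_out) {
    uint8_t buf[256] = {0};
    bitwriter_t bw = { buf, sizeof(buf) * 8, 0 };
    for (uint32_t i = 0; i < n_entries; i++) { write_ue(&bw, 0); write_ue(&bw, i); }
    if (terminate) write_ue(&bw, 3);
    bitreader_t br = { buf, bw.pos, 0 };
    ref_pic_list_mod_t list;
    int rc = parse_ref_pic_list_modification(&br, &list);
    if (count_out) *count_out = list.count;
    return rc;
}

int parse_constructed_stream_rc(uint32_t n_entries, bool terminate) {
    return parse_constructed_stream(n_entries, terminate, NULL);
}

uint32_t parse_constructed_stream_count(uint32_t n_entries, bool terminate) {
    uint32_t count = 0;
    parse_constructed_stream(n_entries, terminate, &count);
    return count;
}
```

A stream with 33 entries is rejected with -2 and the list holds exactly 32 entries; a stream cut off before the end code is rejected with -1 rather than being read past the buffer, which is the behaviour a fix for the loop described above has to provide.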