There is a buffer overflow in how AppleAVD.kext parses the ref_pic_list_modification component of H264 slice headers in AVC_RBSP::parseSliceHeader. When pic modification entries are copied into the pic modification list, the loop only terminates when the end code (3) is encountered, meaning that any number of entries can be copied into the fixed size modification buffer. This can corrupt the remainder of the decoder structure, as well as write outside of allocated memory.
f0e86dbff30f8c2f08674e561b12277b9f50b736d022814b1917489c1e9f1d2c
Apple Security Advisory 2022-07-20-6 - watchOS 8.7 addresses buffer overflow, bypass, code execution, out of bounds read, out of bounds write, and spoofing vulnerabilities.
abb9276b4c8cee616bfc25479b09e2f8ab0da107b3ec925b2b2b9a99239cd34a
Apple Security Advisory 2022-07-20-5 - tvOS 15.6 addresses buffer overflow, bypass, code execution, information leakage, out of bounds read, out of bounds write, and spoofing vulnerabilities.
5209bdb94ef16d387824a9f8926bb84768b4a1eda8e1b68f138bd6ab866d2a6f
Apple Security Advisory 2022-07-20-1 - iOS 15.6 and iPadOS 15.6 addresses buffer overflow, bypass, code execution, information leakage, null pointer, out of bounds read, out of bounds write, and spoofing vulnerabilities.
e78e010a4bea2ea77407fa1f36dd85e44d56dc1216952e6d8cdb14def80805a3