IGAccelVideoContextMain is the userclient used for GPU accelerated video encoding on the Intel HD integrated GPUs. It's userclient 0x100 of the IntelAccelerator IOService. IOConnectMapMemory type=0 of this userclient is a shared token buffer. Token 0x8a is ColorSpaceConversion, implemented in IGAccelVideoContextMain::process_token_ColorSpaceConversion.
The dword at offset 0x14 of this token is used to compute the offset for a write without checking the bounds, allowing a controlled kernel memory write.
More here: https://code.google.com/p/google-security-research/issues/detail?id=32
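The missing check, sketched as an added example (not the driver's code and not taken from the linked report): a token handler that reads the dword at offset 0x14 once from the shared buffer, validates it against the destination size, and only then writes. The function names, the token length, the 8-byte slot size and the 16-slot destination are assumptions made for illustration; the page does not say how the real offset is computed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TOKEN_LEN    0x20u  /* assumed token size for this sketch */
#define FIELD_OFFSET 0x14u  /* dword the page says feeds the write offset */
#define SLOT_SIZE    8u     /* assumed size of one destination element */
#define SLOT_COUNT   16u    /* assumed number of destination elements */

/* Read the 32-bit field exactly once from memory user space can still modify. */
static uint32_t fetch_field_once(const volatile uint8_t *token)
{
    uint32_t v = 0;
    for (unsigned i = 0; i < 4; i++)
        v |= (uint32_t)token[FIELD_OFFSET + i] << (8 * i);
    return v;
}

/* Returns 0 if the write was performed, -1 if the token was rejected. */
int process_token_checked(const volatile uint8_t *token, size_t token_len,
                          uint8_t *dst, size_t dst_len, uint64_t value)
{
    if (token_len < FIELD_OFFSET + sizeof(uint32_t))
        return -1;                              /* field not inside the token */
    uint32_t index = fetch_field_once(token);   /* snapshot, never re-read */
    if (index >= dst_len / SLOT_SIZE)
        return -1;                              /* the bounds check the page says is missing */
    /* index < dst_len / SLOT_SIZE, so the size_t multiply cannot overflow. */
    memcpy(dst + (size_t)index * SLOT_SIZE, &value, SLOT_SIZE);
    return 0;
}

/* Constructed input: builds a token carrying `index`; returns 1 if the write
   landed in the right slot, 0 if rejected with dst untouched, -1 otherwise. */
int demo(uint32_t index)
{
    uint8_t token[TOKEN_LEN] = {0};
    uint8_t dst[SLOT_COUNT * SLOT_SIZE] = {0};
    uint8_t zero[SLOT_COUNT * SLOT_SIZE] = {0};
    const uint64_t value = 0x1122334455667788ull;
    for (unsigned i = 0; i < 4; i++)
        token[FIELD_OFFSET + i] = (uint8_t)(index >> (8 * i));
    int rc = process_token_checked(token, sizeof token, dst, sizeof dst, value);
    if (rc != 0)
        return memcmp(dst, zero, sizeof dst) == 0 ? 0 : -1;
    return memcmp(dst + (size_t)index * SLOT_SIZE, &value, SLOT_SIZE) == 0 ? 1 : -1;
}
```

Because the token buffer is mapped into the calling process, the field is copied into a local before the comparison so that the value checked is the value used.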