Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=985 The DxgkDdiEscape handler for 0x100008b accepts a user supplied size as the limit for a loop, leading to OOB reads and writes. The supplied PoC passes an invalid size of 0x41414141, which causes a crash in: __int64 sub_30A500(__int64 a1, __int64 a2, _DWORD *ptr, unsigned int user_supplied_size) { __int64 i; // r11@2 if ( user_supplied_size ) { i = user_supplied_size; do { if ( *ptr == 3 || (unsigned int)(*ptr - 9) <= 1 ) *ptr = 0; ptr += 3; --i; } while ( i ); Crashing context on Win 10 x64, driver version 375.70: TRAP_FRAME: ffffd000266219e0 -- (.trap 0xffffd000266219e0) NOTE: The trap frame does not contain all registers. Some register values may be zeroed or incorrect. rax=00000000fffffff7 rbx=0000000000000000 rcx=ffffe000d6315000 rdx=ffffe000d691b000 rsi=0000000000000000 rdi=0000000000000000 rip=fffff8010e34a50b rsp=ffffd00026621b78 rbp=ffffe000d691b000 r8=ffffd000266228a8 r9=0000000041414141 r10=ffffd00026623004 r11=00000000414140a4 r12=0000000000000000 r13=0000000000000000 r14=0000000000000000 r15=0000000000000000 iopl=0 nv up ei pl nz na pe nc nvlddmkm+0x2fa50b: fffff801`0e34a50b 418b02 mov eax,dword ptr [r10] ds:ffffd000`26623004=???????? Proof of Concept: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41364.zip # Iranian Exploit DataBase = http://IeDb.Ir [2017-02-17]