The escape handler for 0x10000e9 lacks bounds checks, and passes a user specified size as the size to memcpy, resulting in a stack buffer overflow.
The escape handler for 0x10000e9 lacks bounds checks, and passes a user specified size as the size to memcpy, resulting in a stack buffer overflow.