Https://us.forums.blizzard.com/en/wow/t/freezing-of-screen-gpu-crashes-retail-and-classic/615324sic

Continuing the discussion from Freezing of screen (GPU crashes) retail and classic:

Continuing the discussion from Freezing of screen (GPU crashes) retail and classic:

Okay I think I figured it out everyone. The reason for the shut down and freezes is due tyo QuartzCore, also known as CoreAnimation, is a framework used by macOS and iOS to create animatable scene graphics. CoreAnimation uses a unique rendering model where the graphics operations are run in a separate process. On macOS, the process is WindowServer.

This then leads to com.apple.CARenderServer, which usually referenced as CARenderServer. This service exists in both macOS and iOS, and can be accessed from the Safari Sandbox. It lacked an bounds checking in the function CAGetColorSpace when the service com.apple.CARenderServer decoded the color space data. This then triggered the system integrity software as this leak could allow a malicious application to be able to read restricted memory.

Beginning withCA::Render::Decoder::decode_object(CA::Render::Decoder *this, CA::Render::Decoder *a2) is used to decode all kinds of object data.

The buffer data starting at offset 0x70000cc51d6e is a Layer object. CA::Render::Decoder::decode_int32() returnedthe value of the variable equal to 0 due to integer overflow. This function could then return 0, causing the change in the next program execution flow. Normally, it should return 1. but it returned 0 in your case which seems to be the problem.

The variable is then passed as the first argument to the function CAGetColorSpace. The function CAGetColorSpace is used to obtain the color space data from the array colorspaces. Since the index value is 0xfe, this then enabled the restricted memory data to be read. Thus making the index value larger than the maximum index of the array colorspaces.

This then leads to our culprit CAGetColorSpace being equal to 0x8000000010. Because this is an invalid memory address, the argument passed to CFRetain causes an EXC_BAD_ACCESS exception, basically the root cause of this issue is that it lacked an restricted bounds checking in the function CAGetColorSpace.

Further more I want to point that that this was apple’s vulnerability in their coding, blizzard had nothing to do with this at all. The reason you guys are seeing this now is cause these leaks were patched in 10.14.3. Can everyone who’s still having this issue please tell me what version their OS is running on?