OOB Write in Desktop Window Manager (DirectComposition) [CVE-2021-28310]

We discussed this vulnerability during Episode 73 on 20 April 2021

Two vulns related to properties on a DirectComposition buffer. Adding a new property adds it first, then checks some values and potentially returns an error before finalizing, but the property has already been added. This creates a disconnect between propertyCount and the actual number of properties.

The main vuln is an OOB write when updating properties. The user-land side of the code doesn't check propertyId to ensure it is within the array (the kernel does, but that's where the Add issue is used to create the disconnect). It also checks a couple of values at the propertyId offset, so a bit of heap spraying and grooming is needed to get around that and reach the OOB write.
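As an added illustration of the add-then-validate mismatch described above (a simplified C model written for these notes, not DWM's actual code; the struct names, limits and return codes are hypothetical), the vulnerable add path beside the fixed one, and an update path whose bounds check is only as good as propertyCount:

```c
#include <stdint.h>
#include <string.h>
#include <stdbool.h>

/* Hypothetical, simplified property table; not DWM's real layout or names. */
#define MAX_PROPERTIES 8
#define MAX_VALUE      100
typedef struct { uint32_t value; bool initialized; } Property;
typedef struct {
    uint32_t propertyCount;              /* what the bookkeeping claims */
    Property properties[MAX_PROPERTIES]; /* what was actually finalized */
} PropertyTable;

/* Vulnerable pattern: the slot is claimed (count bumped) before the value is
 * validated; the error path returns without rolling the count back. */
int add_property_vulnerable(PropertyTable *t, uint32_t value) {
    if (t->propertyCount >= MAX_PROPERTIES) return -1;
    uint32_t idx = t->propertyCount++;      /* committed first... */
    if (value > MAX_VALUE) return -2;       /* ...validated second: count is now stale */
    t->properties[idx].value = value;
    t->properties[idx].initialized = true;
    return 0;
}

/* Hardened pattern: validate first, write the slot, bump the count last. */
int add_property_fixed(PropertyTable *t, uint32_t value) {
    if (t->propertyCount >= MAX_PROPERTIES) return -1;
    if (value > MAX_VALUE) return -2;       /* rejected before any state changes */
    uint32_t idx = t->propertyCount;
    t->properties[idx].value = value;
    t->properties[idx].initialized = true;
    t->propertyCount = idx + 1;
    return 0;
}

/* Number of slots that were actually finalized, for comparison with propertyCount. */
uint32_t count_initialized(const PropertyTable *t) {
    uint32_t n = 0;
    for (uint32_t i = 0; i < MAX_PROPERTIES; i++) n += t->properties[i].initialized ? 1 : 0;
    return n;
}

/* Update path: a check against propertyCount is only as trustworthy as the
 * count itself; with a stale count it admits a slot that was never finalized. */
int update_property(PropertyTable *t, uint32_t propertyId, uint32_t value) {
    if (propertyId >= t->propertyCount) return -1;
    if (!t->properties[propertyId].initialized) return -3;
    t->properties[propertyId].value = value;
    return 0;
}
```

The second check in update_property stands in for the "couple of values at the propertyId offset" the notes mention: it is what stops the stale count from being enough on its own, and why any update path should validate the slot contents and not just the index.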