Integer Overflow resulting in OOB Access in CoreGraphics as used by iMessage (ForcedEntry)

We discussed this vulnerability during Episode 84 on 21 September 2021

The JBIG2 decoder in the CoreGraphics framework, used when iMessage renders JBIG2-encoded image data embedded in a PDF, has an out-of-bounds write. The vulnerability originates in its calculation of the number of symbols.

To calculate the number of symbols, CoreGraphics iterates over the segments the text region refers to, and for each symbol dictionary segment adds the number of symbols that segment contributes to a running total. It then allocates a symbol table sized from that total and fills it in. The bug is the lack of overflow detection while summing: with enough symbols the total wraps past the range of a 32-bit unsigned int, so the allocation is far smaller than the number of symbols that will actually be copied into it.

When CoreGraphics then starts filling in the symbol values, it writes past the end of its allocated range.
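The counting step described above, as an added example that is not CoreGraphics' code: a hypothetical segment model (the `segment` struct, the `SEG_SYMBOL_DICT` type and the function names are all assumptions for illustration) with the unchecked 32-bit sum in the shape of the bug beside a hardened version that rejects input as soon as an addition would wrap. Rather than performing the out-of-bounds fill, the third function measures it by comparing the true 64-bit symbol count against the table size the wrapped count would have produced.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified model of the segments a JBIG2 text region refers
 * to: only the segment type and the number of symbols it contributes matter
 * for the counting step. Names are illustrative, not CoreGraphics'. */
enum seg_type { SEG_SYMBOL_DICT, SEG_OTHER };

struct segment {
    enum seg_type type;
    uint32_t num_symbols;   /* symbols exported by a symbol dictionary */
};

/* Counting loop in the shape of the bug: a 32-bit running total with no
 * overflow check. Enough symbols wrap the total, so the caller sizes its
 * table far smaller than the data it will later copy into it. */
uint32_t count_symbols_unchecked(const struct segment *segs, size_t n)
{
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++) {
        if (segs[i].type == SEG_SYMBOL_DICT)
            total += segs[i].num_symbols;   /* silent modular wrap */
    }
    return total;
}

/* Hardened version: refuse the input as soon as an addition would wrap.
 * Uses an explicit pre-check instead of a compiler builtin so it stays
 * portable C. */
bool count_symbols_checked(const struct segment *segs, size_t n, uint32_t *out)
{
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++) {
        if (segs[i].type != SEG_SYMBOL_DICT)
            continue;
        if (segs[i].num_symbols > UINT32_MAX - total)
            return false;                   /* would overflow: reject */
        total += segs[i].num_symbols;
    }
    *out = total;
    return true;
}

/* Instead of performing the out-of-bounds fill, measure it: compare the
 * true symbol count (64-bit) with the table size the wrapped count would
 * have produced and report how many entries would land past the end. */
uint64_t slots_past_allocation(const struct segment *segs, size_t n)
{
    uint64_t actual = 0;
    for (size_t i = 0; i < n; i++) {
        if (segs[i].type == SEG_SYMBOL_DICT)
            actual += segs[i].num_symbols;
    }
    uint64_t allocated = count_symbols_unchecked(segs, n);
    return actual > allocated ? actual - allocated : 0;
}

/* Constructed input: two huge dictionaries plus a small one. The 32-bit sum
 * 0x80000000 + 0x80000000 + 5 wraps to 5. */
static const struct segment kWrappingSegments[] = {
    { SEG_SYMBOL_DICT, 0x80000000u },
    { SEG_OTHER,       0xFFFFFFFFu },   /* ignored: not a symbol dictionary */
    { SEG_SYMBOL_DICT, 0x80000000u },
    { SEG_SYMBOL_DICT, 5u },
};
#define NUM_WRAPPING_SEGMENTS (sizeof kWrappingSegments / sizeof kWrappingSegments[0])

int main(void)
{
    uint32_t checked = 0;
    printf("unchecked count: %u\n",
           count_symbols_unchecked(kWrappingSegments, NUM_WRAPPING_SEGMENTS));
    printf("checked count accepted: %s\n",
           count_symbols_checked(kWrappingSegments, NUM_WRAPPING_SEGMENTS, &checked) ? "yes" : "no");
    printf("entries that would be written past the table: %llu\n",
           (unsigned long long)slots_past_allocation(kWrappingSegments, NUM_WRAPPING_SEGMENTS));
    return 0;
}
```

The unchecked count for the constructed input comes out as 5, so a 5-entry table would be allocated while 2^32 + 5 symbols get copied into it; the checked variant returns false on the second dictionary and never reaches the allocation.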