Details on a Samba Code Execution Bug [CVE-2021-44142]
Trusting attacker-controlled extended attributes and using them to calculate an offset, leading to out-of-bounds read/write primitives; presumably exploitable, since this was used at Pwn2Own. The fruit_pread function reads the org.netatalk.Metadata extended attribute, which an unauthenticated user can set. That attribute is parsed into an adouble structure, and the offset of the ADEID_FINDERI entry ends up under the attacker's control. The offset is used to calculate a pointer from which 32 bytes are read. The pointer does need to land within the data block, but by pointing it at the very last byte the read runs 31 bytes out of bounds. A similar issue was found in fruit_pwrite: same deal with the pointer, but it writes data to that location, giving a 31-byte out-of-bounds write. The same issue was found with the ADEID_FILEDATESI entry, providing a 3-byte out-of-bounds read/write.
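The bounds-check pattern at the heart of this bug, as an added illustration that is neither Samba's vfs_fruit code nor part of the original write-up: a minimal parser for the AppleDouble entry table carried in the org.netatalk.Metadata blob, with the weak "offset lies inside the buffer" check next to a check that requires the whole 32-byte FinderInfo entry to fit. The header layout, the entry id (9) and the 32-byte FinderInfo length follow the AppleDouble format as Samba defines ADEID_FINDERI and ADEDLEN_FINDERI; the blob itself, DEMO_BODY_LEN and the demo_* helper names are constructed here for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AD_MAGIC        0x00051607u   /* AppleDouble magic */
#define AD_VERSION2     0x00020000u   /* AppleDouble version 2 */
#define ADEID_FINDERI   9u            /* entry id of FinderInfo */
#define ADEDLEN_FINDERI 32u           /* bytes vfs_fruit copies for FinderInfo */
#define AD_HDR_LEN      26u           /* magic(4) version(4) filler(16) count(2) */
#define AD_ENTRY_LEN    12u           /* id(4) offset(4) length(4), big-endian */
#define DEMO_BODY_LEN   64u           /* constructed: payload bytes in the demo blob */

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void put32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Walk the entry table and return the FinderInfo entry's offset.  The offset
 * is taken verbatim from the blob, i.e. from the xattr an attacker set. */
static bool ad_finderi_off(const uint8_t *buf, size_t size, uint32_t *off)
{
    if (size < AD_HDR_LEN || be32(buf) != AD_MAGIC || be32(buf + 4) != AD_VERSION2)
        return false;
    size_t n = ((size_t)buf[24] << 8) | buf[25];
    if (n * AD_ENTRY_LEN > size - AD_HDR_LEN)
        return false;
    for (size_t i = 0; i < n; i++) {
        const uint8_t *e = buf + AD_HDR_LEN + i * AD_ENTRY_LEN;
        if (be32(e) == ADEID_FINDERI) { *off = be32(e + 4); return true; }
    }
    return false;
}

/* Vulnerable shape: the only validation is "offset lies inside the buffer".
 * An offset of size-1 passes, and a fixed 32-byte copy from there runs 31
 * bytes past the end.  Returns that overrun instead of performing the copy. */
static size_t finderi_overrun_weak(const uint8_t *buf, size_t size)
{
    uint32_t off;
    if (!ad_finderi_off(buf, size, &off) || off >= size)
        return 0;
    size_t end = (size_t)off + ADEDLEN_FINDERI;
    return end > size ? end - size : 0;
}

/* Hardened shape: the whole 32-byte entry must fit, checked by subtraction
 * so no off + len addition can wrap. */
static bool finderi_copy_fixed(const uint8_t *buf, size_t size,
                               uint8_t out[ADEDLEN_FINDERI])
{
    uint32_t off;
    if (!ad_finderi_off(buf, size, &off))
        return false;
    if (off > size || size - off < ADEDLEN_FINDERI)
        return false;
    memcpy(out, buf + off, ADEDLEN_FINDERI);
    return true;
}

/* Constructed blob: header, one FinderInfo entry pointing at `off`, then
 * DEMO_BODY_LEN filler bytes.  Returns the total size (102 bytes). */
static size_t ad_build_demo(uint8_t *buf, uint32_t off)
{
    size_t total = AD_HDR_LEN + AD_ENTRY_LEN + DEMO_BODY_LEN;
    memset(buf, 0x41, total);
    put32(buf, AD_MAGIC);
    put32(buf + 4, AD_VERSION2);
    memset(buf + 8, 0, 16);                   /* filler */
    buf[24] = 0; buf[25] = 1;                 /* one entry */
    put32(buf + AD_HDR_LEN, ADEID_FINDERI);
    put32(buf + AD_HDR_LEN + 4, off);         /* attacker-chosen offset */
    put32(buf + AD_HDR_LEN + 8, ADEDLEN_FINDERI);
    return total;
}

/* Bytes the weak check lets a 32-byte FinderInfo copy overrun for offset `off`. */
size_t demo_weak_overrun(uint32_t off)
{
    uint8_t buf[128];
    size_t n = ad_build_demo(buf, off);
    return finderi_overrun_weak(buf, n);
}

/* Whether the hardened check accepts offset `off` in the same blob. */
bool demo_fixed_accepts(uint32_t off)
{
    uint8_t buf[128], out[ADEDLEN_FINDERI];
    size_t n = ad_build_demo(buf, off);
    return finderi_copy_fixed(buf, n, out);
}

int main(void)
{
    uint32_t last = AD_HDR_LEN + AD_ENTRY_LEN + DEMO_BODY_LEN - 1;   /* 101 */
    uint32_t first = AD_HDR_LEN + AD_ENTRY_LEN;                      /* 38 */
    printf("offset %u: weak check overruns by %zu bytes, fixed accepts=%d\n",
           last, demo_weak_overrun(last), demo_fixed_accepts(last));
    printf("offset %u: weak check overruns by %zu bytes, fixed accepts=%d\n",
           first, demo_weak_overrun(first), demo_fixed_accepts(first));
    return 0;
}
```

The weak function deliberately computes the overrun rather than performing the copy, so the demo stays memory-safe while showing the 31-byte figure from the write-up; the same off-by-entry-length shape applies to the write path, and to the 16-byte ADEID_FILEDATESI entry with correspondingly smaller slack.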