Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=737

Lzx_Decoder::init() initializes the vector Lzx_Decoder->window to a fixed size of 2^method bytes, which is then used during Lzx_Decoder::Extract(). It's possible for LZX compressed streams to exceed this size. Writes to the window buffer are bounds checked, but only after the write is completed. The code is probably something like:

    window[++window_pos] = foo;
    if (window_pos > window.size())
        return false;

This means the overflow still occurs before the check fails, resulting in memory corruption, and the heap can be corrupted multiple times per scan, as a single scanned file can contain multiple LZX compressed blobs (each of which is decoded with a fresh window).

Scanning the attached testcase with page heap enabled results in the following error. Note that the corruption address is exactly the heap block address plus the block size (0x40F76FE0 + 0x10018 = 0x40F86FF8), i.e. the first byte past the end of the allocation, which is what a write-then-check pattern produces:

    (918.644): Unknown exception - code 000006ba (first chance)
    ===========================================================
    VERIFIER STOP 000000000000000F: pid 0x918: corrupted suffix pattern

            0000000040C71000 : Heap handle
            0000000040F76FE0 : Heap block
            0000000000010018 : Block size
            0000000040F86FF8 : corruption address
    ===========================================================

    > lmv munarch
    start             end                 module name
    000007fe`f44c0000 000007fe`f4562000   unarch     (export symbols)       C:\Program Files\COMODO\COMODO Internet Security\scanners\unarch.cav
        Loaded symbol image file: C:\Program Files\COMODO\COMODO Internet Security\scanners\unarch.cav
        Image path: C:\Program Files\COMODO\COMODO Internet Security\scanners\unarch.cav
        Image name: unarch.cav
        Timestamp:        Mon Dec 29 04:52:14 2014 (54A14E7E)
        CheckSum:         000AC529
        ImageSize:        000A2000
        File version:     6.2.15068.1057
        Product version:  6.2.15068.1057
        File flags:       0 (Mask 3F)
        File OS:          4 Unknown Win32
        File type:        1.0 App
        File date:        00000000.00000000
        Translations:     0409.04e4
        CompanyName:      COMODO
        ProductName:      COMODO Antivirus Scan Engine
        ProductVersion:   6, 2, 342748, 1057
        FileVersion:      6, 2, 342748, 1057
        FileDescription:  COMODO Antivirus Scan Engine
        LegalCopyright:   2005-2014 COMODO. All rights reserved.
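The write-then-check pattern and its fix, as an added example that is not Comodo's code and not part of the original report. It uses a constructed token format (0x00 byte for a literal, 0x01 offset length for a back-reference) rather than the real LZX bitstream, a 2^method window allocated with a guard region after it that plays the role of page heap's suffix pattern, and names (extract_vulnerable, extract_fixed, lzx_window) that are this example's own. The vulnerable decoder stores each byte before comparing the position against the window size; the fixed one checks before every store and rejects a match that cannot fit.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy token stream (not the real LZX bitstream):
 * 0x00 <byte>            emit one literal byte
 * 0x01 <offset> <length> copy <length> bytes from <offset> bytes back */
enum { TOK_LITERAL = 0x00, TOK_MATCH = 0x01 };

/* Guard bytes after the window: the overflow lands in memory we own and can
 * inspect, standing in for page heap's "corrupted suffix pattern". */
#define GUARD_LEN  64
#define GUARD_BYTE 0xAB

typedef struct {
    uint8_t *buf;   /* 2^method window bytes followed by GUARD_LEN guard bytes */
    size_t   size;  /* window size, 1 << method */
    size_t   pos;   /* next write position (window_pos in the report) */
} lzx_window;

static lzx_window window_init(unsigned method) {
    lzx_window w = { 0 };
    w.size = (size_t)1 << method;
    w.buf  = calloc(w.size + GUARD_LEN, 1);
    if (!w.buf) abort();
    memset(w.buf + w.size, GUARD_BYTE, GUARD_LEN);
    return w;
}

static bool guard_intact(const lzx_window *w) {
    for (size_t i = 0; i < GUARD_LEN; i++)
        if (w->buf[w->size + i] != GUARD_BYTE) return false;
    return true;
}

/* Write-then-check, the pattern the report describes: the byte is stored at
 * window[pos] before pos is compared with the size, so the first byte past
 * the window is always written before the decoder gives up. */
bool extract_vulnerable(lzx_window *w, const uint8_t *in, size_t in_len) {
    for (size_t i = 0; i < in_len; ) {
        if (in[i] == TOK_LITERAL && i + 1 < in_len) {
            w->buf[w->pos++] = in[i + 1];        /* write ...             */
            if (w->pos > w->size) return false;  /* ... then bounds check */
            i += 2;
        } else if (in[i] == TOK_MATCH && i + 2 < in_len) {
            size_t off = in[i + 1], len = in[i + 2];
            if (off == 0 || off > w->pos) return false;
            for (size_t k = 0; k < len; k++) {
                w->buf[w->pos] = w->buf[w->pos - off];  /* write ...             */
                w->pos++;
                if (w->pos > w->size) return false;     /* ... then bounds check */
            }
            i += 3;
        } else {
            return false;
        }
    }
    return true;
}

/* Check-then-write: every store is preceded by a test that the destination is
 * inside the window, and a match that cannot fit is rejected up front. */
bool extract_fixed(lzx_window *w, const uint8_t *in, size_t in_len) {
    for (size_t i = 0; i < in_len; ) {
        if (in[i] == TOK_LITERAL && i + 1 < in_len) {
            if (w->pos >= w->size) return false;
            w->buf[w->pos++] = in[i + 1];
            i += 2;
        } else if (in[i] == TOK_MATCH && i + 2 < in_len) {
            size_t off = in[i + 1], len = in[i + 2];
            if (off == 0 || off > w->pos) return false;  /* source inside window */
            if (len > w->size - w->pos) return false;    /* whole match must fit */
            for (size_t k = 0; k < len; k++, w->pos++)
                w->buf[w->pos] = w->buf[w->pos - off];
            i += 3;
        } else {
            return false;
        }
    }
    return true;
}

typedef bool (*extract_fn)(lzx_window *, const uint8_t *, size_t);

/* Constructed inputs for a 16-byte (method 4) window: one literal 'A', then a
 * match that either overruns the window (255 bytes) or exactly fills it (15). */
static const uint8_t oversized_stream[] = { TOK_LITERAL, 0x41, TOK_MATCH, 0x01, 0xFF };
static const uint8_t exact_fit_stream[] = { TOK_LITERAL, 0x41, TOK_MATCH, 0x01, 0x0F };

/* Decodes the oversized stream and reports whether the guard was overwritten. */
static int stream_corrupts_guard(extract_fn extract) {
    lzx_window w = window_init(4);
    extract(&w, oversized_stream, sizeof oversized_stream);
    int corrupted = !guard_intact(&w);
    free(w.buf);
    return corrupted;
}

int vulnerable_corrupts_guard(void) { return stream_corrupts_guard(extract_vulnerable); }
int fixed_corrupts_guard(void)      { return stream_corrupts_guard(extract_fixed); }

/* The fix must still decode well-formed data: exact_fit_stream yields 16 x 'A'. */
int fixed_decodes_exact_fit(void) {
    lzx_window w = window_init(4);
    bool ok = extract_fixed(&w, exact_fit_stream, sizeof exact_fit_stream);
    int good = ok && w.pos == w.size && guard_intact(&w);
    for (size_t i = 0; good && i < w.size; i++) good = (w.buf[i] == 0x41);
    free(w.buf);
    return good;
}
```

Running the oversized stream through extract_vulnerable overwrites the first guard byte with 'A' before the decoder returns false, which is the one-past-the-end write page heap reports; extract_fixed returns false with the guard untouched and still decodes the exact-fit stream in full. Under a real page heap run the same out-of-bounds store would trip the verifier at the block's suffix, as in the log above.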
Please note that many of the CAV modules used by Comodo are not linked with dynamic base (/DYNAMICBASE), so ASLR does not apply to them and their load addresses are predictable. Naturally, all files are scanned as NT AUTHORITY\SYSTEM with no sandboxing, so a heap corruption in the unarchiver runs with full system privileges.

Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39606.zip