Posted on July 25th, 2012
The vulnerability occurs when parsing the 16-bit integer in the sizelength field of the impn, imgp and vrsg atoms in a QuickTime movie file.
Basically it converts the 16-bit value to a 32-bit integer. Because the result is treated as a signed integer, it passes some comparison checks.
Then I think it uses this integer as an “unsigned” in a memory copy operation and that causes the crash.
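To make the widening behaviour described above concrete, here is an added C example (not code from the post or from QuickTime's parser): a constructed 16-bit field value is widened once through a signed type, as the post describes, and once through an unsigned type, and each result is run through the same bounds check. BUF_SIZE, the helper names and the sample bytes are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed size of the destination buffer the length is checked against. */
#define BUF_SIZE 1024

/* Constructed sample field values (big-endian 16-bit). */
static const uint8_t SAMPLE_OVERSIZED[2] = {0xFF, 0xFE}; /* 65534, or -2 if signed */
static const uint8_t SAMPLE_SMALL[2]     = {0x00, 0x10}; /* 16 either way */

/* Read a big-endian 16-bit field from an atom payload. */
static uint16_t read_be16(const uint8_t *p) {
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Vulnerable pattern: widening through int16_t sign-extends, so any
 * field value >= 0x8000 becomes a negative 32-bit integer. */
int32_t widen_signed(const uint8_t *field) {
    return (int16_t)read_be16(field);
}

/* The bounds check as a signed comparison: a negative length is always
 * "small enough", so it passes. Returns 1 when the length is accepted. */
int vulnerable_check(int32_t len) {
    return len <= BUF_SIZE;
}

/* What a memory copy would receive once the signed value is converted
 * to size_t: -2 turns into SIZE_MAX - 1, far beyond BUF_SIZE. */
size_t as_copy_length(int32_t len) {
    return (size_t)len;
}

/* Hardened pattern: zero-extend and keep the value unsigned end to end,
 * so the comparison sees the real magnitude and rejects it. */
size_t widen_unsigned(const uint8_t *field) {
    return read_be16(field);
}

int hardened_check(size_t len) {
    return len <= BUF_SIZE;
}

int main(void) {
    int32_t s = widen_signed(SAMPLE_OVERSIZED);
    size_t u = widen_unsigned(SAMPLE_OVERSIZED);
    printf("signed: len=%d check=%d copy_len=%zu\n", s, vulnerable_check(s), as_copy_length(s));
    printf("unsigned: len=%zu check=%d\n", u, hardened_check(u));
    return 0;
}
```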