CVE-2020-9768

AppleJPEGDriverUserClient: mach port use-after-free/type-confusion via race condition

AppleJPEGDriverUserClient external methods can be invoked synchronously or asynchronously. When invoked asynchronously, the driver takes the mach port registered via registerNotificationPort() and stores it inside the jpegRequest data structure without taking a reference on it. Since registerNotificationPort() is not gated, the port can be released (if it gets substituted by a new registration) while the jpeg request is still being processed, leaving a dangling pointer that is later passed to _mach_msg_send_from_kernel_proper().

Note that the race window can be widened by supplying certain valid inputs: issuing several synchronous calls first fills the jpeg request queue (see AppleJPEGDriver::queue_io_gated), which delays the asynchronous call long enough for the port to be replaced.

Fix: Apple removed the releaseNotificationPort() call from registerNotificationPort() and prevented port substitution. Affected versions: iOS 13.0 - 13.3.1. Fixed in iOS 13.4.
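As an added illustration (a hypothetical C model written for this page, not Apple's driver code), the following reproduces the reference-count gap the advisory describes: the async request stores a raw pointer to the registered port while the ungated re-registration releases the old port underneath it, and the "fixed" variant refuses substitution and performs no release, as the advisory says the patch does. All struct and function names are invented.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model only: a port with a send-right count and a "freed" flag so a
 * dangling pointer is detectable without real undefined behaviour. */
typedef struct { int refs; bool freed; } port_t;
typedef struct { port_t *notify_port; } user_client_t; /* stands in for the user client */
typedef struct { port_t *reply_port; } jpeg_request_t; /* stands in for jpegRequest */

static void port_release(port_t *p) { if (--p->refs == 0) p->freed = true; }

/* Pre-13.4 shape: the old port is released and swapped out, with no gate against a
 * request that is still queued and holding the old pointer. */
static void register_port_vulnerable(user_client_t *uc, port_t *p) {
    if (uc->notify_port) port_release(uc->notify_port);
    uc->notify_port = p;
}

/* Patched shape as the advisory describes it: no release, substitution refused. */
static bool register_port_fixed(user_client_t *uc, port_t *p) {
    if (uc->notify_port) return false;
    uc->notify_port = p;
    return true;
}

/* Async external method: raw pointer copied into the request, no reference taken. */
static void queue_async_request(const user_client_t *uc, jpeg_request_t *req) {
    req->reply_port = uc->notify_port;
}

/* Completion would hand req->reply_port to the kernel send path; report if it is live. */
static bool reply_port_is_live(const jpeg_request_t *req) {
    return req->reply_port && !req->reply_port->freed;
}

/* The interleaving from the advisory: register, queue an async request, re-register
 * while it is pending, then complete. True means completion would use a freed port. */
bool race_hits_freed_port(bool use_fix) {
    port_t a = { .refs = 1 }, b = { .refs = 1 };
    user_client_t uc = { 0 };
    jpeg_request_t req = { 0 };
    if (use_fix) register_port_fixed(&uc, &a); else register_port_vulnerable(&uc, &a);
    queue_async_request(&uc, &req);
    if (use_fix) register_port_fixed(&uc, &b); else register_port_vulnerable(&uc, &b);
    return !reply_port_is_live(&req);
}

int main(void) {
    printf("vulnerable=%d fixed=%d\n", race_hits_freed_port(false), race_hits_freed_port(true));
}
```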