The IMemory interface in frameworks/native/libs/binder/IMemory.cpp, used primarily by the media services, can be tricked into returning arbitrary memory locations, leading to information disclosure or memory corruption.
b2733bc9c4f2368575e5664c639831ee56ed7c5575c89a4d6b41f8c514f1132a