The IOCTL call 0x829C0964(IOCTL_ASWFW_COMM_PIDINFO_RESULTS) of 'aswFW.sys' kernel driver Shiped with 'Avast! Internet Security 5.0' uses the user controlled First 4 bytes value To allocate a NonPagedPool without any value range checking then an integer overrun occurs. If 'aswFW.sys' received a first 4 bytes about to '0xFFFFFFFF' with an Irp then an invalid Sized Memory Pool allocated. After the invalid allocation, the kernel driver copys user controlled buffer into '[allocated pool+84h]' with too large copy length '0FFFFFFFFh' then the Memory Pool corrupted.