This is only one POC which trigger the corrupt memory.
For other POC, most of them didnt even finish sending "font list pdu", and they call it a crash POC or a part of working exploit?

Nice work bro, I guess it needs more bytes in Virtual Channel PDU to cover more memory.

I'm wondering, how do you know the data structure of ms_t120's virtual channel data?

People just looking for the fame :P
Someone posted the partially RE’ed Channel and connection structures early on. The parts that matter you pick up on from looking at it in memory so much and seeing how the driver constantly parsed/used the data