7.3 Vulnerability Remediation

Note

Wednesday, November 14, 2007

After I informed Apple about the bug, Apple fixed it by adding an extra check for the user-supplied IOCTL data.

Source code file

xnu-792.24.17/bsd/kern/tty.c[79]

[..]
1081       case TIOCSETD: {        /* set line discipline */
1082           register int t = *(int *)data;
1083           dev_t device = tp->t_dev;
1084
1085           if (t >= nlinesw || t < 0)
1086               return (ENXIO);
1087           if (t != tp->t_line) {
1088               s = spltty();
1089               (*linesw[tp->t_line].l_close)(tp, flag);
1090               error = (*linesw[t].l_open)(device, tp);
1091               if (error) {
1092                   (void)(*linesw[tp->t_line].l_open)(device, tp);
1093                   splx(s);
1094                   return (error);
1095               }
1096               tp->t_line = t;
1097               splx(s);
1098           }
1099           break;
1100       }
[..]

Line 1085 now also checks whether the value of t is negative. If it is, the ioctl returns ENXIO and the user-derived value is never used as an index into the linesw array. This little change was enough to rectify the vulnerability.
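To make the effect of the extra check concrete, here is an added example (not code from xnu or from Apple's fix) that contrasts the upper-bound-only test with the two-sided test on line 1085 against a constructed line-discipline table; the names linesw_names, old_check_accepts, new_check_accepts and select_discipline are assumptions made for this illustration.

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the kernel's linesw[] table. The real table holds
 * function pointers; discipline names are enough to show the indexing. */
static const char *const linesw_names[] = { "TTYDISC", "NTTYDISC", "SLIPDISC", "PPPDISC" };
static const int nlinesw = (int)(sizeof linesw_names / sizeof linesw_names[0]);

/* Upper-bound-only check: a negative t slips through. */
int old_check_accepts(int t) {
    return !(t >= nlinesw);
}

/* The check as on line 1085 of the fixed tty.c: both bounds are enforced. */
int new_check_accepts(int t) {
    return !(t >= nlinesw || t < 0);
}

/* Mirrors the TIOCSETD path: validate the caller-supplied index first, and
 * only index the table once it is known to be in range. Returns 0 on
 * success (with *name set) or ENXIO, as the kernel does, for a bad index. */
int select_discipline(int t, const char **name) {
    if (!new_check_accepts(t))
        return ENXIO;
    *name = linesw_names[t];
    return 0;
}

int main(void) {
    const int samples[] = { INT_MIN, -1, 0, nlinesw - 1, nlinesw, INT_MAX };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int t = samples[i];
        const char *name = "(rejected)";
        int rc = select_discipline(t, &name);
        /* For rejected negatives, show how far before the table the old
         * check would have let the kernel read (computed, not dereferenced). */
        long byte_off = (long)t * (long)sizeof linesw_names[0];
        printf("t=%11d old=%s new=%s rc=%d name=%s offset=%ld bytes\n", t,
               old_check_accepts(t) ? "accept" : "reject",
               new_check_accepts(t) ? "accept" : "reject", rc, name, byte_off);
    }
    return 0;
}
```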
