iMessage - Decoding NSSharedKeyDictionary Can Read Object Out of Bounds
When an NSKeyedUnarchiver decodes an object, it first allocates the object using allocWithZone, and then puts the object into a dictionary for temporary objects. It then calls the appropriate initWithCoder: on the allocated object. If initWithCoder: or any method it calls decodes the same object,...
Apple qlmanage - SceneKit::daeElement::setElementName Heap Overflow
Source: https://code.google.com/p/google-security-research/issues/detail?id=467 There is a heap overflow in daeElement::setElementName. The vulnerable method uses a fixed-size, 128-byte heap-allocated buffer to copy the name of an arbitrary element. By setting the name of the element to something...