Possible memory corruption problems in Apple Safari

2005-09-21T00:00:00
ID SECURITYVULNS:DOC:9766
Type securityvulns
Reporter Securityvulns
Modified 2005-09-21T00:00:00

Description

Hello,

I was playing around with Safari the other day and noticed that it crashes solid if you convince it to visit:

data://<h1>crash</h1>

Typing it into the address bar is sufficient for testing and crashes the browser completely. I loaded up Safari in gdb to see where it crashes and got the following result:

> Program received signal EXC_BAD_ACCESS, Could not access memory.
> Reason: KERN_INVALID_ADDRESS at address: 0x076fffff
> [Switching to process 266 thread 0x6403]
> 0xffff8ce4 in ___memcpy ()

The fact that random data from the Internet is causing problems with memcpy worries me. I haven't figured out how to change the arguments to memcpy, but it seems possible. Hopefully someone that knows more about debugging threaded Objective-C programs running on PPC can look into it. I'm more of a simple x86/C person myself :)

Just for reference, it seems that Safari needs a very specific set of inputs to actually crash:

data://<h>/ doesn't crash but data://<h>/< does

(also data://<crash>test</crash> doesn't crash... the h in <h1> seems important somehow).

Regards (and good luck), Jonathan Rockway
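The inputs listed in the post share one property worth noting for anyone triaging or defending against this class of bug: none of them is a well-formed `data:` URL. RFC 2397 defines the scheme as `data:[<mediatype>][;base64],<data>`; there is no authority component, so `//` has no meaning, and the comma before the payload is mandatory. The crash is therefore reached through malformed input, which is exactly what a strict front-end validator would refuse before any renderer or `memcpy` sees it. The parser below is an added example written for this page, not code from the original post or from Apple; it assumes only the RFC 2397 grammar, and the `POSTED_INPUTS` list reproduces the URLs quoted above so that `triage()` shows each one being rejected with a reason. It says nothing about why Safari itself crashed; it only shows what a conforming parser does with those strings.

```python
import re
import binascii
import base64
from urllib.parse import unquote_to_bytes

# RFC 2045 token characters (used for type, subtype and parameter names/values).
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
MEDIATYPE_RE = re.compile("^" + TOKEN + "/" + TOKEN + "$")
PARAM_RE = re.compile("^" + TOKEN + r'=(?:' + TOKEN + r'|"[^"]*")$')

# data:[<mediatype>][;base64],<data>  -- the comma is required.
DATA_URL_RE = re.compile(r"^data:(?P<meta>[^,]*),(?P<data>.*)$", re.S)


def parse_data_url(url):
    """Parse a data: URL strictly per RFC 2397.

    Returns a dict with mediatype, params, base64 flag and decoded payload bytes.
    Raises ValueError for anything that does not match the grammar.
    """
    m = DATA_URL_RE.match(url)
    if m is None:
        raise ValueError("missing 'data:' prefix or the mandatory ',' separator")

    meta = m.group("meta")
    parts = meta.split(";") if meta else []

    # A trailing ';base64' marks the payload encoding and is not a parameter.
    is_base64 = bool(parts) and parts[-1].lower() == "base64"
    if is_base64:
        parts = parts[:-1]

    # Type/subtype may be omitted; RFC 2397 then defaults to text/plain.
    mediatype = parts[0] if parts and parts[0] else "text/plain"
    params = parts[1:] if parts else []

    if not MEDIATYPE_RE.match(mediatype):
        raise ValueError("mediatype %r is not token/token" % mediatype)
    for p in params:
        if not PARAM_RE.match(p):
            raise ValueError("parameter %r is not name=value" % p)

    raw = m.group("data")
    try:
        payload = (base64.b64decode(raw, validate=True) if is_base64
                   else unquote_to_bytes(raw))
    except binascii.Error as exc:
        raise ValueError("bad base64 payload: %s" % exc)

    return {"mediatype": mediatype, "params": params,
            "base64": is_base64, "payload": payload}


def is_well_formed(url):
    """True if the URL parses under the strict grammar, False otherwise."""
    try:
        parse_data_url(url)
        return True
    except ValueError:
        return False


def triage(urls):
    """Map each URL to 'accepted' or 'rejected: <reason>' for a quick report."""
    out = {}
    for u in urls:
        try:
            parse_data_url(u)
            out[u] = "accepted"
        except ValueError as exc:
            out[u] = "rejected: %s" % exc
    return out


# The four inputs quoted in the post (copied from it, not constructed).
POSTED_INPUTS = [
    "data://<h1>crash</h1>",
    "data://<h>/",
    "data://<h>/<",
    "data://<crash>test</crash>",
]

if __name__ == "__main__":
    for url, verdict in triage(POSTED_INPUTS).items():
        print("%-30s %s" % (url, verdict))
    print(parse_data_url("data:text/html,<h1>ok</h1>"))
```

Running the module prints a rejection for every posted input (all fail at the same place: no comma separator) and a successful parse for a conforming `data:text/html,...` URL, which is the contrast a validator in front of a rendering engine should enforce.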