quotedStr() out-of-bounds array access crashes

Originator: vlad902
Number: rdar://49332752
Date Originated: 2019-03-27
Status: Duplicate
Resolved:
Product: macOS
Product Version:
Classification:
Reproducible:
 
Chrome observes occasional crashes in the AE framework's quotedStr(char const*, unsigned long) function. The function performs logic like the following:

static void quotedStr(const unsigned char *ptr, size_t len) {
  /* ptr[len] reads one byte past the end of the buffer:
     the last valid index is ptr[len - 1]. */
  if (memchr(ptr, '"', len) || ptr[len] || memchr(ptr, 0, len - 1)) {
    /* ... */
  }
}

When it accesses ptr[len] it performs an off-by-one OOB read: ptr[len - 1] is the last valid byte of the array. This leads to crashes when the 'ptr' allocation ends exactly at the rightmost edge of the heap, so that ptr[len] touches unmapped memory.
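As an added illustration (not code from this report or from the AE framework), the C below pairs a reconstruction of the check with a bounded rewrite, and adds a small probe that shows whether a predicate's answer depends on the byte at ptr[len]. The intended meaning of the branch (escape strings holding a quote or an embedded NUL) is an assumption.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Reconstruction of the check described in the report. ptr[len] is one
   past the last valid byte ptr[len - 1]; kept here only for comparison. */
static int needs_quoting_buggy(const unsigned char *ptr, size_t len) {
    return memchr(ptr, '"', len) != NULL || ptr[len] != 0 ||
           memchr(ptr, 0, len - 1) != NULL;
}

/* Bounded rewrite. Assumption: the branch exists to escape strings holding a
   quote or an embedded NUL. The caller-supplied len is the only bound used,
   so nothing outside [ptr, ptr + len) is ever read. */
static int needs_quoting_fixed(const unsigned char *ptr, size_t len) {
    if (len == 0)
        return 0;
    return memchr(ptr, '"', len) != NULL || memchr(ptr, 0, len) != NULL;
}

/* Regression probe: copy the string into a buffer with one extra sentinel
   byte after it and run the predicate twice, with the sentinel set to 0 and
   to 0xFF. A predicate that reads only its len bytes answers the same both
   times; a different answer proves it reads ptr[len]. Returns 1 when the
   predicate depends on the sentinel, 0 when it does not, -1 on malloc failure. */
static int depends_on_byte_past_end(int (*pred)(const unsigned char *, size_t),
                                    const char *s) {
    size_t len = strlen(s);
    unsigned char *buf = malloc(len + 1);
    if (buf == NULL)
        return -1;
    memcpy(buf, s, len);
    buf[len] = 0x00;
    int with_nul = pred(buf, len);
    buf[len] = 0xFF;
    int with_junk = pred(buf, len);
    free(buf);
    return with_nul != with_junk;
}

int main(void) {
    /* Constructed sample input: a plain string with no quote or NUL inside. */
    int buggy = depends_on_byte_past_end(needs_quoting_buggy, "open radar");
    int fixed = depends_on_byte_past_end(needs_quoting_fixed, "open radar");
    return (buggy == 1 && fixed == 0) ? 0 : 1;
}
```

Building with -fsanitize=address and calling needs_quoting_buggy on a buffer of exactly len bytes reports the same defect directly as a one-byte heap-buffer-overflow read.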

When quotedStr() crashes, it is always reached from implAsStr(), which in turn is reached either from AESendMessage() via descAsString() or from AEProcessMessage() via aeProcessIncomingEvent(AEDesc*).

Steps to Reproduce:
N/A, these crashes have been observed in the wild.

Version/Build:
These crashes have been observed in versions of macOS up to 10.14.3 and I have confirmed that assembly for this function in AE in 10.14.4 still includes the off-by-one array access.

Comments

Marked a duplicate of 48205906.

