Possible memory corruption problems in Apple Safari

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Possible memory corruption problems in Apple Safari
From: Jonathan Rockway <jon@xxxxxxxx>
Date: Fri, 16 Sep 2005 22:07:34 -0500
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Mutt/1.5.7i

Hello,

I was playing around with Safari the other day and noticed that it
crashes solid if you convince it to visit:

data://<h1>crash</h1>

Typing it into the address bar is sufficient for testing and crashes
the browser completely.  I loaded up Safari in gdb to see where it
crashes and got the following result:

> Program received signal EXC_BAD_ACCESS, Could not access memory.
> Reason: KERN_INVALID_ADDRESS at address: 0x076fffff
> [Switching to process 266 thread 0x6403]
> 0xffff8ce4 in ___memcpy ()

The fact that random data from the Internet is causing problems with
memcpy worries me.  I haven't figured out how to change the arguments
to memcpy, but it seems possible.  Hopefully someone that knows more
about debugging threaded Objective-C programs running on PPC can
look into it.  I'm more of a simple x86/C person myself :)

Just for reference, it seems that Safari needs a very specific set of
inputs to actually crash:

data://<h>/ doesn't crash
but
data://<h>/< does

(also data://<crash>test</crash> doesn't crash... the h in <h1> seems
important somehow).

Regards (and good luck),
Jonathan Rockway

Prev by Date: [BuHa-Security] Multiple vulnerabilities in (admincp/modcp of) vBulletin 3.0.8/9
Next by Date: Re: PHP Nuke <= 7.8 Multiple SQL Injections
Previous by thread: [BuHa-Security] Multiple vulnerabilities in (admincp/modcp of) vBulletin 3.0.8/9
Next by thread: [USN-184-1] umount vulnerability
Index(es):
- Date
- Thread