<<< Date Index >>>     <<< Thread Index >>>

Possible memory corruption problems in Apple Safari



Hello,

I was playing around with Safari the other day and noticed that it
crashes solid if you convince it to visit:

data://<h1>crash</h1>

Typing it into the address bar is sufficient for testing and crashes
the browser completely.  I loaded up Safari in gdb to see where it
crashes and got the following result:

> Program received signal EXC_BAD_ACCESS, Could not access memory.
> Reason: KERN_INVALID_ADDRESS at address: 0x076fffff
> [Switching to process 266 thread 0x6403]
> 0xffff8ce4 in ___memcpy ()

The fact that random data from the Internet is causing problems with
memcpy worries me.  I haven't figured out how to change the arguments
to memcpy, but it seems possible.  Hopefully someone that knows more
about debugging threaded Objective-C programs running on PPC can
look into it.  I'm more of a simple x86/C person myself :)

Just for reference, it seems that Safari needs a very specific set of
inputs to actually crash:

data://<h>/ doesn't crash
but
data://<h>/< does

(also data://<crash>test</crash> doesn't crash... the h in <h1> seems
important somehow).

Regards (and good luck),
Jonathan Rockway