[webkit-dev] Fwd: Possible memory corruption problems in Apple Safari

Benjamin Listwon blistwon at mac.com
Thu Sep 29 12:04:20 PDT 2005


To help narrow this down, the "h" is irrelevant.

The following ...
     data://</<
     data://</>
... will crash it just fine.

Other permutations don't cause issues, such as:
     data://<<
     data://<>

Thus it seems that misplaced "/" chars make for problems.

--Ben



On Sep 29, 2005, at 11:51 AM, Boyd Waters wrote:

> From bugtraq, I had not seen this before.
>
> Basically, entering a URL of data://<h>/ will crash Safari?
>
> Is this a bug on bugzilla? I cannot find such with a brief search...
>
> ~ boyd
>
>
> Begin forwarded message:
>
>
>> From: Jonathan Rockway <jon at jrock.us>
>> To: bugtraq at securityfocus.com
>> Subject: Possible memory corruption problems in Apple Safari
>> Date: Fri, 16 Sep 2005 22:07:34 -0500
>> Message-ID: <20050917030734.GA9837 at jrock.us>
>> User-Agent: Mutt/1.5.7i
>>
>> Hello,
>>
>> I was playing around with Safari the other day and noticed that it
>> crashes solid if you convince it to visit:
>>
>> data://<h1>crash</h1>
>>
>> Typing it into the address bar is sufficient for testing and crashes
>> the browser completely.  I loaded up Safari in gdb to see where it
>> crashes and got the following result:
>>
>>
>>> Program received signal EXC_BAD_ACCESS, Could not access memory.
>>> Reason: KERN_INVALID_ADDRESS at address: 0x076fffff
>>> [Switching to process 266 thread 0x6403]
>>> 0xffff8ce4 in ___memcpy ()
>>>
>>
>> The fact that random data from the Internet is causing problems with
>> memcpy worries me.  I haven't figured out how to change the arguments
>> to memcpy, but it seems possible.  Hopefully someone that knows more
>> about debugging threaded Objective-C programs running on PPC can
>> look into it.  I'm more of a simple x86/C person myself :)
>>
>> Just for reference, it seems that Safari needs a very specific set of
>> inputs to actually crash:
>>
>> data://<h>/ doesn't crash
>> but
>> data://<h>/< does
>>
>> (also data://<crash>test</crash> doesn't crash... the h in <h1> seems
>> important somehow).
>>
>> Regards (and good luck),
>> Jonathan Rockway
>> ------- end -------
>>
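As an added example (not code from this thread or from WebKit), the following Python parser for RFC 2397 data: URLs shows how a defensively written parser handles the inputs quoted above: every form beginning with data:// lacks the comma that the grammar requires, so each one is rejected as malformed and no payload is ever produced or copied. The names parse_data_url, DataUrl, SAMPLES and classify_samples are my own, and the sample list is constructed from the URLs in the thread plus two well-formed URLs for contrast.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import unquote_to_bytes

# Constructed sample set: the URLs quoted in the thread, plus two
# well-formed data: URLs so the accept path is exercised as well.
SAMPLES = [
    "data://</<",
    "data://</>",
    "data://<<",
    "data://<>",
    "data://<h>/",
    "data://<h>/<",
    "data://<h1>crash</h1>",
    "data:text/plain,hello",
    "data:text/plain;base64,aGVsbG8=",
]


@dataclass
class DataUrl:
    mediatype: str      # e.g. "text/plain"
    is_base64: bool     # True when ";base64" was present
    payload: bytes      # decoded bytes


# RFC 2397 grammar: data:[<mediatype>][;base64],<data>
# Tokens for type/subtype and parameter names follow the RFC 2045 token set.
_MEDIATYPE = re.compile(r"^[A-Za-z0-9!#$&^_.+-]+/[A-Za-z0-9!#$&^_.+-]+$")
_PARAM = re.compile(r"^[A-Za-z0-9!#$&^_.+-]+=[^;,]+$")


def parse_data_url(url: str) -> Optional[DataUrl]:
    """Parse a data: URL; return None for anything malformed, never raise."""
    if url[:5].lower() != "data:":
        return None
    rest = url[5:]
    # The comma separating header from data is mandatory. Every
    # "data://..." form in the thread is rejected right here.
    if "," not in rest:
        return None
    header, data = rest.split(",", 1)

    mediatype = "text/plain"          # RFC default when the type is omitted
    is_base64 = False
    parts = header.split(";") if header else []

    if parts and parts[0]:
        # A leading "//" is not a valid type/subtype, so it fails here.
        if not _MEDIATYPE.match(parts[0]):
            return None
        mediatype = parts[0].lower()
        parts = parts[1:]

    for p in parts:
        if p.lower() == "base64":
            is_base64 = True
        elif _PARAM.match(p):
            continue                   # e.g. charset=utf-8; kept out of scope here
        else:
            return None

    if is_base64:
        try:
            payload = base64.b64decode(data, validate=True)
        except (binascii.Error, ValueError):
            return None                # bad alphabet or padding: reject, don't guess
    else:
        payload = unquote_to_bytes(data)   # percent-decoding only, bounded by len(data)

    return DataUrl(mediatype, is_base64, payload)


def classify_samples() -> Dict[str, bool]:
    """Map each sample URL to whether the parser accepted it."""
    return {u: parse_data_url(u) is not None for u in SAMPLES}


if __name__ == "__main__":
    for url, ok in classify_samples().items():
        print(f"{'accept' if ok else 'reject':6}  {url}")
```

The point of the example is the rejection path: a parser that checks the separator and the type/subtype before it touches the payload has nothing to hand to a copy routine when the input is garbage, which is the property the crash report suggests was missing.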