MoAB #20, iChat Format String


Landon Fuller
Jan 21, 2007, 1:46:22 AM
to moab...@googlegroups.com
Before I head off to not-computer-time, here's what I've fished out
so far. Anyone please feel free to dig in, otherwise I'll take a look
at this tomorrow.

http://projects.info-pull.com/moab/bug-files/MOAB-20-01-2007.html

PoC URL:
aim:gochat?roomname=%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s

Adium will probably try to handle it; I had to move it to the trash to hand aim:// to iChat.

Thread 0 Crashed:
0 com.apple.CoreFoundation 0x908110dc _CFStringAppendFormatAndArgumentsAux + 4934
1 com.apple.CoreFoundation 0x9080fc8c _CFStringCreateWithFormatAndArgumentsAux + 122
2 com.apple.Foundation 0x925e2a5d -[NSPlaceholderString initWithFormat:locale:arguments:] + 162
3 com.apple.Foundation 0x92604670 -[NSString initWithFormat:arguments:] + 55
4 com.apple.iChat 0x000da226 0x1000 + 889382
5 com.apple.iChat 0x000bfbb6 0x1000 + 781238
6 libobjc.A.dylib 0x90a57c56 objc_msgSendv + 54
7 com.apple.Foundation 0x925fc43e -[NSInvocation invoke] + 932
8 com.apple.Foundation 0x9264974f -[NSConnection dispatchInvocation:] + 487
9 com.apple.Foundation 0x92694244 _NSHandleDORequest + 394
10 com.apple.Foundation 0x925f2c92 +[NSConnection doQueuedWork] + 436
11 com.apple.Foundation 0x925f2acd __NSPortDelegateTickler + 158
12 com.apple.CoreFoundation 0x9082a155 __CFRunLoopDoObservers + 342
13 com.apple.CoreFoundation 0x908291f7 CFRunLoopRunSpecific + 827
14 com.apple.CoreFoundation 0x90828eb5 CFRunLoopRunInMode + 61
15 com.apple.HIToolbox 0x92dcdb90 RunCurrentEventLoopInMode + 285
16 com.apple.HIToolbox 0x92dcd1ce ReceiveNextEventCommon + 184
17 com.apple.HIToolbox 0x92dcd0ee BlockUntilNextEventMatchingListInMode + 81
18 com.apple.AppKit 0x9326f465 _DPSNextEvent + 572
19 com.apple.AppKit 0x9326f056 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 137
20 com.apple.AppKit 0x93268ddb -[NSApplication run] + 512
21 com.apple.AppKit 0x9325cd2f NSApplicationMain + 573
22 com.apple.iChat 0x00002b6e 0x1000 + 7022
23 com.apple.iChat 0x0007e63d 0x1000 + 513597

NSInvocation is invoking:
(gdb) po $edx
<NSInvocation[0x4f5060] selector: service:chat:showError: signature: NSMethodSignature: types=Vv@:@@@ nargs=5 sizeOfParams=20 returnValueLength=0; >

(gdb) po [$edx target]
Service[AIM]


William A. Carrel
Jan 21, 2007, 1:45:30 PM
to moab...@googlegroups.com
Looks like the call into [ActiveChat showError: NSString arg1] is the
guilty party.

It passes arg1 along to the function at 0xda1db as well, which in turn does:
[[NSString alloc] initWithFormat: arg1 ...];

I'm digging to make sure there aren't other unsafe uses of arg1 within
the call at the moment.

William A. Carrel
Jan 21, 2007, 2:01:46 PM
to moab...@googlegroups.com
So there is another [NSString stringWithFormat:...] in -[ActiveChat showError:] but it looks safe...

l64 = [NSBundle mainBundle];
l71 = [l64 localizedStringForKey: @"%@ error:" value: @"" table: 0];
l78 = [... shortName];
l87 = [NSString stringWithFormat: l71, l78]; // comments in the localization.strings
                                             // suggest that l78 should be the service name.

And then comes the:
(void) (0xda1db)(l87, arg1, 0, 0, 0, 0)
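The two patterns the messages above contrast, written out as an added C example (this is not iChat's code and not code from this thread): the untrusted roomname used as the format string, which is what the call at 0xda1db does, beside the fixed form where the format is a literal and the untrusted text is only ever a %s argument, which is the shape of the localizedStringForKey: call that looks safe. A small checker counts conversion specifiers so input like the PoC roomname can be recognized before it reaches any formatter. Function names are hypothetical; the roomname string is constructed to match the PoC URL. In Cocoa the equivalent of the fix is [[NSString alloc] initWithFormat:@"%@", arg1].

```c
/* Added example, not iChat's code: the format-string bug discussed in this
 * thread, in plain C.  The roomname from an aim:gochat? URL reached
 * -[NSString initWithFormat:] as the FORMAT argument; in C that is
 * vsnprintf(buf, n, user, ap).  All function names here are hypothetical. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed to match the PoC URL: 31 "%s" conversions and no arguments. */
const char *POC_ROOMNAME =
    "%s%s%s%s%s%s%s%s"   /* 8  */
    "%s%s%s%s%s%s%s%s"   /* 16 */
    "%s%s%s%s%s%s%s%s"   /* 24 */
    "%s%s%s%s%s%s%s";    /* 31 */

/* VULNERABLE (the 0xda1db pattern): 'user' becomes the format string.
 * Each %s makes the formatter fetch a pointer that was never passed and
 * dereference it; the crash in _CFStringAppendFormatAndArgumentsAux is the
 * Cocoa version of exactly this.  Never call this with untrusted input. */
int format_error_unsafe(char *out, size_t n, const char *user, ...)
{
    va_list ap;
    va_start(ap, user);
    int r = vsnprintf(out, n, user, ap);   /* BUG: attacker-controlled format */
    va_end(ap);
    return r;
}

/* FIXED: the format is a literal and the untrusted text is only a %s
 * argument, so "%s%s%s" inside it is copied verbatim.  Builds the same
 * "<service> error: <text>" shape the localizedStringForKey: path builds.
 * Returns a pointer to a static buffer (single-threaded example). */
const char *format_error_safe(const char *service, const char *user)
{
    static char out[256];
    snprintf(out, sizeof out, "%s error: %s", service, user);
    return out;
}

/* Count conversion specifiers in text that is about to be used as a format.
 * "%%" is a literal percent and a trailing lone '%' is ignored.  Untrusted
 * input that should carry no conversions but scores > 0 is exactly the
 * MoAB #20 input; the number is how many bogus arguments the formatter
 * would have read off the stack. */
int count_conversions(const char *s)
{
    int count = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {          /* "%%": skip the pair */
            p++;
            continue;
        }
        if (p[1] == '\0')           /* lone '%' at end of string */
            break;
        count++;
    }
    return count;
}

int main(void)
{
    printf("safe:        %s\n", format_error_safe("AIM", POC_ROOMNAME));
    printf("conversions: %d\n", count_conversions(POC_ROOMNAME));
    /* format_error_unsafe(buf, n, POC_ROOMNAME) would walk 31 stack slots
     * as char pointers; it is deliberately not executed here. */
    return 0;
}
```

The checker is a triage aid, not the fix: the only correct change is to stop passing untrusted text as the format, which is what the literal-format version does regardless of how many % characters the input carries.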

William A. Carrel
Jan 21, 2007, 2:39:33 PM
to moab...@googlegroups.com
Here's the patch for the fix for #20. Verified to work on my iChat.
ichat.patch