Anatomy of a killer bug: How just 5 characters can murder iPhone, Mac apps

Apple’s CoreText rendering system uses signed integers to pass around array indexes and string lengths. A negative length, -1, is passed unchecked to a library function which uses it as an unsigned long integer to set the bounds of an array. This causes the library to attempt to read beyond the end of an array and into unallocated memory, triggering a fatal exception.
If you’re au fait with disassembling software to debug it, what follows will be obvious to you. If you’re interested in what goes on under your Mac or iThing’s hood, then read on.
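The signed-to-unsigned conversion described above, as a constructed C illustration added here (it is not CoreText's code and the function names are hypothetical): a signed length of -1 becomes ULONG_MAX once the callee takes an unsigned long, and validating the value while it is still signed is what keeps the read inside the array.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed illustration of the bug pattern described above.
   It is not CoreText's code; the function names are hypothetical. */

/* Library-side routine: takes the length as unsigned long, as the
   summary says the callee does, and reports the array bound it will use. */
size_t library_bound(unsigned long length) {
    return (size_t)length;      /* a signed -1 arrives here as ULONG_MAX */
}

/* Buggy caller: forwards the signed length with no check. */
size_t unchecked_bound(long length) {
    return library_bound((unsigned long)length);
}

/* Hardened caller: rejects negative or oversized lengths while the
   value is still signed, before any conversion can wrap it. */
bool checked_bound(long length, size_t capacity, size_t *out) {
    if (length < 0 || (unsigned long)length > capacity)
        return false;
    *out = (size_t)length;
    return true;
}

/* Sums the first `length` elements of buf (which holds `capacity`
   elements), reading only after the length has been validated. */
bool sum_prefix(const int *buf, size_t capacity, long length, int *sum) {
    size_t n;
    if (!checked_bound(length, capacity, &n))
        return false;
    *sum = 0;
    for (size_t i = 0; i < n; i++)
        *sum += buf[i];
    return true;
}

int main(void) {
    int buf[4] = {1, 2, 3, 4};          /* constructed sample array */
    int sum;
    printf("unchecked bound for -1: %zu elements\n", unchecked_bound(-1));
    printf("sum of first 3: %s\n",
           sum_prefix(buf, 4, 3, &sum) ? "ok" : "rejected");
    printf("sum with length -1: %s\n",
           sum_prefix(buf, 4, -1, &sum) ? "ok" : "rejected");
    return 0;
}
```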