zlacker

'Text bomb' is latest Apple bug

submitted by Harvey+(OP) on 2018-01-18 15:02:48 | 194 points 105 comments

NOTE: showing posts with links only
4. devit+G8 2018-01-18 16:00:43
>>Harvey+(OP)
Based on a web search, https://bogdanz.me/work/diddu.html might be a working mirror of the proof of concept.

It appears to contain a 10MB long UTF-8 mess in both the og:title meta content and in a mailto: link.

I'd guess it's supposed to crash iOS apps by either posting that link if it displays links in a thumbnail element using og:title or otherwise by pasting the huge mailto link contained in the webpage, or perhaps only the e-mail address.

◧◩
6. stevea+Y8 2018-01-18 16:02:48
>>NedIsa+v6
Here's an archived version: http://web.archive.org/web/20180117063656/https://iabem97.gi...
◧◩
9. Kikawa+4a 2018-01-18 16:09:56
>>NedIsa+v6
https://mega.nz/#!X4piUYwA!zXH1vCliaO00V2v2554vegCnXzQ69jdAX...

11.7MB HTML file. It crashes the tab in Chrome 65.0.3324.2 64-bit and locks up Firefox 58.0 64-bit on Windows for me.

◧◩
36. 68c12c+qj 2018-01-18 17:06:56
>>NedIsa+v6
A mirror of the page could be found here...

  view-source:https://web.archive.org/web/20180117063656/https://iabem97.github.io/chaiOS/
Google Chrome seems to have disabled the display of the content, but other browsers may still be fine with it...
◧◩
39. osteel+jm 2018-01-18 17:20:09
>>hotpxl+Pf
https://support.apple.com/en-us/HT201220 has a section for “Security and privacy researchers”. The process is to send mail to product-security@apple.com, optionally encrypted by Apple Product Security's PGP key. A developer account is not required.

Since this page is the top search engine hit for several obvious searches (for example “report apple security vulnerability”), hopefully Mr Masri reported it there.

◧◩◪
41. 68c12c+Vo 2018-01-18 17:30:44
>>68c12c+qj
If viewed in a hex editor, this same block of patterns is repeated over and over again, seemingly in an effort to overrun the buffer:

  0x00007B90: A5CCBACD 8774CCB4 CD81CC8D CC92CD8C     .....t..........
  0x00007BA0: CD84CC86 CC8FCD8B CD97CD86 CC9BCC8F     ................
  0x00007BB0: CC8ECC95 CC87CC82 CC94CC9B CC92CC92     ................
  0x00007BC0: CC86CD91 CD9BCC86 CC8ECCBD CC84CC8B     ................
  0x00007BD0: CC91CC88 CD9DCC81 CD81CC81 CC84CCBE     ................
  0x00007BE0: CC85CCBE CC86CC84 CD82CC86 CD9DCC89     ................
  0x00007BF0: CC85CC87 CD8CCD9D CC81CC88 CCBFCC9A     ................
  0x00007C00: CC82CC86 CD8CCC90 CD9DCC82 CC9ACC80     ................
  0x00007C10: CC93CC9B CD84CC89 CD82CD8A CCBECD8B     ................
  0x00007C20: CDA0CC83 CC8ACC8E CD98CC89 CD97CC80     ................
  0x00007C30: CD80CC8A CC8FCDA0 CC80CC80 CD84CD80     ................
  0x00007C40: CD8CCD92 CD92CD91 CC90CD98 CC83CC88     ................
  0x00007C50: CD84CD9B CCBDCD9B CC84CC8D CDA0CC8C     ................
  0x00007C60: CC81CD97 CD8BCD86 CD9BCD91 CC8ECCAA     ................
  0x00007C70: CCA7CD87 CD95CCB1 CCA8CCBC CD9CCCA6     ................
  0x00007C80: CCA6CC9D CCAFCCAA CC97CCA0 CC9ECD85     ................
  0x00007C90: CCAACCA4 CCB2CCAB CD8ECCAB CD89CD8D     ................
  0x00007CA0: CCA2CCA8 CCAACC97 CCACCCA3 CCBACD93     ................
  0x00007CB0: CC9ECCA9 CD87CCA8 CD96CCAF CCBACCA7     ................
  0x00007CC0: CCB1CCBB CCA3CCAE CCABCCA7 CD96CCBA     ................
  0x00007CD0: CCAFCCA9 CCA0CCB2 CC96CD95 CCAACCAD     ................
  0x00007CE0: CD9ACCA8 CCB9CCB9 CCB0CCA0 CD88CCBA     ................
  0x00007CF0: CCA9CD9C CCA3CCA1 CCA0CD8D CC98CCA1     ................
  0x00007D00: CCAFCCA1 CC9DCD87 CCA6CC9D CCBACCBA     ................
  0x00007D10: CCAACD9A CCBACD8D CD88CD93 CCB1CCBC     ................
  0x00007D20: CCA1CCB1 CCB3CCA4 CD9ACCB0 CCA9CCB2     ................
  0x00007D30: CC9DCCAC CCADCCB9 CC9ECD89 CD89CD9C     ................
  0x00007D40: CCA5CCA8 CC9DCD89 CCBACCA2 CC9CCC9F     ................
  0x00007D50: CCA5CCBA CD8774CC B4CD81CC 8DCC92CD     ......t.........
The author comment at the top of the page says,

  <!-- hello, this was written by Abraham Masri @cheesecakeufo -->
  <!-- I discovered this bug in like 10 minutes -->
If the entire code in the page was whipped up in 10 minutes, then a large part might well be some repetitive copy-paste of a core part. Not exactly sure what this core part does, but given the obvious lack of printable ASCII characters (the code is way above 0x7F), it looks like it could be some Unicode type of thing, which is then a bit reminiscent of an old iOS bug back in 2015, as described at this link:

https://www.reddit.com/r/iphone/comments/37eaxs/um_can_someo...

Also notice the high frequency of 0xCC and 0xCD throughout the code, which are respectively Breakpoint and INT on the x86 architecture, with its 0xCDs always followed by a single byte whose value is less than 0xA0. Possibly x86 was used as the author's development platform...
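
Decoded as UTF-8, the byte pairs in the dump above (a 0xCC or 0xCD lead byte followed by one 0x80–0xBF continuation byte) are code points in the U+0300–U+036F Combining Diacritical Marks block, stacked on a single base letter (the 0x74 "t"). The script below is an added example, not code from the page or from the chaiOS author: it takes a sample constructed from the first rows of that dump, counts how many combining marks each base character carries, and shows a simple input-side check and mitigation a messaging client or renderer front-end could apply. The policy limit `MAX_MARKS_PER_BASE` and all function names are assumptions of this example.

```python
from __future__ import annotations

import unicodedata

# Constructed sample (not the page's own source file): the UTF-8 bytes quoted in
# the hex dump above, starting at the 0x74 ('t') in the 0x00007B90 row and
# running to the end of the 0x00007BB0 row.
SAMPLE_BYTES = bytes.fromhex(
    "74 CC B4 CD 81 CC 8D CC 92 CD 8C "
    "CD 84 CC 86 CC 8F CD 8B CD 97 CD 86 CC 9B CC 8F "
    "CC 8E CC 95 CC 87 CC 82 CC 94 CC 9B CC 92 CC 92"
)

# Assumed policy value for this example: how many combining marks one base
# character may carry before the text is treated as hostile. Legitimate scripts
# rarely need more than a handful.
MAX_MARKS_PER_BASE = 4


def is_mark(ch: str) -> bool:
    """True for combining marks (Unicode general categories Mn, Mc, Me)."""
    return unicodedata.category(ch).startswith("M")


def combining_runs(text: str) -> list[tuple[str, int]]:
    """Return (base_char, number_of_following_marks) for each base character.

    Marks that appear before any base character are reported with base ''.
    """
    runs: list[tuple[str, int]] = []
    base = ""
    count = 0
    for ch in text:
        if is_mark(ch):
            count += 1
        else:
            if base or count:
                runs.append((base, count))
            base, count = ch, 0
    if base or count:
        runs.append((base, count))
    return runs


def max_combining_run(text: str) -> int:
    """Longest stack of marks on any single base character (0 for plain text)."""
    return max((n for _, n in combining_runs(text)), default=0)


def is_suspicious(text: str, limit: int = MAX_MARKS_PER_BASE) -> bool:
    """Detection: flag text whose mark stacks exceed the policy limit."""
    return max_combining_run(text) > limit


def limit_combining_marks(text: str, limit: int = MAX_MARKS_PER_BASE) -> str:
    """Mitigation: keep at most `limit` marks per base character, drop the rest."""
    out: list[str] = []
    count = 0
    for ch in text:
        if is_mark(ch):
            count += 1
            if count > limit:
                continue
        else:
            count = 0
        out.append(ch)
    return "".join(out)


def describe_marks(text: str) -> list[str]:
    """Code point and Unicode name of every mark, for an analyst's report."""
    return [f"U+{ord(ch):04X} {unicodedata.name(ch)}" for ch in text if is_mark(ch)]


# Strict decoding: the sample is valid UTF-8, so this does not raise.
SAMPLE_TEXT = SAMPLE_BYTES.decode("utf-8")

if __name__ == "__main__":
    print("runs:", combining_runs(SAMPLE_TEXT))
    print("suspicious:", is_suspicious(SAMPLE_TEXT))
    print("first marks:", describe_marks(SAMPLE_TEXT)[:3])
    print("sanitised length:", len(limit_combining_marks(SAMPLE_TEXT)))
```

On the sample, `combining_runs` reports a single "t" carrying 21 marks, all named "COMBINING ..." by the Unicode database, which is what a layout engine has to stack on one glyph. Checking the per-base mark count on ingress is cheap and independent of any renderer bug; Unicode normalization (NFC) does not remove these marks, so truncation or rejection is the mitigation.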

42. alwill+7p 2018-01-18 17:31:33
>>Harvey+(OP)
Fixed in the latest beta: https://www.macrumors.com/2018/01/17/apple-seeds-ios-11-2-5-...
◧◩
45. roywig+7u 2018-01-18 17:51:40
>>Orange+bh
Nokia's had one.

https://www.slashgear.com/nokia-curse-of-silence-sms-bug-pre...

◧◩◪
62. maxmcd+xK 2018-01-18 19:23:19
>>zackif+fB
I believe the solution present on this linked page will help you: https://www.vincedes3.com/save.html

Opens iMessage again with a message draft so that you can delete the conversation without fetching the linked bug.

◧◩◪◨
79. B1FF_P+wV 2018-01-18 20:32:35
>>Infern+QN
https://en.wikipedia.org/wiki/BLIT_(short_story)

(Langford's story and followup in the links)

◧◩◪◨
84. skymt+jY 2018-01-18 20:48:51
>>kevin_+vJ
FreeType used to ignore TrueType hint bytecode to avoid infringing on related patents, but those patents expired in 2010 and FreeType's interpreter is now enabled by default.

http://freetype.sourceforge.net/patents.html

88. w0rd-d+821 2018-01-18 21:13:25
>>Harvey+(OP)
This again? It's eerily similar to https://m.huffpost.com/us/entry/7452324 (sorry for the mobile link). Only one other comment mentions the bug from 2015 that, surprise, crashes the phone in the same way. It looks like this person just worked around the patch to cause it again.
◧◩◪◨
89. rspeer+G21 2018-01-18 21:17:28
>>yesena+IQ
Similarly (and also featured in a Hofstadter book), there's the short story "The Riddle of the Universe and Its Solution" by Christopher Cherniak. https://en.wikipedia.org/wiki/The_Riddle_of_the_Universe_and...

I don't think anyone ever intended for text rendering to be a "sufficiently powerful formal system" like second-order logic, number theory, or like Hofstadter says the human brain is. I would hope that, in the absence of bugs, rendering text X on computer system Y would be a plain old computable function.

◧◩◪◨⬒⬓
101. rspeer+FJ2 2018-01-19 17:37:30
>>68c12c+VI2
I saw a tweet about what it looks like (in some piece of software that at least manages to render something): https://twitter.com/BagusAlexandria/status/95347388267712921...

The fact that the embellished t's form these big overlapping blocks makes me think that it's hitting the worst-case behavior of some text layout algorithm.

I don't understand what all the hex digits and apostrophes are for, though.
