[分享]ios 6.x 阿拉伯的神灯带来的overflow
发表于: 2013-9-2 18:43 6190
原帖地址:http://user.qzone.qq.com/31840953/blog/1378111732#!app=2&via=QZ.HashRefresh&pos=1378111732
前天爆出了IOS 6.X 的拒绝服务漏洞,因为在路上(on the way),手头连个电脑也没有,只在手机上看到了这条消息,并在第一时间体验了这条消息带来的冲击.
so so.. 很有趣的样子,于是在各种苦逼的情况下,在只有一台iphone的环境中,匆忙搭建环境来调戏。我比较在意的是溢出点,可惜涉及到的webcore面积很大,只能匆忙保存一个analyze log了,其他的等有时间再进一步分析。
运行QQ,触发崩溃代码后进程崩溃,断点捕获如下
37 0x3befbd98 in __workq_kernreturn ()
36 0x3befbd98 in __workq_kernreturn ()
34 "com.apple.coremedia.player.asy" 0x3befb08c in __psynch_cvwait ()
18 "JavaScriptCore::Marking" 0x3befb08c in __psynch_cvwait ()
17 "JavaScriptCore::BlockFree" 0x3befb08c in __psynch_cvwait ()
16 0x3befb594 in select$DARWIN_EXTSN ()
15 0x3beeae30 in mach_msg_trap ()
14 0x3beeae30 in mach_msg_trap ()
13 0x3befb08c in __psynch_cvwait ()
12 0x3befb594 in select$DARWIN_EXTSN ()
11 0x3befb08c in __psynch_cvwait ()
10 0x3befb594 in select$DARWIN_EXTSN ()
9 "com.apple.CFSocket.private" 0x3befb594 in select$DARWIN_EXTSN ()
8 0x3befb6a4 in __semwait_signal ()
7 "com.apple.NSURLConnectionLoade" 0x3beeae30 in mach_msg_trap ()
6 "com.apple.root.default-priorit" 0x3befb08c in __psynch_cvwait ()
5 0x3beeae30 in mach_msg_trap ()
4 0x3beeae30 in mach_msg_trap ()
3 "WebThread" 0x3beeae30 in mach_msg_trap ()
2 "com.apple.libdispatch-manager" 0x3beeb5d0 in kevent64 ()
* 1 "com.apple.main-thread" 0x3beeae30 in mach_msg_trap ()
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x85921cd0
0x3a66b95a in <redacted> ()
#0 0x3a66b95a in <redacted> ()
#1 0x3a668952 in <redacted> ()
#2 0x3a66880a in <redacted> ()
#3 0x3a66c994 in <redacted> ()
#4 0x3a66c866 in <redacted> ()
#5 0x3a3ee688 in WebCore::Font::drawText ()
#6 0x3a815496 in WebCore::GraphicsContext::drawBidiText ()
#7 0x3ad1cd66 in <redacted> ()
#8 0x3ad1e49c in <redacted> ()
#9 0x3ad1cfe4 in <redacted> ()
#10 0x3ad1cf5c in <redacted> ()
#11 0x3ad1cedc in <redacted> ()
#12 0x3ad1ed94 in <redacted> ()
#13 0x3630f452 in <redacted> ()
#14 0x04b2f5b8 in $NSString$_drawInRect$withFont$lineBreakMode$alignment$lineSpacing$includeEmoji$truncationRect$ ()
#15 0x3630f33e in <redacted> ()
#16 0x3630f2da in <redacted> ()
#17 0x3630437e in <redacted> ()
#18 0x362c7c9e in <redacted> ()
#19 0x362c6a5a in <redacted> ()
#20 0x362c6894 in <redacted> ()
#21 0x362c5d60 in <redacted> ()
#22 0x36076314 in <redacted> ()
#23 0x360758c2 in <redacted> ()
#24 0x36075036 in <redacted> ()
#25 0x3606c0b6 in <redacted> ()
#26 0x3606bfe0 in <redacted> ()
#27 0x3606b9c2 in <redacted> ()
#28 0x3606b7d4 in <redacted> ()
#29 0x3606b638 in <redacted> ()
#30 0x34482940 in <redacted> ()
#31 0x34480c38 in <redacted> ()
#32 0x34480f92 in <redacted> ()
#33 0x343f423c in CFRunLoopRunSpecific ()
#34 0x343f40c8 in CFRunLoopRunInMode ()
#35 0x37fd233a in GSEventRunModal ()
#36 0x363102b8 in UIApplicationMain ()
#37 0x0012e846 in main ()
Segmentation fault: 11
dealloc 重复release ?继续深入
(gdb) c
Continuing.
Reading symbols for shared libraries .. done
Reading symbols for shared libraries ... done
Breakpoint 3, 0x39c57688 in WebCore::Font::drawText ()
崩溃的一瞬间,断下。查看堆栈
#0 0x39c57688 in WebCore::Font::drawText ()
#1 0x3a585d18 in <redacted> ()
#2 0x3a585824 in <redacted> ()
#3 0x3a5854d4 in <redacted> ()
#4 0x3a585476 in <redacted> ()
#5 0x3a58541a in <redacted> ()
#6 0x35b3199c in <redacted> ()
#7 0x04b0568c in $NSString$drawAtPoint$forWidth$withFont$lineBreakMode$letterSpacing$includeEmoji$ ()
#8 0x35b6d126 in <redacted> ()
#9 0x35b30c9e in <redacted> ()
#10 0x35b2fa5a in <redacted> ()
#11 0x35b2f894 in <redacted> ()
#12 0x35b2ed60 in <redacted> ()
#13 0x358df314 in <redacted> ()
#14 0x3590f050 in <redacted> ()
#15 0x3590e154 in <redacted> ()
#16 0x3590f280 in <redacted> ()
#17 0x3590e16c in <redacted> ()
#18 0x004bf1e6 in -[QQNavigationController drawLastControllerNavigationBar:context:] ()
#19 0x004bed22 in -[QQNavigationController captureLastScreen] ()
#20 0x004bdb68 in -[QQNavigationController navigationController:didShowViewController:animated:] ()
#21 0x35ba4910 in <redacted> ()
#22 0x35ba44e6 in <redacted> ()
#23 0x35b3aaba in <redacted> ()
#24 0x35baf8fc in <redacted> ()
#25 0x358e6308 in <redacted> ()
#26 0x3be215da in <redacted> ()
#27 0x3be24e44 in _dispatch_main_queue_callback_4CF ()
#28 0x33cea1b0 in <redacted> ()
#29 0x33c5d23c in CFRunLoopRunSpecific ()
#30 0x33c5d0c8 in CFRunLoopRunInMode ()
#31 0x3783b33a in GSEventRunModal ()
#32 0x35b792b8 in UIApplicationMain ()
#33 0x0010f846 in main ()
WebCore F 0x39c52000 dyld Y Y /System/Library/PrivateFrameworks/WebCore.framework/WebCore at 0x39c52000 (offset 0x2ba5000)
0x39c5768e in WebCore::Font::drawText ()
1: x/10i $pc
0x39c5768e: bd e8 00 0d ldmia.w sp!, {r8, r10, r11}
0x39c57692: f0 bd pop {r4, r5, r6, r7, pc}
0x39c57694: f0 b5 push {r4, r5, r6, r7, lr}
0x39c57696: 03 af add r7, sp, #12
0x39c57698: 2d e9 00 0d stmdb sp!, {r8, r10, r11}
0x39c5769c: ad f1 10 04 sub.w r4, sp, #16 ; 0x10
0x39c576a0: 24 f0 0f 04 bic.w r4, r4, #15 ; 0xf
0x39c576a4: a5 46 mov sp, r4
0x39c576a6: 04 f9 ef 8a vst1.64 {d8-d9}, [r4, :128]
0x39c576aa: ad f5 e0 4d sub.w sp, sp, #28672 ; 0x7000
(gdb) ni
0x39c57692 in WebCore::Font::drawText ()
1: x/10i $pc
0x39c57692: f0 bd pop {r4, r5, r6, r7, pc}
0x39c57694: f0 b5 push {r4, r5, r6, r7, lr}
0x39c57696: 03 af add r7, sp, #12
0x39c57698: 2d e9 00 0d stmdb sp!, {r8, r10, r11}
0x39c5769c: ad f1 10 04 sub.w r4, sp, #16 ; 0x10
0x39c576a0: 24 f0 0f 04 bic.w r4, r4, #15 ; 0xf
0x39c576a4: a5 46 mov sp, r4
0x39c576a6: 04 f9 ef 8a vst1.64 {d8-d9}, [r4, :128]
0x39c576aa: ad f5 e0 4d sub.w sp, sp, #28672 ; 0x7000
0x39c576ae: 94 b0 sub sp, #80
(gdb) ni
0x3a585d18 in <redacted> ()
1: x/10i $pc
0x3a585d18: 40 ec 18 0b vmov d8, r0, r0
0x3a585d1c: 25 e0 b.n 0x3a585d6a
0x3a585d1e: 15 98 ldr r0, [sp, #84]
0x3a585d20: 05 90 str r0, [sp, #20]
0x3a585d22: 12 98 ldr r0, [sp, #72]
0x3a585d24: 00 68 ldr r0, [r0, #0]
0x3a585d26: 28 b1 cbz r0, 0x3a585d34
0x3a585d28: 50 f8 04 1f ldr.w r1, [r0, #4]!
0x3a585d2c: 01 29 cmp r1, #1
0x3a585d2e: 07 d0 beq.n 0x3a585d40
似乎崩了。继续执行看看
#0 0x04b0563c in $NSString$drawAtPoint$forWidth$withFont$lineBreakMode$letterSpacing$includeEmoji$ ()
#1 0x35b6d126 in <redacted> ()
#2 0x35b30c9e in <redacted> ()
#3 0x35b2fa5a in <redacted> ()
#4 0x35b2f894 in <redacted> ()
#5 0x35b2ed60 in <redacted> ()
#6 0x358df314 in <redacted> ()
#7 0x3590f050 in <redacted> ()
#8 0x3590e154 in <redacted> ()
#9 0x3590f280 in <redacted> ()
#10 0x3590e16c in <redacted> ()
#11 0x004bf1e6 in -[QQNavigationController drawLastControllerNavigationBar:context:] ()
#12 0x004bed22 in -[QQNavigationController captureLastScreen] ()
#13 0x004bdb68 in -[QQNavigationController navigationController:didShowViewController:animated:] ()
#14 0x35ba4910 in <redacted> ()
#15 0x35ba44e6 in <redacted> ()
#16 0x35b3aaba in <redacted> ()
#17 0x35baf8fc in <redacted> ()
#18 0x358e6308 in <redacted> ()
#19 0x3be215da in <redacted> ()
#20 0x3be24e44 in _dispatch_main_queue_callback_4CF ()
#21 0x33cea1b0 in <redacted> ()
#22 0x33c5d23c in CFRunLoopRunSpecific ()
#23 0x33c5d0c8 in CFRunLoopRunInMode ()
#24 0x3783b33a in GSEventRunModal ()
#25 0x35b792b8 in UIApplicationMain ()
#26 0x0010f846 in main ()
已经从WebCore中返回。
继续continue
几次断下后 成功。。崩溃
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x8cf66742
[Switching to process 2591 thread 0x2303]
0x39ed495a in <redacted> ()
(gdb) r r2
r2 0xcf66742 217474882
(gdb) r r1
r1 0xc0000000 -1073741824
0x39ed495a: 32 f8 11 60 ldrh.w r6, [r2, r1, lsl #1]
0x39ed495e: 0a e0 b.n 0x39ed4976
0x39ed4960: 2a 99 ldr r1, [sp, #168]
0x39ed4962: d1 f8 28 12 ldr.w r1, [r1, #552]
0x39ed4966: 51 f8 2c 20 ldr.w r2, [r1, r12, lsl #2]
0x39ed496a: d1 68 ldr r1, [r2, #12]
0x39ed496c: d2 f8 24 21 ldr.w r2, [r2, #292]
0x39ed4970: 12 68 ldr r2, [r2, #0]
0x39ed4972: 31 f8 12 60 ldrh.w r6, [r1, r2, lsl #1]
0x39ed4976: 00 21 movs r1, #0
往前看
(gdb) x /10i 0x39ed4950
0x39ed4950: a5 42 cmp r5, r4
0x39ed4952: 05 d2 bcs.n 0x39ed4960
0x39ed4954: 53 f8 25 10 ldr.w r1, [r3, r5, lsl #2]
0x39ed4958: 20 9a ldr r2, [sp, #128]
0x39ed495a: 32 f8 11 60 ldrh.w r6, [r2, r1, lsl #1]
0x39ed495e: 0a e0 b.n 0x39ed4976
0x39ed4960: 2a 99 ldr r1, [sp, #168]
0x39ed4962: d1 f8 28 12 ldr.w r1, [r1, #552]
0x39ed4966: 51 f8 2c 20 ldr.w r2, [r1, r12, lsl #2]
0x39ed496a: d1 68 ldr r1, [r2, #12]
0x39ed495a: 32 f8 11 60 ldrh.w r6, [r2, r1, lsl #1]
#0 0x39ed495a in <redacted> ()
#1 0x39ed1952 in <redacted> ()
#2 0x39ed180a in <redacted> ()
#3 0x39ed5994 in <redacted> ()
#4 0x39ed5866 in <redacted> ()
#5 0x39c57688 in WebCore::Font::drawText () // 这里调用字体类来把文字的编码变成位图
r0 0x1e 30
r1 0x3c05effc 1007022076
r2 0xc93b812 211007506
r3 0x1fd60024 534118436
r4 0xffffffff -1
r5 0x1f 31
r6 0x1 1
r7 0x4ca7a40 80378432
r8 0x20 32
r9 0x0 0
r10 0x0 0
r11 0xd80fa00 226556416
r12 0x3 3
sp 0x4ca7910 80378128
lr 0x39ed4ba3 971852707
pc 0x39ed495a 971852122
cpsr {
0x30,
n = 0x0,
z = 0x0,
c = 0x0,
v = 0x0,
q = 0x0,
j = 0x0,
ge = 0x0,
e = 0x0,
a = 0x0,
i = 0x0,
f = 0x0,
t = 0x1,
mode = 0x10
} {
0x30,
n = 0,
z = 0,
c = 0,
v = 0,
q = 0,
j = 0,
ge = 0,
e = 0,
a = 0,
i = 0,
f = 0,
t = 1,
mode = usr
这里的 ldrh.w 以 r2 为基址、r1 左移一位(即乘 2)作为索引取半字,也就是访问 r2 + (r1 << 1):按上面的寄存器值算,0xcf66742 + (0xc0000000 << 1) 在 32 位下回绕后正好是 0x8cf66742,与报错中 KERN_INVALID_ADDRESS 的地址一致。这个 fake address 导致 EXC_BAD_ACCESS 错误,应用闪退。
r2 来源
0x39ed4958: 20 9a ldr r2, [sp, #128]
r1 来源
0x39ed4954: 53 f8 25 10 ldr.w r1, [r3, r5, lsl #2]
测试过多个应用(QQ、空间、微信、多个文本处理软件),崩溃点始终如一(在WebCore::Font::drawText()中)
所以暂时可以假定r1获取到的值为真。
因为 r1 的值是从 r3 + (r5 << 2) 这个地址取出来的(ldr.w r1, [r3, r5, lsl #2])。如果这里的数据存在被改写即溢出的问题,那么这次取值应该也会跟报错点一样,有很大几率触发 EXC_BAD_ACCESS 错误。
但是测试了2天,我还没有遇到,所以可以暂时假定这里的值为真值。
r2 来源取自堆栈,这里被改写的几率很大:如果内存中发生 overflow,堆栈上保存的这个值极有可能被覆盖掉,导致报错处的寻址计算失败。
所以推断是发生了overflow导致的崩溃。
根据老外发的error log 内容
Thread 2 Crashed:
0 WebCore 0x382fe95a WebCore::ComplexTextController::adjustGlyphsAndAdvances() + 522
1 WebCore 0x382fb94e WebCore::ComplexTextController::ComplexTextController(WebCore::Font const*, WebCore::TextRun const&, bool, WTF::HashSet<WebCore::SimpleFontData const*, WTF::PtrHash<WebCore::SimpleFontData const*>, WTF::HashTraits<WebCore::SimpleFontData const*> >*, bool) + 318
2 WebCore 0x382fb806 WebCore::ComplexTextController::ComplexTextController(WebCore::Font const*, WebCore::TextRun const&, bool, WTF::HashSet<WebCore::SimpleFontData const*, WTF::PtrHash<WebCore::SimpleFontData const*>, WTF::HashTraits<WebCore::SimpleFontData const*> >*, bool) + 18
3 WebCore 0x382ff990 WebCore::Font::getGlyphsAndAdvancesForComplexText(WebCore::TextRun const&, int, int, WebCore::GlyphBuffer&, WebCore::Font::ForTextEmphasisOrNot) const + 56
4 WebCore 0x382ff862 WebCore::Font::drawComplexText(WebCore::GraphicsContext*, WebCore::TextRun const&, WebCore::FloatPoint const&, int, int) const + 150
5 WebCore 0x38081684 WebCore::Font::drawText(WebCore::GraphicsContext*, WebCore::TextRun const&, WebCore::FloatPoint const&, int, int) const + 200
(名字仅供参考 没apple对应bin符号一切都只能作为参考)
结合我的推断,姑且定位在 这个所谓 adjustGlyphsAndAdvances() 函数里,假定存在问题的系统全部是ios 6.x 系列
从这个函数名来看,它是用来调整字形(glyph)以及字形的前进宽度(advance,对应后面源码里的 advance.width);具体神马是字形,我也不知道,从名字理解就是字体的形状吧。
查找WebCore 中关于 DrawText的定义
void drawText(GraphicsContext*, const TextRun&, const FloatPoint&, int from = 0, int to = -1) const;
根据调用堆栈中的内容找源码对应
return drawComplexText(context, run, point, from, to);
调用了这一行
// Quoted from a WebCore port in which drawComplexText() is only a stub.
// NOTE(review): the iOS build on the device clearly has a real implementation
// (frames 4-5 of the crash log above go drawComplexText ->
// getGlyphsAndAdvancesForComplexText), so this snippet is not the code that
// crashed; it only shows the call-site shape.
void Font::drawComplexText(GraphicsContext*, const TextRun&, const FloatPoint&, int from, int to) const
39 {
40 notImplemented();
41 }
搜了份源码,不过这个平台的实现居然是空的(notImplemented)。。算了,继续看
float Font::getGlyphsAndAdvancesForComplexText(const TextRun& run, int from, int to, GlyphBuffer& glyphBuffer, ForTextEmphasisOrNot forTextEmphasis) const
继续从字面理解 获取复杂文字的字形? 似乎是这么理解的,注意到这个函数第四个参数为一个缓冲区 咳咳 一个类对象的引用 看实现(也不知道哪儿找的)
ComplexTextController controller(this, run, false, 0, forTextEmphasis);
进去看下定义
// Quoted WebCore source (ComplexTextController.cpp): the controller that the
// complex-text path builds for one TextRun. The initialiser list copies the run
// and resets all per-run counters/bounds; the body computes the padding to add
// per space character and then runs the two passes, collectComplexTextRuns()
// followed by adjustGlyphsAndAdvances().
// NOTE(review): this signature has four parameters, while the crash-log symbol
// (frame 1 above) and the call site quoted earlier pass five (a trailing bool);
// the quoted source is therefore from a different WebCore revision than the one
// on the device, and offsets/logic may differ.
ComplexTextController::ComplexTextController(const Font* font, const TextRun& run, bool mayUseNaturalWritingDirection, HashSet<const SimpleFontData*>* fallbackFonts)
060 : m_font(*font)
061 , m_run(run)
062 , m_mayUseNaturalWritingDirection(mayUseNaturalWritingDirection)
063 , m_currentCharacter(0)
064 , m_end(run.length())
065 , m_totalWidth(0)
066 , m_runWidthSoFar(0)
067 , m_numGlyphsSoFar(0)
068 , m_currentRun(0)
069 , m_glyphInCurrentRun(0)
070 , m_characterInCurrentGlyph(0)
071 , m_finalRoundingWidth(0)
072 , m_padding(run.padding())
073 , m_fallbackFonts(fallbackFonts)
// Bounding box starts "inverted" (min at +max, max at min) so the first glyph
// seen replaces both.
074 , m_minGlyphBoundingBoxX(numeric_limits<float>::max())
075 , m_maxGlyphBoundingBoxX(numeric_limits<float>::min())
076 , m_minGlyphBoundingBoxY(numeric_limits<float>::max())
077 , m_maxGlyphBoundingBoxY(numeric_limits<float>::min())
078 , m_lastRoundingGlyph(0)
079 {
// No padding requested: nothing to distribute.
080 if (!m_padding)
081 m_padPerSpace = 0;
082 else {
// Count the characters Font::treatAsSpace() accepts; the padding is spread
// evenly over them. The !numSpaces check below guards the division.
083 int numSpaces = 0;
084 for (int s = 0; s < m_run.length(); s++) {
085 if (Font::treatAsSpace(m_run[s]))
086 numSpaces++;
087 }
088
089 if (!numSpaces)
090 m_padPerSpace = 0;
091 else
092 m_padPerSpace = m_padding / numSpaces;
093 }
094
// First pass builds the glyph runs; second pass is where the quoted crash log
// (frame 0: adjustGlyphsAndAdvances() + 522) reports the fault.
095 collectComplexTextRuns();
096 adjustGlyphsAndAdvances(); // error: crash site per the backtrace above
097 }
找到了 adjustGlyphsAndAdvances 这家伙,
也就跟之前的逻辑对上号了。
---------------------------------------------------------
在DrawText函数中
if (codePath(run) != Complex)
154 return drawSimpleText(context, run, point, from, to);
155
156 return drawComplexText(context, run, point, from, to);
这一段 调用codePath判断阿拉伯字符的时候返回了复杂类型,导致后面的出错。
ios的patch补丁处理了这里
(GlyphPatch/Tweak.mm at master · FilippoBiga/GlyphPatch · GitHub)
增加了判断
if ((c >= 0x300 && c <= 0x36F) || // Combining diacritics
(c >= 0x0600 && c <= 0x109F)) // Arabic (and other) characters
来使其返回自动类型,以跳过复杂类型的处理逻辑,规避BUG。但是跳过的范围有待增加。
----------------------------------------------------------
ComplexTextController.cpp
追溯 adjustGlyphsAndAdvances 崩溃的位置。<20130902>
// 这里是根据dump 索引到的 adjustGlyphsAndAdvances 函数的开始位置。
0x39ed4750: f0 b5 push {r4, r5, r6, r7, lr}
0x39ed4752: 03 af add r7, sp, #12
0x39ed4754: 2d e9 00 0d stmdb sp!, {r8, r10, r11}
0x39ed4758: ad f1 40 04 sub.w r4, sp, #64 ; 0x40
0x39ed475c: 24 f0 0f 04 bic.w r4, r4, #15 ; 0xf
0x39ed4760: a5 46 mov sp, r4
0x39ed4762: 04 f9 ed 82 vst1.64 {d8-d11}, [r4, :128]!
0x39ed4766: 04 f9 ef c2 vst1.64 {d12-d15}, [r4, :128]
0x39ed476a: b4 b0 sub sp, #208
0x39ed476c: 02 46 mov r2, r0
0x39ed476e: 10 68 ldr r0, [r2, #0]
0x39ed4770: d2 f8 24 12 ldr.w r1, [r2, #548]
0x39ed4774: 2a 92 str r2, [sp, #168]
0x39ed4776: 90 ed 09 0a flds s0, [r0, #36]
0x39ed477a: 16 91 str r1, [sp, #88]
0x39ed477c: b5 ee c0 0a fcmpezs s0
0x39ed4780: f1 ee 10 fa fmstat
0x39ed4784: 11 d1 bne.n 0x39ed47aa
0x39ed4786: 90 ed 0a 0a flds s0, [r0, #40]
0x39ed478a: b5 ee c0 0a fcmpezs s0
0x39ed478e: f1 ee 10 fa fmstat
0x39ed4792: 0a d1 bne.n 0x39ed47aa
0x39ed4794: 02 f6 ac 40 addw r0, r2, #3244 ; 0xcac
窃喜,因为终于找到了完整的前半部代码,这样对比"相对"有效的代码,可以寻找导致问题的细节逻辑部分了。
下面是完整代码
--------------
0x39ed4750: f0 b5 push {r4, r5, r6, r7, lr}
0x39ed4752: 03 af add r7, sp, #12
0x39ed4754: 2d e9 00 0d stmdb sp!, {r8, r10, r11}
0x39ed4758: ad f1 40 04 sub.w r4, sp, #64 ; 0x40
0x39ed475c: 24 f0 0f 04 bic.w r4, r4, #15 ; 0xf
0x39ed4760: a5 46 mov sp, r4
0x39ed4762: 04 f9 ed 82 vst1.64 {d8-d11}, [r4, :128]!
0x39ed4766: 04 f9 ef c2 vst1.64 {d12-d15}, [r4, :128]
0x39ed476a: b4 b0 sub sp, #208
0x39ed476c: 02 46 mov r2, r0
0x39ed476e: 10 68 ldr r0, [r2, #0]
0x39ed4770: d2 f8 24 12 ldr.w r1, [r2, #548]
0x39ed4774: 2a 92 str r2, [sp, #168]
0x39ed4776: 90 ed 09 0a flds s0, [r0, #36]
0x39ed477a: 16 91 str r1, [sp, #88]
0x39ed477c: b5 ee c0 0a fcmpezs s0
0x39ed4780: f1 ee 10 fa fmstat
// f
0x39ed4784: 11 d1 bne.n 0x39ed47aa
0x39ed4786: 90 ed 0a 0a flds s0, [r0, #40]
0x39ed478a: b5 ee c0 0a fcmpezs s0
0x39ed478e: f1 ee 10 fa fmstat
0x39ed4792: 0a d1 bne.n 0x39ed47aa
0x39ed4794: 02 f6 ac 40 addw r0, r2, #3244 ; 0xcac
0x39ed4798: 90 ed 00 0a flds s0, [r0]
0x39ed479c: 00 20 movs r0, #0
0x39ed479e: 09 90 str r0, [sp, #36]
0x39ed47a0: b5 ee c0 0a fcmpezs s0
0x39ed47a4: f1 ee 10 fa fmstat
0x39ed47a8: 08 d0 beq.n 0x39ed47bc
0x39ed47aa: 50 68 ldr r0, [r2, #4]
0x39ed47ac: 00 21 movs r1, #0
0x39ed47ae: 90 f8 28 00 ldrb.w r0, [r0, #40]
0x39ed47b2: 10 f0 01 0f tst.w r0, #1 ; 0x1
0x39ed47b6: 08 bf it eq
0x39ed47b8: 01 21 moveq r1, #1
0x39ed47ba: 09 91 str r1, [sp, #36]
0x39ed47bc: 16 98 ldr r0, [sp, #88]
0x39ed47be: 00 28 cmp r0, #0
0x39ed47c0: 05 d1 bne.n 0x39ed47ce if (m_run.ltr()) {
0x39ed47c2: 80 ef 10 c0 vmov.i32 d12, #0 ; 0x00000000
0x39ed47c6: 02 f5 49 60 add.w r0, r2, #3216 ; 0xc90
0x39ed47ca: 00 f0 72 bc b.w 0x39ed50b2
0x39ed47ce: 02 f6 a8 40 addw r0, r2, #3240 ; 0xca8
0x39ed47d2: 80 ef 10 b0 vmov.i32 d11, #0 ; 0x00000000
0x39ed47d6: 08 90 str r0, [sp, #32]
0x39ed47d8: 02 f6 cc 40 addw r0, r2, #3276 ; 0xccc
0x39ed47dc: 87 ff 10 ef vmov.f32 d14, #-1 ; 0xbf800000
0x39ed47e0: 07 90 str r0, [sp, #28]
0x39ed47e2: 02 f6 c8 40 addw r0, r2, #3272 ; 0xcc8
0x39ed47e6: 2b ef 1b c1 vorr d12, d11, d11
0x39ed47ea: 06 90 str r0, [sp, #24]
0x39ed47ec: 02 f6 c4 40 addw r0, r2, #3268 ; 0xcc4
0x39ed47f0: 00 25 movs r5, #0
0x39ed47f2: 05 90 str r0, [sp, #20]
0x39ed47f4: 02 f5 4c 60 add.w r0, r2, #3264 ; 0xcc0
0x39ed47f8: 04 90 str r0, [sp, #16]
0x39ed47fa: 02 f6 7c 20 addw r0, r2, #2684 ; 0xa7c
0x39ed47fe: 03 90 str r0, [sp, #12]
0x39ed4800: 02 f5 1c 70 add.w r0, r2, #624 ; 0x270
0x39ed4804: 1d 90 str r0, [sp, #116]
0x39ed4806: 02 f6 b4 40 addw r0, r2, #3252 ; 0xcb4
0x39ed480a: 02 90 str r0, [sp, #8]
0x39ed480c: 02 f5 4b 60 add.w r0, r2, #3248 ; 0xcb0
0x39ed4810: 1c 90 str r0, [sp, #112]
0x39ed4812: 02 f6 ac 40 addw r0, r2, #3244 ; 0xcac
0x39ed4816: 1b 90 str r0, [sp, #108]
0x39ed4818: 02 f5 49 60 add.w r0, r2, #3216 ; 0xc90
0x39ed481c: 2b 90 str r0, [sp, #172]
0x39ed481e: 47 f6 52 10 movw r0, #31058 ; 0x7952
0x39ed4822: c0 f2 7e 30 movt r0, #894 ; 0x37e
0x39ed4826: 78 44 add r0, pc
0x39ed4828: 00 68 ldr r0, [r0, #0]
0x39ed482a: 01 90 str r0, [sp, #4]
0x39ed482c: 47 f6 88 20 movw r0, #31368 ; 0x7a88
0x39ed4830: c0 f2 7e 30 movt r0, #894 ; 0x37e
0x39ed4834: 78 44 add r0, pc
0x39ed4836: 00 68 ldr r0, [r0, #0]
0x39ed4838: 1a 90 str r0, [sp, #104]
0x39ed483a: d2 f8 28 02 ldr.w r0, [r2, #552]
0x39ed483e: 92 46 mov r10, r2
0x39ed4840: 50 f8 25 60 ldr.w r6, [r0, r5, lsl #2]
0x39ed4844: 15 96 str r6, [sp, #84]
0x39ed4846: 74 68 ldr r4, [r6, #4]
0x39ed4848: d6 f8 08 b0 ldr.w r11, [r6, #8]
0x39ed484c: 14 94 str r4, [sp, #80]
0x39ed484e: 0b f2 7c 40 addw r0, r11, #1148 ; 0x47c
0x39ed4852: 9b f8 30 80 ldrb.w r8, [r11, #48]
0x39ed4856: 13 90 str r0, [sp, #76]
0x39ed4858: 90 ed 00 0a flds s0, [r0]
0x39ed485c: 0b f2 64 40 addw r0, r11, #1124 ; 0x464
0x39ed4860: 90 ed 00 1a flds s2, [r0]
0x39ed4864: 12 90 str r0, [sp, #72]
0x39ed4866: d6 f8 d4 04 ldr.w r0, [r6, #1236]
0x39ed486a: 21 ef 00 0d vsub.f32 d0, d1, d0
0x39ed486e: 21 90 str r0, [sp, #132]
0x39ed4870: d6 f8 c4 02 ldr.w r0, [r6, #708]
0x39ed4874: 8d ed 0e 0b vstr d0, [sp, #56]
0x39ed4878: 11 90 str r0, [sp, #68]
0x39ed487a: 10 ee 10 0a fmrs r0, s0
0x39ed487e: 26 f2 04 e7 blx 0x3a4fb688
0x39ed4882: 01 35 adds r5, #1
0x39ed4884: 14 b9 cbnz r4, 0x39ed488c
0x39ed4886: 52 46 mov r2, r10
0x39ed4888: 00 f0 09 bc b.w 0x39ed509e
0x39ed488c: da f8 04 10 ldr.w r1, [r10, #4]
0x39ed4890: f2 68 ldr r2, [r6, #12]
0x39ed4892: 40 ec 30 0b vmov d16, r0, r0
0x39ed4896: 08 f0 01 00 and.w r0, r8, #1 ; 0x1
0x39ed489a: 09 6a ldr r1, [r1, #32]
0x39ed489c: 20 92 str r2, [sp, #128]
0x39ed489e: 01 9a ldr r2, [sp, #4]
0x39ed48a0: 0b 90 str r0, [sp, #44]
0x39ed48a2: 0b f1 50 00 add.w r0, r11, #80 ; 0x50
0x39ed48a6: 01 29 cmp r1, #1
0x39ed48a8: 1f 90 str r0, [sp, #124]
0x39ed48aa: 0b f1 58 00 add.w r0, r11, #88 ; 0x58
0x39ed48ae: 92 ed 00 2a flds s4, [r2]
0x39ed48b2: 92 ed 01 fa flds s30, [r2, #4]
0x39ed48b6: 6f f0 00 42 mvn.w r2, #2147483648 ; 0x80000000
0x39ed48ba: 25 95 str r5, [sp, #148]
0x39ed48bc: cd ed 0c 0b vstr d16, [sp, #48]
0x39ed48c0: 08 bf it eq
0x39ed48c2: 4f f0 00 42 moveq.w r2, #2147483648 ; 0x80000000
0x39ed48c6: 1e 90 str r0, [sp, #120]
0x39ed48c8: 0b f1 54 00 add.w r0, r11, #84 ; 0x54
0x39ed48cc: 26 90 str r0, [sp, #152]
0x39ed48ce: 0b f5 8d 60 add.w r0, r11, #1128 ; 0x468
0x39ed48d2: 0a 90 str r0, [sp, #40]
0x39ed48d4: 01 20 movs r0, #1
0x39ed48d6: 23 90 str r0, [sp, #140]
0x39ed48d8: 00 20 movs r0, #0
0x39ed48da: cd f8 88 b0 str.w r11, [sp, #136]
0x39ed48de: 0f e0 b.n 0x39ed4900
0x39ed48e0: b6 ee 00 1b fconstd d1, #96
0x39ed48e4: 2a 98 ldr r0, [sp, #168]
0x39ed48e6: ab 46 mov r11, r5
0x39ed48e8: 9d ed 2d 0a flds s0, [sp, #180]
0x39ed48ec: 9d ed 2c 1a flds s2, [sp, #176]
0x39ed48f0: 40 68 ldr r0, [r0, #4]
0x39ed48f2: 0f ef 00 fd vadd.f32 d15, d15, d0
0x39ed48f6: 01 6a ldr r1, [r0, #32]
0x39ed48f8: 10 46 mov r0, r2
0x39ed48fa: 02 ef 01 2d vadd.f32 d2, d2, d1
0x39ed48fe: 28 9a ldr r2, [sp, #160]
0x39ed4900: d6 f8 24 31 ldr.w r3, [r6, #292]
0x39ed4904: 4f f0 00 09 mov.w r9, #0 ; 0x0
0x39ed4908: 20 9e ldr r6, [sp, #128]
0x39ed490a: 8d ed 18 2b vstr d2, [sp, #96]
0x39ed490e: 53 f8 20 50 ldr.w r5, [r3, r0, lsl #2]
0x39ed4912: 36 f8 15 80 ldrh.w r8, [r6, r5, lsl #1]
0x39ed4916: 95 42 cmp r5, r2
0x39ed4918: 4f f0 00 02 mov.w r2, #0 ; 0x0
0x39ed491c: 4f f0 00 06 mov.w r6, #0 ; 0x0
0x39ed4920: 28 95 str r5, [sp, #160]
0x39ed4922: a8 bf it ge
0x39ed4924: 01 22 movge r2, #1
0x39ed4926: d8 bf it le
0x39ed4928: 01 26 movle r6, #1
0x39ed492a: 01 29 cmp r1, #1
0x39ed492c: 08 bf it eq
if (m_padding < m_padPerSpace) {
496
advance.width += m_padding;
497
m_padding = 0;
498
} else {
499
float previousPadding = m_padding;
500
m_padding -= m_padPerSpace;
501
advance.width += roundf(previousPadding) - roundf(m_padding);
502
}
0x39ed492e: 16 46 moveq r6, r2
0x39ed4930: 23 99 ldr r1, [sp, #140]
0x39ed4932: 45 1c adds r5, r0, #1
0x39ed4934: dd f8 94 c0 ldr.w r12, [sp, #148]
0x39ed4938: 01 ea 06 01 and.w r1, r1, r6
0x39ed493c: 23 91 str r1, [sp, #140]
0x39ed493c: 23 91 str r1, [sp, #140]
0x39ed493e: 16 99 ldr r1, [sp, #88]
0x39ed4940: 8c 45 cmp r12, r1
0x39ed4942: 08 bf it eq
0x39ed4944: a5 42 cmpeq r5, r4
0x39ed4946: 03 d1 bne.n 0x39ed4950
0x39ed4948: 01 21 movs r1, #1
0x39ed494a: 20 26 movs r6, #32
0x39ed494c: 27 91 str r1, [sp, #156]
0x39ed494e: 14 e0 b.n 0x39ed497a
0x39ed4950: a5 42 cmp r5, r4
0x39ed4952: 05 d2 bcs.n 0x39ed4960
0x39ed4954: 53 f8 25 10 ldr.w r1, [r3, r5, lsl #2]
0x39ed4958: 20 9a ldr r2, [sp, #128]
0x39ed495a: 32 f8 11 60 ldrh.w r6, [r2, r1, lsl #1]
--------------
行了,调戏神马的,已经过眼云烟了,现在开始发动人肉引擎..OTZ..
/ width so that the total run width will be on an integer boundary.
521 if (m_run.applyWordRounding() && !lastGlyph && Font::isRoundingHackCharacter(nextCh) || m_run.applyRunRounding() && lastGlyph) {
522 CGFloat totalWidth = widthSinceLastRounding + advance.width;
523 widthSinceLastRounding = ceilCGFloat(totalWidth);
524 CGFloat extraWidth = widthSinceLastRounding - totalWidth;
525 if (m_run.ltr())
526 advance.width += extraWidth;
527 else {
528 if (m_lastRoundingGlyph)
529 m_adjustedAdvances[m_lastRoundingGlyph - 1].width += extraWidth;
530 else
531 m_finalRoundingWidth = extraWidth;
532 m_lastRoundingGlyph = m_adjustedAdvances.size() + 1;
533 }
534 m_totalWidth += widthSinceLastRounding;
535 widthSinceLastRounding = 0;
536 } else
537 widthSinceLastRounding += advance.width;
问题似乎就发生在这里了 (首先并不能确定实现的代码是否靠谱,以及在手头只有一个iphone的前提下的任何调戏,都是主观的 · so so..)
但是,溢出点依旧还没有找到:崩溃发生的层级和溢出发生的层级不同,代码执行到这里的时候,内存其实已经被溢出破坏了。
但是后面判断溢出点也比较容易了,就剩下体力活,可以写个hook处理几个关键点,做参数trace。实在没时间写详细细节。这个溢出本来除了拒绝服务外还是有很大乐趣的,可是,苹果马上要出IOS7正式版了,娱乐什么的,只能自娱自乐了。IOS7 的界面跟安卓似的,到底你俩有怎么样的一腿,能跟我说说么。。唉。Mark下日期,以后有时间再更新新的analyze log。