Changes

Jump to navigation Jump to search
1,370 bytes added ,  00:40, 13 August 2011
no edit summary
Line 5: Line 5:     
I think it is not so easy because this browser using Apple Webkit.
 
I think it is not so easy because this browser using Apple Webkit.
 +
 +
 +
I don't think this is exploitable in any way. To me, seems more like NULL pointer dereferencing. Here's my full theory, may be wrong tho:
 +
* the Javascript engine doesn't allocate memory for strings that are too long, but still keeps track of their length. (try generating a 2^31 characters long string, alert()'ing it shows an empty alert, however its length returns the expected value)
 +
* such strings point to NULL instead of pointing to a memory buffer with characters. Their size is checked before trying to read them.
 +
* now, if you generate a 2^32 string, the length of the string is 0x100000000 characters. This value gets cut off to zero because it doesn't fit in a 32bit integer. Therefore the length property of the string is zero.
 +
* when trying to alert() this string, the security check described above does infact "0 < maxlength", so the string is considered short enough to be displayed. However, since it was made from strings being already too large, its pointer is NULL.
 +
* the browser tries to read from NULL, causing an exception. Probably said exception would trigger special stuff on dev/debug units, but was set to just enter an endless loop on retail units.
 +
 +
Long story short, nothing gets overwritten. Just an attempt at using a NULL pointer. This is only a theory though, I may be wrong. --[[User:Luigi2us|Luigi2us]] 01:40, 13 August 2011 (CEST)
136

edits

Navigation menu