CoreText exploit analyzed
An analysis has been conducted on the recently uncovered CoreText exploit to determine exactly how it worked. The exploit crashed apps when malicious text messages and emails were opened on iOS devices and Macs. According to The Register, the bug comes down to negative-length strings.
Apple's CoreText rendering system uses signed integers to pass around array indexes and string lengths. A negative length, -1, is passed unchecked to a library function that takes it as an unsigned long integer and uses it to set the bounds of an array. Since -1 converts to the largest possible unsigned value, the library attempts to read far beyond the end of the array and into unmapped memory, triggering a fatal exception.
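The signed-to-unsigned mix-up described above, as an added C example (not The Register's analysis code and not Apple's CoreText source): a constructed array of glyph widths stands in for the array CoreText indexes, `unchecked_would_overrun` models the library call that accepts a signed -1 as an unsigned count, and `checked_run_width` shows the validation the caller should perform before the conversion happens. Function names and sample data are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: advance widths for a short run of glyphs, standing
 * in for the array the text says CoreText indexes with a signed length.
 * Hypothetical data, not CoreText's own structures. */
static const int kGlyphWidths[8] = {10, 12, 8, 14, 9, 11, 10, 13};
#define kGlyphCapacity (sizeof kGlyphWidths / sizeof kGlyphWidths[0])

/* What a size_t (unsigned long on LP64) parameter receives when the caller
 * passes a signed length straight through: -1 becomes SIZE_MAX. */
size_t as_unsigned_count(long signed_len)
{
    return (size_t)signed_len; /* implicit in a real call; spelled out here */
}

/* Models the unchecked library entry point: it takes an unsigned count and
 * would walk that many elements. We only report whether the walk would
 * leave the array, instead of actually reading past it and faulting. */
int unchecked_would_overrun(long signed_len, size_t capacity)
{
    size_t count = (size_t)signed_len; /* no sign check, as in the bug */
    return count > capacity;
}

/* Hardened caller: validate the signed length before it is converted,
 * then bound it by the array's real capacity. Returns 0 on success and
 * writes the summed width; returns -1 if the length is rejected. */
int checked_run_width(const int *widths, size_t capacity,
                      long signed_len, long *total)
{
    if (signed_len < 0)
        return -1;                     /* the check the text says was missing */
    size_t count = (size_t)signed_len; /* now safe: known non-negative */
    if (count > capacity)
        return -1;                     /* still bounded by the real array */
    long sum = 0;
    for (size_t i = 0; i < count; i++)
        sum += widths[i];
    *total = sum;
    return 0;
}

int main(void)
{
    long total = 0;
    int rc;

    printf("-1 as size_t: %zu (SIZE_MAX is %zu)\n",
           as_unsigned_count(-1), (size_t)SIZE_MAX);
    printf("unchecked walk with len=-1 leaves the array: %d\n",
           unchecked_would_overrun(-1, kGlyphCapacity));

    rc = checked_run_width(kGlyphWidths, kGlyphCapacity, -1, &total);
    printf("checked len=-1 -> rc=%d (rejected)\n", rc);

    rc = checked_run_width(kGlyphWidths, kGlyphCapacity, 3, &total);
    printf("checked len=3  -> rc=%d, total=%ld\n", rc, total);
    return 0;
}
```

The point of the example is where the check lives: once the value has been converted to `size_t`, a later `count > capacity` test cannot tell a legitimate large count from a negative one, so the sign must be rejected while the length is still signed.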
Have any of you been bitten by this bug?
Source: The Register