
Address Sanitizer complaining about heap-buffer-overflow in [PKMultipartElement read:maxLength:]

Open pixelmatrix opened this issue 8 years ago • 5 comments

I enabled Address Sanitizer after seeing complaints from malloc about memory checksums, and it pointed me to [PKMultipartElement read:maxLength:]. Specifically line 176, where it says:

*(buffer + sent) = '\n';

Backtrace:

* thread #14, name = 'com.apple.NSURLConnectionLoader', stop reason = Heap buffer overflow
    frame #0: 0x0000000101c48cac libclang_rt.asan_ios_dynamic.dylib`__asan::AsanDie()
    frame #1: 0x0000000101c5c41c libclang_rt.asan_ios_dynamic.dylib`__sanitizer::Die() + 92
    frame #2: 0x0000000101c4632c libclang_rt.asan_ios_dynamic.dylib`__asan::ScopedInErrorReport::~ScopedInErrorReport() + 348
    frame #3: 0x0000000101c45cfc libclang_rt.asan_ios_dynamic.dylib`__asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) + 292
    frame #4: 0x0000000101c46d6c libclang_rt.asan_ios_dynamic.dylib`__asan_report_store1 + 52
  * frame #5: 0x000000010352f10c PKMultipartInputStream`-[PKMultipartElement read:maxLength:](self=0x0000000169e9c6e0, _cmd="read:maxLength:", buffer="--DFEA4E6D-A2C2-4F6F-9419-3F868BBC3F7A-4107-00001EAC563BC99D\r\nContent-Disposition: form-data; name=\"post\"\r\nContent-Type: application/json\r\n\r\n{\"post\":{\"id\":\"04C5DD1D-5958-41F2-B444-2B883BCC2594\",\"media\":{\"hasAudio\":false,\"id\":\"F3D312DC-4D9A-4B25-A63E-B7D869263E1A\",\"mentions\":[{\"id\":\"044A89CC-FB99-4656-A470-95369706E3ED\",\"profileId\":\"c29b2b6e-e464-4903-8973-e3fb877c2f8e\",\"labelPolygon\":[[-0.8420772932210209,-0.3268365817091454],[0.1084654856086575,-0.3268365817091454],[0.1084654856086575,-0.2056403501259422],[-0.8420772932210209,-0.2056403501259422]]},{\"id\":\"82EA5F66-CE52-43C2-AFF9-D2E38E6A67F8\",\"profileId\":\"5a9c4e1c-461a-465e-89c0-15be263236dc\",\"labelPolygon\":[[0.150386160329364,-0.3268365817091454],[0.8420772932210209,-0.3268365817091454],[0.8420772932210209,-0.2056403501259422],[0.150386160329364,-0.2056403501259422]]}],\"notificationType\":\"DEFAULT\"},\"storyId\":\"336b6b34-f633-4842-a677-bd930337c1b0\"}}\r", len=914) at PKMultipartInputStream.m:176
    frame #6: 0x0000000103532bd4 PKMultipartInputStream`-[PKMultipartInputStream read:maxLength:](self=0x000000016991e680, _cmd="read:maxLength:", buffer="r\x03\366\3113l\x1cye\xb7c==\xaao\355M";y\x92\x02A\x9a\333\312\nc%\303c\370\xa4$\344z\300\256R\x8a\357Y\305k\336I7k~\x7f\x8b\xbe\xa7+\313iZɵ\xadα\xaf^\x0f\x0eFd\\O(kx߿\x92\x0eO\370V.\x8fy\x16\x9f\xa8\305u0;\x17p;y \x10GJ\316%\x8e\x01$\x81\300\311'\x1fOJJƮa9T\xa7R?a+|\xbf\314\322\x9e\x0e*\x13\x83\373W\374N\x82+\x9d)\354\333L\x9eic\x8e9\x8c\xb1ʨN\361\216\340r\x0f\xa5Q\325o\x93P\324\3565*\x87h\\\365!F2}\315S\x82\tnfX \x1b\x9d\316t\317\347Q\xb2\xb21F\340\251 \375E\x15\xb1\xb5jRQq\xb2\xbe\372\364\331|\257\376aK\v\bTrO_\363\335\374\354t\xb7\x1aŤ\x97\xba\x84\350ϲ\346|\x11\363, len=4096) at PKMultipartInputStream.m:264
    frame #7: 0x000000018c435874 CFNetwork`RequestBodyStreamProvider::readBodyStream(bool) + 272
    frame #8: 0x0000000105e89a10 libdispatch.dylib`_dispatch_client_callout + 16
    frame #9: 0x0000000105e943d8 libdispatch.dylib`_dispatch_block_invoke_direct + 356
    frame #10: 0x000000018c50bb30 CFNetwork`RunloopBlockContext::_invoke_block(void const*, void*) + 36
    frame #11: 0x000000018bba2710 CoreFoundation`CFArrayApplyFunction + 68
    frame #12: 0x000000018c50b9f0 CFNetwork`RunloopBlockContext::perform() + 128
    frame #13: 0x000000018c50cd34 CFNetwork`MultiplexerSource::perform() + 312
    frame #14: 0x000000018c50caa0 CFNetwork`MultiplexerSource::_perform(void*) + 64
    frame #15: 0x000000018bc7542c CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 24
    frame #16: 0x000000018bc74d9c CoreFoundation`__CFRunLoopDoSources0 + 540
    frame #17: 0x000000018bc729a8 CoreFoundation`__CFRunLoopRun + 744
    frame #18: 0x000000018bba2da4 CoreFoundation`CFRunLoopRunSpecific + 424
    frame #19: 0x000000018c3aedf4 CFNetwork`+[NSURLConnection(Loader) _resourceLoadLoop:] + 404
    frame #20: 0x000000018c7ba2d8 Foundation`__NSThread__start__ + 996
    frame #21: 0x000000018ad8968c libsystem_pthread.dylib`_pthread_body + 240
    frame #22: 0x000000018ad8959c libsystem_pthread.dylib`_pthread_start + 284
    frame #23: 0x000000018ad86cb4 libsystem_pthread.dylib`thread_start + 4

Here's the full text from Address Sanitizer:

=================================================================

==4107==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x00015a27f500 at pc 0x00010352f10c bp 0x00016e5ad310 sp 0x00016e5ad308
WRITE of size 1 at 0x00015a27f500 thread T13
    #0 0x10352f10b in -[PKMultipartElement read:maxLength:] (/private/var/containers/Bundle/Application/EB0C84D1-B486-412E-A826-158CBFCBE748/Riff.app/Frameworks/PKMultipartInputStream.framework/PKMultipartInputStream:arm64+0xb10b)
    #1 0x103532bd3 in -[PKMultipartInputStream read:maxLength:] (/private/var/containers/Bundle/Application/EB0C84D1-B486-412E-A826-158CBFCBE748/Riff.app/Frameworks/PKMultipartInputStream.framework/PKMultipartInputStream:arm64+0xebd3)
    #2 0x18c435873 in <redacted> (/System/Library/Frameworks/CFNetwork.framework/CFNetwork:arm64+0x168873)
    #3 0x105e89a0f in _dispatch_client_callout (/usr/lib/system/introspection/libdispatch.dylib:arm64+0x1a0f)
    #4 0x105e943d7 in _dispatch_block_invoke_direct (/usr/lib/system/introspection/libdispatch.dylib:arm64+0xc3d7)
    #5 0x18c50bb2f in <redacted> (/System/Library/Frameworks/CFNetwork.framework/CFNetwork:arm64+0x23eb2f)
    #6 0x18bba270f in CFArrayApplyFunction (/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation:arm64+0x870f)
    #7 0x18c50b9ef in <redacted> (/System/Library/Frameworks/CFNetwork.framework/CFNetwork:arm64+0x23e9ef)
    #8 0x18c50cd33 in <redacted> (/System/Library/Frameworks/CFNetwork.framework/CFNetwork:arm64+0x23fd33)
    #9 0x18c50ca9f in <redacted> (/System/Library/Frameworks/CFNetwork.framework/CFNetwork:arm64+0x23fa9f)
    #10 0x18bc7542b in <redacted> (/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation:arm64+0xdb42b)
    #11 0x18bc74d9b in <redacted> (/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation:arm64+0xdad9b)
    #12 0x18bc729a7 in <redacted> (/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation:arm64+0xd89a7)
    #13 0x18bba2da3 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation:arm64+0x8da3)
    #14 0x18c3aedf3 in <redacted> (/System/Library/Frameworks/CFNetwork.framework/CFNetwork:arm64+0xe1df3)
    #15 0x18c7ba2d7 in <redacted> (/System/Library/Frameworks/Foundation.framework/Foundation:arm64+0x10a2d7)
    #16 0x18ad8968b in <redacted> (/usr/lib/system/libsystem_pthread.dylib:arm64+0x368b)
    #17 0x18ad8959b in _pthread_start (/usr/lib/system/libsystem_pthread.dylib:arm64+0x359b)
    #18 0x18ad86cb3 in thread_start (/usr/lib/system/libsystem_pthread.dylib:arm64+0xcb3)

0x00015a27f500 is located 0 bytes to the right of 4096-byte region [0x00015a27e500,0x00015a27f500)
allocated by thread T13 here:
    #0 0x101c4b5e7 in wrap__Znam (/var/containers/Bundle/Application/EB0C84D1-B486-412E-A826-158CBFCBE748/Riff.app/Frameworks/libclang_rt.asan_ios_dynamic.dylib:arm64+0x575e7)
    #1 0x18c435847 in <redacted> (/System/Library/Frameworks/CFNetwork.framework/CFNetwork:arm64+0x168847)
    #2 0x105e89a0f in _dispatch_client_callout (/usr/lib/system/introspection/libdispatch.dylib:arm64+0x1a0f)
    #3 0x105e943d7 in _dispatch_block_invoke_direct (/usr/lib/system/introspection/libdispatch.dylib:arm64+0xc3d7)
    #4 0x18c50bb2f in <redacted> (/System/Library/Frameworks/CFNetwork.framework/CFNetwork:arm64+0x23eb2f)
    #5 0x18bba270f in CFArrayApplyFunction (/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation:arm64+0x870f)
    #6 0x18c50b9ef in <redacted> (/System/Library/Frameworks/CFNetwork.framework/CFNetwork:arm64+0x23e9ef)
    #7 0x18c50cd33 in <redacted> (/System/Library/Frameworks/CFNetwork.framework/CFNetwork:arm64+0x23fd33)
    #8 0x18c50ca9f in <redacted> (/System/Library/Frameworks/CFNetwork.framework/CFNetwork:arm64+0x23fa9f)
    #9 0x18bc7542b in <redacted> (/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation:arm64+0xdb42b)
    #10 0x18bc74d9b in <redacted> (/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation:arm64+0xdad9b)
    #11 0x18bc729a7 in <redacted> (/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation:arm64+0xd89a7)
    #12 0x18bba2da3 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation:arm64+0x8da3)
    #13 0x18c3aedf3 in <redacted> (/System/Library/Frameworks/CFNetwork.framework/CFNetwork:arm64+0xe1df3)
    #14 0x18c7ba2d7 in <redacted> (/System/Library/Frameworks/Foundation.framework/Foundation:arm64+0x10a2d7)
    #15 0x18ad8968b in <redacted> (/usr/lib/system/libsystem_pthread.dylib:arm64+0x368b)
    #16 0x18ad8959b in _pthread_start (/usr/lib/system/libsystem_pthread.dylib:arm64+0x359b)
    #17 0x18ad86cb3 in thread_start (/usr/lib/system/libsystem_pthread.dylib:arm64+0xcb3)

Thread T13 created by T4 here:
    #0 0x101c3928f in wrap_pthread_create (/var/containers/Bundle/Application/EB0C84D1-B486-412E-A826-158CBFCBE748/Riff.app/Frameworks/libclang_rt.asan_ios_dynamic.dylib:arm64+0x4528f)
    #1 0x18c6f1f27 in <redacted> (/System/Library/Frameworks/Foundation.framework/Foundation:arm64+0x41f27)
    #2 0x18c3aec07 in <redacted> (/System/Library/Frameworks/CFNetwork.framework/CFNetwork:arm64+0xe1c07)
    #3 0x105e89a0f in _dispatch_client_callout (/usr/lib/system/introspection/libdispatch.dylib:arm64+0x1a0f)
    #4 0x105e8a777 in dispatch_once_f (/usr/lib/system/introspection/libdispatch.dylib:arm64+0x2777)
    #5 0x18c3aeb3b in <redacted> (/System/Library/Frameworks/CFNetwork.framework/CFNetwork:arm64+0xe1b3b)
    #6 0x18c50c133 in <redacted> (/System/Library/Frameworks/CFNetwork.framework/CFNetwork:arm64+0x23f133)
    #7 0x105e89a0f in _dispatch_client_callout (/usr/lib/system/introspection/libdispatch.dylib:arm64+0x1a0f)
    #8 0x105e8a777 in dispatch_once_f (/usr/lib/system/introspection/libdispatch.dylib:arm64+0x2777)
    #9 0x18c50a717 in <redacted> (/System/Library/Frameworks/CFNetwork.framework/CFNetwork:arm64+0x23d717)
    #10 0x18c50ad2b in <redacted> (/System/Library/Frameworks/CFNetwork.framework/CFNetwork:arm64+0x23dd2b)
    #11 0x105e89a0f in _dispatch_client_callout (/usr/lib/system/introspection/libdispatch.dylib:arm64+0x1a0f)
    #12 0x105e8a777 in dispatch_once_f (/usr/lib/system/introspection/libdispatch.dylib:arm64+0x2777)
    #13 0x18c509663 in <redacted> (/System/Library/Frameworks/CFNetwork.framework/CFNetwork:arm64+0x23c663)
    #14 0x18c45a217 in <redacted> (/System/Library/Frameworks/CFNetwork.framework/CFNetwork:arm64+0x18d217)
    #15 0x18c459be3 in <redacted> (/System/Library/Frameworks/CFNetwork.framework/CFNetwork:arm64+0x18cbe3)
    #16 0x18c4595cb in <redacted> (/System/Library/Frameworks/CFNetwork.framework/CFNetwork:arm64+0x18c5cb)
    #17 0x18c39f53b in <redacted> (/System/Library/Frameworks/CFNetwork.framework/CFNetwork:arm64+0xd253b)
    #18 0x18c39fb3b in <redacted> (/System/Library/Frameworks/CFNetwork.framework/CFNetwork:arm64+0xd2b3b)
    #19 0x18c39f0ef in <redacted> (/System/Library/Frameworks/CFNetwork.framework/CFNetwork:arm64+0xd20ef)
    #20 0x101c4044b in __wrap_dispatch_async_block_invoke (/var/containers/Bundle/Application/EB0C84D1-B486-412E-A826-158CBFCBE748/Riff.app/Frameworks/libclang_rt.asan_ios_dynamic.dylib:arm64+0x4c44b)
    #21 0x105e89a4f in _dispatch_call_block_and_release (/usr/lib/system/introspection/libdispatch.dylib:arm64+0x1a4f)
    #22 0x105e89a0f in _dispatch_client_callout (/usr/lib/system/introspection/libdispatch.dylib:arm64+0x1a0f)
    #23 0x105e972e7 in _dispatch_queue_serial_drain (/usr/lib/system/introspection/libdispatch.dylib:arm64+0xf2e7)
    #24 0x105e8d633 in _dispatch_queue_invoke (/usr/lib/system/introspection/libdispatch.dylib:arm64+0x5633)
    #25 0x105e9780f in _dispatch_queue_override_invoke (/usr/lib/system/introspection/libdispatch.dylib:arm64+0xf80f)
    #26 0x105e9962f in _dispatch_root_queue_drain (/usr/lib/system/introspection/libdispatch.dylib:arm64+0x1162f)
    #27 0x105e9939b in _dispatch_worker_thread3 (/usr/lib/system/introspection/libdispatch.dylib:arm64+0x1139b)
    #28 0x18ad870ff in _pthread_wqthread (/usr/lib/system/libsystem_pthread.dylib:arm64+0x10ff)
    #29 0x18ad86cab in start_wqthread (/usr/lib/system/libsystem_pthread.dylib:arm64+0xcab)

Thread T4 created by T0 here:
    <empty stack>

SUMMARY: AddressSanitizer: heap-buffer-overflow (/private/var/containers/Bundle/Application/EB0C84D1-B486-412E-A826-158CBFCBE748/Riff.app/Frameworks/PKMultipartInputStream.framework/PKMultipartInputStream:arm64+0xb10b) in -[PKMultipartElement read:maxLength:]
Shadow bytes around the buggy address:
  0x0001319afe50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0001319afe60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0001319afe70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0001319afe80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0001319afe90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0001319afea0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0001319afeb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0001319afec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0001319afed0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0001319afee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0001319afef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb

Any ideas what could be happening here? Happy to provide whatever data is helpful.

pixelmatrix, Jun 14 '17 23:06

The other thing I can say is that this happens intermittently on a request basis, and not with every request. If I make a stream with different data in the same app build, it seems to be fine, but fails 100% of the time with this specific stream.

pixelmatrix, Jun 14 '17 23:06
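An added C model of the off-by-one the report points at (not PKMultipartInputStream's own code; the element struct, function names and the 16-byte body are assumptions): the unchecked read copies as much body as fits and then stores the newline at buffer[sent] even when sent already equals maxLength, which is exactly the "0 bytes to the right of the region" write ASan flags, and it fires only when the element body happens to fill the requested length, which matches the content-dependent behaviour described above. The bounded version emits the newline only when room remains and otherwise carries it to the next read call; a guard byte placed just past the modelled buffer reproduces the overrun deterministically without undefined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of one multipart element: its body, followed by the
 * single '\n' that the quoted line appends after the body is delivered. */
typedef struct {
    const uint8_t *body;
    size_t body_len;
    size_t body_pos;     /* bytes of the body already handed to the caller */
    bool   trailer_sent; /* whether the trailing '\n' has been handed out */
} element_t;

/* Pattern behind the ASan report: after copying the body, the newline is
 * written at buffer[sent] with no check that sent < max_len. When the body
 * exactly fills max_len, the store lands one byte past the caller's buffer
 * and the function also reports more bytes than the caller asked for. */
size_t element_read_unchecked(element_t *e, uint8_t *buffer, size_t max_len)
{
    size_t remaining = e->body_len - e->body_pos;
    size_t sent = remaining < max_len ? remaining : max_len;
    memcpy(buffer, e->body + e->body_pos, sent);
    e->body_pos += sent;
    if (e->body_pos == e->body_len && !e->trailer_sent) {
        buffer[sent] = '\n';   /* defect: sent may already equal max_len */
        sent++;
        e->trailer_sent = true;
    }
    return sent;
}

/* Bounded version: the newline is appended only if it fits. If it does not,
 * trailer_sent stays false so the next read call delivers it first. */
size_t element_read_bounded(element_t *e, uint8_t *buffer, size_t max_len)
{
    size_t remaining = e->body_len - e->body_pos;
    size_t sent = remaining < max_len ? remaining : max_len;
    memcpy(buffer, e->body + e->body_pos, sent);
    e->body_pos += sent;
    if (e->body_pos == e->body_len && !e->trailer_sent && sent < max_len) {
        buffer[sent++] = '\n';
        e->trailer_sent = true;
    }
    return sent;
}

bool element_has_more(const element_t *e)
{
    return e->body_pos < e->body_len || !e->trailer_sent;
}

/* Probe: a constructed 16-byte body read with max_len 16 into a buffer that
 * has one guard byte past the modelled region. Returns true when the read
 * overwrote the guard, i.e. when it reproduced the one-byte heap overrun. */
bool probe_overflow(bool bounded)
{
    const uint8_t *body = (const uint8_t *)"0123456789abcdef";   /* constructed */
    uint8_t buf[16 + 1];
    buf[16] = 0xEE;                     /* guard just past the 16-byte "region" */
    element_t e = { body, 16, 0, false };
    if (bounded)
        element_read_bounded(&e, buf, 16);
    else
        element_read_unchecked(&e, buf, 16);
    return buf[16] != 0xEE;
}

/* Drain an element with repeated bounded reads of at most chunk bytes,
 * appending into out. Returns the total number of bytes produced. */
size_t drain_bounded(const uint8_t *body, size_t body_len, size_t chunk,
                     uint8_t *out, size_t out_cap)
{
    element_t e = { body, body_len, 0, false };
    size_t total = 0;
    if (chunk == 0)
        return 0;
    while (element_has_more(&e) && total < out_cap) {
        size_t room = out_cap - total;
        total += element_read_bounded(&e, out + total, room < chunk ? room : chunk);
    }
    return total;
}

/* True when draining body in chunk-sized reads yields body plus exactly one
 * '\n', regardless of where the chunk boundaries fall. */
bool drain_reproduces(const char *body, size_t chunk)
{
    size_t len = strlen(body);
    uint8_t out[256];
    if (len + 1 > sizeof out)
        return false;
    size_t n = drain_bounded((const uint8_t *)body, len, chunk, out, sizeof out);
    return n == len + 1 && memcmp(out, body, len) == 0 && out[len] == '\n';
}

int main(void)
{
    printf("unchecked read clobbers guard byte: %s\n", probe_overflow(false) ? "yes" : "no");
    printf("bounded read clobbers guard byte:   %s\n", probe_overflow(true) ? "yes" : "no");
    printf("bounded drain, 4-byte chunks, intact: %s\n", drain_reproduces("hello world", 4) ? "yes" : "no");
    return 0;
}
```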

Oh, interesting. I've been getting intermittent crash reports about something very similar, but on a slightly different line and with less helpful information. Sounds like they might be related, I've been unsure on how to dig deeper. It does seem to be content related, I don't see this crash very often but it happens repeatedly for the same people.

Exception Type:  SIGSEGV
Exception Codes: SEGV_ACCERR at 0x27f0000
Crashed Thread:  8

Thread 0:
0   CoreFoundation                       0x1db555ce _CFRelease + 608
1   libobjc.A.dylib                      0x1ce397a1 (anonymous namespace)::AutoreleasePoolPage::pop(void*) + 610
2   CFNetwork                            0x1e2b298b -[NSURLConnectionInternal _withConnectionAndDelegate:onlyActive:] + 182
3   CFNetwork                            0x1e2b2a77 -[NSURLConnectionInternal _withActiveConnectionAndDelegate:] + 34
4   CFNetwork                            0x1e1fd10b ___ZN27URLConnectionClient_Classic26_delegate_didFinishLoadingEU13block_pointerFvvE_block_invoke + 68
5   CFNetwork                            0x1e1fb8e3 ___ZN27URLConnectionClient_Classic18_withDelegateAsyncEPKcU13block_pointerFvP16_CFURLConnectionPK33CFURLConnectionClientCurrent_VMaxE_block_invoke_2 + 68
6   libdispatch.dylib                    0x1d265783 _dispatch_client_callout + 20
7   libdispatch.dylib                    0x1d26fe21 _dispatch_block_invoke_direct + 292
8   CFNetwork                            0x1e2939b7 RunloopBlockContext::_invoke_block(void const*, void*) + 16
9   CoreFoundation                       0x1daa4bd5 CFArrayApplyFunction + 34
10  CFNetwork                            0x1e293889 RunloopBlockContext::perform() + 170
11  CFNetwork                            0x1e294865 MultiplexerSource::perform() + 206
12  CFNetwork                            0x1e294677 MultiplexerSource::_perform(void*) + 44
13  CoreFoundation                       0x1db53fdd __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 10
14  CoreFoundation                       0x1db53b05 __CFRunLoopDoSources0 + 422
15  CoreFoundation                       0x1db51f51 __CFRunLoopRun + 1158
16  CoreFoundation                       0x1daa51af CFRunLoopRunSpecific + 468
17  CoreFoundation                       0x1daa4fd1 CFRunLoopRunInMode + 102
18  GraphicsServices                     0x1f24fb41 GSEventRunModal + 78
19  UIKit                                0x22e20e13 UIApplicationMain + 148
20  MyApp                                0x0002f565 main (main.m:14)
21  libdyld.dylib                        0x1d2924eb start + 0

...

Thread 8 Crashed:
0   MyApp                                0x00201938 -[PKMultipartElement read:maxLength:] (PKMultipartInputStream.m:180)
1   MyApp                                0x0020277d -[PKMultipartInputStream read:maxLength:] (PKMultipartInputStream.m:273)
2   CFNetwork                            0x1e280cf3 HTTPTransaction::RequestBodyStream::_bufferRequestBodyFromStream_offqueue() + 104
3   libdispatch.dylib                    0x1d265783 _dispatch_client_callout + 20
4   libdispatch.dylib                    0x1d26fe21 _dispatch_block_invoke_direct + 292
5   CFNetwork                            0x1e2939b7 RunloopBlockContext::_invoke_block(void const*, void*) + 16
6   CoreFoundation                       0x1daa4bd5 CFArrayApplyFunction + 34
7   CFNetwork                            0x1e293889 RunloopBlockContext::perform() + 170
8   CFNetwork                            0x1e294865 MultiplexerSource::perform() + 206
9   CFNetwork                            0x1e294677 MultiplexerSource::_perform(void*) + 44
10  CoreFoundation                       0x1db53fdd __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 10
11  CoreFoundation                       0x1db53b05 __CFRunLoopDoSources0 + 422
12  CoreFoundation                       0x1db51f51 __CFRunLoopRun + 1158
13  CoreFoundation                       0x1daa51af CFRunLoopRunSpecific + 468
14  CoreFoundation                       0x1daa4fd1 CFRunLoopRunInMode + 102
15  CFNetwork                            0x1e182393 +[NSURLConnection(Loader) _resourceLoadLoop:] + 400
16  Foundation                           0x1e4dd8ab __NSThread__start__ + 1120
17  libsystem_pthread.dylib              0x1d41c93b _pthread_body + 214
18  libsystem_pthread.dylib              0x1d41c85d _pthread_start + 232
19  libsystem_pthread.dylib              0x1d41a468 thread_start + 6

jznadams, Jun 15 '17 13:06

Yeah, this is a tricky one to figure out. It works completely fine 99.99% of the time, but occasionally we get a crash or two. Best I can tell, the buffer is overflowing for some reason, which causes some strange memory issues in the app.

pixelmatrix, Jun 20 '17 18:06

Hi, any chance you could reproduce and send a PR to fix? Thx.

pyke369, May 07 '18 08:05

@pixelmatrix

I've got a demo app written in Swift at https://github.com/robertcopper/PKMultipartInputStreamDemo

Can you change the code in the setupStream() function and include an attachment to reproduce the problem?

robertcopper, May 07 '18 16:05