Explaining the File:/// bug. See also http://openradar.appspot.com/13128709

disassembly.txt
In DDResultCopyExtractedURL in the DataDetectorsCore.framework, file:// URLs are sanity-checked with an assert:
 
0xCB86 loc_CB86:
0xCB86 lea rsi, cfstr_File ; "file://"
0xCB8D mov rdi, rbx
0xCB90 call _CFStringHasPrefix ; Check if the string starts with 'file://'
; Yes, this is case sensitive, which is why the test fails
0xCB95 test al, al
0xCB97 jne short loc_CBD4 ; If CFStringHasPrefix returns true, jump past the assert
; Otherwise, the following code triggers an assert:
0xCB99 lea rdi, aCfstringhaspre ; "CFStringHasPrefix(urlVal, CFSTR(\"file:/"...
0xCBA0 lea rsi, aSourcecache_51 ; "/SourceCache/DataDetectorsCore/DataDete"...
0xCBA7 lea rdx, aDdresultcopy_1 ; "DDResultCopyExtractedURL"
0xCBAE lea r14, cfstr_WrongExtractio ; "wrong extraction: %@"
0xCBB5 mov ecx, 628h
0xCBBA mov r8, r14
0xCBBD mov r9, rbx
0xCBC0 xor al, al
0xCBC2 call _DDLogAssertionFailure
0xCBC7 mov rdi, r14
0xCBCA mov rsi, rbx
0xCBCD xor al, al
0xCBCF call _DDCrash
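As an added illustration (not part of the gist or of DataDetectorsCore), the same check in C: the case-sensitive prefix test that sends "File:///" down the assertion path, beside a version that lowercases the scheme before comparing and reports a non-file URL as an error instead of crashing. All function and type names here are hypothetical; the crash is modelled as a return value so it can be observed.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Outcome of the (hypothetical) extraction step. */
typedef enum { URL_OK, URL_NOT_FILE, URL_ASSERT_CRASH } url_result;

/* Mirrors the framework's check: CFStringHasPrefix(urlVal, CFSTR("file://")) is
 * case-sensitive, so "File:///" misses and the path ends in DDCrash (modelled here
 * as URL_ASSERT_CRASH rather than an actual abort). */
url_result check_file_url_buggy(const char *url) {
    if (strncmp(url, "file://", 7) == 0)
        return URL_OK;
    return URL_ASSERT_CRASH; /* DDLogAssertionFailure + DDCrash in the original */
}

/* Lowercase the scheme (everything before the first ':') into out, copying the
 * rest unchanged. Scheme syntax per RFC 3986: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ).
 * Returns false when there is no well-formed scheme or out is too small. */
bool normalize_scheme(const char *url, char *out, size_t outlen) {
    size_t i = 0, len = strlen(url);
    if (!isalpha((unsigned char)url[0]))
        return false;
    for (; url[i] != '\0' && url[i] != ':'; i++) {
        unsigned char c = (unsigned char)url[i];
        if (!(isalnum(c) || c == '+' || c == '-' || c == '.'))
            return false;
    }
    if (url[i] != ':' || len + 1 > outlen)
        return false;
    for (size_t k = 0; k < len; k++)
        out[k] = k < i ? (char)tolower((unsigned char)url[k]) : url[k];
    out[len] = '\0';
    return true;
}

/* Hardened version: match the scheme case-insensitively and treat anything that
 * is not a file URL as a recoverable error rather than an assertion failure. */
url_result check_file_url_fixed(const char *url, char *out, size_t outlen) {
    if (!normalize_scheme(url, out, outlen))
        return URL_NOT_FILE;
    return strncmp(out, "file://", 7) == 0 ? URL_OK : URL_NOT_FILE;
}

/* Convenience wrapper: does the fixed check accept url and normalize it to expected? */
bool fixed_accepts_as(const char *url, const char *expected) {
    char buf[256];
    return check_file_url_fixed(url, buf, sizeof buf) == URL_OK && strcmp(buf, expected) == 0;
}
```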
evil-fix.txt
Evil fix for x86_64 / 10.8.2. ____Don't actually use this____. This is just for entertainment.
 
We just change the 'jne' to non-conditional 'jmp':
 
printf '\xeb' | dd bs=1 seek=646039 count=1 conv=notrunc of=/System/Library/PrivateFrameworks/DataDetectorsCore.framework/Versions/Current/DataDetectorsCore
 
e.g.,
 
0xCB97 jne short loc_CBD4 ; If CFStringHasPrefix returns true, jump past the assert
.... becomes:
0xCB97 jmp short loc_CBD4 ; Always jump past the assert
 
And now you no longer crash.

It works on 10.8.1 as well.

I think you meant:

0xEB97 jmp short loc_DBD4

Won't this fail Code Signing checks on the binary? Also, won't not restarting after patching cause problems with unified buffer cache (probably that binary is already loaded and cached)?

@pvaibhav: Actually, the DataDetectorsCore bundle fails Code Signing verification out of the box, so applying this patch will have no additional adverse effects on the validity of the bundle (the error message will change, but ultimately it was invalid in the first place). I've been running with this binary patch for at least 12 hours and I've noticed no problems. I'd back up the original version anyway, though; there's no telling what Software Update might do when 10.8.3 comes out.

@landonf: patch for the 32-bit version: printf '\xeb' | dd bs=1 seek=58303 count=1 conv=notrunc of=/System/Library/PrivateFrameworks/DataDetectorsCore.framework/Versions/Current/DataDetectorsCore
