
Address Sanitizer complaining about heap-buffer-overflow in [PKMultipartElement read:maxLength:] #18

Open
pixelmatrix opened this issue Jun 14, 2017 · 5 comments

Comments


pixelmatrix commented Jun 14, 2017

I enabled Address Sanitizer after seeing complaints from malloc about memory checksums, and it pointed me to [PKMultipartElement read:maxLength:]. Specifically line 176, where it says:

*(buffer + sent) = '\n';

Backtrace:

* thread #14, name = 'com.apple.NSURLConnectionLoader', stop reason = Heap buffer overflow
    frame #0: 0x0000000101c48cac libclang_rt.asan_ios_dynamic.dylib`__asan::AsanDie()
    frame #1: 0x0000000101c5c41c libclang_rt.asan_ios_dynamic.dylib`__sanitizer::Die() + 92
    frame #2: 0x0000000101c4632c libclang_rt.asan_ios_dynamic.dylib`__asan::ScopedInErrorReport::~ScopedInErrorReport() + 348
    frame #3: 0x0000000101c45cfc libclang_rt.asan_ios_dynamic.dylib`__asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) + 292
    frame #4: 0x0000000101c46d6c libclang_rt.asan_ios_dynamic.dylib`__asan_report_store1 + 52
  * frame #5: 0x000000010352f10c PKMultipartInputStream`-[PKMultipartElement read:maxLength:](self=0x0000000169e9c6e0, _cmd="read:maxLength:", buffer="--DFEA4E6D-A2C2-4F6F-9419-3F868BBC3F7A-4107-00001EAC563BC99D\r\nContent-Disposition: form-data; name=\"post\"\r\nContent-Type: application/json\r\n\r\n{\"post\":{\"id\":\"04C5DD1D-5958-41F2-B444-2B883BCC2594\",\"media\":{\"hasAudio\":false,\"id\":\"F3D312DC-4D9A-4B25-A63E-B7D869263E1A\",\"mentions\":[{\"id\":\"044A89CC-FB99-4656-A470-95369706E3ED\",\"profileId\":\"c29b2b6e-e464-4903-8973-e3fb877c2f8e\",\"labelPolygon\":[[-0.8420772932210209,-0.3268365817091454],[0.1084654856086575,-0.3268365817091454],[0.1084654856086575,-0.2056403501259422],[-0.8420772932210209,-0.2056403501259422]]},{\"id\":\"82EA5F66-CE52-43C2-AFF9-D2E38E6A67F8\",\"profileId\":\"5a9c4e1c-461a-465e-89c0-15be263236dc\",\"labelPolygon\":[[0.150386160329364,-0.3268365817091454],[0.8420772932210209,-0.3268365817091454],[0.8420772932210209,-0.2056403501259422],[0.150386160329364,-0.2056403501259422]]}],\"notificationType\":\"DEFAULT\"},\"storyId\":\"336b6b34-f633-4842-a677-bd930337c1b0\"}}\r", len=914) at PKMultipartInputStream.m:176
    frame #6: 0x0000000103532bd4 PKMultipartInputStream`-[PKMultipartInputStream read:maxLength:](self=0x000000016991e680, _cmd="read:maxLength:", buffer="r\x03\366\3113�l\x1cye\xb7c==\xaao\355M";y\x92\x02A\x9a\333\312\nc%\303c\370\xa4$\344z�\300\256R\x8a\357Y\305k\336I7k~\x7f\x8b\xbe\xa7+\313iZɵ\xadα\xaf^\x0f\x0eFd\\O(kx߿\x92\x0eO\370V.\x8fy\x16\x9f\xa8\305u0;\x17p;y \x10GJ\316%\x8e\x01$\x81\300\311'\x1fOJJƮa9T\xa7R?a+|\xbf\314\322\x9e\x0e*\x13\x83\373W\374N\x82+\x9d)\354\333L\x9eic\x8e9\x8c\xb1ʨN\361\216\340r\x0f\xa5Q\325o\x93P\324�\3565*\x87h\\\365!F2}\315S\x82\tnfX \x1b\x9d\316�t\317\347Q\xb2\xb21F\340\251 \375E\x15\xb1\xb5jRQq\xb2\xbe\372\364\331|\257\376aK\v\bTrO_\363\335\374\354t\xb7\x1aŤ\x97\xba\x84\350ϲ\346��|\x11\363, len=4096) at PKMultipartInputStream.m:264
    frame #7: 0x000000018c435874 CFNetwork`RequestBodyStreamProvider::readBodyStream(bool) + 272
    frame #8: 0x0000000105e89a10 libdispatch.dylib`_dispatch_client_callout + 16
    frame #9: 0x0000000105e943d8 libdispatch.dylib`_dispatch_block_invoke_direct + 356
    frame #10: 0x000000018c50bb30 CFNetwork`RunloopBlockContext::_invoke_block(void const*, void*) + 36
    frame #11: 0x000000018bba2710 CoreFoundation`CFArrayApplyFunction + 68
    frame #12: 0x000000018c50b9f0 CFNetwork`RunloopBlockContext::perform() + 128
    frame #13: 0x000000018c50cd34 CFNetwork`MultiplexerSource::perform() + 312
    frame #14: 0x000000018c50caa0 CFNetwork`MultiplexerSource::_perform(void*) + 64
    frame #15: 0x000000018bc7542c CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 24
    frame #16: 0x000000018bc74d9c CoreFoundation`__CFRunLoopDoSources0 + 540
    frame #17: 0x000000018bc729a8 CoreFoundation`__CFRunLoopRun + 744
    frame #18: 0x000000018bba2da4 CoreFoundation`CFRunLoopRunSpecific + 424
    frame #19: 0x000000018c3aedf4 CFNetwork`+[NSURLConnection(Loader) _resourceLoadLoop:] + 404
    frame #20: 0x000000018c7ba2d8 Foundation`__NSThread__start__ + 996
    frame #21: 0x000000018ad8968c libsystem_pthread.dylib`_pthread_body + 240
    frame #22: 0x000000018ad8959c libsystem_pthread.dylib`_pthread_start + 284
    frame #23: 0x000000018ad86cb4 libsystem_pthread.dylib`thread_start + 4

Here's the full text from Address Sanitizer:

=================================================================

==4107==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x00015a27f500 at pc 0x00010352f10c bp 0x00016e5ad310 sp 0x00016e5ad308
WRITE of size 1 at 0x00015a27f500 thread T13
    #0 0x10352f10b in -[PKMultipartElement read:maxLength:] (/private/var/containers/Bundle/Application/EB0C84D1-B486-412E-A826-158CBFCBE748/Riff.app/Frameworks/PKMultipartInputStream.framework/PKMultipartInputStream:arm64+0xb10b)
    #1 0x103532bd3 in -[PKMultipartInputStream read:maxLength:] (/private/var/containers/Bundle/Application/EB0C84D1-B486-412E-A826-158CBFCBE748/Riff.app/Frameworks/PKMultipartInputStream.framework/PKMultipartInputStream:arm64+0xebd3)
    #2 0x18c435873 in <redacted> (/System/Library/Frameworks/CFNetwork.framework/CFNetwork:arm64+0x168873)
    #3 0x105e89a0f in _dispatch_client_callout (/usr/lib/system/introspection/libdispatch.dylib:arm64+0x1a0f)
    #4 0x105e943d7 in _dispatch_block_invoke_direct (/usr/lib/system/introspection/libdispatch.dylib:arm64+0xc3d7)
    #5 0x18c50bb2f in <redacted> (/System/Library/Frameworks/CFNetwork.framework/CFNetwork:arm64+0x23eb2f)
    #6 0x18bba270f in CFArrayApplyFunction (/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation:arm64+0x870f)
    #7 0x18c50b9ef in <redacted> (/System/Library/Frameworks/CFNetwork.framework/CFNetwork:arm64+0x23e9ef)
    #8 0x18c50cd33 in <redacted> (/System/Library/Frameworks/CFNetwork.framework/CFNetwork:arm64+0x23fd33)
    #9 0x18c50ca9f in <redacted> (/System/Library/Frameworks/CFNetwork.framework/CFNetwork:arm64+0x23fa9f)
    #10 0x18bc7542b in <redacted> (/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation:arm64+0xdb42b)
    #11 0x18bc74d9b in <redacted> (/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation:arm64+0xdad9b)
    #12 0x18bc729a7 in <redacted> (/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation:arm64+0xd89a7)
    #13 0x18bba2da3 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation:arm64+0x8da3)
    #14 0x18c3aedf3 in <redacted> (/System/Library/Frameworks/CFNetwork.framework/CFNetwork:arm64+0xe1df3)
    #15 0x18c7ba2d7 in <redacted> (/System/Library/Frameworks/Foundation.framework/Foundation:arm64+0x10a2d7)
    #16 0x18ad8968b in <redacted> (/usr/lib/system/libsystem_pthread.dylib:arm64+0x368b)
    #17 0x18ad8959b in _pthread_start (/usr/lib/system/libsystem_pthread.dylib:arm64+0x359b)
    #18 0x18ad86cb3 in thread_start (/usr/lib/system/libsystem_pthread.dylib:arm64+0xcb3)

0x00015a27f500 is located 0 bytes to the right of 4096-byte region [0x00015a27e500,0x00015a27f500)
allocated by thread T13 here:
    #0 0x101c4b5e7 in wrap__Znam (/var/containers/Bundle/Application/EB0C84D1-B486-412E-A826-158CBFCBE748/Riff.app/Frameworks/libclang_rt.asan_ios_dynamic.dylib:arm64+0x575e7)
    #1 0x18c435847 in <redacted> (/System/Library/Frameworks/CFNetwork.framework/CFNetwork:arm64+0x168847)
    #2 0x105e89a0f in _dispatch_client_callout (/usr/lib/system/introspection/libdispatch.dylib:arm64+0x1a0f)
    #3 0x105e943d7 in _dispatch_block_invoke_direct (/usr/lib/system/introspection/libdispatch.dylib:arm64+0xc3d7)
    #4 0x18c50bb2f in <redacted> (/System/Library/Frameworks/CFNetwork.framework/CFNetwork:arm64+0x23eb2f)
    #5 0x18bba270f in CFArrayApplyFunction (/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation:arm64+0x870f)
    #6 0x18c50b9ef in <redacted> (/System/Library/Frameworks/CFNetwork.framework/CFNetwork:arm64+0x23e9ef)
    #7 0x18c50cd33 in <redacted> (/System/Library/Frameworks/CFNetwork.framework/CFNetwork:arm64+0x23fd33)
    #8 0x18c50ca9f in <redacted> (/System/Library/Frameworks/CFNetwork.framework/CFNetwork:arm64+0x23fa9f)
    #9 0x18bc7542b in <redacted> (/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation:arm64+0xdb42b)
    #10 0x18bc74d9b in <redacted> (/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation:arm64+0xdad9b)
    #11 0x18bc729a7 in <redacted> (/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation:arm64+0xd89a7)
    #12 0x18bba2da3 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation:arm64+0x8da3)
    #13 0x18c3aedf3 in <redacted> (/System/Library/Frameworks/CFNetwork.framework/CFNetwork:arm64+0xe1df3)
    #14 0x18c7ba2d7 in <redacted> (/System/Library/Frameworks/Foundation.framework/Foundation:arm64+0x10a2d7)
    #15 0x18ad8968b in <redacted> (/usr/lib/system/libsystem_pthread.dylib:arm64+0x368b)
    #16 0x18ad8959b in _pthread_start (/usr/lib/system/libsystem_pthread.dylib:arm64+0x359b)
    #17 0x18ad86cb3 in thread_start (/usr/lib/system/libsystem_pthread.dylib:arm64+0xcb3)

Thread T13 created by T4 here:
    #0 0x101c3928f in wrap_pthread_create (/var/containers/Bundle/Application/EB0C84D1-B486-412E-A826-158CBFCBE748/Riff.app/Frameworks/libclang_rt.asan_ios_dynamic.dylib:arm64+0x4528f)
    #1 0x18c6f1f27 in <redacted> (/System/Library/Frameworks/Foundation.framework/Foundation:arm64+0x41f27)
    #2 0x18c3aec07 in <redacted> (/System/Library/Frameworks/CFNetwork.framework/CFNetwork:arm64+0xe1c07)
    #3 0x105e89a0f in _dispatch_client_callout (/usr/lib/system/introspection/libdispatch.dylib:arm64+0x1a0f)
    #4 0x105e8a777 in dispatch_once_f (/usr/lib/system/introspection/libdispatch.dylib:arm64+0x2777)
    #5 0x18c3aeb3b in <redacted> (/System/Library/Frameworks/CFNetwork.framework/CFNetwork:arm64+0xe1b3b)
    #6 0x18c50c133 in <redacted> (/System/Library/Frameworks/CFNetwork.framework/CFNetwork:arm64+0x23f133)
    #7 0x105e89a0f in _dispatch_client_callout (/usr/lib/system/introspection/libdispatch.dylib:arm64+0x1a0f)
    #8 0x105e8a777 in dispatch_once_f (/usr/lib/system/introspection/libdispatch.dylib:arm64+0x2777)
    #9 0x18c50a717 in <redacted> (/System/Library/Frameworks/CFNetwork.framework/CFNetwork:arm64+0x23d717)
    #10 0x18c50ad2b in <redacted> (/System/Library/Frameworks/CFNetwork.framework/CFNetwork:arm64+0x23dd2b)
    #11 0x105e89a0f in _dispatch_client_callout (/usr/lib/system/introspection/libdispatch.dylib:arm64+0x1a0f)
    #12 0x105e8a777 in dispatch_once_f (/usr/lib/system/introspection/libdispatch.dylib:arm64+0x2777)
    #13 0x18c509663 in <redacted> (/System/Library/Frameworks/CFNetwork.framework/CFNetwork:arm64+0x23c663)
    #14 0x18c45a217 in <redacted> (/System/Library/Frameworks/CFNetwork.framework/CFNetwork:arm64+0x18d217)
    #15 0x18c459be3 in <redacted> (/System/Library/Frameworks/CFNetwork.framework/CFNetwork:arm64+0x18cbe3)
    #16 0x18c4595cb in <redacted> (/System/Library/Frameworks/CFNetwork.framework/CFNetwork:arm64+0x18c5cb)
    #17 0x18c39f53b in <redacted> (/System/Library/Frameworks/CFNetwork.framework/CFNetwork:arm64+0xd253b)
    #18 0x18c39fb3b in <redacted> (/System/Library/Frameworks/CFNetwork.framework/CFNetwork:arm64+0xd2b3b)
    #19 0x18c39f0ef in <redacted> (/System/Library/Frameworks/CFNetwork.framework/CFNetwork:arm64+0xd20ef)
    #20 0x101c4044b in __wrap_dispatch_async_block_invoke (/var/containers/Bundle/Application/EB0C84D1-B486-412E-A826-158CBFCBE748/Riff.app/Frameworks/libclang_rt.asan_ios_dynamic.dylib:arm64+0x4c44b)
    #21 0x105e89a4f in _dispatch_call_block_and_release (/usr/lib/system/introspection/libdispatch.dylib:arm64+0x1a4f)
    #22 0x105e89a0f in _dispatch_client_callout (/usr/lib/system/introspection/libdispatch.dylib:arm64+0x1a0f)
    #23 0x105e972e7 in _dispatch_queue_serial_drain (/usr/lib/system/introspection/libdispatch.dylib:arm64+0xf2e7)
    #24 0x105e8d633 in _dispatch_queue_invoke (/usr/lib/system/introspection/libdispatch.dylib:arm64+0x5633)
    #25 0x105e9780f in _dispatch_queue_override_invoke (/usr/lib/system/introspection/libdispatch.dylib:arm64+0xf80f)
    #26 0x105e9962f in _dispatch_root_queue_drain (/usr/lib/system/introspection/libdispatch.dylib:arm64+0x1162f)
    #27 0x105e9939b in _dispatch_worker_thread3 (/usr/lib/system/introspection/libdispatch.dylib:arm64+0x1139b)
    #28 0x18ad870ff in _pthread_wqthread (/usr/lib/system/libsystem_pthread.dylib:arm64+0x10ff)
    #29 0x18ad86cab in start_wqthread (/usr/lib/system/libsystem_pthread.dylib:arm64+0xcab)

Thread T4 created by T0 here:
    <empty stack>

SUMMARY: AddressSanitizer: heap-buffer-overflow (/private/var/containers/Bundle/Application/EB0C84D1-B486-412E-A826-158CBFCBE748/Riff.app/Frameworks/PKMultipartInputStream.framework/PKMultipartInputStream:arm64+0xb10b) in -[PKMultipartElement read:maxLength:]
Shadow bytes around the buggy address:
  0x0001319afe50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0001319afe60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0001319afe70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0001319afe80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0001319afe90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0001319afea0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0001319afeb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0001319afec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0001319afed0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0001319afee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0001319afef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb

Any ideas what could be happening here? Happy to provide whatever data is helpful.
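Added example (not the library's code and not part of this issue): a small C model of the read pattern the report above points at. ASan says the one-byte write is "0 bytes to the right of" the 4096-byte region, that is, at buffer[maxLength]. That is exactly what happens when the bytes still to be sent fill the caller's buffer completely and the trailing newline is then stored at buffer[sent] without first checking sent < maxLength. The model reproduces the off-by-one on a constructed 16-byte boundary case, using a spare canary byte in place of ASan's redzone so the demo itself stays in bounds, and puts a bounded reader beside it that defers the newline to the next call. All names (element_t, fill_payload, read_unchecked, read_checked) and the sample element are hypothetical and constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed model of one multipart element streamed out piecewise, the way a
 * read:maxLength: call does it: header bytes, body bytes, then a single '\n'.
 * Hypothetical names; this is not the library's code. */
typedef struct {
    const char *headers; size_t headers_len;
    const char *body;    size_t body_len;
    size_t delivered;    /* element offset already handed to the caller */
} element_t;

/* Copy up to `room` bytes of src[at..] into dst; returns the count copied. */
static size_t copy_slice(uint8_t *dst, size_t room, const char *src, size_t src_len, size_t at) {
    if (at >= src_len || room == 0) return 0;
    size_t n = src_len - at < room ? src_len - at : room;
    memcpy(dst, src + at, n);
    return n;
}

/* Copy as much of headers+body as fits into buffer, starting at *off. */
static size_t fill_payload(const element_t *e, uint8_t *buffer, size_t max_len, size_t *off) {
    size_t sent = 0;
    if (*off < e->headers_len) {
        size_t n = copy_slice(buffer, max_len, e->headers, e->headers_len, *off);
        sent += n; *off += n;
    }
    if (*off >= e->headers_len && *off < e->headers_len + e->body_len) {
        size_t n = copy_slice(buffer + sent, max_len - sent, e->body, e->body_len, *off - e->headers_len);
        sent += n; *off += n;
    }
    return sent;
}

/* The pattern the ASan report points at: once the payload is exhausted the '\n'
 * is stored at buffer[sent] with no `sent < max_len` test. If the remaining
 * payload exactly fills the buffer, sent == max_len and the store is one byte
 * past the end. Only called here with a spare canary byte after max_len. */
static size_t read_unchecked(element_t *e, uint8_t *buffer, size_t max_len) {
    size_t off = e->delivered;
    size_t sent = fill_payload(e, buffer, max_len, &off);
    if (off == e->headers_len + e->body_len) {
        *(buffer + sent) = '\n';    /* may be buffer[max_len] */
        sent++; off++;
    }
    e->delivered = off;
    return sent;                    /* may also exceed max_len */
}

/* Bounded form: the '\n' is written only when there is room; otherwise the
 * cursor stays put and the next call delivers it. Every store is inside
 * [0, max_len) and the return value never exceeds max_len. */
static size_t read_checked(element_t *e, uint8_t *buffer, size_t max_len) {
    size_t off = e->delivered;
    size_t sent = fill_payload(e, buffer, max_len, &off);
    if (off == e->headers_len + e->body_len && sent < max_len) {
        buffer[sent] = '\n';
        sent++; off++;
    }
    e->delivered = off;
    return sent;
}

/* Constructed element: 8 header + 8 body bytes, so a 16-byte buffer is filled
 * exactly by the payload and the terminator has no room left. */
#define BUF_LEN 16
#define EXPECTED "H: x\r\n\r\n12345678\n"   /* 17 bytes */
static element_t make_boundary_element(void) {
    element_t e = { "H: x\r\n\r\n", 8, "12345678", 8, 0 };
    return e;
}

/* Canary byte at index BUF_LEN stands in for ASan's redzone; 1 if clobbered. */
static int unchecked_clobbers_canary(void) {
    element_t e = make_boundary_element();
    uint8_t buf[BUF_LEN + 1];
    memset(buf, 0xAA, sizeof buf);
    size_t n = read_unchecked(&e, buf, BUF_LEN);
    return n == BUF_LEN + 1 && buf[BUF_LEN] == '\n';
}

/* Streams the element through the bounded reader in max_len-byte reads and
 * reassembles it. Returns the number of read calls, or -1 if the canary was
 * touched, a read overstated its length, or the reassembled bytes are wrong. */
static int checked_stream_calls(size_t max_len) {
    element_t e = make_boundary_element();
    uint8_t buf[65], out[64];
    size_t total = 0;
    int calls = 0;
    if (max_len >= sizeof buf) return -1;
    for (;;) {
        memset(buf, 0xAA, sizeof buf);
        size_t n = read_checked(&e, buf, max_len);
        if (buf[max_len] != 0xAA || n > max_len || total + n > sizeof out) return -1;
        if (n == 0) break;
        memcpy(out + total, buf, n);
        total += n; calls++;
    }
    return (total == sizeof EXPECTED - 1 && memcmp(out, EXPECTED, total) == 0) ? calls : -1;
}

int main(void) {
    printf("unchecked reader clobbers canary: %d\n", unchecked_clobbers_canary());
    printf("checked reader: %d calls with 16-byte reads, %d with 5-byte reads\n",
           checked_stream_calls(16), checked_stream_calls(5));
    return 0;
}
```

Two symptoms fall out of the unchecked variant: the store at buffer[max_len], and a return value of max_len + 1, which a caller such as CFNetwork then trusts as the number of valid bytes. Sizing buf at exactly BUF_LEN and building with clang -fsanitize=address turns the canary check into a sanitizer report of the same off-by-one (a stack-buffer-overflow here, since the demo buffer lives on the stack rather than in a 4096-byte heap allocation).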

@pixelmatrix
Author

The other thing I can say is that this happens intermittently on a request basis, and not with every request. If I make a stream with different data in the same app build, it seems to be fine, but fails 100% of the time with this specific stream.

@jznadams
Contributor

Oh, interesting. I've been getting intermittent crash reports about something very similar, but on a slightly different line and with less helpful information. Sounds like they might be related; I've been unsure how to dig deeper. It does seem to be content-related: I don't see this crash very often, but it happens repeatedly for the same people.

Exception Type:  SIGSEGV
Exception Codes: SEGV_ACCERR at 0x27f0000
Crashed Thread:  8

Thread 0:
0   CoreFoundation                       0x1db555ce _CFRelease + 608
1   libobjc.A.dylib                      0x1ce397a1 (anonymous namespace)::AutoreleasePoolPage::pop(void*) + 610
2   CFNetwork                            0x1e2b298b -[NSURLConnectionInternal _withConnectionAndDelegate:onlyActive:] + 182
3   CFNetwork                            0x1e2b2a77 -[NSURLConnectionInternal _withActiveConnectionAndDelegate:] + 34
4   CFNetwork                            0x1e1fd10b ___ZN27URLConnectionClient_Classic26_delegate_didFinishLoadingEU13block_pointerFvvE_block_invoke + 68
5   CFNetwork                            0x1e1fb8e3 ___ZN27URLConnectionClient_Classic18_withDelegateAsyncEPKcU13block_pointerFvP16_CFURLConnectionPK33CFURLConnectionClientCurrent_VMaxE_block_invoke_2 + 68
6   libdispatch.dylib                    0x1d265783 _dispatch_client_callout + 20
7   libdispatch.dylib                    0x1d26fe21 _dispatch_block_invoke_direct + 292
8   CFNetwork                            0x1e2939b7 RunloopBlockContext::_invoke_block(void const*, void*) + 16
9   CoreFoundation                       0x1daa4bd5 CFArrayApplyFunction + 34
10  CFNetwork                            0x1e293889 RunloopBlockContext::perform() + 170
11  CFNetwork                            0x1e294865 MultiplexerSource::perform() + 206
12  CFNetwork                            0x1e294677 MultiplexerSource::_perform(void*) + 44
13  CoreFoundation                       0x1db53fdd __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 10
14  CoreFoundation                       0x1db53b05 __CFRunLoopDoSources0 + 422
15  CoreFoundation                       0x1db51f51 __CFRunLoopRun + 1158
16  CoreFoundation                       0x1daa51af CFRunLoopRunSpecific + 468
17  CoreFoundation                       0x1daa4fd1 CFRunLoopRunInMode + 102
18  GraphicsServices                     0x1f24fb41 GSEventRunModal + 78
19  UIKit                                0x22e20e13 UIApplicationMain + 148
20  MyApp                                0x0002f565 main (main.m:14)
21  libdyld.dylib                        0x1d2924eb start + 0

...

Thread 8 Crashed:
0   MyApp                                0x00201938 -[PKMultipartElement read:maxLength:] (PKMultipartInputStream.m:180)
1   MyApp                                0x0020277d -[PKMultipartInputStream read:maxLength:] (PKMultipartInputStream.m:273)
2   CFNetwork                            0x1e280cf3 HTTPTransaction::RequestBodyStream::_bufferRequestBodyFromStream_offqueue() + 104
3   libdispatch.dylib                    0x1d265783 _dispatch_client_callout + 20
4   libdispatch.dylib                    0x1d26fe21 _dispatch_block_invoke_direct + 292
5   CFNetwork                            0x1e2939b7 RunloopBlockContext::_invoke_block(void const*, void*) + 16
6   CoreFoundation                       0x1daa4bd5 CFArrayApplyFunction + 34
7   CFNetwork                            0x1e293889 RunloopBlockContext::perform() + 170
8   CFNetwork                            0x1e294865 MultiplexerSource::perform() + 206
9   CFNetwork                            0x1e294677 MultiplexerSource::_perform(void*) + 44
10  CoreFoundation                       0x1db53fdd __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 10
11  CoreFoundation                       0x1db53b05 __CFRunLoopDoSources0 + 422
12  CoreFoundation                       0x1db51f51 __CFRunLoopRun + 1158
13  CoreFoundation                       0x1daa51af CFRunLoopRunSpecific + 468
14  CoreFoundation                       0x1daa4fd1 CFRunLoopRunInMode + 102
15  CFNetwork                            0x1e182393 +[NSURLConnection(Loader) _resourceLoadLoop:] + 400
16  Foundation                           0x1e4dd8ab __NSThread__start__ + 1120
17  libsystem_pthread.dylib              0x1d41c93b _pthread_body + 214
18  libsystem_pthread.dylib              0x1d41c85d _pthread_start + 232
19  libsystem_pthread.dylib              0x1d41a468 thread_start + 6

@pixelmatrix
Author

Yeah, this is a tricky one to figure out. It works completely fine 99.99% of the time, but occasionally we get a crash or two. Best I can tell, the buffer is overflowing for some reason, which causes some strange memory issues in the app.

@pyke369
Owner

pyke369 commented May 7, 2018

Hi, any chance you could reproduce and send a PR to fix? Thx.

@robertcopper
Contributor

@pixelmatrix

I've got a demo app written in Swift at https://github.com/robertcopper/PKMultipartInputStreamDemo

Can you change the code in the setupStream() function and include an attachment to reproduce the problem?
