From 9db0b9c20056ddeb1459bbdc66e111d5a665cb45 Mon Sep 17 00:00:00 2001
From: Cursor Agent
Date: Tue, 29 Jul 2025 08:23:50 +0000
Subject: [PATCH 1/3] Fix memory leaks and improve safety in installd patching code
Co-authored-by: issam.haimour1
---
 .../grant_full_disk_access.m | 19 +++++++++++++++----
 WDBRemoveThreeAppLimit/helpers.m | 5 ++++-
 2 files changed, 19 insertions(+), 5 deletions(-)
diff --git a/WDBRemoveThreeAppLimit/grant_full_disk_access.m b/WDBRemoveThreeAppLimit/grant_full_disk_access.m
index 8ce6898..f8f5212 100644
--- a/WDBRemoveThreeAppLimit/grant_full_disk_access.m
+++ b/WDBRemoveThreeAppLimit/grant_full_disk_access.m
@@ -85,11 +85,18 @@ static uint64_t patchfind_pointer_to_string(void* executable_map, size_t executa
 if (!str_offset) {
 return 0;
 }
- uint64_t str_file_offset = str_offset - executable_map;
- for (int i = 0; i < executable_length; i += 8) {
- uint64_t val = *(uint64_t*)(executable_map + i);
+ uint64_t str_file_offset = (uint64_t)((uintptr_t)str_offset - (uintptr_t)executable_map);
+
+ /*
+ * Use size_t for the loop variable to prevent potential integer overflow
+ * when scanning very large executables ( >2 GB ). Using a signed 32-bit
+ * integer could cause the loop to terminate early or exhibit undefined
+ * behaviour on such inputs.
+ */
+ for (size_t i = 0; i < executable_length; i += 8) {
+ uint64_t val = *(uint64_t*)((char*)executable_map + i);
 if ((val & 0xfffffffful) == str_file_offset) {
- return i;
+ return (uint64_t)i;
 }
 }
 return 0;
@@ -590,12 +597,15 @@ bool patch_installd() {
 NSData* sourceData = make_patch_installd(targetMap, targetLength);
 if (!sourceData) {
 NSLog(@"can't patchfind");
+ munmap(targetMap, targetLength);
+ close(fd);
 return false;
 }
 if (!overwrite_file(fd, sourceData)) {
 overwrite_file(fd, originalData);
 munmap(targetMap, targetLength);
+ close(fd);
 NSLog(@"can't overwrite");
 return false;
 }
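Review bot: The rewritten loop bound still lets the last iteration read past the end of the map: `i < executable_length` admits an `i` inside the final seven bytes, and the 8-byte load at `(char*)executable_map + i` then reaches beyond `executable_length` whenever the length is not a multiple of 8 (in practice it lands in the mmap'd page's zero fill, but the code relies on that rather than on its own bound). Use `for (size_t i = 0; i + sizeof(uint64_t) <= executable_length; i += sizeof(uint64_t))`, and let the new comment name this over-read as the reason for the bound rather than only the signed-counter overflow. Note also that `return (uint64_t)i` is indistinguishable from the not-found `return 0` when the match sits at offset 0 — pre-existing, but worth a comment on the return contract. `patchfind_pointer_to_string` begins before this hunk and its closing brace is after it.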
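Review bot: On the `overwrite_file(fd, sourceData)` failure path the restore `overwrite_file(fd, originalData)` is still unchecked, so if the rewrite stopped part-way and the restore fails as well, installd is left with a half-patched binary while the only log line says "can't overwrite". Check it: `if (!overwrite_file(fd, originalData)) NSLog(@"can't restore installd; binary may be corrupt");`. The two failure paths now each repeat `munmap`/`close` by hand — exactly the kind of omission this commit is fixing — so a single exit label (`goto cleanup;` with the `munmap`/`close` once) or a small static helper would keep them from drifting apart again. `patch_installd` begins before this hunk and continues after it.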
@@ -606,5 +616,6 @@ bool patch_installd() {
 // TODO(zhuowei): for now we revert it once installd starts
 // so the change will only last until when this installd exits
 overwrite_file(fd, originalData);
+ close(fd);
 return true;
 }
diff --git a/WDBRemoveThreeAppLimit/helpers.m b/WDBRemoveThreeAppLimit/helpers.m
index 6231ec6..005401f 100644
--- a/WDBRemoveThreeAppLimit/helpers.m
+++ b/WDBRemoveThreeAppLimit/helpers.m
@@ -20,7 +20,10 @@ char* buf = malloc(PAGE_SIZE*10);
 memset(buf, 'A', PAGE_SIZE*10);
 fwrite(buf, PAGE_SIZE*10, 1, f);
- //fclose(f);
+ // Clean up resources before returning the file path
+ fflush(f);
+ fclose(f);
+ free(buf);
 return path;
 }
From 1d0654d641c2e4d7c023a78dfd18a6dd5a222af9 Mon Sep 17 00:00:00 2001
From: issamHaimour5
Date: Sun, 17 Aug 2025 04:54:33 +0000
Subject: [PATCH 2/3] Co-authored-by: issamHaimour5
From 537f3932c41e8a71810ee480fa1bbc2445be608e Mon Sep 17 00:00:00 2001
From: issamHaimour5
Date: Mon, 25 Aug 2025 05:25:44 +0300
Subject: [PATCH 3/3] Update launch.json
---
 .vscode/launch.json | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 .vscode/launch.json
diff --git a/.vscode/launch.json b/.vscode/launch.json
new file mode 100644
index 0000000..2392e8c
--- /dev/null
+++ b/.vscode/launch.json
@@ -0,0 +1,17 @@
+{
+ // Use IntelliSense to learn about possible attributes.
+ // Hover to view descriptions of existing attributes.
+ // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
+ "version": "0.2.0",
+ "configurations": [
+
+
+
+ {
+ "type": "chrome",
+ "request": "launch",
+ "name": "Open settings.json",
+ "file": "c:\\Users\\issam.DESKTOP-9DRRJHF\\AppData\\Roaming\\Code - Insiders\\User\\settings.json"
+ }
+ ]
+}
\ No newline at end of file
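Review bot: The revert `overwrite_file(fd, originalData)` on the success path is unchecked and the function returns `true` regardless, so a failed revert leaves the patched installd on disk past the window the TODO describes, with no signal to the caller. Check it before the added `close(fd)`: `if (!overwrite_file(fd, originalData)) { NSLog(@"can't revert installd"); close(fd); return false; }`. No `munmap(targetMap, targetLength)` is visible on this path either; if it is not done in the lines between this hunk and the previous one, the mapping leaks on success. `patch_installd` begins before this hunk.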
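Review bot: `fclose(f)` was explicitly commented out in the original, so re-enabling it needs a check that nothing depends on the handle staying open after this helper returns — the `fopen` and the start of the function are outside the hunk, so that cannot be confirmed here. `fflush(f)` immediately before `fclose(f)` is redundant since fclose flushes, and neither return value, nor `fwrite`'s on the context line, is checked, so a short write still hands the caller a path to a file whose contents are not the `PAGE_SIZE*10` bytes it expects; at minimum `if (fclose(f) != 0) { NSLog(@"fclose failed"); }`. The `malloc` result on the first context line is also dereferenced by `memset` without a NULL check.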
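Review bot: This commits a personal editor launch configuration containing an absolute path from the author's machine (`c:\\Users\\issam.DESKTOP-9DRRJHF\\...`), which leaks a local username and hostname into the repository history and is of no use to other contributors — it launches Chrome on a VS Code `settings.json`, unrelated to this Objective-C project. Drop the file from the patch and add `.vscode/` to `.gitignore` so it is not re-added. Since the patch is already in history, reverting in a later commit keeps the path visible; rewriting the branch is needed if it should not be.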