bengottlieb / Twitter-OAuth-iPhone

An easy way to get Twitter authenticating with OAuth on iPhone
http://www.standalone.com
799 stars 155 forks

Unsafe use of strstr() on non-null-terminated string #93

Open newacct opened 12 years ago

newacct commented 12 years ago

In [SA_OAuthTwitterController webView:shouldStartLoadWithRequest:navigationType:], you get the bytes from an NSData using [data bytes], and then in the next line you proceed to use strstr() on it. However, strstr() requires that its arguments are null-terminated, and there is no guarantee that the bytes you get from [NSData bytes] are null-terminated. If the substring is not found, it will run off the end of the buffer.
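A length-bounded search of the kind the report above calls for, as an added example that is not part of the original issue or the project's code. The helper name `find_bytes` and the sample buffer are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: 8 bytes with NO terminating NUL, like [NSData bytes]. */
static const char sample_body[8] = {'p', 'i', 'n', '=', '1', '2', '3', '4'};

/* Hypothetical helper: find needle (nlen bytes) inside hay (hlen bytes).
 * Unlike strstr(), it takes explicit lengths and never reads hay[hlen]
 * or beyond, so neither buffer needs a terminating NUL. */
const char *find_bytes(const void *hay, size_t hlen,
                       const void *needle, size_t nlen)
{
    const char *h = hay;

    if (nlen == 0)
        return h;                 /* same convention as strstr(s, "") */
    if (hay == NULL || needle == NULL || nlen > hlen)
        return NULL;

    /* Last start offset at which a full match still fits in the buffer. */
    size_t last = hlen - nlen;
    for (size_t i = 0; i <= last; i++) {
        /* Look for the first needle byte among the valid start offsets only. */
        const char *p = memchr(h + i, *(const char *)needle, last - i + 1);
        if (p == NULL)
            return NULL;
        if (memcmp(p, needle, nlen) == 0)
            return p;             /* p + nlen <= h + hlen by construction */
        i = (size_t)(p - h);      /* loop increment resumes after this candidate */
    }
    return NULL;
}

int main(void)
{
    /* Found: the match ends exactly at the last byte of the buffer. */
    const char *hit = find_bytes(sample_body, sizeof sample_body, "1234", 4);
    printf("match offset: %ld\n", hit ? (long)(hit - sample_body) : -1L);

    /* Not found: the search stops at the length instead of running on. */
    const char *miss = find_bytes(sample_body, sizeof sample_body, "12345", 5);
    printf("overlong needle: %s\n", miss ? "found" : "not found");
    return 0;
}
```

In the delegate method, the haystack arguments would be `[data bytes]` and `[data length]`.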