project-imas / encrypted-core-data

v2.0 - iOS Core Data encrypted SQLite store using SQLCipher

BETWEEN operator results in a memory access error #276

Open holscherd opened 7 years ago

holscherd commented 7 years ago

Executing this query results in a memory access error while the BETWEEN clause is being handled:

// Reproduction predicate. Adjacent @"" literals are concatenated by the compiler with no
// separator, so @"messageID == %@" @"OR" @"(" yields "messageID == %@OR(" — no whitespace
// around OR. NOTE(review): whether NSPredicate's tokenizer accepts that is not shown here;
// worth confirming separately from the BETWEEN crash so the two issues are not conflated.
// The BETWEEN {%@, %@} aggregate at the end is the sub-expression that reaches frame #5.
NSString *predicateFormat = @"messageID == %@" @"OR" @"(" @" body == %@ " @" AND jidStr == %@ " @" AND streamBareJidStr == %@ " @" AND " @" (" @" (remoteTimestamp == %@) " @" OR (remoteTimestamp == NIL && localTimestamp BETWEEN {%@, %@})" @" )" @")";

This is likely due to the "format" string used by this code, at line 4193 of EncryptedStore.m, containing two %@ placeholders while only one argument is passed in:

// EncryptedStore.m:4193 (frame #5 in the trace below). stringWithFormat: consumes one
// variadic argument per conversion in the format; the BETWEEN entry's format reportedly
// carries two %@ but only the joined operand list is supplied, so the second %@ is read
// from whatever follows on the stack and then messaged (objc_msgSend in frame #0, address
// 0x10) — undefined behaviour, hence EXC_BAD_ACCESS. The fix belongs in the caller: the
// argument count must match the format, or the format must be built without varargs
// (e.g. string replacement) so a mismatch cannot read past the supplied arguments.
*operand = [NSString stringWithFormat:[operator objectForKey:@"format"], [subOperands componentsJoinedByString:@","]];

* thread #20, queue = 'NSPersistentStoreCoordinator 0x6100002636c0', stop reason = EXC_BAD_ACCESS (code=1, address=0x10)
    frame #0: 0x0000000112015ac5 libobjc.A.dylib`objc_msgSend + 5
    frame #1: 0x00000001112fbbdd Foundation`_NSDescriptionWithStringProxyFunc + 49
    frame #2: 0x00000001124db388 CoreFoundation`__CFStringAppendFormatCore + 9592
    frame #3: 0x00000001124d8de3 CoreFoundation`_CFStringCreateWithFormatAndArgumentsAux2 + 243
    frame #4: 0x000000011130a75b Foundation`+[NSString stringWithFormat:] + 169
    frame #5: 0x000000010d95518b EncryptedCoreData`-[EncryptedStore parseExpression:inPredicate:inFetchRequest:operator:operand:bindings:](self=0x000061000012e600, _cmd="parseExpression:inPredicate:inFetchRequest:operator:operand:bindings:", expression=0x000061000002a000, predicate=0x0000610000249fc0, request=0x00006100000dc380, operator=2 key/value pairs, operand=0x00007000098a1088, bindings=0x00007000098a1080) at EncryptedStore.m:4193
    frame #6: 0x000000010d94ebd7 EncryptedCoreData`-[EncryptedStore recursiveWhereClauseWithFetchRequest:predicate:](self=0x000061000012e600, _cmd="recursiveWhereClauseWithFetchRequest:predicate:", request=0x00006100000dc380, predicate=0x0000610000249fc0) at EncryptedStore.m:3651
    frame #7: 0x000000010d95011d EncryptedCoreData`__65-[EncryptedStore recursiveWhereClauseWithFetchRequest:predicate:]_block_invoke_2((null)=0x00007000098a15b0, obj=0x0000610000249fc0, idx=1, stop=NO) at EncryptedStore.m:3601
    frame #8: 0x000000011252ce4d CoreFoundation`__53-[__NSArrayI enumerateObjectsWithOptions:usingBlock:]_block_invoke + 77
    frame #9: 0x000000011252cd2f CoreFoundation`-[__NSArrayI enumerateObjectsWithOptions:usingBlock:] + 207
    frame #10: 0x000000010d94e5aa EncryptedCoreData`-[EncryptedStore recursiveWhereClauseWithFetchRequest:predicate:](self=0x000061000012e600, _cmd="recursiveWhereClauseWithFetchRequest:predicate:", request=0x00006100000dc380, predicate=0x0000610000247f80) at EncryptedStore.m:3600
    frame #11: 0x000000010d95011d EncryptedCoreData`__65-[EncryptedStore recursiveWhereClauseWithFetchRequest:predicate:]_block_invoke_2((null)=0x00007000098a1a80, obj=0x0000610000247f80, idx=1, stop=NO) at EncryptedStore.m:3601
    frame #12: 0x000000011252ce4d CoreFoundation`__53-[__NSArrayI enumerateObjectsWithOptions:usingBlock:]_block_invoke + 77
    frame #13: 0x000000011252cd2f CoreFoundation`-[__NSArrayI enumerateObjectsWithOptions:usingBlock:] + 207
    frame #14: 0x000000010d94e5aa EncryptedCoreData`-[EncryptedStore recursiveWhereClauseWithFetchRequest:predicate:](self=0x000061000012e600, _cmd="recursiveWhereClauseWithFetchRequest:predicate:", request=0x00006100000dc380, predicate=0x0000610000245850) at EncryptedStore.m:3600
    frame #15: 0x000000010d95011d EncryptedCoreData`__65-[EncryptedStore recursiveWhereClauseWithFetchRequest:predicate:]_block_invoke_2((null)=0x00007000098a1f50, obj=0x0000610000245850, idx=3, stop=NO) at EncryptedStore.m:3601
    frame #16: 0x000000011252ce4d CoreFoundation`__53-[__NSArrayI enumerateObjectsWithOptions:usingBlock:]_block_invoke + 77
    frame #17: 0x000000011252cd2f CoreFoundation`-[__NSArrayI enumerateObjectsWithOptions:usingBlock:] + 207
    frame #18: 0x000000010d94e5aa EncryptedCoreData`-[EncryptedStore recursiveWhereClauseWithFetchRequest:predicate:](self=0x000061000012e600, _cmd="recursiveWhereClauseWithFetchRequest:predicate:", request=0x00006100000dc380, predicate=0x0000610000246d20) at EncryptedStore.m:3600
    frame #19: 0x000000010d95011d EncryptedCoreData`__65-[EncryptedStore recursiveWhereClauseWithFetchRequest:predicate:]_block_invoke_2((null)=0x00007000098a2420, obj=0x0000610000246d20, idx=1, stop=NO) at EncryptedStore.m:3601
    frame #20: 0x000000011252ce4d CoreFoundation`__53-[__NSArrayI enumerateObjectsWithOptions:usingBlock:]_block_invoke + 77
    frame #21: 0x000000011252cd2f CoreFoundation`-[__NSArrayI enumerateObjectsWithOptions:usingBlock:] + 207
    frame #22: 0x000000010d94e5aa EncryptedCoreData`-[EncryptedStore recursiveWhereClauseWithFetchRequest:predicate:](self=0x000061000012e600, _cmd="recursiveWhereClauseWithFetchRequest:predicate:", request=0x00006100000dc380, predicate=0x000061000024a6b0) at EncryptedStore.m:3600
    frame #23: 0x000000010d94dcc1 EncryptedCoreData`-[EncryptedStore whereClauseWithFetchRequest:](self=0x000061000012e600, _cmd="whereClauseWithFetchRequest:", request=0x00006100000dc380) at EncryptedStore.m:3534
    frame #24: 0x000000010d92e1e4 EncryptedCoreData`-[EncryptedStore executeRequest:withContext:error:](self=0x000061000012e600, _cmd="executeRequest:withContext:error:", request=0x00006100000dc380, context=0x00006080001d68f0, error=0x00007000098a2c78) at EncryptedStore.m:449
    frame #25: 0x000000010f503315 CoreData`__65-[NSPersistentStoreCoordinator executeRequest:withContext:error:]_block_invoke + 2453
    frame #26: 0x000000010f4fbe09 CoreData`__55-[NSPersistentStoreCoordinator _routeHeavyweightBlock:]_block_invoke + 89
    frame #27: 0x000000010f50e2f4 CoreData`gutsOfBlockToNSPersistentStoreCoordinatorPerform + 196
    frame #28: 0x000000011390405c libdispatch.dylib`_dispatch_client_callout + 8
    frame #29: 0x00000001138e1de6 libdispatch.dylib`_dispatch_barrier_sync_f_invoke + 346
    frame #30: 0x000000010f4fb785 CoreData`_perform + 213
    frame #31: 0x000000010f4fbb0b CoreData`-[NSPersistentStoreCoordinator _routeHeavyweightBlock:] + 283
    frame #32: 0x000000010f413f98 CoreData`-[NSPersistentStoreCoordinator executeRequest:withContext:error:] + 632
    frame #33: 0x000000010f4125e4 CoreData`-[NSManagedObjectContext executeFetchRequest:error:] + 564
  * frame #34: 0x000000010b9db96d Extension Chat`-[XMPPRoomHybridStorage existsMessage:forRoom:stream:](self=0x0000608000168340, _cmd="existsMessage:forRoom:stream:", message=0x0000600000036c40, room=0x00006180000b4700, xmppStream=0x00007fadeea08510) at XMPPRoomHybridStorage.m:492
lolgear commented 7 years ago

It seems that you are injecting into the most dangerous part of KVC — format strings and predicates.