Bogus style data in pasteboard can lead to crash

Originator: tempelmann
Number: rdar://30516088    Date Originated: 14-Feb-2017
Status: open    Resolved:
Product: OS X    Product Version: 10.12.3
Classification: Crash    Reproducible: Always
 
Summary:
If certain corrupted style data is put into the Pasteboard, trying to paste it may lead to a crash.

The problem is not just academic because I ran into this crash several times while having copied styled text from a Carbon-based text field, so the bad style data may also have been caused by the OS X framework code, though I have no way to reproduce that part reliably. What I, as well as others, can reproduce, though, is that such bad data leads to a crash when processed by the Cocoa pasteboard conversion handler.

Steps to Reproduce:
Run this AppleScript code to fill the pasteboard with the bogus data:

set the clipboard to ({string:"ListBoxTVPrivate"} & {uniform styles:«data ustl02000000D000000000000000140000002000000001000000240000000000000001000000AC0000000800000003000000000000000001000001000000000000000101000001000000000000000201000001000000000000000301000001000000000000000401000001000000000000000501000030000000646D616E2800000001000000040000000100000000000000000000000D0000004C7563696461204772616E6465000000060100000400000000000B000701000006000000000000000000000001000000010003001B000000»} )

Open Pages, create a new document and paste (cmd+V). This should lead to a crash.

Try the same with TextEdit (make sure to start a rich text, not plain text, document). While this may not crash TextEdit, nothing is pasted, and Console.app will show that there was an internal exception.

Or try Finder's menu: Edit -> Show Clipboard. Again, no crash but also no clipboard window - and the same exception report in the Console.

Other apps may actually crash because they have not wrapped the conversion code in a try block. One example is Chrome (to which I already reported the bug, and they confirmed it), which crashes.

Thus, any app may crash (one of my own did, that's how I noticed this issue) - it all depends on whether they use a try block. 10.10's TextEdit and Finder did not use a try wrapper, and they actually do crash, but 10.11 and later do not crash here.

Curiously, pasting into Script Editor won't crash, and it will even paste the text. That's because it's using the older Carbon-based pasteboard functions that are not affected by this bug. Only apps that use NSPasteboard crash (or run into the exception, at least).

So, it appears to me that there's a bug here in the Carbon-Cocoa pasteboard conversion code, not properly dealing with invalid data. There may also be a bug generating the bad style data from a Carbon-based edit field, but I can't prove that, yet.
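Since the report attributes the difference between a crash and a silent failure to whether the app wraps the pasteboard conversion in a try block, here is an added example (not code from the radar or from Apple) of a defensive paste handler: it reads the rich-text representation inside @try, logs any NSException instead of letting it terminate the process, and falls back to the plain-string type, which does not go through the style-conversion path. The function name is an assumption; the NSPasteboard calls are the real AppKit API.

```objective-c
#import <Cocoa/Cocoa.h>

// Added example: read styled text from a pasteboard without letting a
// malformed style blob (such as the "ustl" data in this report) take the
// application down. Returns nil only if neither rich nor plain text could
// be obtained.
static NSAttributedString *SafeReadAttributedString(NSPasteboard *pb) {
    NSAttributedString *result = nil;

    @try {
        // This is the path that, per the report, raises an internal
        // exception when the Carbon style data is corrupted.
        NSArray *objects = [pb readObjectsForClasses:@[[NSAttributedString class]]
                                             options:@{}];
        result = objects.firstObject;
    } @catch (NSException *exception) {
        // Record the failure for diagnosis rather than crashing.
        NSLog(@"Pasteboard rich-text conversion failed: %@ (%@)",
              exception.name, exception.reason);
        result = nil;
    }

    if (result == nil) {
        // Fall back to plain text; the string type is not affected by the
        // bogus style data.
        NSString *plain = [pb stringForType:NSPasteboardTypeString];
        if (plain != nil) {
            result = [[NSAttributedString alloc] initWithString:plain];
        }
    }
    return result;
}

// Typical call site, e.g. from an NSResponder paste: action.
static void PasteIntoTextView(NSTextView *textView) {
    NSAttributedString *text =
        SafeReadAttributedString([NSPasteboard generalPasteboard]);
    if (text != nil) {
        [textView insertText:text replacementRange:textView.selectedRange];
    }
}
```

Catching exceptions thrown from inside AppKit is a containment measure, not a fix: the framework state after the exception is not guaranteed to be consistent, so the log line is the part that matters for tracking down which application produced the bad style data.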

Expected Results:


Actual Results:


Version:
10.10.5, 10.11.6, 10.12.3

Notes:


Configuration:
I've had several people on different OS X versions try it, and everyone can confirm it. So you should not need specific config data from my computer, but instead should be able to reproduce it easily by yourself.
