[syncopate]

I've been looking at the stack trace in gdb a bit. And it seems that inside CoreText TStorageRange::SetStorageSubRange calls

    void vDSP_sveD(double *__vDSP_A, vDSP_Stride __vDSP_I, double *__vDSP_C, vDSP_Length __vDSP_N)

with a negative length argument.

[yuhong]

Wonder if it is exploitable.

[syncopate]

AFAIU, the length is negative but it is then treated as an unsigned integer by vDSP_sveD. So the function iterates over the given vector until there is a memory exception (As the length is very close to to UINT_MAX). It doesn't look very exploitable to me but it is surely annoying. I've found it a bit odd that neither TStorageRange::SetStorageSubRange nor vDSP_sveD do any kind of sanity checks for the values they calculate or which are passed to them.