#include <stdlib.h>
#import <substrate.h>
/*
 * DECL_FUNC(name, ret, args...) declares the file-static trampoline pointer
 * `original_<name>` (filled in later by MSHookFunction) and opens the definition
 * of the replacement function `custom_<name>` with the same return type and
 * argument list. The function body follows the macro invocation.
 */
#define DECL_FUNC(name, ret, ...) \
static ret (*original_ ## name)(__VA_ARGS__); \
ret custom_ ## name(__VA_ARGS__)
/*
 * HOOK_FUNC(image, name) resolves the symbol "_<name>" in `image` and redirects it
 * to custom_<name>, saving the original entry point in original_<name>.
 * On a failed lookup it logs and executes a bare `return;` from the *enclosing*
 * function, so it may only be expanded inside a function returning void (the
 * %ctor below), and every statement after it in that function is skipped.
 */
#define HOOK_FUNC(image_to_hook, name) do { \
void *_ ## name = MSFindSymbol(image_to_hook, "_" #name); \
if (_ ## name == NULL) { \
NSLog(@"Failed to find function: " #name "."); \
return; \
} \
MSHookFunction(_ ## name, (void *) custom_ ## name, (void **) &original_ ## name); \
} while(0)
/* CoreGraphics image handle, resolved in %ctor; every symbol lookup goes through it. */
MSImageRef CG_image;
/*
 * Replacement for CoreGraphics' internal x_calloc(times, size).
 *
 * Refuses (returns NULL for) any request where either the element count or the
 * element size is >= 0x10000, and any request whose 16-byte-rounded 32-bit total
 * is smaller than the exact 64-bit product (i.e. the size computation wrapped).
 * Everything else is forwarded unchanged to the original allocator. Returning
 * NULL makes the allocation fail outright instead of being performed with a
 * wrapped size.
 *
 * The arithmetic deliberately uses a 32-bit `total` next to a 64-bit `check`;
 * keep the widths as they are.
 */
DECL_FUNC(x_calloc, void*, size_t times, size_t size)
{
    unsigned int total;
    unsigned long long check;
    //NSLog(@"[CVE-2014-4377] Hooked x_calloc. 1st check %lu | %lu )", times, size);
    // Both operands must be < 0x10000: OR-ing them sets a bit at or above bit 16
    // exactly when at least one of them does.
    if ((size | times) >= 0x10000) {
        return NULL;
    }
    // After the check above the product is at most 0xFFFF * 0xFFFF, so
    // size*times + 31 fits in 32 bits and the truncation into `total` is lossless.
    total = (size * times + 31) & 0xFFFFFFF0;
    check = size * (unsigned long long)times;
    //NSLog(@"[CVE-2014-4377] Hooked x_calloc. 2nd check (%u, %llu)", total, check);
    // Overflow test: a wrapped total would be smaller than the exact product.
    // NOTE(review): with both operands bounded by the first check this condition
    // cannot become true; it is retained as a belt-and-braces guard.
    if (total < check) {
        return NULL;
    }
    return original_x_calloc(times, size);
}
/* Start address of CoreGraphics' private _cg_build_colorspace, resolved in %ctor.
   It is never called; custom_CGPDFArrayGetStream only uses it for a return-address
   proximity test. */
void* original_cg_build_colorspace;
/* Unhooked CoreGraphics entry points resolved by symbol name in %ctor. The
   CGPDFArrayGetStream replacement calls them directly to inspect the array it was
   handed; they are not NULL-checked before use there. */
int (*original_CGPDFArrayGetCount)(CGPDFArrayRef);
bool (*original_CGPDFArrayGetInteger)(CGPDFArrayRef array, size_t index, CGPDFInteger *);
bool (*original_CGPDFArrayGetName)(CGPDFArrayRef array, size_t index, const char ** );
/*
 * Replacement for CGPDFArrayGetStream(array, index, stream).
 *
 * Blocks the one access pattern this tweak treats as an attempt to trigger
 * CVE-2014-4377: the caller lies within 0x1000 bytes past the start of
 * _cg_build_colorspace (judged by the return address), the array is a
 * four-element color space whose element 0 is the name "Indexed", element 2
 * (the Indexed color space's hival) is greater than 0xff, and element 3 (the
 * lookup stream) is being fetched. In that case it logs, leaves *stream
 * untouched and returns false; otherwise it forwards to the original function.
 *
 * The && chain is order-sensitive and must not be reordered:
 *  - the return-address test runs before any resolved CGPDF helper is called, so
 *    if original_cg_build_colorspace is NULL (failed lookup) the test is false for
 *    any real return address and the helper pointers are never dereferenced;
 *  - `name` and `N` are only read after the call that fills them returned nonzero.
 *
 * NOTE(review): strcmp is used here but <string.h> is not included by this file;
 * it relies on substrate.h or the build's prefix header pulling it in.
 */
DECL_FUNC(CGPDFArrayGetStream, bool, CGPDFArrayRef array, size_t index, CGPDFStreamRef * stream)
{
    const char *name;
    // Read through an unsigned type: a negative hival becomes a huge value and is
    // therefore rejected by the > 0xff test as well (conservative).
    unsigned long N;
    if (index == 3 &&
        ((unsigned long)__builtin_return_address(0) - (unsigned long)original_cg_build_colorspace) < 0x1000 &&
        original_CGPDFArrayGetCount(array) == 4 &&
        original_CGPDFArrayGetName(array, 0, &name) != 0 &&
        strcmp(name, "Indexed") == 0 &&
        original_CGPDFArrayGetInteger(array,2,(CGPDFInteger *) &N) != 0 &&
        N > 0xff){
        //NSLog(@"[CVE-2014-4377] Hooked CGPDFArrayGetStream(%p, %lu, %p);", array, index, stream);
        //NSLog(@"[CVE-2014-4377] CGPDFArrayGetStream return address: %p\n", __builtin_return_address(0));
        //NSLog(@"[CVE-2014-4377] _cg_build_colorspace %p\n", original_cg_build_colorspace);
        NSLog(@"[CVE-2014-4377] You are under attack! Attemp to exploit CVE-2014-4377 was stopped!\n");
        return 0;
    }
    return original_CGPDFArrayGetStream(array, index, stream);
}
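/*
 * Tweak constructor: resolves the CoreGraphics image and installs both hooks.
 *
 * Stage 1 hooks x_calloc; stage 2 resolves the private helpers that the
 * CGPDFArrayGetStream replacement depends on and then hooks CGPDFArrayGetStream.
 * Every failure path returns early and leaves the process running unhooked
 * (HOOK_FUNC itself returns from this function when a symbol is missing, so a
 * failed stage 1 also skips stage 2). The stage-2 helper pointers are verified
 * before the hook is installed: the replacement dereferences them, and hooking
 * with any of them NULL would turn a failed lookup into a crash inside
 * CoreGraphics instead of a logged, un-mitigated state.
 */
%ctor {
    CG_image = MSGetImageByName("/System/Library/Frameworks/CoreGraphics.framework/CoreGraphics");
    if (CG_image == NULL) {
        return;
    }
    NSLog(@"[CVE-2014-4377] Initializing hooks (stage 1) ...\n");
    HOOK_FUNC(CG_image, x_calloc);
    NSLog(@"[CVE-2014-4377] Initializing hooks (stage 2) ...\n");
    original_cg_build_colorspace = MSFindSymbol(CG_image, "_cg_build_colorspace");
    original_CGPDFArrayGetCount = (int (*)(CGPDFArrayRef))MSFindSymbol(CG_image, "_CGPDFArrayGetCount");
    original_CGPDFArrayGetInteger = (bool (*)(CGPDFArrayRef, size_t, CGPDFInteger *))MSFindSymbol(CG_image, "_CGPDFArrayGetInteger");
    original_CGPDFArrayGetName = (bool (*)(CGPDFArrayRef, size_t, const char **))MSFindSymbol(CG_image, "_CGPDFArrayGetName");
    // All four are used unconditionally inside custom_CGPDFArrayGetStream once the
    // return-address test passes; refuse to install the hook if any lookup failed.
    if (original_cg_build_colorspace == NULL ||
        original_CGPDFArrayGetCount == NULL ||
        original_CGPDFArrayGetInteger == NULL ||
        original_CGPDFArrayGetName == NULL) {
        NSLog(@"[CVE-2014-4377] Failed to resolve CGPDF helper symbols; stage 2 hook not installed.");
        return;
    }
    HOOK_FUNC(CG_image, CGPDFArrayGetStream);
    NSLog(@"[CVE-2014-4377] DONE!\n");
}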