Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Get back to sel_getUid()'s original behaviour

Tags:

objective-c

selector

objective-c-runtime

TL;DR: How does one check that selector with given name was registered, without actually registering it?

Thanks!

Hi, I have an Objective-C application and bunch of NSObjects that are exported into Lua state via simple proxy library written in objc. All Lua-side calls like these:

exported_objc_object:myMethodName(...)

-- same as --
exported_objc_object.myMethodName(exported_objc_object, ...)

-- same as --
key = 'myMethodName'
exported_objc_object[key](exported_objc_object, ...)

are forwarded as if someone called:

[objc_object lua_myMethodName:L];

// declared as
- (int)lua_myMethodName:(lua_State *)L { ... }

Actually, any 'get' opcode on Lua-exported object returns a cached Lua-closure that on invocation will call corresponding Objective-C method via selector constructed with sprintf(s, "lua_%s:", key)) && sel_getUid(s) (all checks included). If produced selector is not implemented in terms of -[respondsToSelector:], then exported_objc_object.myMethodName simply returns nil.

Obviously, proxy library has to make dynamic lookups via sel_getUid() or sel_registerName() (I believe both @selector and NSSelectorFromString() also end up there). The manual states that sel_getUid() was intended to lookup selector names (as opposed to immediately registering them into SEL registry), but it's modern implementation now does the same as sel_registerName() due to bugs in someone's teh codez back then.

I can just stick with sel_registerName() behavior, but that leaves memory-eating attack vector, as some malicious script may start looking up long random/invalid selectors via sml object[makeRandomKey()] in a loop, thus overflowing SEL registry forever. If sel_getUid() worked as planned, proxy lib would be able to test selector presence and only then actually check if object responds to it, without excessive registering. But it doesn't.

like image 449
user3125367 Avatar asked Sep 29 '22 07:09

user3125367

1 Answers

Here is a hack that might work, that uses the implementation-dependent fact that a selector is a C string.

sel_isMapped((SEL)(void *)"lua_myMethodName:")
like image 112
newacct Avatar answered Oct 17 '22 20:10

newacct
Sign in to Comment

Related questions

UIButton label text autoshrink with insets
accessNotConfigured : Google URL Shorten API on iOS Simulator
IB_DESIGNABLE build failed when using class from within a framework
How to make scrollView 'bounce' on tap
Significance of Category name in iOS
Swift dynamic cast failed - Error when trying to run unit tests
NSURLErrorDomain Code=-1012 The operation couldn’t be completed
CAShapeLayer Shadow with UIBezierPath
Swift - Call segue inside of a closure
iOS 64bit @try {... } @catch {...} not working
stringWithUTF8String returning nil since iOS 8.2 update
IPConfiguration apple80211Open() crashes on iOS8
How to use HDR with custom AVFoundation based Camera app?
UIViewController did not deallocate itself
Changing UIScrollVIew Content Inset triggers scrollViewDidScroll
Save a video in Cache
Supporting Universal App with Portrait Orientation on iPhone and Landscape+Portrait on iPad
FBAppCall removed from Facebook update 4.x - return to app after Facebook login
Use Bezier Path as Clipping Mask
Convert file path to file url[NSUrl]

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!