/self/proc/mem

Posted Jan 20, 2026 9:25 UTC (Tue) by evomassiny (subscriber, #161550)
In reply to: /self/proc/mem by cypherpunks2
Parent article: A 0-click exploit chain for the Pixel 9 (Project Zero)

Same for the pseudo-code,
i believe:
```
if ( total_size % 8 )
total_size += (8 - total_size) % total_size;
```

should be:
```
if (total_size % 8)
total_size += 8 - (total_size % 8);
```
otherwise i don't understand what would be the intention

to post comments

/self/proc/mem

Posted Jan 20, 2026 11:53 UTC (Tue) by excors (subscriber, #95769) [Link]

I can't find the ddp_udc_int_evo_malloc symbol in Pixel 9's libcodec2_soft_ddpdec.so (maybe it was inlined or something); but the original bug report says the vulnerable code is present on MacOS, and a GitHub search shows the symbol exists on iOS (which is probably similar to MacOS), so I guess they decompiled it from MacOS rather than Android.

The iOS decompilation is effectively:

total_size = (alloc_size + extra + 7) & ~7;
if (does_add_overflow(alloc_size, extra) || heap->remaining < total_size) { return 0; }

which makes more sense - it's simply rounding up to 8 bytes, and the bug is that it's only testing for overflow in the non-rounded-up addition. Perhaps the post author tried to paraphrase the decompiled code to avoid the slightly obscure bit-twiddling, or used a different decompiler that produced uglier code they needed to clean up, but they made a mistake. Their rest of their explanation of the overflow sounds fine.

(They say the overflow is present on iOS but not exploitable because the library is built with -fbounds-safety.)