launchd heap corruption due to incorrect rounding in launch_data_unpack (see issue 12 for background on launchd and launch_data_unpack) liblaunch.c: launch_data_unpack: ... case LAUNCH_DATA_STRING: tmpcnt = big2wire(r->string_len); if ((data_size - *data_offset) < (tmpcnt + 1)) { errno = EAGAIN; return NULL; } r->string = data + *data_offset; r->string_len = tmpcnt; *data_offset += ROUND_TO_64BIT_WORD_SIZE(tmpcnt + 1); break; case LAUNCH_DATA_OPAQUE: tmpcnt = big2wire(r->opaque_size); if ((data_size - *data_offset) < tmpcnt) { errno = EAGAIN; return NULL; } r->opaque = data + *data_offset; r->opaque_size = tmpcnt; *data_offset += ROUND_TO_64BIT_WORD_SIZE(tmpcnt); break; ... Both these cases check that there is enough space remaining in the buffer for the given payload size. However, they both then round up the given size to the nearest 8 bytes. This rounding can cause data_offset to become larger than data_size if the data_size was not a multiple of 8 bytes. This causes (data_size - *data_offset) to underflow, meaning that the code will continue to read and deserialize _launch_data structures off the end of the data buffer. Related CVE Numbers: CVE-2014-1359. Found by: Ian Beer