From 00f8c629723461436e187c93c6736885a30729d6 Mon Sep 17 00:00:00 2001
From: alexia
Date: Thu, 27 Apr 2023 19:05:58 +0200
Subject: [PATCH] fix: UaF in boot-manifest-hash fallback

CFDataGetBytePtr doesn't return a copy. Somehow it happened to work fine up until iOS 16.3.1, but on iOS 16.4+ the early CFRelease causes the result to be all zeroes. This isn't critical as it's just a fallback if it fails to get root-snapshot-name and that still works fine, but it's worth fixing anyway.
---
 snapUtil.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/snapUtil.c b/snapUtil.c
index ccbdf4b..b852a60 100644
--- a/snapUtil.c
+++ b/snapUtil.c
@@ -187,11 +187,11 @@ do_origName(void) { length = CFDataGetLength(manifestHash); bytes = CFDataGetBytePtr(manifestHash); - CFRelease(manifestHash); printf("com.apple.os.update-"); for (int i = 0; i < length; i++) printf("%02X", bytes[i]); + CFRelease(manifestHash); printf("\n"); }
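Review bot: The lifetime fix is correct, but nothing in the hunk records that `bytes` is a borrowed pointer into `manifestHash`, so the same use-after-free can be reintroduced by anyone who later moves the `CFRelease` or adds an early exit between `CFDataGetBytePtr` and the print loop; I would annotate that line as `bytes = CFDataGetBytePtr(manifestHash); /* borrowed, not a copy: valid only while manifestHash is retained */`. As a point of style, `CFDataGetLength` returns `CFIndex`, so the loop index would match better as `for (CFIndex i = 0; i < length; i++)` rather than `int i`. Whether `manifestHash` is owned here at all (obtained from a Create/Copy call rather than a Get) is decided where it is acquired, which lies outside the hunk together with the start of `do_origName`; if it came from a Get call, the `CFRelease` itself would be an over-release and should go too.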