- 復(fù)現(xiàn)步驟:
在UIImagePickController拍照頁面開啟閃光模式推姻,在拍照的瞬間點(diǎn)擊鎖屏按鈕,App重回前臺后拍出來的照片一片漆黑,這時點(diǎn)擊”使用照片”會crash。
美團(tuán).gif
微信.gif
系統(tǒng) < iOS 10
-
原因:NSMutableDictionary setObject是參數(shù)傳nil導(dǎo)致的空免。
注意:當(dāng)UIImagePickController的allowEditing屬性為YES的時候不會crash。
解決方案:hook底層拍照處理API盆耽,當(dāng)發(fā)現(xiàn)拍出來的照片為空時手動生成一張空白圖片蹋砚。
通過Hopper查看產(chǎn)生這個問題有兩處可能返回nil的調(diào)用扼菠,
-
-[PLPhotoTileViewController _newOriginalImageForPickerFromCachedData];OC方法
-
void * -[PLPhotoTileViewController _newOriginalImageForPickerFromCachedData](void * self, void * _cmd) {
rbx = self;
rax = [self unscaledImage];
if (rax == 0x0) {
rax = [rbx image];
}
rax = _NewUIImageFromCachedImage(rax);
return rax;
}
-
int _CreateImageDataFromJPEGDataAndOrientation(int arg0, int arg1);C函數(shù)
-
int _CreateImageDataFromJPEGDataAndOrientation(int arg0, int arg1) {
rbx = PLExifOrientationFromImageOrientation(arg1, arg1);
r15 = [NSDictionary alloc];
rdx = [NSNumber numberWithInt:rbx];
rbx = [r15 initWithObjectsAndKeys:rdx];
r14 = CGImageCreateEXIFJPEGData(0x0, arg0, 0x0, rbx);
[rbx release];
rax = r14;
return rax;
}
我們利用fishhook來對C函數(shù)進(jìn)行hook。
- Code:
#import <fishhook/fishhook.h>
#import <objc/runtime.h>
#if __has_feature(objc_arc)
#error This file must be compiled with MRC. Use -fno-objc-arc flag (or convert project to MRC).
#endif
typedef id (*ImageDataIMP)(id, SEL, ...);
static CGImageRef (*orig_createImageData)(NSData *data, UIImageOrientation orientation);
UIImage *createBlankImage();
CGImageRef new_createImageData(NSData *arg0, UIImageOrientation arg1)
{
CGImageRef imageRef = orig_createImageData(arg0, arg1);
if (imageRef == NULL) {
UIImage *image = createBlankImage();
imageRef = CGImageRetain(image.CGImage);
[image release];
}
return imageRef;
}
NSString *originCreateImageDataFromJPEGDataAndOrientationFuncKey()
{
//CreateImageDataFromJPEGDataAndOrientation
static NSString *key;
static dispatch_once_t onceToken;
dispatch_once(&onceToken, ^{
key = [[NSString alloc] initWithData:[NSData dataWithBytes:(unsigned char [])
{0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x49, 0x6d, 0x61, 0x67, 0x65, 0x44, 0x61, 0x74, 0x61, 0x46, 0x72, 0x6f, 0x6d, 0x4a, 0x50, 0x45, 0x47, 0x44, 0x61, 0x74, 0x61, 0x41, 0x6e, 0x64, 0x4f, 0x72, 0x69, 0x65, 0x6e, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e} length:41]
encoding:NSASCIIStringEncoding];
});
return key;
}
NSString *originalImageForPickerFromCachedDataSELKey()
{
//_newOriginalImageForPickerFromCachedData
static NSString *key;
static dispatch_once_t onceToken;
dispatch_once(&onceToken, ^{
key = [[NSString alloc] initWithData:[NSData dataWithBytes:(unsigned char [])
{0x5f, 0x6e, 0x65, 0x77, 0x4f, 0x72, 0x69, 0x67, 0x69, 0x6e, 0x61, 0x6c, 0x49, 0x6d, 0x61,
0x67, 0x65, 0x46, 0x6f, 0x72, 0x50, 0x69, 0x63, 0x6b, 0x65, 0x72, 0x46, 0x72, 0x6f,
0x6d, 0x43, 0x61, 0x63, 0x68, 0x65, 0x64, 0x44, 0x61, 0x74, 0x61} length:40]
encoding:NSASCIIStringEncoding];
});
return key;
}
@implementation UIImagePickerController (DEFImagePickerControllerCrashFix)
+ (void)load
{
static dispatch_once_t onceToken;
dispatch_once(&onceToken, ^{
//先手動加載私有framework都弹,否則取不到私有類
NSBundle *photoLibraryBundle = [NSBundle bundleWithPath:@"/System/Library/PrivateFrameworks/PhotoLibrary.framework"];
if (![photoLibraryBundle load]) {
return;
}
//PLPhotoTileViewController
NSString *photoTileControllerKey = [[NSString alloc] initWithData:[NSData dataWithBytes:(unsigned char [])
{0x50, 0x4c, 0x50, 0x68, 0x6f, 0x74, 0x6f, 0x54, 0x69,
0x6c, 0x65, 0x56, 0x69, 0x65, 0x77, 0x43, 0x6f, 0x6e, 0x74,
0x72, 0x6f, 0x6c, 0x6c, 0x65, 0x72} length:25] encoding:NSASCIIStringEncoding];
Class originCls = NSClassFromString(photoTileControllerKey);
[photoTileControllerKey release];
Class overridedCls = self;
SEL originalSelector = NSSelectorFromString(originalImageForPickerFromCachedDataSELKey());
SEL overrideSelector = @selector(p_newOriginalImageForPickerFromCachedData);
Method originalMethod = class_getInstanceMethod(originCls, originalSelector);
Method overrideMethod = class_getInstanceMethod(overridedCls, overrideSelector);
BOOL success = class_addMethod(originCls, originalSelector, method_getImplementation(overrideMethod), method_getTypeEncoding(overrideMethod));
if (success) {
class_replaceMethod(overridedCls, overrideSelector, method_getImplementation(originalMethod), method_getTypeEncoding(originalMethod));
} else {
method_exchangeImplementations(originalMethod, overrideMethod);
}
rebind_symbols((struct rebinding[1]){originCreateImageDataFromJPEGDataAndOrientationFuncKey().UTF8String, new_createImageData, (void *)&orig_createImageData}, 1);
});
}
- (id)p_newOriginalImageForPickerFromCachedData
{
SEL originalSelector = @selector(p_newOriginalImageForPickerFromCachedData);
Method method = class_getInstanceMethod([UIImagePickerController class], originalSelector);
ImageDataIMP imp = (ImageDataIMP)method_getImplementation(method);
UIImage *image = imp(self, _cmd);
if (!image) {
//如果沒有生成照片娇豫,返回一張空白圖片,防止crash
image = createBlankImage();
}
return image;
}
@end
//生成一張黑色圖片
UIImage *createBlankImage()
{
UIBezierPath *bezierPath = [UIBezierPath bezierPathWithRect:[[UIScreen mainScreen] bounds]];
UIImage *blackImage = [UIImage p_imageWithColor:[UIColor blackColor] path:bezierPath];
CGImageRef imageRef = blackImage.CGImage;
UIImage *drawImage = [[UIImage alloc] initWithCGImage:imageRef
scale:[UIScreen mainScreen].scale
orientation:UIImageOrientationUp];
return drawImage;
}
@interface UIImage (PickerBlankImage)
+ (UIImage *)p_imageWithColor:(UIColor *)color path:(UIBezierPath *)path;
@end
@implementation UIImage (PickerBlankImage)
+ (UIImage *)p_imageWithColor:(UIColor *)color path:(UIBezierPath *)path
{
CGRect rect = CGRectMake(0, 0, 3, 3);
if (path) {
rect = path.bounds;
}
UIGraphicsBeginImageContextWithOptions(rect.size, NO, 0);
CGContextRef context = UIGraphicsGetCurrentContext();
CGContextSetFillColorWithColor(context, [color CGColor]);
if (path) {
[path fill];
} else {
CGContextFillRect(context, rect);
}
UIImage *image = UIGraphicsGetImageFromCurrentImageContext();
UIGraphicsEndImageContext();
return image;
}
@end
