Proof-of-concept app to overwrite fonts on iOS using [CVE-2022-46689](

Works on iOS 16.1.2 and below (tested on iOS 16.1) on unjailbroken devices. The bug is fixed in iOS 16.2, so the app does nothing there.

IPA available in the [Releases]( section.

Fonts included:

- DejaVu Sans Condensed
- DejaVu Serif
- DejaVu Sans Mono
- Go Regular
- Go Mono
- Fira Sans
- Segoe UI
- Comic Sans MS
- Choco Cooky

You can also import custom fonts that were ported for iOS.

## Screenshots

DejaVu Sans Condensed | DejaVu Serif | DejaVu Sans Mono | Choco Cooky


Go Regular | Go Mono | Segoe UI | Comic Sans MS

![Another screenshot](

Hanna Soft + JoyPixels | Bronkoh | Noto Serif SC | Fira Sans

![Another screenshot](

Screenshot credit: [@ev_ynw]( for the ported [Hanna Soft]( and [Bronkoh]( fonts, [JoyPixels]( for the emoji font

## Where to find ported fonts

- [@ev_ynw](
- [@PoomSmart](

## Known issues

 - The built-in fonts are not properly ported (I don't know how to port fonts). For best results, use a custom font. With the built-in fonts:
   - Only regular text uses the changed font: thin/medium/bold text falls back to Helvetica instead.
   - If the font doesn't show up at all, [disable "Bold Text"]( in accessibility settings.
 - File pickers in apps will fail to open with the error "Something went wrong while displaying documents." 
   - This happens if you replace the emoji font, or install fonts with [multiple weights](
   - Try the experimental .ttc fix by using "Import custom <font> with fix for .ttc"
 - iOS 14.x devices that are jailbroken, or were jailbroken before, will not be able to revert to the original font.
   - Workaround: do not use this app if you're on iOS 14.x and have previously jailbroken. Instead, just jailbreak and replace the fonts normally.

## Font conversion

The CVE-2022-46689 issue, as far as I know, only lets you overwrite 16383 bytes out of every 16384 bytes: the last byte of each 16384-byte page can't be written.

(I could be wrong)

To work around this, I package the font using the [WOFF2]( webfont format, which is [supported on iOS](. WOFF2 uses [Brotli]( for compression, which lets me insert padding to skip over the last byte.

See `repackfonts/` for details. The script:

- renames the font (its `name` table entries) to `.SFUI-Regular` with [TTX]( following [this answer](
- rebuilds the font as `.woff2`
- runs `repackfonts/BrotliPadding.swift` to decompress the WOFF2 file and insert padding so that the 16384th byte of each page falls on padding rather than on font data
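The page-boundary constraint described above, as an added example that is not part of the project's `repackfonts/` tooling: it lists the offsets the overwrite cannot reach, simulates the partial overwrite, and flags the bytes of a candidate replacement file that would either have to match the original or be made irrelevant to the consumer (which is what placing them inside Brotli padding achieves). The 16384-byte page size comes from the text above; that the overwrite cannot grow the file is an assumption of this example, as is the constructed sample data.

```python
# Added example (not the project's repackfonts/ tooling): model the
# "last byte of every 16384-byte page is unwritable" constraint and check
# a candidate replacement file against it.

PAGE = 16384  # page size from the text above (iOS arm64 uses 16 KiB pages)


def unwritable_offsets(length: int, page: int = PAGE) -> list[int]:
    """Offsets within the first `length` bytes that the overwrite cannot set:
    the last byte of every page (page-1, 2*page-1, ...)."""
    return list(range(page - 1, length, page))


def simulate_overwrite(original: bytes, replacement: bytes, page: int = PAGE) -> bytes:
    """What the file holds after the partial overwrite: every byte of
    `replacement` lands except the last byte of each page, which keeps its
    original value. Bytes past len(replacement) are untouched.
    Assumption of this example: the overwrite cannot grow the file."""
    if len(replacement) > len(original):
        raise ValueError("replacement must fit inside the original file")
    out = bytearray(original)
    skipped = set(unwritable_offsets(len(replacement), page))
    for off, value in enumerate(replacement):
        if off not in skipped:
            out[off] = value
    return bytes(out)


def conflicting_offsets(original: bytes, replacement: bytes,
                        dont_care=frozenset(), page: int = PAGE) -> list[int]:
    """Unwritable offsets where the overwritten file would differ from
    `replacement` and the consumer is not known to ignore the byte.
    `dont_care` is the set of offsets the packager has made irrelevant,
    e.g. by placing them inside a Brotli padding (metadata) block that the
    decompressor skips."""
    written = simulate_overwrite(original, replacement, page)
    return [off for off in unwritable_offsets(len(replacement), page)
            if off not in dont_care and written[off] != replacement[off]]


def can_overwrite(original: bytes, replacement: bytes,
                  dont_care=frozenset(), page: int = PAGE) -> bool:
    """True when the overwrite reproduces `replacement` everywhere it matters."""
    return not conflicting_offsets(original, replacement, dont_care, page)


if __name__ == "__main__":
    # Constructed sample data: a 3-page "original" font file whose bytes cycle
    # 0x00..0xff (so the last byte of every page is 0xff) and a replacement of
    # roughly two pages of zeros.
    original = bytes(range(256)) * (3 * PAGE // 256)
    replacement = bytes(2 * PAGE + 100)
    print("unwritable:", unwritable_offsets(len(replacement)))  # [16383, 32767]
    print("conflicts:", conflicting_offsets(original, replacement))
    # Fix 1: make the replacement agree with the original at those offsets.
    patched = bytearray(replacement)
    for off in unwritable_offsets(len(replacement)):
        patched[off] = original[off]
    print("after patching:", conflicting_offsets(original, bytes(patched)))
    # Fix 2: leave the bytes alone but declare them don't-care, which is what
    # padding the Brotli stream achieves for the real font.
    print("with padding:", conflicting_offsets(original, replacement,
                                               dont_care={16383, 32767}))
```

Run it against a real pair of files by reading the installed font and the packaged `.woff2` into `original` and `replacement`; any offset it reports that is not inside a padding block is a byte the font parser will see with its old value.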

## Credits

- Ian Beer of [Project Zero]( for finding CVE-2022-46689.
- Apple for the [test case]( and [patch]( (I didn't change anything: I only wrapped the test case in a library.)
- Everyone on Twitter who helped out and experimented with CVE-2022-46689, especially [@dedbeddedbed](, [@AppleDry05](, and [@haxi0sm]( for exploring what can be done with this issue.
- [WOFF2 compressor]( by Google
- [ttcpad]( by LIJI32
- [Fontforge stripttc](
- The [DejaVu fonts]( are distributed according to their [license](
- The [Go fonts]( are distributed according to their license.
- The [Fira Sans]( font is converted by [@jonpalmisc]( - thanks!
- Segoe UI and Comic Sans MS are the property of Microsoft.
- Choco Cooky is the property of Samsung.
- I don't have any rights to redistribute these, but I'm posting them anyways because #yolo.