[Evolution-hackers] Memory corruption in timezone handling
- From: Robie Basak <robie basak canonical com>
- To: freeassociation-devel lists sourceforge net
- Cc: evolution-hackers gnome org
- Subject: [Evolution-hackers] Memory corruption in timezone handling
- Date: Sun, 1 Apr 2012 10:13:00 +0100
Hi freeassociation-devel,
I think I've tracked down a segfault in evolution to a bug in libical.
In icaltimezone.c:icaltimezone_get_builtin_timezone,
icalarray_append(builtin_timezones, ...) is called. This can cause
icalarray_expand() to be called, moving the entire builtin_timezones
array and thus invalidating any previous pointers into the array.
It seems that evolution is expecting icaltimezone pointers to be stable
over time. But the icaltimezone structure contains builtin_timezone
which is a pointer into the builtin_timezones array. When
icaltimezone_get_builtin_timezone is later called, it expands the array,
invalidating the builtin_timezone field of any icaltimezone pointer
previously issued by icaltimezone_new. This causes later memory
corruption through access to freed memory and an eventual segfault.
Additional notes here, including backtraces of the crash and a valgrind
log catching the access to freed memory red-handed:
https://bugs.launchpad.net/ubuntu/+source/evolution/+bug/956843
http://mail.gnome.org/archives/evolution-hackers/2012-March/msg00028.html
Is this a bug in libical? Or should evolution be doing something
different?
Thanks,
Robie
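The failure mode described above, as an added example that is not part of the original mail and not libical's code: a constructed growable array (the names `growable_array`, `tz_record`, `array_handle` and the functions below are this example's own, not libical's `icalarray` API) hands out a pointer into its buffer, then expands on a later append, so the pointer refers to freed memory. The second function shows one mitigation for code that needs stable references across appends: keep an index plus a generation counter and re-resolve it, rather than caching a pointer into the buffer.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a growable array of fixed-size elements.
 * It is not libical's icalarray; names and layout are this example's own. */
typedef struct {
    void *data;
    size_t element_size;
    size_t num_elements;
    size_t space_allocated;
    unsigned generation;   /* bumped every time the buffer moves */
} growable_array;

/* Constructed record type standing in for a timezone entry. */
typedef struct {
    char name[32];
    int utc_offset_minutes;
} tz_record;

/* A reference that survives expansion: index plus the generation it was
 * taken at, instead of a raw pointer into the buffer. */
typedef struct {
    size_t index;
    unsigned generation;
} array_handle;

static void array_init(growable_array *a, size_t element_size)
{
    a->data = NULL;
    a->element_size = element_size;
    a->num_elements = 0;
    a->space_allocated = 0;
    a->generation = 0;
}

/* Grow the buffer. A fresh block is allocated before the old one is freed, so
 * the move is certain here; realloc() may or may not move, which is exactly
 * why callers cannot assume pointers into the buffer stay valid. */
static int array_expand(growable_array *a)
{
    size_t new_cap = a->space_allocated ? a->space_allocated * 2 : 1;
    void *fresh = malloc(new_cap * a->element_size);
    if (fresh == NULL)
        return -1;
    if (a->data != NULL) {
        memcpy(fresh, a->data, a->num_elements * a->element_size);
        free(a->data);   /* every pointer into the old block is now dangling */
    }
    a->data = fresh;
    a->space_allocated = new_cap;
    a->generation++;
    return 0;
}

/* Append a copy of *elem; returns a handle rather than a pointer. */
static array_handle array_append(growable_array *a, const void *elem)
{
    array_handle h = { (size_t)-1, 0 };
    if (a->num_elements == a->space_allocated && array_expand(a) != 0)
        return h;
    memcpy((char *)a->data + a->num_elements * a->element_size, elem, a->element_size);
    h.index = a->num_elements++;
    h.generation = a->generation;
    return h;
}

/* Resolve a handle to a pointer for immediate use only. A handle taken before
 * the last expansion is refused instead of silently pointing at freed memory. */
static void *array_resolve(growable_array *a, array_handle h)
{
    if (h.generation != a->generation || h.index >= a->num_elements)
        return NULL;
    return (char *)a->data + h.index * a->element_size;
}

/* The pattern from the report: cache the buffer address, then append until the
 * array expands. Returns 1 if the buffer moved. The old address is kept only as
 * an integer for comparison and is never dereferenced. */
int demo_buffer_moves_on_expand(void)
{
    growable_array a;
    tz_record london = { "Europe/London", 0 }, paris = { "Europe/Paris", 60 };
    array_init(&a, sizeof(tz_record));
    array_append(&a, &london);
    uintptr_t held = (uintptr_t)a.data;   /* like caching &builtin_timezones[0] */
    array_append(&a, &paris);             /* capacity 1 -> 2: buffer moves */
    int moved = (uintptr_t)a.data != held;
    free(a.data);
    return moved;
}

/* Mitigation: keep the index, validate against the generation, re-resolve after
 * each append. Returns 1 when the stale handle is rejected and re-resolving the
 * same index still finds the right record. */
int demo_handle_survives_expand(void)
{
    growable_array a;
    tz_record london = { "Europe/London", 0 }, paris = { "Europe/Paris", 60 };
    array_init(&a, sizeof(tz_record));
    array_handle before = array_append(&a, &london);
    array_append(&a, &paris);             /* expands, generation changes */
    int stale_rejected = array_resolve(&a, before) == NULL;
    array_handle current = { before.index, a.generation };
    tz_record *rec = array_resolve(&a, current);
    int found = rec != NULL && strcmp(rec->name, "Europe/London") == 0;
    free(a.data);
    return stale_rejected && found;
}
```

Under valgrind or AddressSanitizer, dereferencing the cached pointer after the second append in the first function would be reported as a use of freed memory, which is the signature the linked bug report describes; the handle-based variant turns that silent corruption into a NULL return that the caller can check.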