Re: [Evolution-hackers] Memory corruption bug in timezone handling
- From: Robie Basak <robie basak canonical com>
- To: Matthew Barnes <mbarnes redhat com>
- Cc: evolution-hackers gnome org
- Subject: Re: [Evolution-hackers] Memory corruption bug in timezone handling
- Date: Thu, 29 Mar 2012 12:30:41 +0100
Matthew,
Thanks for looking into this.
On Thu, Mar 29, 2012 at 06:16:14AM -0400, Matthew Barnes wrote:
> On Thu, 2012-03-29 at 10:33 +0100, Robie Basak wrote:
> > icaltimezone.c:icaltimezone_get_builtin_timezone calls icalarray_append,
> > which moves the entire array to grow it. But an ECalShellView is
> > maintaining a pointer inside that array (via a very long chain of
> > indirection) which becomes invalid as the array is moved. This causes
> > later corruption, invalid reads from freed memory, and eventually
> > segfaults from both the corruption (which appear quite random).
>
> I thought this was solved already by:
> http://git.gnome.org/browse/evolution/tree/modules/calendar/e-cal-shell-backend.c#n863
I spotted this, and this workaround is in my source tree too. But it
doesn't seem to work. The array is still being moved as a result of
icaltimezone.c:icaltimezone_get_builtin_timezone by the following code,
which seems to be an edge case that the workaround does not cover:
    /* Check whether file exists, but is not mentioned in zone.tab.
       It means it's a deprecated timezone, but still available. */
    comp = icaltzutil_fetch_timezone (location);
    if (comp) {
        icaltimezone tz;
        icaltimezone_init (&tz);
        if (icaltimezone_set_component (&tz, comp)) {
            icalarray_append (builtin_timezones, &tz);
            return icalarray_element_at (builtin_timezones, builtin_timezones->num_elements - 1);
        } else {
            icalcomponent_free (comp);
        }
    }
Robie
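The failure mode discussed in this thread, a raw pointer into a growable array that goes stale when the array is moved to grow it, as an added example that is not code from the thread or from libical. The growable_array type and its functions are a simplified stand-in for icalarray (growth allocates a new buffer, copies, and frees the old one, so every expansion moves the data); element_handle is one safe alternative that stores an index and re-resolves the pointer at each use instead of caching it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal growable array modelled loosely on libical's icalarray. Constructed
 * for this example; it is not libical's code. Expansion allocates a fresh
 * buffer and frees the old one, so any raw pointer to an element is only
 * valid until the next append. */
typedef struct {
    size_t element_size;
    size_t num_elements;
    size_t space_allocated;
    void  *data;
} growable_array;

static growable_array *array_new(size_t element_size, size_t initial_space)
{
    growable_array *a = calloc(1, sizeof *a);
    if (!a) return NULL;
    a->element_size = element_size;
    a->space_allocated = initial_space;
    a->data = malloc(element_size * initial_space);
    if (!a->data) { free(a); return NULL; }
    return a;
}

static void array_free(growable_array *a)
{
    if (a) { free(a->data); free(a); }
}

/* Bounds-checked element access; the returned pointer must not be cached
 * across an append. */
static void *array_element_at(const growable_array *a, size_t index)
{
    if (index >= a->num_elements) return NULL;
    return (char *)a->data + index * a->element_size;
}

/* Appends a copy of *element. Sets *moved to 1 when the buffer was
 * reallocated to a new address, which is exactly the moment every previously
 * handed-out element pointer becomes dangling. Returns 0 on allocation failure. */
static int array_append(growable_array *a, const void *element, int *moved)
{
    *moved = 0;
    if (a->num_elements == a->space_allocated) {
        size_t new_space = a->space_allocated * 2;
        void *fresh = malloc(a->element_size * new_space);  /* old and new exist at once, so the address changes */
        if (!fresh) return 0;
        memcpy(fresh, a->data, a->element_size * a->num_elements);
        free(a->data);
        a->data = fresh;
        a->space_allocated = new_space;
        *moved = 1;
    }
    memcpy((char *)a->data + a->num_elements * a->element_size, element, a->element_size);
    a->num_elements++;
    return 1;
}

/* Safe pattern: hold the array and the element's index, and re-resolve the
 * pointer at every use, so growth can never leave a stale reference behind. */
typedef struct {
    growable_array *array;
    size_t index;
} element_handle;

static void *handle_resolve(element_handle h)
{
    return array_element_at(h.array, h.index);
}

/* Appends `count` ints into an array that starts with room for two and returns
 * how many times the buffer moved. Each move invalidates any pointer that was
 * taken before the loop (the unsafe pattern described in the bug report). */
static int count_buffer_moves(int count)
{
    growable_array *a = array_new(sizeof(int), 2);
    if (!a) return -1;
    int moves = 0, moved;
    for (int v = 0; v < count; v++) {
        if (!array_append(a, &v, &moved)) { array_free(a); return -1; }
        moves += moved;
    }
    array_free(a);
    return moves;
}

/* Stores 42 as element 0, keeps only a handle to it, appends `count` more
 * elements (forcing several moves), then reads back through the handle. */
static int read_through_handle_after_growth(int count)
{
    growable_array *a = array_new(sizeof(int), 2);
    if (!a) return -1;
    int v = 42, moved;
    if (!array_append(a, &v, &moved)) { array_free(a); return -1; }
    element_handle h = { a, 0 };
    for (v = 0; v < count; v++)
        if (!array_append(a, &v, &moved)) { array_free(a); return -1; }
    int *p = handle_resolve(h);
    int result = p ? *p : -1;
    array_free(a);
    return result;
}

int main(void)
{
    printf("buffer moves while appending 64 ints: %d\n", count_buffer_moves(64));
    printf("value read through handle after growth: %d\n", read_through_handle_after_growth(64));
    return 0;
}
```

Caching the raw pointer returned by array_element_at across the loop instead of the handle is the pattern the thread describes; under AddressSanitizer or Valgrind, dereferencing such a pointer after a move is reported as a heap use-after-free, which is the quickest way to confirm a suspected case in a real code base.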