Re: [Evolution-hackers] Memory corruption bug in timezone handling



Matthew,

Thanks for looking into this.

On Thu, Mar 29, 2012 at 06:16:14AM -0400, Matthew Barnes wrote:
> On Thu, 2012-03-29 at 10:33 +0100, Robie Basak wrote:
> > icaltimezone.c:icaltimezone_get_builtin_timezone calls icalarray_append,
> > which moves the entire array to grow it. But an ECalShellView is
> > maintaining a pointer inside that array (via a very long chain of
> > indirection) which becomes invalid as the array is moved. This causes
> > later corruption, invalid reads from freed memory, and eventually
> > segfaults from both the corruption (which appear quite random).
> 
> I thought this was solved already by:
> http://git.gnome.org/browse/evolution/tree/modules/calendar/e-cal-shell-backend.c#n863

I spotted this, and this workaround is in my source tree too. But it
doesn't seem to work. The array is still being moved as a result of
icaltimezone.c:icaltimezone_get_builtin_timezone by the following code,
which seems to be an edge case that the workaround does not cover:

    /* Check whether file exists, but is not mentioned in zone.tab.
       It means it's a deprecated timezone, but still available. */
    comp = icaltzutil_fetch_timezone (location);
    if (comp) {
        icaltimezone tz;
        icaltimezone_init (&tz);
        if (icaltimezone_set_component (&tz, comp)) {
            icalarray_append (builtin_timezones, &tz);
            return icalarray_element_at (builtin_timezones, builtin_timezones->num_elements - 1);
        } else {
            icalcomponent_free (comp);
        }
    }

Robie

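The failure mode described in this message, as an added C example that is not part of the thread or of libical: a toy array modelled on icalarray (the names `toy_array`, `toy_tz` and the two demo functions are this example's own) shows a cached element pointer left outside the live buffer once a growing append moves the array, and the index-based alternative that survives the move.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Toy growable array modelled on icalarray: appending past capacity allocates a new
 * buffer, copies the elements and frees the old one, so earlier element pointers dangle. */
typedef struct { char *data; size_t elem_size, num_elements, capacity; } toy_array;
typedef struct { char location[32]; int utc_offset; } toy_tz; /* stands in for icaltimezone */
static void *toy_array_element_at(const toy_array *a, size_t i) { return a->data + i * a->elem_size; }

static void toy_array_append(toy_array *a, const void *elem) {
    if (a->num_elements == a->capacity) {
        char *grown = malloc(a->elem_size * a->capacity * 2);
        memcpy(grown, a->data, a->elem_size * a->num_elements);
        free(a->data);                 /* old buffer gone: pointers into it are stale */
        a->data = grown; a->capacity *= 2;
    }
    memcpy(a->data + a->num_elements * a->elem_size, elem, a->elem_size);
    a->num_elements++;
}

/* Array of capacity 1 holding one constructed zone, so the next append must move it. */
static toy_array one_zone_array(void) {
    toy_array a = { malloc(sizeof(toy_tz)), sizeof(toy_tz), 0, 1 };
    toy_tz london = { "Europe/London", 0 };
    toy_array_append(&a, &london);
    return a;
}

/* The reported pattern: cache a pointer into the array, then let a later append grow it.
 * Returns 1 when the cached address no longer lies inside the live buffer (compared, never dereferenced). */
int cached_pointer_goes_stale(void) {
    toy_array a = one_zone_array();
    uintptr_t cached = (uintptr_t)toy_array_element_at(&a, 0); /* what the view keeps */
    toy_tz deprecated = { "Deprecated/Zone", 3600 };            /* zone not in zone.tab */
    toy_array_append(&a, &deprecated);                          /* array moves here */
    uintptr_t lo = (uintptr_t)a.data, hi = lo + a.capacity * a.elem_size;
    free(a.data);
    return !(cached >= lo && cached < hi);
}

/* Defensive pattern: keep the index and re-derive the pointer after each append. */
int cached_index_stays_valid(void) {
    toy_array a = one_zone_array();
    size_t idx = 0;                                             /* index, not pointer */
    toy_tz deprecated = { "Deprecated/Zone", 3600 }; toy_array_append(&a, &deprecated);
    toy_tz *cur = toy_array_element_at(&a, idx);                /* re-derived after the move */
    int ok = strcmp(cur->location, "Europe/London") == 0 && cur->utc_offset == 0;
    free(a.data);
    return ok;
}
```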
