[Freeassociation-devel] [PATCH] Fix for invalid read in icaltzutil_fetch_timezone

sean finney seanius at seanius.net
Wed Feb 16 05:44:00 PST 2011


Note that the calloc calls are still done when num_trans is 0, but this
is legal to do and the returned pointers should be safe to pass to
free() in such a case. The dereferencing/reading/writing, however,
is not, and that is what is fixed here.
--- ./src/libical/icaltz-util.c	2009-01-08 16:50:21.000000000 +0000
+++ ./src/libical/icaltz-util.c.new	2011-02-16 13:36:03.231178557 +0000
@@ -297,10 +297,10 @@ icaltzutil_fetch_timezone (const char *l
 
 	transitions = calloc (num_trans, sizeof (time_t));
 	r_trans = calloc (num_trans, 4);
-	EFREAD(r_trans, 4, num_trans, f);
 	temp = r_trans;	
 
 	if (num_trans) {
+		EFREAD(r_trans, 4, num_trans, f);
 		trans_idx = calloc (num_trans, sizeof (int));
 		for (i = 0; i < num_trans; i++) {
 			trans_idx [i] = fgetc (f);
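Review bot: the calloc results in this hunk (transitions, r_trans, and trans_idx inside the if) are still not checked for NULL before EFREAD writes num_trans * 4 bytes into r_trans and the loop stores into trans_idx[i], so an allocation failure would turn the out-of-bounds read this patch fixes into a NULL dereference. Suggest `if (!transitions || !r_trans) goto error;` (or the function's existing error path, if it has one) right after the two calloc lines, and the same check for trans_idx before the for loop. Moving EFREAD inside `if (num_trans)` is fine; note that `temp = r_trans;` is still assigned unconditionally, so any later code that walks temp also needs the num_trans guard, which this hunk does not show.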
@@ -389,7 +389,10 @@ icaltzutil_fetch_timezone (const char *l
 		icalprop = icalproperty_new_tzname (types [zidx].zname);
 		icalcomponent_add_property (std_comp, icalprop);
 
-		trans = transitions [stdidx] + types [zidx].gmtoff;
+		if (num_trans)
+			trans = transitions [stdidx] + types [zidx].gmtoff;
+		else
+			trans = 0;
 		icaltime = icaltime_from_timet (trans, 0);
 		dtstart = icaltime;
 		dtstart.year = 1970;
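Review bot: the guard in this hunk keys on num_trans, but the read it protects is transitions[stdidx]; if stdidx is a search result that can be left unset or negative even when num_trans > 0, the check should be on the validity of stdidx (e.g. `if (num_trans && stdidx >= 0 && stdidx < num_trans)`) rather than only on the transition count. The else branch also drops types[zidx].gmtoff, so DTSTART for a zone with no transitions becomes the UTC epoch rather than a local time; that is probably intended since dtstart.year is overwritten to 1970 just below, but a one-line comment saying why 0 is the right fallback would help the next reader.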
