[Freeassociation-devel] [PATCH] Fix for invalid read in icaltzutil_fetch_timezone

Sean Finney seanius at seanius.net
Tue Mar 8 13:59:25 PST 2011


Hi,

Are we looking at the same code?

"./trunk/libical/src/libical/icaltz-util.c" line 339

looks like it still applies to me...


	Sean


On Tue, 2011-03-08 at 16:28 -0500, Allen Winter wrote:
> Very strange.
> I don't see the code you are patching in the svn repo version of icaltz-util.c
> Well.. I see the EREAD() code, but the other code you are fixing
> doesn't exist in the svn repo and the code that does exist looks ok.
> 
> Additionally, I ran Milan's test program through valgrind and don't see the invalid read.
> 
> So I need to reject this patch -- the code that exists already in trunk looks fine to me.
> 
> 
> On Wednesday, February 16, 2011 08:44:00 am sean finney wrote:
> > Note that the calloc calls are still done when num_trans is 0, but this
> > is legal to do and the returned pointers should be safe to pass to
> > free() in such a case.  The dereferencing/reading/writing, however,
> > is not, and that is what is fixed here.
> > --- ./src/libical/icaltz-util.c	2009-01-08 16:50:21.000000000 +0000
> > +++ ./src/libical/icaltz-util.c.new	2011-02-16 13:36:03.231178557 +0000
> > @@ -297,10 +297,10 @@ icaltzutil_fetch_timezone (const char *l
> >  
> >  	transitions = calloc (num_trans, sizeof (time_t));
> >  	r_trans = calloc (num_trans, 4);
> > -	EFREAD(r_trans, 4, num_trans, f);
> >  	temp = r_trans;	
> >  
> >  	if (num_trans) {
> > +		EFREAD(r_trans, 4, num_trans, f);
> >  		trans_idx = calloc (num_trans, sizeof (int));
> >  		for (i = 0; i < num_trans; i++) {
> >  			trans_idx [i] = fgetc (f);
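Review bot: moving EFREAD(r_trans, 4, num_trans, f) under `if (num_trans)` lines the read up with the calloc sizes, but the hunk still leaves two unchecked results in this region: neither calloc return (transitions, r_trans, trans_idx) is tested for NULL before `temp = r_trans;` and the `trans_idx [i] = fgetc (f);` loop, and fgetc itself returns EOF (-1) on a short or truncated zone file, which the loop stores straight into trans_idx[i] where it is later used as an index. Suggest bailing out on a NULL calloc and on an EOF from fgetc before the value can be used as an index.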
> > @@ -389,7 +389,10 @@ icaltzutil_fetch_timezone (const char *l
> >  		icalprop = icalproperty_new_tzname (types [zidx].zname);
> >  		icalcomponent_add_property (std_comp, icalprop);
> >  
> > -		trans = transitions [stdidx] + types [zidx].gmtoff;
> > +		if (num_trans)
> > +			trans = transitions [stdidx] + types [zidx].gmtoff;
> > +		else
> > +			trans = 0;
> >  		icaltime = icaltime_from_timet (trans, 0);
> >  		dtstart = icaltime;
> >  		dtstart.year = 1970;
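Review bot: guarding `trans = transitions [stdidx] + types [zidx].gmtoff;` with `if (num_trans)` only covers the empty-array case; the hunk does not show stdidx being bounded by num_trans, nor zidx being bounded by the number of types, so the read is still only as safe as those two indices, and since trans_idx values come straight from fgetc in the earlier hunk, an out-of-range or EOF-derived index would reach `types [zidx]` here. Suggest validating stdidx < num_trans and zidx against the types count (or rejecting the file) instead of relying on num_trans alone; falling back to `trans = 0` (the epoch) is fine given dtstart.year is overwritten to 1970 right after.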
> > 
> > 
> 
