Use-after-free in 2.0.0 under icalrecur_iterator_new()

Milan Crha mcrha at redhat.com
Wed Feb 10 09:48:07 PST 2016


	Hi,
I'm using libical 2.0.0 for testing and such and I realized that it's
easy to let the application (evolution-data-server calendar backend)
crash when there is an event with RSCALE parameter of an RRULE set.
What valgrind shows as the first hit of the issue is at the end of this
message.

I made it break by modifying the calendar content, which results in a
save, and in a couple of other icalcomponent parse-and-save-to-string
operations, which, based on the valgrind log, caused changes in the
memory pool and later the RSCALE property breakage.

 Invalid read of size 1
    at 0x11886906: initialize_iterator (icalrecur.c:1366)

1365        /* Lowercase the specified calendar */
1366        for (r = rule.rscale; *r; r++) {
1367            *r = tolower((int)*r);
1368        }

What about having some static array with all the values returned by
ucal_getKeywordValuesForLocale() and using indexes into that array for
the rule.rscale value? This global array should be allocated outside of
the ical memory pool, for obvious reasons.

I'm also surprised that the value got overwritten/freed that early,
because my calendar is not that large (the file is 235936 bytes long).
Eventually, could it be freed when the initial associated component got
freed, while the code works with a clone of the component afterwards?
(The evolution-data-server backend receives the component as a string,
then it creates a component out of it, then it works with it.)

I also tried with libical 1.0.1, where the crash doesn't happen.
Obviously that is due to there being no rscale in the icalrecurtype
structure, but I understand it also as a proof that I do not have that
many components, thus the libical memory pool might not be an issue
(unless any changes had been made in 2.0.0 with respect to its initial
size or anything like that).

I'll be happy to test any patches, if you'd have any for this issue.
	Thanks and bye,
	Milan

 Thread 7:
 Invalid read of size 1
    at 0x11886906: initialize_iterator (icalrecur.c:1366)
    by 0x118871DC: icalrecur_iterator_new (icalrecur.c:1806)
    by 0x1161FA0B: e_cal_recur_generate_instances_sync (e-cal-recur.c:435)
    by 0x11620EA4: e_cal_recur_generate_instances (e-cal-recur.c:1331)
    by 0x52EA83D: func_occur_in_time_range (e-cal-backend-sexp.c:207)
    by 0x6D66102: e_sexp_term_eval (e-sexp.c:781)
    by 0x6D64D07: term_eval_and (e-sexp.c:285)
    by 0x6D66023: e_sexp_term_eval (e-sexp.c:769)
    by 0x6D67A4E: e_sexp_eval (e-sexp.c:1693)
    by 0x52EC5DF: e_cal_backend_sexp_match_comp (e-cal-backend-sexp.c:1266)
    by 0x3798E6DD: match_object_sexp_to_component (e-cal-backend-file.c:1623)
    by 0x681A3FC: g_list_foreach (glist.c:1005)
    by 0x3798F214: e_cal_backend_file_start_view (e-cal-backend-file.c:1930)
    by 0x52E5958: e_cal_backend_start_view (e-cal-backend.c:4249)
    by 0x52F9AF4: calview_start_thread (e-data-cal-view.c:185)
    by 0x6844BB4: g_thread_proxy (gthread.c:778)
    by 0x6B14609: start_thread (in /usr/lib64/libpthread-2.22.so)
    by 0x5610A4C: clone (in /usr/lib64/libc-2.22.so)
  Address 0x3cfc0980 is 0 bytes inside a block of size 1,024 free'd
    at 0x4C29D6A: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
    by 0x1187F003: icalmemory_free_buffer (icalmemory.c:276)
    by 0x118835A4: icalproperty_as_ical_string_r (icalproperty.c:458)
    by 0x11879EDD: icalcomponent_as_ical_string_r (icalcomponent.c:285)
    by 0x11879F4E: icalcomponent_as_ical_string_r (icalcomponent.c:294)
    by 0x11879F4E: icalcomponent_as_ical_string_r (icalcomponent.c:294)
    by 0x3798B66D: save_file_when_idle (e-cal-backend-file.c:207)
    by 0x681DF39: g_main_dispatch (gmain.c:3154)
    by 0x681DF39: g_main_context_dispatch (gmain.c:3769)
    by 0x681E2CF: g_main_context_iterate.isra.29 (gmain.c:3840)
    by 0x681E5F1: g_main_loop_run (gmain.c:4034)
    by 0x4019A0: main (evolution-calendar-factory-subprocess.c:213)
  Block was alloc'd at
    at 0x4C28C50: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
    by 0x1187EF6F: icalmemory_new_buffer (icalmemory.c:250)
    by 0x118832B0: icalproperty_as_ical_string_r (icalproperty.c:379)
    by 0x11879EDD: icalcomponent_as_ical_string_r (icalcomponent.c:285)
    by 0x11879F4E: icalcomponent_as_ical_string_r (icalcomponent.c:294)
    by 0x11879F4E: icalcomponent_as_ical_string_r (icalcomponent.c:294)
    by 0x3798B66D: save_file_when_idle (e-cal-backend-file.c:207)
    by 0x681DF39: g_main_dispatch (gmain.c:3154)
    by 0x681DF39: g_main_context_dispatch (gmain.c:3769)
    by 0x681E2CF: g_main_context_iterate.isra.29 (gmain.c:3840)
    by 0x681E5F1: g_main_loop_run (gmain.c:4034)
    by 0x4019A0: main (evolution-calendar-factory-subprocess.c:213)
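As an added illustration that is not code from this report or from libical, the following constructed C model shows the lifetime bug the valgrind log points at: a recurrence rule whose rscale merely aliases a buffer from a recyclable temporary-buffer pool, next to one that owns a private copy. The pool, its generation counter, the `rule` struct and every function name here are assumptions for the demonstration, not libical's API or its icalmemory implementation.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a temporary-buffer pool (NOT libical's icalmemory code):
 * a buffer handed out as generation g is freed when generation g + POOL_SLOTS is. */
#define POOL_SLOTS 4
static char *pool[POOL_SLOTS];
static unsigned long pool_gen;              /* buffers handed out so far */

static char *dup_string(const char *s) {
    size_t n = strlen(s) + 1;
    return memcpy(malloc(n), s, n);
}

static char *pool_strdup(const char *s) {
    char *buf = dup_string(s);
    free(pool[pool_gen % POOL_SLOTS]);      /* previous occupant of the slot dies */
    pool[pool_gen % POOL_SLOTS] = buf;
    pool_gen++;
    return buf;
}
static int pool_buffer_live(unsigned long g) { return pool_gen < g + POOL_SLOTS; }

struct rule { char *rscale; unsigned long gen; };   /* rscale: e.g. "GREGORIAN" */
/* Vulnerable shape: the rule merely aliases a pool buffer. */
static void rule_set_rscale_aliased(struct rule *r, const char *value) {
    r->gen = pool_gen;
    r->rscale = pool_strdup(value);
}

/* Hardened shape: the rule owns a private copy that only rule_free() releases. */
static void rule_set_rscale_owned(struct rule *r, const char *value) {
    r->rscale = dup_string(value);
}
static void rule_free(struct rule *r) { free(r->rscale); r->rscale = NULL; }

/* The in-place lowercasing loop at icalrecur.c:1366; on an aliased rule whose
 * pool buffer has been recycled this is the invalid read valgrind reports. */
static const char *lowercase_rscale(struct rule *r) {
    for (char *p = r->rscale; *p; p++)
        *p = (char)tolower((unsigned char)*p);
    return r->rscale;
}

/* The other serialisations in the log that recycle every pool slot mid-iteration. */
static void churn_pool(void) {
    for (int i = 0; i < POOL_SLOTS; i++)
        pool_strdup("DTSTART:20160210T094807Z");
}
```

The generation check is only a bookkeeping aid for the model; in the real library there is no such marker, which is why the aliased pointer silently turns into the invalid read above.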
