[Freeassociation-devel] Memory corruption in timezone handling

Robie Basak robie.basak at canonical.com
Sun Apr 1 02:13:00 PDT 2012


Hi freeassociation-devel,

I think I've tracked down a segfault in evolution to a bug in libical.

In icaltimezone.c:icaltimezone_get_builtin_timezone,
icalarray_append(builtin_timezones, ...) is called. This can cause
icalarray_expand() to be called, moving the entire builtin_timezones
array and thus invalidating any previous pointers into the array.

It seems that evolution is expecting icaltimezone pointers to be stable
over time. But the icaltimezone structure contains builtin_timezone
which is a pointer into the builtin_timezones array. When
icaltimezone_get_builtin_timezone is later called, it expands the array,
invalidating the builtin_timezone field of any icaltimezone pointer
previously issued by icaltimezone_new. This causes later memory
corruption through access to freed memory and an eventual segfault.

Additional notes here, including backtraces of the crash and a valgrind
log catching the access to freed memory red-handed:
    https://bugs.launchpad.net/ubuntu/+source/evolution/+bug/956843
    http://mail.gnome.org/archives/evolution-hackers/2012-March/msg00028.html

Is this a bug in libical? Or should evolution be doing something
different?

Thanks,

Robie
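The pointer-invalidation pattern the mail describes, as an added example that is not part of the original message or of libical: a minimal model with hypothetical names, in which an array that moves when it expands leaves a cached element pointer dangling, beside an index-based handle that survives the move.

```c
/* Added example, not libical's or evolution's code. growable_array stands in
 * for an icalarray-style buffer that is moved on expansion; unsafe_handle
 * stands in for an icaltimezone that caches a raw pointer into that buffer.
 * All names are hypothetical. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct { char name[32]; int utc_offset_hours; } tz_record;
typedef struct { tz_record *data; size_t count, capacity; } growable_array;

/* Expand by allocating a fresh buffer and copying, so the data always moves
 * (a modelling assumption: it guarantees every old element pointer dangles). */
static tz_record *array_append(growable_array *a, const tz_record *rec) {
    if (a->count == a->capacity) {
        size_t new_cap = a->capacity ? a->capacity * 2 : 1;
        tz_record *fresh = malloc(new_cap * sizeof *fresh);
        if (!fresh) abort();
        if (a->count) memcpy(fresh, a->data, a->count * sizeof *fresh);
        free(a->data);              /* anything still pointing here is now stale */
        a->data = fresh;
        a->capacity = new_cap;
    }
    a->data[a->count] = *rec;
    return &a->data[a->count++];
}

/* The reported pattern: the handle caches an element address. */
typedef struct { tz_record *builtin; } unsafe_handle;

/* A stable alternative: cache the index and re-derive the address on each use. */
typedef struct { const growable_array *arr; size_t index; } stable_handle;
static const tz_record *stable_get(const stable_handle *h) {
    return &h->arr->data[h->index];
}

/* Returns 1 when one extra append moved element 0 (so the cached raw pointer
 * is stale) while the index-based handle still resolves to the right record. */
int demo_raw_pointer_goes_stale(void) {
    growable_array a = {0};
    tz_record london = {"Europe/London", 0}, ny = {"America/New_York", -5};
    unsafe_handle u = { array_append(&a, &london) };  /* capacity is 1 now */
    stable_handle s = { &a, 0 };
    uintptr_t cached = (uintptr_t)u.builtin;          /* taken while still valid */
    array_append(&a, &ny);                            /* count == capacity: moves */
    int stale = (uintptr_t)&a.data[0] != cached;      /* u.builtin must not be used */
    int still_ok = strcmp(stable_get(&s)->name, "Europe/London") == 0;
    free(a.data);
    return stale && still_ok;
}
```

Building this with -fsanitize=address and dereferencing u.builtin after the second append yields the same kind of heap-use-after-free report that the valgrind log in the linked bug shows.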
