#88 Heap corruption in timezone handling

Status: closed-fixed
Owner: nobody
Labels: None
Priority: 5
Updated: 2014-08-19
Created: 2012-04-04
Creator: Anonymous
Private: No

In icaltimezone.c:icaltimezone_get_builtin_timezone,
icalarray_append(builtin_timezones, ...) is called. This can cause
icalarray_expand() to be called, moving the entire builtin_timezones
array and thus invalidating any previous pointers into the array.

Additional notes here, including backtraces of the crash and a valgrind
log catching the access to freed memory red-handed:
https://bugs.launchpad.net/ubuntu/+source/evolution/+bug/956843
http://mail.gnome.org/archives/evolution-hackers/2012-March/msg00028.html
http://sourceforge.net/mailarchive/message.php?msg_id=29069293

"Your valgrind log exactly points out that it's fundamentally broken and needs to be fixed." - from Wilfried Goesgens in https://sourceforge.net/mailarchive/message.php?msg_id=29079904

Discussion

  • Keith Packard
    2012-04-27

    I've fixed this in two different ways:

    1) Change the timezone array to be an array of pointers to timezone objects rather than an array of timezone objects

    2) Change the array code to allocate objects in chunks and not move them ever to keep pointers valid after append.

    Both of these are in git://keithp.com/git/libical -- 'master' has fix style 1), 'redoarray' has fix style 2). I prefer fix 2).

  • Allen Winter
    2012-10-07

    Fixed by Keith Packard's patch for heap corruption in r1134

  • Allen Winter
    2012-10-07

    • status: open --> closed-fixed
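The failure mode this ticket describes (a by-value array whose expand step copies the elements to fresh storage and frees the old block, so any pointer handed out earlier now dangles) next to the two fix styles Keith Packard lists, as an added example in C. This is constructed illustration code, not libical's icalarray or Keith Packard's patches; the tz_t record, the array types, the probe functions and the CHUNK size of 4 are assumptions made for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed timezone record (assumption: the real icaltimezone struct is
 * larger, but the failure mode does not depend on its contents). */
typedef struct { char tzid[32]; int utc_offset; } tz_t;

/* --- Buggy shape: elements stored by value, storage moves on expand ------- */
typedef struct { tz_t *data; size_t count, cap; } value_array_t;

static void value_array_expand(value_array_t *a) {
    size_t newcap = a->cap ? a->cap * 2 : 1;
    tz_t *fresh = malloc(newcap * sizeof *fresh);
    if (!fresh) abort();
    if (a->count) memcpy(fresh, a->data, a->count * sizeof *fresh);
    free(a->data);   /* every pointer previously handed out into a->data now dangles */
    a->data = fresh;
    a->cap = newcap;
}

static tz_t *value_array_append(value_array_t *a, const tz_t *tz) {
    if (a->count == a->cap) value_array_expand(a);
    a->data[a->count] = *tz;
    return &a->data[a->count++];   /* valid only until the next expanding append */
}

/* --- Fix style 1: array of pointers; the table moves, the objects do not --- */
typedef struct { tz_t **items; size_t count, cap; } ptr_array_t;

static tz_t *ptr_array_append(ptr_array_t *a, const tz_t *tz) {
    if (a->count == a->cap) {
        size_t newcap = a->cap ? a->cap * 2 : 1;
        tz_t **grown = realloc(a->items, newcap * sizeof *grown);
        if (!grown) abort();
        a->items = grown;          /* only the pointer table moved */
        a->cap = newcap;
    }
    tz_t *copy = malloc(sizeof *copy);
    if (!copy) abort();
    *copy = *tz;
    a->items[a->count++] = copy;
    return copy;                   /* stays valid for the life of the array */
}

/* --- Fix style 2: fixed-size chunks that are never moved or freed on append --- */
#define CHUNK 4   /* assumption: kept small so the demo crosses chunk boundaries */
typedef struct { tz_t **chunks; size_t nchunks, count; } chunked_array_t;

static tz_t *chunked_array_append(chunked_array_t *a, const tz_t *tz) {
    if (a->count == a->nchunks * CHUNK) {
        tz_t **grown = realloc(a->chunks, (a->nchunks + 1) * sizeof *grown);
        if (!grown) abort();
        a->chunks = grown;         /* only the chunk table moves, never an element */
        a->chunks[a->nchunks] = malloc(CHUNK * sizeof(tz_t));
        if (!a->chunks[a->nchunks]) abort();
        a->nchunks++;
    }
    tz_t *slot = &a->chunks[a->count / CHUNK][a->count % CHUNK];
    *slot = *tz;
    a->count++;
    return slot;
}

/* Probes: append n records, keep the address of the first, report (1/0) whether it
 * still holds the first record. The buggy probe keeps the address as an integer so
 * the probe itself never reads freed memory. */
static int value_array_first_stays_put(int n) {
    value_array_t a = {0};
    tz_t tz = { "Constructed/Zone", 0 };
    uintptr_t first = (uintptr_t)value_array_append(&a, &tz);
    for (int i = 1; i < n; i++) { tz.utc_offset = i; value_array_append(&a, &tz); }
    int stable = first == (uintptr_t)&a.data[0];
    free(a.data);
    return stable;
}

static int ptr_array_first_stays_put(int n) {
    ptr_array_t a = {0};
    tz_t tz = { "Constructed/Zone", 0 };
    tz_t *first = ptr_array_append(&a, &tz);
    for (int i = 1; i < n; i++) { tz.utc_offset = i; ptr_array_append(&a, &tz); }
    int stable = first == a.items[0] && first->utc_offset == 0;
    for (size_t i = 0; i < a.count; i++) free(a.items[i]);
    free(a.items);
    return stable;
}

static int chunked_array_first_stays_put(int n) {
    chunked_array_t a = {0};
    tz_t tz = { "Constructed/Zone", 0 };
    tz_t *first = chunked_array_append(&a, &tz);
    for (int i = 1; i < n; i++) { tz.utc_offset = i; chunked_array_append(&a, &tz); }
    int stable = first == &a.chunks[0][0] && first->utc_offset == 0;
    for (size_t i = 0; i < a.nchunks; i++) free(a.chunks[i]);
    free(a.chunks);
    return stable;
}

int main(void) {   /* stand-alone run: prints "0 1 1" (bug reproduced, fix 1 ok, fix 2 ok) */
    printf("%d %d %d\n", value_array_first_stays_put(8), ptr_array_first_stays_put(8), chunked_array_first_stays_put(9));
    return 0;
}
```

The by-value probe reports the move without dereferencing the stale pointer; a real caller that kept `&builtin_timezones[i]` across an append would read freed memory at that point, which is exactly what valgrind reports in the log the ticket links. Both fixes make the address returned by append stable for the life of the array; fix 2 avoids the extra per-element allocation of fix 1, which matches the preference stated in the discussion.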