Comment 3 for bug 956843

Robie Basak (racb) wrote : Re: Race condition in timezone handling causes crash

The root of the problem seems to be that builtin_timezone entries are kept as pointers into an "icalarray". But the icalarray is "expanded" by being moved to a new location and the old location freed, making the previous builtin_timezone pointers invalid.

==4519== Invalid read of size 8
==4519== at 0xE6FEB46: icaltimezone_get_utc_offset_of_utc_time (icaltimezone.c:981)
==4519== by 0xE6FE652: icaltimezone_convert_time (icaltimezone.c:794)
==4519== by 0xE6F9EE0: icaltime_from_timet_with_zone (icaltime.c:224)
==4519== by 0x18810169: tag_calendar_cb (tag-calendar.c:120)
==4519== by 0x932B1E7: process_instances (e-cal-client.c:1961)
==4519== by 0x932B314: generate_instances_for_object_got_objects_cb (e-cal-client.c:1992)
==4519== by 0x932A799: got_objects_for_uid_cb (e-cal-client.c:1711)
==4519== by 0x626CC16: g_simple_async_result_complete (in /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0.3000.0)
==4519== by 0x5536C5B: finish_async_op (e-client.c:2281)
==4519== by 0x5536F55: async_result_ready_cb (e-client.c:2318)
==4519== by 0x626CC16: g_simple_async_result_complete (in /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0.3000.0)
==4519== by 0x626CD28: ??? (in /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0.3000.0)
==4519== Address 0x1c11c8d8 is 29,928 bytes inside a block of size 29,952 free'd
==4519== at 0x4C282E0: free (vg_replace_malloc.c:366)
==4519== by 0xE6E8E5E: icalarray_expand (icalarray.c:159)
==4519== by 0xE6E8BE8: icalarray_append (icalarray.c:89)
==4519== by 0xE6FF54A: icaltimezone_get_builtin_timezone (icaltimezone.c:1414)
==4519== by 0xE6FF8A6: icaltimezone_get_builtin_timezone_from_tzid (icaltimezone.c:1525)
==4519== by 0xE6EC18F: icalcomponent_get_datetime (icalcomponent.c:1566)
==4519== by 0xE6EC28A: icalcomponent_get_dtstart (icalcomponent.c:1594)
==4519== by 0x187FB7EA: ensure_dates_are_in_default_zone (gnome-cal.c:744)
==4519== by 0x187FBA21: dn_client_view_objects_added_cb (gnome-cal.c:773)
==4519== by 0x65560A3: g_closure_invoke (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.3000.0)
==4519== by 0x6568029: ??? (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.3000.0)
==4519== by 0x65716B0: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.3000.0)
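The pattern the trace shows, reduced to a stand-alone C example: a growable array that moves its storage on expansion, a caller that caches a pointer to one of its elements, and the same caller fixed to keep an index and re-derive the pointer from the array each time. This is an added illustration, not libical's code or the fix applied in the bug; the `toy_array`/`toy_timezone` names, the growth-by-copy-and-free strategy and the sample timezone records are all assumed for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-in (assumed, not libical's icalarray) for a growable array that
 * grows by allocating a fresh block, copying the elements and freeing the
 * old block. Every pointer into the old block dangles after that. */
typedef struct {
    size_t element_size, num_elements, space_allocated, increment_size;
    void *data;
} toy_array;

/* Toy stand-in for a builtin timezone record. */
typedef struct {
    char tzid[32];
    int utc_offset_seconds;
} toy_timezone;

static toy_array *toy_array_new(size_t element_size, size_t increment_size)
{
    toy_array *a = calloc(1, sizeof(*a));
    a->element_size = element_size;
    a->increment_size = increment_size;
    return a;
}

static void *toy_array_element_at(const toy_array *a, size_t index)
{
    return (char *)a->data + index * a->element_size;
}

/* The hazard: the old block is freed here, so any pointer a caller kept
 * into it now points at freed memory (the "block ... free'd" in the trace). */
static void toy_array_expand(toy_array *a)
{
    size_t new_space = a->space_allocated + a->increment_size;
    void *new_data = malloc(new_space * a->element_size);
    if (a->data) {
        memcpy(new_data, a->data, a->num_elements * a->element_size);
        free(a->data);
    }
    a->data = new_data;
    a->space_allocated = new_space;
}

/* Appends a copy of *element and returns the index it was stored at. */
static size_t toy_array_append(toy_array *a, const void *element)
{
    if (a->num_elements >= a->space_allocated)
        toy_array_expand(a);
    memcpy(toy_array_element_at(a, a->num_elements), element, a->element_size);
    return a->num_elements++;
}

static void toy_array_free(toy_array *a) { free(a->data); free(a); }

/* Sample records, constructed for the example. Capacity starts at 2, so the
 * third append forces exactly one expansion and one free of the old block. */
static const toy_timezone BER = { "Europe/Berlin", 7200 };
static const toy_timezone UTC = { "UTC", 0 };
static const toy_timezone LON = { "Europe/London", 3600 };

/* Buggy pattern: cache the element's address (as builtin_timezone does per
 * the comment), then keep appending. Returns true when the cached address no
 * longer matches the element's live address, i.e. it is inside the freed
 * block. The address is kept as an integer and compared rather than
 * dereferenced: the dereference is the invalid read valgrind reports. */
bool cached_pointer_goes_stale(void)
{
    toy_array *zones = toy_array_new(sizeof(toy_timezone), 2);
    size_t ber_index = toy_array_append(zones, &BER);
    uintptr_t cached = (uintptr_t)toy_array_element_at(zones, ber_index);

    toy_array_append(zones, &UTC);
    toy_array_append(zones, &LON);   /* capacity 2 exceeded: expand() frees the old block */

    bool stale = cached != (uintptr_t)toy_array_element_at(zones, ber_index);
    toy_array_free(zones);
    return stale;
}

/* Fixed pattern: keep the index, re-derive the pointer from the array at the
 * point of use. Returns the offset read back for the first entry after the
 * same expansion, or -1 if the record no longer matches. */
int index_survives_expand(void)
{
    toy_array *zones = toy_array_new(sizeof(toy_timezone), 2);
    size_t ber_index = toy_array_append(zones, &BER);
    toy_array_append(zones, &UTC);
    toy_array_append(zones, &LON);

    toy_timezone *live = toy_array_element_at(zones, ber_index);
    int result = strcmp(live->tzid, "Europe/Berlin") == 0 ? live->utc_offset_seconds : -1;
    toy_array_free(zones);
    return result;
}
```

The example compares addresses instead of reading through the stale pointer, because the read itself is the undefined behaviour; to see the actual "Invalid read ... inside a block ... free'd" report, change the buggy function to read `((toy_timezone *)cached)->utc_offset_seconds` and run the binary under valgrind or with `-fsanitize=address`. Storing indices is one general remedy for a container that relocates on growth; another is a storage layout that never moves existing elements (for example, allocating additional chunks instead of copying), which is a design choice rather than something this trace establishes about libical.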