Bug 664412
Field | Value
---|---
Summary | [abrt] evolution-2.32.1-1.fc14: icaltzutil_fetch_timezone: Process /usr/bin/evolution was killed by signal 11 (SIGSEGV)
Product | Fedora
Component | libical
Status | CLOSED ERRATA
Severity | medium
Priority | low
Version | 14
Hardware | x86_64
OS | Unspecified
Reporter | Yann Droneaud <yann>
Assignee | Robert Scheck <redhat-bugzilla>
QA Contact | Fedora Extras Quality Assurance <extras-qa>
CC | lucilanga, mbarnes, mcrha, rdieter, redhat-bugzilla
Whiteboard | abrt_hash:cdca75ef4578108eefd89b78139067a3d785725a
Fixed In Version | libical-0.48-1.fc15
Doc Type | Bug Fix
Last Closed | 2012-01-01 19:29:07 UTC
Description
Yann Droneaud
2010-12-20 11:06:08 UTC
Created attachment 469724
File: backtrace

*** Bug 662070 has been marked as a duplicate of this bug. ***

Package: evolution-2.32.1-1.fc14
Architecture: x86_64
OS Release: Fedora release 14 (Laughlin)

How to reproduce
-----
1. Run evolution with G_DEBUG=resident-modules,gc-friendly G_SLICE=always-malloc,debug-blocks under ElectricFence with EF_PROTECT_BELOW=1 EF_ALLOW_MALLOC_0=1 EF_ALIGNMENT=16

Created attachment 469779
valgrind log for evolution
Here's some valgrind log about the same problem.
And here the interesting lines of code in icaltz-util.c:
Note: num_trans is equal to 0
339 transitions = calloc (num_trans, sizeof (time_t));
340 r_trans = calloc (num_trans, 4);
341 EFREAD(r_trans, 4, num_trans, f);
411 stdidx = 0;
426 if (stdidx != -1) {
430 zidx = 0;
439 zp_idx = zidx;
441 trans = transitions [stdidx] + types [zp_idx].gmtoff;
A time_t is read at transitions[0], which is not allocated.
Note: there's also no check that zp_idx is not actually overflowing types[].
This piece of code must be improved to take extra care when parsing a timezone file.
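A hardened counterpart of the lines quoted above, added here as an example (it is not libical's code and not the fix that shipped): the transition count is checked against the bytes actually present, a zero count produces no array to index, and both `stdidx` and `zp_idx` are bounds-checked before the `transitions[stdidx] + types[zp_idx].gmtoff` computation. The names `read_transitions`, `transition_time`, `struct ttinfo` and the `TZ_ERR_*` codes are hypothetical; the input buffer is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <time.h>

/* Hypothetical stand-in for one entry of the types[] array in icaltz-util.c. */
struct ttinfo { long gmtoff; };
enum { TZ_OK = 0, TZ_ERR_TRUNCATED = -1, TZ_ERR_NOMEM = -2,
       TZ_ERR_NO_TRANSITIONS = -3, TZ_ERR_BAD_TYPE_INDEX = -4 };

/* TZif stores transition times as 32-bit big-endian integers. */
static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Counterpart of lines 339-341: read num_trans 4-byte transition times from
 * buf. The count is validated against len, and a count of zero leaves
 * *out == NULL so that no caller can index an empty array. */
int read_transitions(const unsigned char *buf, size_t len, size_t num_trans,
                     time_t **out)
{
    size_t i;
    *out = NULL;
    if (num_trans > len / 4)
        return TZ_ERR_TRUNCATED;   /* header claims more entries than present */
    if (num_trans == 0)
        return TZ_OK;              /* zone without transitions: nothing to read */
    *out = calloc(num_trans, sizeof(time_t));
    if (*out == NULL)
        return TZ_ERR_NOMEM;
    for (i = 0; i < num_trans; i++)
        (*out)[i] = (time_t)(int32_t)be32(buf + 4 * i);
    return TZ_OK;
}

/* Hardened form of line 441: both indexes are bounds-checked before use. */
int transition_time(const time_t *transitions, size_t num_trans,
                    const struct ttinfo *types, size_t num_types,
                    size_t stdidx, size_t zp_idx, time_t *trans)
{
    if (transitions == NULL || stdidx >= num_trans)
        return TZ_ERR_NO_TRANSITIONS;  /* the original read transitions[0] here */
    if (zp_idx >= num_types)
        return TZ_ERR_BAD_TYPE_INDEX;  /* the unchecked types[zp_idx] access */
    *trans = transitions[stdidx] + types[zp_idx].gmtoff;
    return TZ_OK;
}
```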
Thanks for the bug report. I'm moving this to libical. If you would like a test application which will call only this, then I can write it for you.

Well, what does "rpm -q libical" say? There is a newer libical version in updates-testing.

(In reply to comment #6)
> Well, what does "rpm -q libical" say? There is a newer libical version in
> updates-testing.

$ rpm -q libical
libical-0.46-2.fc14.x86_64

I've installed it following comment 5 on bug 637150.

To be honest, I'm not a programmer. All I can do for you is just forward the information you're providing me into an upstream bug report. Maybe Milan or the Red Hat libical maintainer is more experienced with that?

Can this issue completely be solved with the patch from bug #694118? Milan?

The 0.47 of libical has a fix included already, if I read this [1] thread correctly.

[1] http://sourceforge.net/mailarchive/forum.php?thread_name=201103081755.02449.winter%40kde.org&forum_name=freeassociation-devel

Milan, could you verify it in the 0.47 code? Then I'll update the branches accordingly. Thanks :)

I tried with 0.47 libical, running evolution under valgrind, and I do not see any warnings from this function. If Yann could test under ElectricFence, then even better.

Here's a scratch build for the libical 0.47 package for Fedora 16:
http://koji.fedoraproject.org/koji/taskinfo?taskID=3455112

libical-0.48-1.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/libical-0.48-1.fc15

libical-0.48-1.el5 has been submitted as an update for Fedora EPEL 5.
https://admin.fedoraproject.org/updates/libical-0.48-1.el5

libical-0.48-1.el4 has been submitted as an update for Fedora EPEL 4.
https://admin.fedoraproject.org/updates/libical-0.48-1.el4

libical-0.48-1.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/libical-0.48-1.fc16

Package libical-0.48-1.el4:
* should fix your issue,
* was pushed to the Fedora EPEL 4 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing libical-0.48-1.el4'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2011-5265/libical-0.48-1.el4
then log in and leave karma (feedback).

libical-0.48-1.el4 has been pushed to the Fedora EPEL 4 stable repository. If problems still persist, please make note of it in this bug report.

libical-0.48-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.

libical-0.48-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.

libical-0.48-1.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.