GNOME Bugzilla – Bug 408423
Crash when replying to an appointment
Last modified: 2013-09-13 00:49:59 UTC
When an appointment has a long title (or any other string that goes into the email) there is a buffer overflow when constructing the email when replying. This is because fixed-sized buffers are allocated for things like the subject of the email. Attached is a patch that changes these to variable-sized based on the data actually being written. Patch is against 2.9.91, but applies unchanged to 2.8.3 (which also has the problem). Backtrace from the crash is:
(gdb) bt
$1 = 0xf78700 "<tr><td><b>Subject</b></td><td>:</td><td>Updated: Multi-controller coordinated channel FS review</td></tr>"
Note the string is 107 characters long, but the buffer is only 100.
Created attachment 82642: Proposed fix
Proposed fix: use the length of the actual strings being written to calculate the size of the buffer to create. Each buffer is the size of the fixed string + 1 + strlen of the string to write.
Harish/Chen: Ping.
Created attachment 85636: Alternate patch
The above patch is correct but I think it's easier and less error-prone to just use a GString to build the HTML content. Also, this function is leaking memory like crazy. For starters, g_strconcat() returns a newly-allocated string. So each "body = g_strconcat (body, ...)" is leaking the former contents of 'body'. Here's an alternate patch that uses GString and cleans up several memory leaks.
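As an added example (not either patch attached to this bug), the sizing rule from the first patch and the single-allocation build from the second, written in plain C without GLib so it compiles stand-alone; the row markup, the 100-byte capacity and the sample subject are taken from the gdb output quoted above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fixed HTML around the variable part of the Subject row quoted in the report. */
#define ROW_PREFIX "<tr><td><b>Subject</b></td><td>:</td><td>"
#define ROW_SUFFIX "</td></tr>"
/* Capacity the pre-fix code assumed was enough for any subject (the 100 in the report). */
#define FIXED_BUF_SIZE 100

/* Bytes the row needs including the NUL: fixed text + 1 + strlen of the
 * variable part, which is the sizing rule of the proposed fix. */
size_t subject_row_size(const char *subject)
{
    return strlen(ROW_PREFIX) + strlen(ROW_SUFFIX) + strlen(subject) + 1;
}

/* 1 if formatting this subject into the fixed buffer would run past its end;
 * the check the original code lacked. It only measures, it never writes. */
int would_overflow_fixed(const char *subject)
{
    return subject_row_size(subject) > FIXED_BUF_SIZE;
}

/* Build the row in a heap buffer sized from the input. The caller frees the
 * single result, unlike the 'body = g_strconcat (body, ...)' pattern from the
 * alternate patch's note, which drops the previous allocation on every call. */
char *build_subject_row(const char *subject)
{
    size_t need = subject_row_size(subject);
    char *row = malloc(need);
    if (row != NULL)
        snprintf(row, need, "%s%s%s", ROW_PREFIX, subject, ROW_SUFFIX);
    return row;
}

int main(void)
{
    /* The subject from the report's gdb output: 106 characters of row plus the NUL. */
    const char *subject = "Updated: Multi-controller coordinated channel FS review";
    char *row = build_subject_row(subject);
    if (row == NULL)
        return 1;
    printf("%s\nneeds %zu bytes; a %d-byte buffer %s\n", row, subject_row_size(subject),
           FIXED_BUF_SIZE, would_overflow_fixed(subject) ? "overflows" : "suffices");
    free(row);
    return 0;
}
```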
Great! Please commit.
Committed to Subversion trunk (revision 33397).