GNOME Bugzilla – Bug 500509
invalid memory access due to incorrect call of g_utf8_offset_to_pointer()
Last modified: 2008-05-28 16:30:37 UTC
Please describe the problem:
When exporting a vcard which requires folding (= any card which has more than 74 characters per property, like a long comment), g_utf8_offset_to_pointer() is asked to step through the string in steps of 74 characters and will happily move past the end of the string to reach that position. This could crash when the string happens to be at the end of a valid page. valgrind reports this as:

==22370== Invalid read of size 1
==22370==    at 0x6FCE267: g_utf8_offset_to_pointer (in /usr/lib/libglib-2.0.so.0.1400.1)
==22370==    by 0x4E5B6B6: e_vcard_to_string_vcard_30 (e-vcard.c:905)
==22370==    by 0x4E5B80E: e_vcard_to_string (e-vcard.c:941)
==22370==    by 0x41D4F1: EvolutionContactSource::exportData(std::ostream&) (EvolutionContactSource.cpp:305)
==22370==    by 0x413D92: SourceList::dumpDatabases(std::string const&) (EvolutionSyncClient.cpp:351)
==22370==    by 0x414903: SourceList::syncPrepare() (EvolutionSyncClient.cpp:440)
==22370==    by 0x40E0C7: EvolutionSyncClient::sync() (EvolutionSyncClient.cpp:790)
==22370==    by 0x408E01: main (syncevolution.cpp:232)
==22370==  Address 0xd3857c9 is 1 bytes after a block of size 128 alloc'd
==22370==    at 0x4C22082: realloc (in /usr/local/lib/valgrind/amd64-linux/vgpreload_memcheck.so)
==22370==    by 0x6FAE310: g_realloc (in /usr/lib/libglib-2.0.so.0.1400.1)
==22370==    by 0x6FC60F3: (within /usr/lib/libglib-2.0.so.0.1400.1)
==22370==    by 0x6FC6C4E: g_string_insert_len (in /usr/lib/libglib-2.0.so.0.1400.1)
==22370==    by 0x4E5B545: e_vcard_to_string_vcard_30 (e-vcard.c:876)
==22370==    by 0x4E5B80E: e_vcard_to_string (e-vcard.c:941)
==22370==    by 0x41D4F1: EvolutionContactSource::exportData(std::ostream&) (EvolutionContactSource.cpp:305)
==22370==    by 0x413D92: SourceList::dumpDatabases(std::string const&) (EvolutionSyncClient.cpp:351)
==22370==    by 0x414903: SourceList::syncPrepare() (EvolutionSyncClient.cpp:440)
==22370==    by 0x40E0C7: EvolutionSyncClient::sync() (EvolutionSyncClient.cpp:790)
==22370==    by 0x408E01: main (syncevolution.cpp:232)

Steps to reproduce:
1. create a contact with a comment longer than 74 characters
2. set a break point in g_utf8_offset_to_pointer()
3. save as vcard
4. watch how g_utf8_offset_to_pointer() reads past the end of the string:

295 g_utf8_offset_to_pointer (const gchar *str,
296                           glong        offset)
297 {
298   const gchar *s = str;
299
300   if (offset > 0)
301     while (offset--)
302       s = g_utf8_next_char (s);

Actual results:
g_utf8_offset_to_pointer() does not stop at the terminating nul-byte.

Expected results:
As g_utf8_offset_to_pointer() is not specified to stop at the nul-byte, it should have been called differently.

Does this happen every time?
Yes.

Other information:
The change which introduced the faulty call from evolution-data-server/addressbook/libebook/e-vcard.c was introduced in the step from svn r7728 to r7743. Reverting that change would be one fix; counting the number of valid characters and using MIN(left, 74) in the call would be another.
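The following is an added, self-contained illustration of the mechanism and of the MIN(left, 74) fix suggested above; it is not code from GLib, evolution-data-server or this bug report. utf8_offset_to_pointer() reimplements only the forward loop of g_utf8_offset_to_pointer() shown in the report (no NUL check), utf8_strlen() stands in for g_utf8_strlen(), and fold_property() is a hypothetical folding loop modelled on the description, not the actual loop in e-vcard.c. The sample values are constructed and placed in a zero-filled buffer so that the faulty walk past the terminator only touches memory the program owns; against the real library under valgrind that walk is the "Invalid read of size 1" reported above.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FOLD_WIDTH 74
#ifndef MIN
#define MIN(a, b) ((a) < (b) ? (a) : (b))
#endif

/* Byte length of the UTF-8 sequence introduced by lead byte c; stray
   continuation or invalid bytes advance by one byte. */
static size_t utf8_seq_len(unsigned char c)
{
    if (c < 0x80)           return 1;
    if ((c & 0xE0) == 0xC0) return 2;
    if ((c & 0xF0) == 0xE0) return 3;
    if ((c & 0xF8) == 0xF0) return 4;
    return 1;
}

/* Same shape as the forward loop of g_utf8_offset_to_pointer(): it advances
   `offset` characters and never looks for the terminating NUL, so a caller
   that asks for more characters than remain walks off the end of the string. */
static const char *utf8_offset_to_pointer(const char *str, long offset)
{
    const char *s = str;
    while (offset-- > 0)
        s += utf8_seq_len((unsigned char)*s);
    return s;
}

/* Characters before the terminating NUL (what g_utf8_strlen(str, -1) gives). */
static long utf8_strlen(const char *str)
{
    long n = 0;
    for (const char *s = str; *s != '\0'; s += utf8_seq_len((unsigned char)*s))
        n++;
    return n;
}

/* Hypothetical folding loop: splits `value` into FOLD_WIDTH-character lines
   joined by CRLF + space. checked == 0 asks for FOLD_WIDTH characters on every
   step (the faulty pattern); checked != 0 clamps to MIN(left, FOLD_WIDTH).
   Returns how many bytes the walk ended past the terminating NUL (0 is correct).
   Only call the unchecked variant on a buffer with readable padding after the NUL. */
static long fold_property(const char *value, int checked, char *out, size_t outsz)
{
    const char *p = value;
    const char *end = value + strlen(value);
    long left = utf8_strlen(value);
    long overshoot = 0;
    size_t used = 0;

    out[0] = '\0';
    while (left > 0) {
        long step = checked ? MIN(left, FOLD_WIDTH) : FOLD_WIDTH;
        const char *q = utf8_offset_to_pointer(p, step);
        if (q > end) {          /* the unchecked walk ran past the string */
            overshoot = q - end;
            q = end;            /* clamp so the copy below stays in bounds */
        }
        size_t n = (size_t)(q - p);
        if (used + n + 3 >= outsz)
            break;              /* output buffer too small: stop, do not overflow */
        memcpy(out + used, p, n);
        used += n;
        left -= step;
        p = q;
        if (left > 0) {
            memcpy(out + used, "\r\n ", 3);
            used += 3;
        }
    }
    out[used] = '\0';
    return overshoot;
}

/* Constructed samples (not from the report): 100 ASCII 'a's, or 80 copies of
   U+00E9 (two bytes each) to show that the walk counts characters, not bytes.
   Everything after the NUL is zero so the faulty walk stays inside this buffer. */
static void build_sample(int multibyte, char *buf, size_t bufsz)
{
    memset(buf, 0, bufsz);
    if (multibyte) {
        for (int i = 0; i < 80; i++)
            memcpy(buf + 2 * i, "\xC3\xA9", 2);
    } else {
        memset(buf, 'a', 100);
    }
}

/* Bytes the walk overshoots the terminator for the chosen sample and variant. */
long demo_overshoot(int multibyte, int checked)
{
    char value[512], out[512];
    build_sample(multibyte, value, sizeof value);
    return fold_property(value, checked, out, sizeof out);
}

/* Length of the folded output: the value plus one 3-byte separator. */
size_t demo_folded_len(int multibyte, int checked)
{
    char value[512], out[512];
    build_sample(multibyte, value, sizeof value);
    fold_property(value, checked, out, sizeof out);
    return strlen(out);
}

int main(void)
{
    printf("ascii: unchecked overshoot=%ld, checked overshoot=%ld\n",
           demo_overshoot(0, 0), demo_overshoot(0, 1));
    printf("utf-8: unchecked overshoot=%ld, checked overshoot=%ld\n",
           demo_overshoot(1, 0), demo_overshoot(1, 1));
    return 0;
}
```

The folded text is identical in both variants; the difference is only in how far the pointer walk went before the copy. For the 100-character ASCII value the unchecked second step asks for 74 characters when 26 remain and ends 48 bytes past the NUL; for the 80-character two-byte value it ends 68 bytes past it. Clamping the request to the characters actually left keeps the walk at the terminator, which is the MIN(left, 74) fix the report proposes.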
More info on bug 510949
Invalid traces of evolution in 2.22.1.1

==29708==
==29708== Invalid read of size 1
==29708==    at 0x5762E20: g_utf8_offset_to_pointer (gutf8.c:302)
==29708==    by 0x43EE106: e_vcard_to_string (e-vcard.c:914)
==29708==    by 0x43E5598: e_contact_duplicate (e-contact.c:1287)
==29708==    by 0x635CF2D: modify_contact (e-addressbook-model.c:231)
==29708==    by 0x56D585B: g_cclosure_marshal_VOID__POINTER (gmarshal.c:601)
==29708==    by 0x56C8C3A: g_closure_invoke (gclosure.c:490)
==29708==    by 0x56DD1C6: signal_emit_unlocked_R (gsignal.c:2440)
==29708==    by 0x56DE67D: g_signal_emit_valist (gsignal.c:2199)
==29708==    by 0x56DEAE5: g_signal_emit (gsignal.c:2243)
==29708==    by 0x43D9600: e_book_view_handle_response (e-book-view.c:53)
==29708==    by 0x56D585B: g_cclosure_marshal_VOID__POINTER (gmarshal.c:601)
==29708==    by 0x56C8C3A: g_closure_invoke (gclosure.c:490)
==29708==  Address 0xc2424c0 is 0 bytes after a block of size 128 alloc'd
==29708==    at 0x4024E7C: realloc (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==29708==    by 0x573B469: g_realloc (gmem.c:170)
==29708==    by 0x575637E: g_string_maybe_expand (gstring.c:359)
==29708==    by 0x5756F78: g_string_insert_len (gstring.c:694)
==29708==    by 0x57573C0: g_string_append (gstring.c:815)
==29708==    by 0x43EDE50: e_vcard_to_string (e-vcard.c:885)
==29708==    by 0x43E5598: e_contact_duplicate (e-contact.c:1287)
==29708==    by 0x635CF2D: modify_contact (e-addressbook-model.c:231)
==29708==    by 0x56D585B: g_cclosure_marshal_VOID__POINTER (gmarshal.c:601)
==29708==    by 0x56C8C3A: g_closure_invoke (gclosure.c:490)
==29708==    by 0x56DD1C6: signal_emit_unlocked_R (gsignal.c:2440)
==29708==    by 0x56DE67D: g_signal_emit_valist (gsignal.c:2199)
==29708==
==29708== Invalid read of size 1
==29708==    at 0x5762E33: g_utf8_offset_to_pointer (gutf8.c:301)
==29708==    by 0x43EE106: e_vcard_to_string (e-vcard.c:914)
==29708==    by 0x43E5598: e_contact_duplicate (e-contact.c:1287)
==29708==    by 0x635CF2D: modify_contact (e-addressbook-model.c:231)
==29708==    by 0x56D585B: g_cclosure_marshal_VOID__POINTER (gmarshal.c:601)
==29708==    by 0x56C8C3A: g_closure_invoke (gclosure.c:490)
==29708==    by 0x56DD1C6: signal_emit_unlocked_R (gsignal.c:2440)
==29708==    by 0x56DE67D: g_signal_emit_valist (gsignal.c:2199)
==29708==    by 0x56DEAE5: g_signal_emit (gsignal.c:2243)
==29708==    by 0x43D9600: e_book_view_handle_response (e-book-view.c:53)
==29708==    by 0x56D585B: g_cclosure_marshal_VOID__POINTER (gmarshal.c:601)
==29708==    by 0x56C8C3A: g_closure_invoke (gclosure.c:490)
==29708==  Address 0xc2424c1 is 1 bytes after a block of size 128 alloc'd
==29708==    at 0x4024E7C: realloc (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==29708==    by 0x573B469: g_realloc (gmem.c:170)
==29708==    by 0x575637E: g_string_maybe_expand (gstring.c:359)
==29708==    by 0x5756F78: g_string_insert_len (gstring.c:694)
==29708==    by 0x57573C0: g_string_append (gstring.c:815)
==29708==    by 0x43EDE50: e_vcard_to_string (e-vcard.c:885)
==29708==    by 0x43E5598: e_contact_duplicate (e-contact.c:1287)
==29708==    by 0x635CF2D: modify_contact (e-addressbook-model.c:231)
==29708==    by 0x56D585B: g_cclosure_marshal_VOID__POINTER (gmarshal.c:601)
==29708==    by 0x56C8C3A: g_closure_invoke (gclosure.c:490)
==29708==    by 0x56DD1C6: signal_emit_unlocked_R (gsignal.c:2440)
==29708==    by 0x56DE67D: g_signal_emit_valist (gsignal.c:2199)

==27760==
==27760== Thread 6:
==27760== Use of uninitialised value of size 4
==27760==    at 0x4D4DE26: g_utf8_offset_to_pointer (gutf8.c:302)
==27760==    by 0x413A106: e_vcard_to_string (e-vcard.c:914)
==27760==    by 0x406DEC0: e_data_book_view_notify_update (e-data-book-view.c:261)
==27760==    by 0x571E111: book_view_thread (e-book-backend-groupwise.c:2337)
==27760==    by 0x4D4839E: g_thread_create_proxy (gthread.c:635)
==27760==    by 0x4E0E174: start_thread (pthread_create.c:297)
==27760==    by 0x4EEDDDD: clone (in /lib/libc-2.8.so)
==27760==
==27760== Invalid read of size 1
==27760==    at 0x4D4DE20: g_utf8_offset_to_pointer (gutf8.c:302)
==27760==    by 0x413A106: e_vcard_to_string (e-vcard.c:914)
==27760==    by 0x406DEC0: e_data_book_view_notify_update (e-data-book-view.c:261)
==27760==    by 0x571E111: book_view_thread (e-book-backend-groupwise.c:2337)
==27760==    by 0x4D4839E: g_thread_create_proxy (gthread.c:635)
==27760==    by 0x4E0E174: start_thread (pthread_create.c:297)
==27760==    by 0x4EEDDDD: clone (in /lib/libc-2.8.so)
==27760==  Address 0xd182488 is 0 bytes after a block of size 128 alloc'd
==27760==    at 0x4024E7C: realloc (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==27760==    by 0x4D26469: g_realloc (gmem.c:170)
==27760==    by 0x4D4137E: g_string_maybe_expand (gstring.c:359)
==27760==    by 0x4D41F78: g_string_insert_len (gstring.c:694)
==27760==    by 0x4D423C0: g_string_append (gstring.c:815)
==27760==    by 0x4139E50: e_vcard_to_string (e-vcard.c:885)
==27760==    by 0x406DEC0: e_data_book_view_notify_update (e-data-book-view.c:261)
==27760==    by 0x571E111: book_view_thread (e-book-backend-groupwise.c:2337)
==27760==    by 0x4D4839E: g_thread_create_proxy (gthread.c:635)
==27760==    by 0x4E0E174: start_thread (pthread_create.c:297)
==27760==    by 0x4EEDDDD: clone (in /lib/libc-2.8.so)
==27760==
==27760== Invalid read of size 1
==27760==    at 0x4D4DE33: g_utf8_offset_to_pointer (gutf8.c:301)
==27760==    by 0x413A106: e_vcard_to_string (e-vcard.c:914)
==27760==    by 0x406DEC0: e_data_book_view_notify_update (e-data-book-view.c:261)
==27760==    by 0x571E111: book_view_thread (e-book-backend-groupwise.c:2337)
==27760==    by 0x4D4839E: g_thread_create_proxy (gthread.c:635)
==27760==    by 0x4E0E174: start_thread (pthread_create.c:297)
==27760==    by 0x4EEDDDD: clone (in /lib/libc-2.8.so)
==27760==  Address 0xd182489 is 1 bytes after a block of size 128 alloc'd
==27760==    at 0x4024E7C: realloc (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==27760==    by 0x4D26469: g_realloc (gmem.c:170)
==27760==    by 0x4D4137E: g_string_maybe_expand (gstring.c:359)
==27760==    by 0x4D41F78: g_string_insert_len (gstring.c:694)
==27760==    by 0x4D423C0: g_string_append (gstring.c:815)
==27760==    by 0x4139E50: e_vcard_to_string (e-vcard.c:885)
==27760==    by 0x406DEC0: e_data_book_view_notify_update (e-data-book-view.c:261)
==27760==    by 0x571E111: book_view_thread (e-book-backend-groupwise.c:2337)
==27760==    by 0x4D4839E: g_thread_create_proxy (gthread.c:635)
==27760==    by 0x4E0E174: start_thread (pthread_create.c:297)
==27760==    by 0x4EEDDDD: clone (in /lib/libc-2.8.so)
in server_log_handler
Marking this as a duplicate because the other one contains a patch. Thanks for reporting this. *** This bug has been marked as a duplicate of 534111 ***