Bug 607651 - Crashed with SIGSEGV in get_SPropValue
Status: RESOLVED FIXED
Product: evolution-mapi
Classification: Applications
Component: Contacts (Addressbook)
Version: 0.28.x
Hardware: Other Linux
Importance: Normal critical
Target Milestone: ---
Assigned To: Milan Crha
QA Contact: evolution-mapi-maint
Duplicates: 564825 570354
Depends on:
Blocks:
Reported: 2010-01-21 11:38 UTC by Pedro Villavicencio
Modified: 2010-06-15 17:53 UTC
See Also:
GNOME target: ---
GNOME version: 2.27/2.28


Attachments
ema patch (15.67 KB, patch)
2010-02-15 20:04 UTC, Milan Crha
committed

Description Pedro Villavicencio 2010-01-21 11:38:02 UTC
This report has been filed here:

https://bugs.edge.launchpad.net/ubuntu/+source/evolution-mapi/+bug/510527

"When I activated the Calendar "checkmark" for my Exchange 2007 account, Evolution crashed."

Thread 1 (process 1931)

  • #0 get_SPropValue
    at libmapi/property.c line 94
  • #1 exchange_mapi_util_find_SPropVal_array_propval
    at exchange-mapi-utils.c line 124
  • #2 exchange_mapi_cal_util_mapi_props_to_comp
    at exchange-mapi-cal-utils.c line 507
  • #3 mapi_cal_cache_create_cb
    at e-cal-backend-mapi.c line 1005
  • #4 exchange_mapi_connection_fetch_items
    at exchange-mapi-connection.c line 1308
  • #5 cache_init
    at e-cal-backend-mapi.c line 1066
  • #6 ??
    from /lib/libglib-2.0.so.0
  • #7 start_thread
    from /lib/tls/i686/cmov/libpthread.so.0
  • #8 clone
    at ../sysdeps/unix/sysv/linux/i386/clone.S line 130

Comment 1 Akhil Laddha 2010-01-21 12:30:43 UTC
*** Bug 570354 has been marked as a duplicate of this bug. ***
Comment 2 Milan Crha 2010-02-15 20:04:50 UTC
Created attachment 153861
ema patch

for evolution-mapi;

get_SPropValue takes an array of struct SPropValue as its first parameter. There is no information about the array size, so it uses the element with a zero lpProps[i].ulPropTag as a sentinel. The problematic point was recipient->out.all_cValues, where a struct SRow (which has information about the array size and no sentinel property in the array) was turned into a plain array, so a call to get_SPropValue could exceed the array boundary. It didn't crash for me, but valgrind was reporting an issue with that. Changing recipient->out to struct SRow fixes the issue. The above patch also adds sentinel items to arrays of struct SPropValue which are created within ema.
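The difference described in comment 2, as an added example that is not the evolution-mapi patch or libmapi code: `struct prop` and `struct row` are simplified, hypothetical stand-ins for `struct SPropValue` and `struct SRow`, and all tag values are constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-ins for libmapi's SPropValue and SRow (hypothetical layout). */
struct prop { uint32_t tag; int value; };
struct row  { uint32_t count; struct prop *props; };

/* Sentinel-style lookup: no length, stops only at an element with tag == 0. */
static const struct prop *find_sentinel(const struct prop *props, uint32_t tag)
{
    for (size_t i = 0; props[i].tag != 0; i++)
        if (props[i].tag == tag)
            return &props[i];
    return NULL;
}

/* Counted lookup: never looks past row->count elements. */
static const struct prop *find_counted(const struct row *row, uint32_t tag)
{
    for (uint32_t i = 0; i < row->count; i++)
        if (row->props[i].tag == tag)
            return &row->props[i];
    return NULL;
}

/* Copy a counted row, appending a zero-tag terminator (calloc zeroes it). Caller frees. */
static struct prop *row_with_sentinel(const struct row *row)
{
    struct prop *out = calloc((size_t)row->count + 1, sizeof *out);
    if (out != NULL && row->count > 0)
        memcpy(out, row->props, row->count * sizeof *out);
    return out;
}

/* Constructed data: the row owns elements 0-1; 2-3 stand in for adjacent memory. */
static struct prop backing[4] = { {0x1001, 10}, {0x1002, 20}, {0x3001, 99}, {0, 0} };
static struct row demo_row = { 2, backing };

int main(void)
{
    struct prop *safe = row_with_sentinel(&demo_row);
    if (safe == NULL) return 2;
    int ok = find_sentinel(demo_row.props, 0x3001) == &backing[2] /* ran past the row */
          && find_counted(&demo_row, 0x3001) == NULL
          && find_sentinel(safe, 0x3001) == NULL;
    free(safe);
    return ok ? 0 : 1;
}
```

In this demo the scan past the row's end stays inside `backing`; with a real counted row there is no guaranteed zero tag after the last element, which is the out-of-bounds read valgrind flagged.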
Comment 3 Milan Crha 2010-02-15 20:41:24 UTC
Created commit fccc58b in ema master (0.29.91+)
Created commit 3fdaf4c in ema gnome-2-28 (0.28.3+)
Comment 4 Milan Crha 2010-06-15 17:53:04 UTC
*** Bug 564825 has been marked as a duplicate of this bug. ***