Bug 628522 - invalid access off end of array in e_bit_array_delete()
Status: RESOLVED FIXED
Product: evolution
Classification: Applications
Component: general
Version: 2.32.x (obsolete)
OS: Other Linux
Importance: Normal normal
Target Milestone: ---
Assigned To: Evolution Shell Maintainers Team
QA Contact: Evolution QA team
Whiteboard: evolution[etable]
Duplicates: 629459 629909 631089 637542 639225
Depends on:
Blocks: 629918
Reported: 2010-09-01 15:30 UTC by David Woodhouse
Modified: 2013-09-13 01:05 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
fix off-by-one (562 bytes, patch)
2010-09-17 11:13 UTC, David Woodhouse
Status: none
updated patch; check eba->bit_count > 0, not > row (560 bytes, patch)
2010-09-17 12:51 UTC, David Woodhouse
Status: committed

Description David Woodhouse 2010-09-01 15:30:56 UTC
==25576== 2 errors in context 2 of 18630:
==25576== Invalid read of size 4
==25576==    at 0x6B3EF8B: e_bit_array_delete_real (e-bit-array.c:94)
==25576==    by 0x6B3F12F: e_bit_array_delete (e-bit-array.c:119)
==25576==    by 0x5BD8CD2: e_selection_model_array_delete_rows (e-selection-model-array.c:81)
==25576==    by 0x570A877: model_rows_deleted (e-table-selection-model.c:163)
==25576==    by 0x3D3DE0E50D: g_closure_invoke (gclosure.c:766)
==25576==    by 0x3D3DE2000A: signal_emit_unlocked_R (gsignal.c:3252)
==25576==    by 0x3D3DE29B49: g_signal_emit_valist (gsignal.c:2983)
==25576==    by 0x3D3DE29CF2: g_signal_emit (gsignal.c:3040)
==25576==    by 0xEC221F6: process_added (e-cal-model.c:1757)
==25576==    by 0xEC1FAF7: process_event (e-cal-model.c:1959)
==25576==    by 0xEC1FCD5: e_cal_view_objects_added_cb (e-cal-model.c:1987)
==25576==    by 0xEC2016F: process_modified (e-cal-model.c:1867)
==25576==  Address 0x25019664 is 0 bytes after a block of size 4 alloc'd
==25576==    at 0x4A05255: realloc (vg_replace_malloc.c:476)
==25576==    by 0x3D3D645D4D: g_realloc (gmem.c:181)
==25576==    by 0x6B3F00D: e_bit_array_delete_real (e-bit-array.c:105)
==25576==    by 0x6B3F12F: e_bit_array_delete (e-bit-array.c:119)
==25576==    by 0x5BD8CD2: e_selection_model_array_delete_rows (e-selection-model-array.c:81)
==25576==    by 0x570A877: model_rows_deleted (e-table-selection-model.c:163)
==25576==    by 0x3D3DE0E50D: g_closure_invoke (gclosure.c:766)
==25576==    by 0x3D3DE2000A: signal_emit_unlocked_R (gsignal.c:3252)
==25576==    by 0x3D3DE29B49: g_signal_emit_valist (gsignal.c:2983)
==25576==    by 0x3D3DE29CF2: g_signal_emit (gsignal.c:3040)
==25576==    by 0xEC221F6: process_added (e-cal-model.c:1757)
==25576==    by 0xEC1FAF7: process_event (e-cal-model.c:1959)
==25576==
Comment 1 David Woodhouse 2010-09-17 10:03:08 UTC
*** Bug 629909 has been marked as a duplicate of this bug. ***
Comment 2 Milan Crha 2010-09-17 10:21:56 UTC
Because a patch is there for this.

*** This bug has been marked as a duplicate of bug 629459 ***
Comment 3 David Woodhouse 2010-09-17 11:13:09 UTC
Created attachment 170474 [details] [review]
fix off-by-one

The discussion from the third comment onwards in bug 629459, where we start talking about e-bit-array potentially causing memory corruption, seems to be a red herring. It would only ever *read* from outside its array. The originally-reported bug hasn't really been addressed.

So I'm filing this patch for the e-bit-array off-by-one error here. While we're at it, also check that the bit we're being asked to delete is actually within the bit array.
Comment 4 David Woodhouse 2010-09-17 12:51:10 UTC
Created attachment 170480 [details] [review]
updated patch; check eba->bit_count > 0, not > row

Checking the 'row' input for sanity is outside the scope of this patch and should be done elsewhere. Let's just change the check from >=0 to >0 to ensure that we don't underflow.
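As a constructed illustration of the off-by-one discussed in comments 3 and 4 (example code added here, not Evolution's e-bit-array.c or the attached patch): the bit-array layout and the `last_word_index` formula are assumptions modelled on the valgrind output above, a read one word past a one-word allocation, and the unfixed and fixed index computations are shown side by side with a delete that uses the fixed one.

```c
#include <stdint.h>
#include <stdlib.h>
/* Constructed model of a packed bit array (one bit per table row, MSB first
 * within each 32-bit word). Written for this example; it is not Evolution's
 * EBitArray and only mimics the shape of the bug discussed in this report. */
typedef struct { uint32_t *data; int bit_count; } BitArray;

static int words_for(int bits) { return (bits + 31) / 32; }

/* Index of the word holding the final bit. The unfixed form, bit_count >> 5,
 * names word 1 when bit_count == 32 although only word 0 was allocated: an
 * access "0 bytes after a block of size 4", as valgrind reported. The fixed
 * form subtracts one first and guards bit_count > 0 so it cannot underflow. */
static int last_word_index(int bit_count, int fixed) {
    if (!fixed) return bit_count >> 5;
    return bit_count > 0 ? (bit_count - 1) >> 5 : -1;
}
static BitArray *bit_array_new(int bits) {
    BitArray *ba = malloc(sizeof *ba);
    ba->bit_count = bits;
    ba->data = calloc(words_for(bits), sizeof *ba->data);
    return ba;
}
static void set_bit(BitArray *ba, int row) { ba->data[row >> 5] |= 1u << (31 - (row & 31)); }
static int bit_at(const BitArray *ba, int row) { return (ba->data[row >> 5] >> (31 - (row & 31))) & 1; }

/* Remove bit `row`, shifting every later bit down by one. With the fixed
 * index the loop never touches a word beyond the allocation. */
static void bit_array_delete(BitArray *ba, int row) {
    int box = row >> 5, last = last_word_index(ba->bit_count, 1), i;
    if (last < 0 || row < 0 || row >= ba->bit_count) return;
    for (i = box; i <= last; i++) {
        /* rows before `row` stay put (keep mask); `row` and everything after shift up one */
        uint32_t keep = (i == box && (row & 31)) ? ~0u << (32 - (row & 31)) : 0;
        uint32_t carry = (i < last) ? ba->data[i + 1] >> 31 : 0;
        ba->data[i] = (ba->data[i] & keep) | (((ba->data[i] & ~keep) << 1) & ~keep) | carry;
    }
    ba->bit_count--;
}
/* Scenario: 40 rows with rows 3 and 32 set; deleting row 3 must leave row 31
 * set, rows 3 and 32 clear, and 39 rows in total. Returns 1 on success. */
static int check_delete(void) {
    BitArray *ba = bit_array_new(40); int ok;
    set_bit(ba, 3); set_bit(ba, 32);
    bit_array_delete(ba, 3);
    ok = ba->bit_count == 39 && bit_at(ba, 31) && !bit_at(ba, 3) && !bit_at(ba, 32);
    free(ba->data); free(ba);
    return ok;
}
```

`last_word_index(32, 0)` equals `words_for(32)`, i.e. one past the allocated words, which is exactly the access valgrind flagged; the fixed form yields 0 there and refuses an empty array instead of underflowing.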
Comment 5 Milan Crha 2010-09-17 13:01:53 UTC
Reopening due to (my) bad approach from the other bug.
Comment 6 Milan Crha 2010-09-17 13:04:05 UTC
The change looks good. Please commit to master and keep commit to gnome-2-32 after the hard code freeze. Thanks.
Comment 7 Milan Crha 2010-09-20 06:38:00 UTC
*** Bug 629459 has been marked as a duplicate of this bug. ***
Comment 8 Milan Crha 2010-09-29 09:18:21 UTC
Created commit a86159e in evo gnome-2-32 (2.32.1+)
Comment 9 Fabio Durán Verdugo 2010-10-01 13:55:55 UTC
*** Bug 631089 has been marked as a duplicate of this bug. ***
Comment 10 Thomas 2010-10-20 00:41:34 UTC
(In reply to comment #8)
> Created commit a86159e in evo gnome-2-32 (2.32.1+)

Why did this fix not make it into 2.30.xx, since this is the version delivered with the latest Ubuntu Maverick?
Comment 11 Matthew Barnes 2010-10-20 01:06:41 UTC
Ask Ubuntu.  We support 2.32 now.
Comment 12 Thomas 2010-10-20 01:24:04 UTC
(In reply to comment #11)
> Ask Ubuntu.  We support 2.32 now.

Just filed a bug report at https://bugs.launchpad.net/ubuntu/+source/evolution/+bug/663618.
Comment 13 Fabio Durán Verdugo 2010-12-19 01:27:47 UTC
*** Bug 637542 has been marked as a duplicate of this bug. ***
Comment 14 Fabio Durán Verdugo 2011-01-11 21:13:01 UTC
*** Bug 639225 has been marked as a duplicate of this bug. ***