Bug 652620 - Can use uninitialized memory in alarm-notification-dialog
Status: RESOLVED FIXED
Product: evolution
Classification: Applications
Component: Calendar
Version: 3.0.x (obsolete)
OS: Other Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assigned To: Milan Crha
QA Contact: Evolution QA team
Depends on:
Blocks:
Reported: 2011-06-15 06:35 UTC by Milan Crha
Modified: 2011-09-01 03:53 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
evo patch (898 bytes, patch)
2011-06-15 09:35 UTC, Milan Crha
committed

Description Milan Crha 2011-06-15 06:35:18 UTC
Moving this from a downstream bug report:
https://bugzilla.redhat.com/show_bug.cgi?id=713273

abrt version: 2.0.1
architecture:   x86_64
cmdline:        /usr/libexec/evolution/3.0/evolution-alarm-notify
comment:        The reminder thing came up in the notification area at the
bottom right of gnome3. I clicked on it and dismissed 2 items but the third I
wanted to reschedule for tomorrow. I pressed edit and then changed the date for
the from and until time pickers to tomorrow, then saved the appointment. The
reminder box was still visible but there were no reminders in it. I pressed the
dismiss button and it closed and a crash notification popped up in ABRT
component:      evolution
crash_function: gtk_tree_model_get_valist
executable:     /usr/libexec/evolution/3.0/evolution-alarm-notify
kernel:         2.6.38.7-30.fc15.x86_64
os_release:     Fedora release 15 (Lovelock)
package:        evolution-3.0.2-2.fc15

Core was generated by `/usr/libexec/evolution/3.0/evolution-alarm-notify'.
Program terminated with signal 11, Segmentation fault.

Thread 1 (Thread 0x7f417d90b9a0 (LWP 1992))

  • #0 gtk_tree_model_get_valist
    at gtktreemodel.c line 1722
  • #1 gtk_tree_model_get
    at gtktreemodel.c line 1684
  • #2 dialog_response_cb
    at alarm-notify-dialog.c line 145
  • #3 g_closure_invoke
    at gclosure.c line 767
  • #4 signal_emit_unlocked_R
    at gsignal.c line 3252
  • #5 g_signal_emit_valist
    at gsignal.c line 2983
  • #6 g_signal_emit
    at gsignal.c line 3040
  • #7 g_closure_invoke
    at gclosure.c line 767
  • #8 signal_emit_unlocked_R
    at gsignal.c line 3252
  • #9 g_signal_emit_valist
    at gsignal.c line 2983
  • #10 g_signal_emit
    at gsignal.c line 3040
  • #11 gtk_real_button_released
    at gtkbutton.c line 1827
  • #12 g_closure_invoke
    at gclosure.c line 767
  • #13 signal_emit_unlocked_R
    at gsignal.c line 3182
  • #14 g_signal_emit_valist
    at gsignal.c line 2983
  • #15 g_signal_emit
    at gsignal.c line 3040
  • #16 gtk_button_button_release
    at gtkbutton.c line 1719
  • #17 _gtk_marshal_BOOLEAN__BOXED
    at gtkmarshalers.c line 85
  • #18 g_closure_invoke
    at gclosure.c line 767
  • #19 signal_emit_unlocked_R
    at gsignal.c line 3290
  • #20 g_signal_emit_valist
    at gsignal.c line 2993
  • #21 g_signal_emit
    at gsignal.c line 3040
  • #22 gtk_widget_event_internal
    at gtkwidget.c line 6114
  • #23 gtk_propagate_event
    at gtkmain.c line 2597
  • #24 gtk_main_do_event
    at gtkmain.c line 1872
  • #25 gdk_event_source_dispatch
    at gdkeventsource.c line 318
  • #26 g_main_dispatch
    at gmain.c line 2441
  • #27 g_main_context_dispatch
    at gmain.c line 3014
  • #28 g_main_context_iterate
    at gmain.c line 3092
  • #29 g_main_loop_run
    at gmain.c line 3300
  • #30 gtk_main
    at gtkmain.c line 1358
  • #31 main
    at notify-main.c line 120

Comment 1 Milan Crha 2011-06-15 09:35:44 UTC
Created attachment 189967 [details] [review]
evo patch

for evolution;

The function didn't check whether 'iter' was set, and thus passed uninitialized memory into the following function, which crashed due to the garbage stored in the 'iter' variable. This patch checks whether it was set and, if not, exits the function gracefully.
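The defect described in the comment above is a general C pattern: a lookup routine fills an out-parameter only on success, and the caller uses the out-parameter without checking the return value. The example below is an added illustration, not the attached patch and not Evolution or GTK code; the `Model`, `Iter`, `model_get_selected()` and `model_get_name()` names are constructed stand-ins for the tree-model calls in the backtrace, and the stale-stack contents are simulated with a fixed byte pattern so the buggy shape runs deterministically instead of invoking undefined behaviour.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins (not GTK): a row iterator whose contents are
 * meaningless until a lookup fills it, and a tiny model that, like GTK tree
 * models, tags valid iterators with its own stamp. */
typedef struct { int stamp; int row; } Iter;
typedef struct { int stamp; int n_rows; const char *names[3]; } Model;

static const Model DEMO_MODEL = { 0x1234, 3, { "meeting", "dentist", "call" } };

/* Mirrors the contract of a selection lookup: *iter is filled and true is
 * returned only when a row is selected; on false, *iter is left untouched. */
static bool model_get_selected(const Model *m, int selected_row, Iter *iter) {
    if (selected_row < 0 || selected_row >= m->n_rows)
        return false;
    iter->stamp = m->stamp;
    iter->row = selected_row;
    return true;
}

/* Mirrors a model getter: it trusts the iterator it is handed. A real GTK
 * model validates the stamp and aborts on mismatch; this stand-in returns
 * NULL instead so the failure can be observed without a crash. */
static const char *model_get_name(const Model *m, const Iter *iter) {
    if (iter->stamp != m->stamp || iter->row < 0 || iter->row >= m->n_rows)
        return NULL;
    return m->names[iter->row];
}

/* Buggy shape of the callback: the lookup result is ignored, so when no row
 * is selected whatever was left on the stack is passed to model_get_name(). */
static const char *dismiss_unchecked(const Model *m, int selected_row) {
    Iter iter;
    memset(&iter, 0xA5, sizeof iter);           /* simulated stale stack bytes */
    model_get_selected(m, selected_row, &iter); /* return value discarded */
    const char *name = model_get_name(m, &iter);
    return name ? name : "invalid-iter";        /* the real code crashed here */
}

/* Fixed shape, the same idea as the attached patch: leave early when the
 * lookup reports that nothing was selected, so iter is never read uninitialized. */
static const char *dismiss_checked(const Model *m, int selected_row) {
    Iter iter;
    if (!model_get_selected(m, selected_row, &iter))
        return "no-selection";
    const char *name = model_get_name(m, &iter);
    return name ? name : "invalid-iter";
}

int main(void) {
    printf("row 1, unchecked: %s\n", dismiss_unchecked(&DEMO_MODEL, 1));
    printf("row 1, checked:   %s\n", dismiss_checked(&DEMO_MODEL, 1));
    printf("empty, unchecked: %s\n", dismiss_unchecked(&DEMO_MODEL, -1));
    printf("empty, checked:   %s\n", dismiss_checked(&DEMO_MODEL, -1));
    return 0;
}
```

With a row selected both variants behave identically, which is why the bug only surfaces in the reporter's scenario (dismissing after the list had been emptied); with no selection the unchecked variant hands a garbage iterator downstream while the checked one returns before touching it.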
Comment 2 Milan Crha 2011-06-15 09:39:05 UTC
Created commit e4b480c in evo master (3.1.3+)
Created commit 80a237c in evo gnome-3-0 (3.0.3+)
Comment 3 Nick Jenkins 2011-09-01 03:53:46 UTC
Thank you! I suspect it's also the same as this downstream bug - https://bugs.launchpad.net/ubuntu/+source/evolution/+bug/432284 - which has been annoying me for 2 years (was present in Evo ~ 2.26 to 3.0.2) - I'll try to log these types of crashers upstream from now on, only logged it downstream as the distro's bug-reporting tool captured a backtrace.