GNOME Bugzilla – Bug 656635
Use-after-free when setting summary for component with alarms
Last modified: 2017-04-12 10:23:14 UTC
Evolution 3.1.90

(evolution:23644): calendar-gui-WARNING **: No potential organizers!
==23644== Invalid read of size 1
==23644==    at 0x402A4FD: strcmp (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==23644==    by 0x582B4F7: g_hash_table_foreach (ghash.c:1420)
==23644==    by 0x465A0A9: e_cal_component_set_summary (e-cal-component.c:4390)
==23644==    by 0x76667BF: e_week_view_on_editing_stopped (e-week-view.c:3995)
==23644==    by 0x76659AA: e_week_view_on_text_item_event (e-week-view.c:3658)
==23644==    by 0x43EF7B8: gnome_canvas_marshal_BOOLEAN__BOXED (gnome-canvas-marshal.c:128)
==23644==    by 0x57A6F71: g_closure_invoke (gclosure.c:773)
==23644==    by 0x57C0EE2: signal_emit_unlocked_R (gsignal.c:3271)
==23644==    by 0x57C02BD: g_signal_emit_valist (gsignal.c:3012)
==23644==    by 0x57C0688: g_signal_emit_by_name (gsignal.c:3096)
==23644==    by 0x43695B9: canvas_emit_event (e-canvas.c:153)
==23644==    by 0x436A73F: e_canvas_item_grab_focus (e-canvas.c:660)
==23644==    by 0x430AB71: e_text_event (e-text.c:1964)
==23644==    by 0x76626DE: ewv_pass_gdkevent_to_etext (e-week-view.c:2363)
==23644==    by 0x7662ABF: e_week_view_on_button_release (e-week-view.c:2467)
==23644==    by 0x4FD2EB9: ??? (in /usr/lib/libgtk-3.so.0.110.0)
==23644==    by 0x57A6F71: g_closure_invoke (gclosure.c:773)
==23644==    by 0x57C0EE2: signal_emit_unlocked_R (gsignal.c:3271)
==23644==    by 0x57C02BD: g_signal_emit_valist (gsignal.c:3012)
==23644==    by 0x57C051D: g_signal_emit (gsignal.c:3059)
==23644==    by 0x513A932: ??? (in /usr/lib/libgtk-3.so.0.110.0)
==23644==    by 0x9DE5C37: ???
==23644==  Address 0xa798eb8 is 0 bytes inside a block of size 6 free'd
==23644==    at 0x4028283: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==23644==    by 0x76667BF: e_week_view_on_editing_stopped (e-week-view.c:3995)
==23644==    by 0x76659AA: e_week_view_on_text_item_event (e-week-view.c:3658)
==23644==    by 0x43EF7B8: gnome_canvas_marshal_BOOLEAN__BOXED (gnome-canvas-marshal.c:128)
==23644==    by 0x57A6F71: g_closure_invoke (gclosure.c:773)
==23644==    by 0x57C0EE2: signal_emit_unlocked_R (gsignal.c:3271)
==23644==    by 0x57C02BD: g_signal_emit_valist (gsignal.c:3012)
==23644==    by 0x57C0688: g_signal_emit_by_name (gsignal.c:3096)
==23644==    by 0x43695B9: canvas_emit_event (e-canvas.c:153)
==23644==    by 0x436A73F: e_canvas_item_grab_focus (e-canvas.c:660)
==23644==    by 0x430AB71: e_text_event (e-text.c:1964)
==23644==    by 0x76626DE: ewv_pass_gdkevent_to_etext (e-week-view.c:2363)
==23644==    by 0x7662ABF: e_week_view_on_button_release (e-week-view.c:2467)
==23644==    by 0x4FD2EB9: ??? (in /usr/lib/libgtk-3.so.0.110.0)
==23644==    by 0x57A6F71: g_closure_invoke (gclosure.c:773)
==23644==    by 0x57C0EE2: signal_emit_unlocked_R (gsignal.c:3271)
==23644==    by 0x57C02BD: g_signal_emit_valist (gsignal.c:3012)
==23644==    by 0x57C051D: g_signal_emit (gsignal.c:3059)
==23644==    by 0x513A932: ??? (in /usr/lib/libgtk-3.so.0.110.0)
==23644==    by 0x9DE5C37: ???
Might be just a variation of bug #651682 and such like bugs. Maybe.
(In reply to Milan Crha from comment #1)
> Might be just a variation of bug #651682 and such like bugs. Maybe.

Ehm, no, it's a use-after-free, the 'old_summary' text is gone by icalcomponent_set_summary(). I just received an ASAN report about it, when editing summary text inline in the Day View for a component which has set alarm(s).

Created commit 9832098 in eds master (3.25.1+)
Created commit 60b92a8 in eds gnome-3-24 (3.24.2+)
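The defect described in the comment above, as an added C example that is not eds code: `struct component`, `replace_string` (standing in for the icalcomponent_set_summary() call that frees the old text), `set_summary_buggy`, `set_summary_fixed` and `make_component` are all constructed for this illustration, and the alarm loop is a simplified stand-in for the alarm walk in e_cal_component_set_summary(). The buggy setter borrows the `old_summary` pointer across the call that frees it; the fixed setter owns a private copy for as long as the loop needs it.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model, not the eds API: a summary plus alarms that default to it. */
struct component { char *summary; char *alarm_desc[4]; int n_alarms; };

static char *copy_string(const char *s) { return strcpy(malloc(strlen(s) + 1), s); } /* demo helper */

/* Stands in for icalcomponent_set_summary(): it frees the previous text. */
static void replace_string(char **slot, const char *text)
{
    free(*slot);
    *slot = copy_string(text);
}

/* Buggy shape from the report (shown for comparison; nothing here calls it):
 * old_summary is only borrowed, and the alarm loop reads it after it was freed. */
void set_summary_buggy(struct component *c, const char *summary)
{
    const char *old_summary = c->summary;
    replace_string(&c->summary, summary);               /* old_summary dangles */
    for (int i = 0; i < c->n_alarms; i++)
        if (strcmp(c->alarm_desc[i], old_summary) == 0) /* use-after-free read */
            replace_string(&c->alarm_desc[i], summary);
}

/* Fixed shape: hold a private copy of the old summary until the loop is done.
 * Returns how many alarm descriptions followed the summary change. */
int set_summary_fixed(struct component *c, const char *summary)
{
    char *old_summary = copy_string(c->summary);
    int updated = 0;
    replace_string(&c->summary, summary);
    for (int i = 0; i < c->n_alarms; i++)
        if (strcmp(c->alarm_desc[i], old_summary) == 0) {
            replace_string(&c->alarm_desc[i], summary);
            updated++;
        }
    free(old_summary);
    return updated;
}

/* Sample component: alarm 0 keeps the default text, alarm 1 was customised. */
struct component make_component(void)
{
    struct component c = { copy_string("Meeting"), { 0 }, 2 };
    c.alarm_desc[0] = copy_string("Meeting");
    c.alarm_desc[1] = copy_string("Bring the slides");
    return c;
}
```

Building with -fsanitize=address and calling the buggy variant on `make_component()` reports the same heap-use-after-free read in strcmp that the valgrind output above shows; the fixed variant updates only the alarm that still carried the default text.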