GNOME Bugzilla – Bug 781430
(Year view) heap-buffer-overflow under calculate_day_month_for_coord views/gcal-year-view.c:647
Last modified: 2017-04-22 10:39:28 UTC
This is git master at commit 3be142a. Moving the mouse above the Year view aborts with an address sanitizer report:

==15731==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b0006ab67c at pc 0x00000046535c bp 0x7ffed0d71cb0 sp 0x7ffed0d71ca0
READ of size 4 at 0x60b0006ab67c thread T0
    #0 0x46535b in calculate_day_month_for_coord views/gcal-year-view.c:647
    #1 0x46b6a0 in navigator_motion_notify_cb views/gcal-year-view.c:1213
    #2 0x7fa2c6fc5ddb (/lib64/libgtk-3.so.0+0x22bddb)
    #3 0x7fa2c42feb48 in g_closure_invoke /data/develop/test-any/_other/glib-2.50.2/gobject/gclosure.c:804
    #4 0x7fa2c434b658 in signal_emit_unlocked_R /data/develop/test-any/_other/glib-2.50.2/gobject/gsignal.c:3635
    #5 0x7fa2c43494b4 in g_signal_emit_valist /data/develop/test-any/_other/glib-2.50.2/gobject/gsignal.c:3401
    #6 0x7fa2c434a217 in g_signal_emit /data/develop/test-any/_other/glib-2.50.2/gobject/gsignal.c:3447
    #7 0x7fa2c711326b (/lib64/libgtk-3.so.0+0x37926b)
    #8 0x7fa2c6fc2ead (/lib64/libgtk-3.so.0+0x228ead)
    #9 0x7fa2c6fc4f1d in gtk_main_do_event (/lib64/libgtk-3.so.0+0x22af1d)
    #10 0x7fa2c6ada5c4 (/lib64/libgdk-3.so.0+0x355c4)
    #11 0x7fa2c6b0b581 (/lib64/libgdk-3.so.0+0x66581)
    #12 0x7fa2c3c4fabc in g_main_dispatch /data/develop/test-any/_other/glib-2.50.2/glib/gmain.c:3203
    #13 0x7fa2c3c53f4c in g_main_context_dispatch /data/develop/test-any/_other/glib-2.50.2/glib/gmain.c:3856
    #14 0x7fa2c3c54522 in g_main_context_iterate /data/develop/test-any/_other/glib-2.50.2/glib/gmain.c:3929
    #15 0x7fa2c3c5465a in g_main_context_iteration /data/develop/test-any/_other/glib-2.50.2/glib/gmain.c:3990
    #16 0x7fa2c4babd61 in g_application_run /data/develop/test-any/_other/glib-2.50.2/gio/gapplication.c:2381
    #17 0x433d7d in main /data/develop/test-any/_other/gnome-calendar/src/main.c:44
    #18 0x7fa2c2341400 in __libc_start_main (/lib64/libc.so.6+0x20400)
    #19 0x419849 in _start (/build/test-any/bin/gnome-calendar+0x419849)

0x60b0006ab67c is located 4 bytes to the right of 104-byte region [0x60b0006ab610,0x60b0006ab678)
allocated by thread T0 here:
    #0 0x7fa2c838b020 in calloc (/usr/lib64/libasan.so.3+0xc7020)
    #1 0x7fa2c3c6a386 in g_malloc0 /data/develop/test-any/_other/glib-2.50.2/glib/gmem.c:124
    #2 0x7fa2c3c6a6c6 in g_malloc0_n /data/develop/test-any/_other/glib-2.50.2/glib/gmem.c:355
    #3 0x471ee9 in gcal_year_view_init views/gcal-year-view.c:1991
    #4 0x7fa2c435a8ad in g_type_create_instance /data/develop/test-any/_other/glib-2.50.2/gobject/gtype.c:1866
    #5 0x7fa2c4316dc3 in g_object_new_internal /data/develop/test-any/_other/glib-2.50.2/gobject/gobject.c:1783
    #6 0x7fa2c4317888 in g_object_newv /data/develop/test-any/_other/glib-2.50.2/gobject/gobject.c:1930
    #7 0x7fa2c6ebc2a9 (/lib64/libgtk-3.so.0+0x1222a9)
Hi, can you please add more information about how to reproduce the error? I was not able to reproduce it using master branch. Thanks.
Sure. The usual build survives the error, but using address sanitizer or valgrind shows it. The above is with address sanitizer, but it's easier to use valgrind, which also shows other issues, so let's use valgrind (they do not like each other, so do not use them both):

$ G_SLICE=always-malloc valgrind gnome-calendar

It opens in the year view here, then move the mouse above the days in the view (wait until the initial filling is over) and I see these claims from valgrind:

Conditional jump or move depends on uninitialised value(s)
   at 0x458DF6: icaltime_to_datetime (gcal-utils.c:158)
   by 0x43636E: count_events_at_day (gcal-year-view.c:699)
   by 0x43781B: draw_month_grid (gcal-year-view.c:979)
   by 0x4382AD: draw_navigator (gcal-year-view.c:1122)
   by 0x5A36ED0: ??? (in /usr/lib64/libgtk-3.so.0.2200.10)
   by 0x5B81D1E: ??? (in /usr/lib64/libgtk-3.so.0.2200.10)
   by 0x7515811: _g_closure_invoke_va (gclosure.c:867)
   by 0x75301E0: g_signal_emit_valist (gsignal.c:3300)
   by 0x7531364: g_signal_emit (gsignal.c:3447)
   by 0x5B8EB39: ??? (in /usr/lib64/libgtk-3.so.0.2200.10)
   by 0x5971791: gtk_container_propagate_draw ()
   by 0x5971871: ??? (in /usr/lib64/libgtk-3.so.0.2200.10)

Conditional jump or move depends on uninitialised value(s)
   at 0x458E1E: icaltime_to_datetime (gcal-utils.c:158)
   by 0x43636E: count_events_at_day (gcal-year-view.c:699)
   by 0x43781B: draw_month_grid (gcal-year-view.c:979)
   by 0x4382AD: draw_navigator (gcal-year-view.c:1122)
   by 0x5A36ED0: ??? (in /usr/lib64/libgtk-3.so.0.2200.10)
   by 0x5B81D1E: ??? (in /usr/lib64/libgtk-3.so.0.2200.10)
   by 0x7515811: _g_closure_invoke_va (gclosure.c:867)
   by 0x75301E0: g_signal_emit_valist (gsignal.c:3300)
   by 0x7531364: g_signal_emit (gsignal.c:3447)
   by 0x5B8EB39: ??? (in /usr/lib64/libgtk-3.so.0.2200.10)
   by 0x5971791: gtk_container_propagate_draw ()
   by 0x5971871: ??? (in /usr/lib64/libgtk-3.so.0.2200.10)

Conditional jump or move depends on uninitialised value(s)
   at 0x458E39: icaltime_to_datetime (gcal-utils.c:158)
   by 0x43636E: count_events_at_day (gcal-year-view.c:699)
   by 0x43781B: draw_month_grid (gcal-year-view.c:979)
   by 0x4382AD: draw_navigator (gcal-year-view.c:1122)
   by 0x5A36ED0: ??? (in /usr/lib64/libgtk-3.so.0.2200.10)
   by 0x5B81D1E: ??? (in /usr/lib64/libgtk-3.so.0.2200.10)
   by 0x7515811: _g_closure_invoke_va (gclosure.c:867)
   by 0x75301E0: g_signal_emit_valist (gsignal.c:3300)
   by 0x7531364: g_signal_emit (gsignal.c:3447)
   by 0x5B8EB39: ??? (in /usr/lib64/libgtk-3.so.0.2200.10)
   by 0x5971791: gtk_container_propagate_draw ()
   by 0x5971871: ??? (in /usr/lib64/libgtk-3.so.0.2200.10)

Invalid read of size 4
   at 0x435F0B: calculate_day_month_for_coord (gcal-year-view.c:649)
   by 0x438616: navigator_motion_notify_cb (gcal-year-view.c:1215)
   by 0x5A36DDB: ??? (in /usr/lib64/libgtk-3.so.0.2200.10)
   by 0x7515579: g_closure_invoke (gclosure.c:804)
   by 0x7531AEB: signal_emit_unlocked_R (gsignal.c:3635)
   by 0x7530EB8: g_signal_emit_valist (gsignal.c:3401)
   by 0x7531364: g_signal_emit (gsignal.c:3447)
   by 0x5B8426B: ??? (in /usr/lib64/libgtk-3.so.0.2200.10)
   by 0x5A33EAD: ??? (in /usr/lib64/libgtk-3.so.0.2200.10)
   by 0x5A35F1D: gtk_main_do_event (in /usr/lib64/libgtk-3.so.0.2200.10)
   by 0x614F5C4: ??? (in /usr/lib64/libgdk-3.so.0.2200.10)
   by 0x6180581: ??? (in /usr/lib64/libgdk-3.so.0.2200.10)
 Address 0x2ed9a93c is 4 bytes after a block of size 104 alloc'd
   at 0x4C2FA50: calloc (vg_replace_malloc.c:711)
   by 0x77B5311: g_malloc0 (gmem.c:124)
   by 0x77B55F4: g_malloc0_n (gmem.c:355)
   by 0x43A81C: gcal_year_view_init (gcal-year-view.c:1993)
   by 0x75368F8: g_type_create_instance (gtype.c:1866)
   by 0x751DB90: g_object_new_internal (gobject.c:1783)
   by 0x751E09F: g_object_newv (gobject.c:1930)
   by 0x592D2A9: ??? (in /usr/lib64/libgtk-3.so.0.2200.10)
   by 0x592E8F4: ??? (in /usr/lib64/libgtk-3.so.0.2200.10)
   by 0x59303A0: ??? (in /usr/lib64/libgtk-3.so.0.2200.10)
   by 0x77B220D: emit_end_element (gmarkup.c:1077)
   by 0x77B3514: g_markup_parse_context_parse (gmarkup.c:1619)

Invalid read of size 4
   at 0x435F46: calculate_day_month_for_coord (gcal-year-view.c:650)
   by 0x438616: navigator_motion_notify_cb (gcal-year-view.c:1215)
   by 0x5A36DDB: ??? (in /usr/lib64/libgtk-3.so.0.2200.10)
   by 0x7515579: g_closure_invoke (gclosure.c:804)
   by 0x7531AEB: signal_emit_unlocked_R (gsignal.c:3635)
   by 0x7530EB8: g_signal_emit_valist (gsignal.c:3401)
   by 0x7531364: g_signal_emit (gsignal.c:3447)
   by 0x5B8426B: ??? (in /usr/lib64/libgtk-3.so.0.2200.10)
   by 0x5A33EAD: ??? (in /usr/lib64/libgtk-3.so.0.2200.10)
   by 0x5A35F1D: gtk_main_do_event (in /usr/lib64/libgtk-3.so.0.2200.10)
   by 0x614F5C4: ??? (in /usr/lib64/libgdk-3.so.0.2200.10)
   by 0x6180581: ??? (in /usr/lib64/libgdk-3.so.0.2200.10)
 Address 0x2ed9a93c is 4 bytes after a block of size 104 alloc'd
   at 0x4C2FA50: calloc (vg_replace_malloc.c:711)
   by 0x77B5311: g_malloc0 (gmem.c:124)
   by 0x77B55F4: g_malloc0_n (gmem.c:355)
   by 0x43A81C: gcal_year_view_init (gcal-year-view.c:1993)
   by 0x75368F8: g_type_create_instance (gtype.c:1866)
   by 0x751DB90: g_object_new_internal (gobject.c:1783)
   by 0x751E09F: g_object_newv (gobject.c:1930)
   by 0x592D2A9: ??? (in /usr/lib64/libgtk-3.so.0.2200.10)
   by 0x592E8F4: ??? (in /usr/lib64/libgtk-3.so.0.2200.10)
   by 0x59303A0: ??? (in /usr/lib64/libgtk-3.so.0.2200.10)
   by 0x77B220D: emit_end_element (gmarkup.c:1077)
   by 0x77B3514: g_markup_parse_context_parse (gmarkup.c:1619)

See also the leak summary, it says here:

LEAK SUMMARY:
   definitely lost: 36,088 bytes in 310 blocks
   indirectly lost: 61,035 bytes in 2,527 blocks
     possibly lost: 10,955 bytes in 152 blocks
   still reachable: 17,546,967 bytes in 320,397 blocks
                      of which reachable via heuristic:
                        length64 : 230,816 bytes in 463 blocks
                        newarray : 2,496 bytes in 76 blocks

At least those definitely lost might be good to address, if they come from gnome-calendar (some can come from other libraries, over which you do not have any control).
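Both reports above describe the same defect class: a 4-byte read located 4 bytes past the end of a 104-byte block that gcal_year_view_init obtained from g_malloc0_n, reached from the motion-notify handler with pointer coordinates, which is exactly one int element past the end of an array. The following is an added, self-contained C illustration of that bug pattern next to the bounds check that prevents it; it is not gnome-calendar's code and does not claim to mirror the real layout of gcal-year-view.c. The grid dimensions, the pixel size of a cell and the 26-int array (chosen only so that the region is 104 bytes, like the one in the report) are constructed assumptions.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed layout: 2 rows x 13 columns of int counters = 26 * 4 = 104 bytes.
 * The numbers only match the size of the calloc'd region in the sanitizer
 * report; the real layout in gcal-year-view.c is not known here. */
#define GRID_ROWS 2
#define GRID_COLS 13
#define GRID_CELLS (GRID_ROWS * GRID_COLS)
#define CELL_W 20   /* cell width in pixels, constructed */
#define CELL_H 20   /* cell height in pixels, constructed */

typedef struct {
    int *cells;     /* heap array of GRID_CELLS ints, zero-filled like g_malloc0_n */
} grid_t;

/* Allocate the grid and fill it with constructed sample values 1..26. */
grid_t *grid_new(void)
{
    grid_t *g = calloc(1, sizeof *g);
    if (!g)
        return NULL;
    g->cells = calloc(GRID_CELLS, sizeof *g->cells);
    if (!g->cells) {
        free(g);
        return NULL;
    }
    for (int i = 0; i < GRID_CELLS; i++)
        g->cells[i] = i + 1;
    return g;
}

void grid_free(grid_t *g)
{
    if (g) {
        free(g->cells);
        free(g);
    }
}

/* The bug pattern: coordinate-to-index mapping with no range check.
 * A pointer position on the right or bottom edge (x == GRID_COLS*CELL_W or
 * y == GRID_ROWS*CELL_H) yields an index equal to GRID_CELLS, i.e. one element
 * (4 bytes) past the end of the 104-byte region, which is what the report shows. */
int coord_to_index_unchecked(int x, int y)
{
    return (y / CELL_H) * GRID_COLS + (x / CELL_W);
}

/* Hardened mapping: every coordinate outside the grid yields -1. */
int coord_to_index(int x, int y)
{
    if (x < 0 || y < 0)
        return -1;
    int col = x / CELL_W;
    int row = y / CELL_H;
    if (col >= GRID_COLS || row >= GRID_ROWS)
        return -1;
    return row * GRID_COLS + col;
}

/* Lookup that only ever dereferences inside cells[]; 0 means "no cell". */
int grid_value_at(const grid_t *g, int x, int y)
{
    int idx = coord_to_index(x, y);
    if (idx < 0)
        return 0;
    return g->cells[idx];
}

/* Convenience wrapper: allocate, look up one coordinate, free. */
int lookup_demo(int x, int y)
{
    grid_t *g = grid_new();
    if (!g)
        return -1;
    int v = grid_value_at(g, x, y);
    grid_free(g);
    return v;
}

int main(void)
{
    printf("inside (10,10):      %d\n", lookup_demo(10, 10));    /* cell 0  -> 1  */
    printf("last cell (259,39):  %d\n", lookup_demo(259, 39));   /* cell 25 -> 26 */
    printf("right edge (260,39): %d\n", lookup_demo(260, 39));   /* rejected -> 0 */
    printf("unchecked index at the right edge: %d (GRID_CELLS is %d)\n",
           coord_to_index_unchecked(260, 39), GRID_CELLS);
    return 0;
}
```

The unchecked index is computed but never used to touch cells[]; building the file with -fsanitize=address and indexing with it would produce the same heap-buffer-overflow report class seen above, which is why the lookup goes only through coord_to_index and treats -1 as "pointer is not over any day".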
Created attachment 350218 [details] [review]
year-view: Uninitialised values

Valgrind was reporting some "Conditional jump or move depends on uninitialised value(s)" and "Invalid read of size 4" when hovering year-view. Some uninitialised variables were found in the code and they were initialised before being used.
Review of attachment 350218 [details] [review]:

LGTM
Thanks for the patch, Isaque!