Global buffer overflow in e_contact_check_attr_type_value_used()
I compile Evolution, EDS and Webkit under clang/address-sanitizer. Then I start Evolution and go to the Contacts view. Evolution terminates with this output:
WARNING: ASAN interferes with JSC signal handlers; useWebAssemblyFastMemory will be disabled.
WARNING: ASAN interferes with JSC signal handlers; useWebAssemblyFastMemory will be disabled.
(evolution-alarm-notify:11869): GLib-GIO-WARNING **: 10:38:08.352: Your application did not unregister from D-Bus before destruction. Consider using g_application_run().
WARNING: ASAN interferes with JSC signal handlers; useWebAssemblyFastMemory will be disabled.
=================================================================
==11869==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 1672 byte(s) in 209 object(s) allocated from:
#0 0x4c5e07 in calloc /src/llvm/llvm-10.0.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:154:3
#1 0x7f648d9bccd0 in g_malloc0 /git/gnome/glib/build_A/../glib/gmem.c:132:13
SUMMARY: AddressSanitizer: 1672 byte(s) leaked in 209 allocation(s).
=================================================================
==11860==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f9ee7944a43 at pc 0x7f9ee790ee90 bp 0x7fff85502620 sp 0x7fff85502618
READ of size 1 at 0x7f9ee7944a43 thread T0
#0 0x7f9ee790ee8f in e_contact_check_attr_type_value_used /git/gnome/evolution-data-server/build-asan/../src/addressbook/libebook-contacts/e-contact.c:389:15
#1 0x7f9ee7900ef3 in e_contact_find_attribute_with_types /git/gnome/evolution-data-server/build-asan/../src/addressbook/libebook-contacts/e-contact.c:1128:11
#2 0x7f9ee78ffc92 in e_contact_get /git/gnome/evolution-data-server/build-asan/../src/addressbook/libebook-contacts/e-contact.c:1863:27
#3 0x7f9ebe385678 in addressbook_height /git/gnome/evolution/build-asan/../src/addressbook/gui/widgets/e-addressbook-reflow-adapter.c:181:12
#4 0x7f9ed693e1b5 in e_reflow_model_height /git/gnome/evolution/build-asan/../src/e-util/e-reflow-model.c:107:9
#5 0x7f9ed694451e in items_inserted /git/gnome/evolution/build-asan/../src/e-util/e-reflow.c:474:24
#6 0x7f9ed68ea6e6 in e_marshal_VOID__INT_INT /git/gnome/evolution/build-asan/src/e-util/e-marshal.c:1041:3
#7 0x7f9ee5bd7ef1 in g_closure_invoke /git/gnome/glib/build_A/../gobject/gclosure.c:810:7
#8 0x7f9ee5beb02b in signal_emit_unlocked_R /git/gnome/glib/build_A/../gobject/gsignal.c:3742:8
#9 0x7f9ee5bf5eca in g_signal_emit_valist /git/gnome/glib/build_A/../gobject/gsignal.c:3498:5
#10 0x7f9ee5bf6811 in g_signal_emit /git/gnome/glib/build_A/../gobject/gsignal.c:3554:3
#11 0x7f9ed693e96f in e_reflow_model_items_inserted /git/gnome/evolution/build-asan/../src/e-util/e-reflow-model.c:361:2
#12 0x7f9ebe384490 in create_contact /git/gnome/evolution/build-asan/../src/addressbook/gui/widgets/e-addressbook-reflow-adapter.c:363:2
#13 0x7f9ed68ea6e6 in e_marshal_VOID__INT_INT /git/gnome/evolution/build-asan/src/e-util/e-marshal.c:1041:3
#14 0x7f9ee5bd7ef1 in g_closure_invoke /git/gnome/glib/build_A/../gobject/gclosure.c:810:7
#15 0x7f9ee5beb02b in signal_emit_unlocked_R /git/gnome/glib/build_A/../gobject/gsignal.c:3742:8
#16 0x7f9ee5bf5eca in g_signal_emit_valist /git/gnome/glib/build_A/../gobject/gsignal.c:3498:5
#17 0x7f9ee5bf6811 in g_signal_emit /git/gnome/glib/build_A/../gobject/gsignal.c:3554:3
#18 0x7f9ebe38b2b6 in view_create_contact_cb /git/gnome/evolution/build-asan/../src/addressbook/gui/widgets/e-addressbook-model.c:193:2
#19 0x7f9ee5bdaee9 in g_cclosure_marshal_VOID__POINTERv /git/gnome/glib/build_A/../gobject/gmarshal.c:1800:3
#20 0x7f9ee5bd8125 in _g_closure_invoke_va /git/gnome/glib/build_A/../gobject/gclosure.c:873:7
#21 0x7f9ee5bf623d in g_signal_emit_valist /git/gnome/glib/build_A/../gobject/gsignal.c:3407:8
#22 0x7f9ee5bf6811 in g_signal_emit /git/gnome/glib/build_A/../gobject/gsignal.c:3554:3
#23 0x7f9ee7b7bc5f in book_client_view_emit_objects_added_idle_cb /git/gnome/evolution-data-server/build-asan/../src/addressbook/libebook/e-book-client-view.c:173:3
#24 0x7f9ee5aed17d in g_main_dispatch /git/gnome/glib/build_A/../glib/gmain.c:3309:28
#25 0x7f9ee5aed17d in g_main_context_dispatch /git/gnome/glib/build_A/../glib/gmain.c:3974:7
#26 0x7f9ee5aed4ff in g_main_context_iterate.isra.0 /git/gnome/glib/build_A/../glib/gmain.c:4047:5
#27 0x7f9ee5aed7d2 in g_main_loop_run /git/gnome/glib/build_A/../glib/gmain.c:4241:5
#28 0x7f9ee6fcfe94 in gtk_main /git/gnome/gtk/build_A/../gtk/gtkmain.c:1328:7
#29 0x4f7710 in main /git/gnome/evolution/build-asan/../src/shell/main.c:694:2
#30 0x7f9ed559bb5a in __libc_start_main /src/glibc-2.29/csu/../csu/libc-start.c:308:16
#31 0x421cb9 in _start /src/glibc-2.29/csu/../sysdeps/x86_64/start.S:120
0x7f9ee7944a43 is located 61 bytes to the left of global variable '<string literal>' defined in '../src/addressbook/libebook-contacts/e-contact.c:70:15' (0x7f9ee7944a80) of size 10
'<string literal>' is ascii string 'WORK;HOME'
0x7f9ee7944a43 is located 0 bytes to the right of global variable '<string literal>' defined in '../src/addressbook/libebook-contacts/e-contact.c:69:13' (0x7f9ee79449a0) of size 163
'<string literal>' is ascii string 'WORK;HOME;CAR;CELL;FAX;ISDN;PAGER;PREF;VOICE;X-EVOLUTION-ASSISTANT;X-EVOLUTION-CALLBACK;X-EVOLUTION-COMPANY;X-EVOLUTION-RADIO;X-EVOLUTION-TELEX;X-EVOLUTION-TTYTDD'
SUMMARY: AddressSanitizer: global-buffer-overflow /git/gnome/evolution-data-server/build-asan/../src/addressbook/libebook-contacts/e-contact.c:389:15 in e_contact_check_attr_type_value_used
Shadow bytes around the buggy address:
==11860==ABORTING
Edited by Milan Crha
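Added example, not code from the report or from evolution-data-server: the two "located ... bytes" lines above place the faulting read at 0x7f9ee7944a43 - 0x7f9ee79449a0 = 163, exactly the reported size of the 162-character type-list literal, so the READ of size 1 lands on the byte right after its NUL terminator. The block below derives that offset from the reported values and shows a ';'-separated membership scan in which every pointer advance is guarded by the terminator; TYPE_LIST is a constructed copy of the literal quoted in the report, and type_list_contains is a hypothetical function, not e_contact_check_attr_type_value_used.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed copy of the 162-character type list that the report names as
   the global just left of the faulting address (e-contact.c:69). */
static const char TYPE_LIST[] =
    "WORK;HOME;CAR;CELL;FAX;ISDN;PAGER;PREF;VOICE;X-EVOLUTION-ASSISTANT;"
    "X-EVOLUTION-CALLBACK;X-EVOLUTION-COMPANY;X-EVOLUTION-RADIO;"
    "X-EVOLUTION-TELEX;X-EVOLUTION-TTYTDD";

/* Addresses and size copied from the sanitizer report above. */
#define FAULT_ADDR  0x7f9ee7944a43ULL
#define GLOBAL_BASE 0x7f9ee79449a0ULL
#define GLOBAL_SIZE 163ULL   /* 162 characters + NUL terminator */

/* Offset of the faulting read from the global's start; >= GLOBAL_SIZE means past the NUL. */
unsigned long long fault_offset(void) { return FAULT_ADDR - GLOBAL_BASE; }

/* Case-insensitive compare of n bytes (vCard TYPE values are case-insensitive). */
static bool eq_nocase(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (toupper((unsigned char)a[i]) != toupper((unsigned char)b[i]))
            return false;
    return true;
}

/* Hypothetical bounds-respecting membership test: is `type` one ';'-separated token
   of `list`? The scan stops at the last token even though it has no trailing ';'. */
bool type_list_contains(const char *list, const char *type)
{
    size_t tlen = strlen(type);
    for (const char *p = list; *p != '\0'; ) {
        const char *sep = strchr(p, ';');            /* NULL on last token */
        size_t len = sep ? (size_t)(sep - p) : strlen(p);
        if (len == tlen && eq_nocase(p, type, tlen))
            return true;
        if (sep == NULL)
            break;                                   /* last token, stop */
        p = sep + 1;                                 /* skip the ';' */
    }
    return false;
}

int main(void)
{
    printf("read at offset %llu of %llu; TTYTDD listed: %d\n", fault_offset(),
           GLOBAL_SIZE, type_list_contains(TYPE_LIST, "x-evolution-ttytdd"));
    return 0;
}
```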