(Year view) heap-buffer-overflow in calculate_day_month_for_coord
Calendar segfaults in year-view when compiled with address sanitizer.
Segfault happens when the mouse hovers any free space in the view. Seems like array[12] is requested, while at most array[11] can be read.
Output from address sanitizer:
```
==4256==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b0000af70c at pc 0x56032dd11b08 bp 0x7ffe349b5cc0 sp 0x7ffe349b5cb8
READ of size 4 at 0x60b0000af70c thread T0
#0 0x56032dd11b07 in calculate_day_month_for_coord /home/sadiq/jhbuild/checkout/gnome-calendar/src/views/gcal-year-view.c:659
#1 0x56032dd12119 in navigator_motion_notify_cb /home/sadiq/jhbuild/checkout/gnome-calendar/src/views/gcal-year-view.c:1226
#2 0x7f89429c1afd in _gtk_marshal_BOOLEAN__BOXED /media/sadiq/Temp/jhbuild/.cache/jhbuild/build/gtk+-3/gtk/gtkmarshalers.c:85
#3 0x7f893fcc4b4f in g_closure_invoke /home/sadiq/jhbuild/checkout/glib/gobject/gclosure.c:804
#4 0x7f893fcd93c9 in signal_emit_unlocked_R /home/sadiq/jhbuild/checkout/glib/gobject/gsignal.c:3635
#5 0x7f893fce2167 in g_signal_emit_valist /home/sadiq/jhbuild/checkout/glib/gobject/gsignal.c:3401
#6 0x7f893fce2406 in g_signal_emit /home/sadiq/jhbuild/checkout/glib/gobject/gsignal.c:3447
#7 0x7f8942b2a93b in gtk_widget_event_internal /home/sadiq/jhbuild/checkout/gtk+-3/gtk/gtkwidget.c:7723
#8 0x7f8942b2d8c9 in gtk_widget_event /home/sadiq/jhbuild/checkout/gtk+-3/gtk/gtkwidget.c:7293
#9 0x7f89429be9ad in propagate_event_up /home/sadiq/jhbuild/checkout/gtk+-3/gtk/gtkmain.c:2568
#10 0x7f89429bf2ec in propagate_event /home/sadiq/jhbuild/checkout/gtk+-3/gtk/gtkmain.c:2670
#11 0x7f89429c04ac in gtk_propagate_event /home/sadiq/jhbuild/checkout/gtk+-3/gtk/gtkmain.c:2705
#12 0x7f89429c092b in gtk_main_do_event /home/sadiq/jhbuild/checkout/gtk+-3/gtk/gtkmain.c:1901
#13 0x7f894249c3c6 in _gdk_event_emit /home/sadiq/jhbuild/checkout/gtk+-3/gdk/gdkevents.c:73
#14 0x7f89424d039d in gdk_event_source_dispatch /home/sadiq/jhbuild/checkout/gtk+-3/gdk/x11/gdkeventsource.c:367
#15 0x7f893f9e88aa in g_main_dispatch /home/sadiq/jhbuild/checkout/glib/glib/gmain.c:3234
#16 0x7f893f9eb1dc in g_main_context_dispatch /home/sadiq/jhbuild/checkout/glib/glib/gmain.c:3899
#17 0x7f893f9eb336 in g_main_context_iterate /home/sadiq/jhbuild/checkout/glib/glib/gmain.c:3972
#18 0x7f893f9eb3b8 in g_main_context_iteration /home/sadiq/jhbuild/checkout/glib/glib/gmain.c:4033
#19 0x7f893ffb776e in g_application_run /home/sadiq/jhbuild/checkout/glib/gio/gapplication.c:2381
#20 0x56032dcf50d2 in main /home/sadiq/jhbuild/checkout/gnome-calendar/src/main.c:41
#21 0x7f893f3ad2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
#22 0x56032dce6329 in _start (/media/sadiq/Temp/jhbuild/install/bin/gnome-calendar+0x3b329)
0x60b0000af70c is located 4 bytes to the right of 104-byte region [0x60b0000af6a0,0x60b0000af708)
allocated by thread T0 here:
#0 0x7f894438bed0 in calloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1ed0)
#1 0x7f893f9f0a5e in g_malloc0 /home/sadiq/jhbuild/checkout/glib/glib/gmem.c:124
#2 0x56032dd10ad4 in gcal_year_view_init /home/sadiq/jhbuild/checkout/gnome-calendar/src/views/gcal-year-view.c:2003
#3 0x7f893fceba93 in g_type_create_instance /home/sadiq/jhbuild/checkout/glib/gobject/gtype.c:1866
#4 0x7f893fcca1b7 in g_object_new_internal /home/sadiq/jhbuild/checkout/glib/gobject/gobject.c:1781
#5 0x7f893fccc140 in g_object_newv /home/sadiq/jhbuild/checkout/glib/gobject/gobject.c:2018
#6 0x7f89428a15de in _gtk_builder_construct /home/sadiq/jhbuild/checkout/gtk+-3/gtk/gtkbuilder.c:718
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/sadiq/jhbuild/checkout/gnome-calendar/src/views/gcal-year-view.c:659 in calculate_day_month_for_coord
Shadow bytes around the buggy address:
0x0c168000de90: fa fa fd fd fd fd fd fd fd fd fd fd fd fd fd fa
0x0c168000dea0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c168000deb0: fd fd fd fd fd fa fa fa fa fa fa fa fa fa fd fd
0x0c168000dec0: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
0x0c168000ded0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c168000dee0: 00[fa]fa fa fa fa fa fa fa fa 00 00 00 00 00 00
0x0c168000def0: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
0x0c168000df00: 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa
0x0c168000df10: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
0x0c168000df20: fd fd fd fa fa fa fa fa fa fa fa fa fd fd fd fd
0x0c168000df30: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==4256==ABORTING
```
Link to original bug (#783511)
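To show the class of defect the report describes (a pointer coordinate over free space or the view's edge turned into index 12 of a 12-element array), here is an added example that is not gnome-calendar's code: the grid geometry, the `month_first_weekday` table and the function names are all constructed for illustration. The unchecked mapping reproduces the out-of-range index; the checked mapping reports "no month under the pointer" instead of reading past the array.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical year-view geometry (constructed for this example, not the
 * real gnome-calendar layout): 12 month cells in a 4-column x 3-row grid,
 * each cell CELL_W x CELL_H pixels. */
#define MONTHS 12
#define COLS   4
#define ROWS   3
#define CELL_W 100
#define CELL_H 100

/* One 4-byte entry per month, like the 12-element array the report mentions
 * (values are made up; only the array length matters here). */
static int month_first_weekday[MONTHS] = {0, 3, 3, 6, 1, 4, 6, 2, 5, 0, 3, 5};

/* Buggy mapping: every pointer position is turned into an index without a
 * range check. On the bottom edge (y == ROWS * CELL_H) row becomes 3, so the
 * result is 12, one past the last valid element; a caller that indexes the
 * array with it performs exactly the 4-byte out-of-bounds read ASan flags.
 * On the right edge col becomes 4, which silently wraps into the next row. */
static int month_index_unchecked(int x, int y)
{
    int col = x / CELL_W;
    int row = y / CELL_H;
    return row * COLS + col;
}

/* Fixed mapping: validate the coordinate first and signal "no month here"
 * rather than producing an index the caller will trust. */
static bool month_for_coord(int x, int y, int *month_out)
{
    if (x < 0 || y < 0)
        return false;              /* C division truncates toward zero, so
                                      negative x would otherwise map to col 0 */
    int col = x / CELL_W;
    int row = y / CELL_H;
    if (col >= COLS || row >= ROWS)
        return false;              /* pointer is on the edge or in free space */
    int idx = row * COLS + col;
    if (idx < 0 || idx >= MONTHS)
        return false;              /* defensive: index must stay inside the array */
    *month_out = idx;
    return true;
}

/* Safe accessor: the array is only touched when the coordinate maps to a
 * month; -1 means "nothing under the pointer". */
static int first_weekday_at(int x, int y)
{
    int m;
    if (!month_for_coord(x, y, &m))
        return -1;
    return month_first_weekday[m];
}

int main(void)
{
    /* Bottom edge: unchecked mapping yields 12, checked lookup yields -1. */
    printf("unchecked index at (0,300): %d\n", month_index_unchecked(0, 300));
    printf("checked lookup at (0,300):  %d\n", first_weekday_at(0, 300));
    /* Inside cell (col 2, row 1) = month 6. */
    printf("checked lookup at (250,150): %d\n", first_weekday_at(250, 150));
    return 0;
}
```

Building a program like this with `-fsanitize=address` and dereferencing `month_first_weekday[month_index_unchecked(0, 300)]` produces a heap- or global-buffer-overflow report of the same shape as the one above; the checked version never reaches the array for that coordinate.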