heap-use-after-free in Week View
This happens when adding an event in week-view
Output from asan:
```
==17655==ERROR: AddressSanitizer: heap-use-after-free on address 0x60600059a740 at pc 0x7f077b037bf0 bp 0x7fffea929900 sp 0x7fffea9290b0
READ of size 1 at 0x60600059a740 thread T0
    #0 0x7f077b037bef (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x44bef)
    #1 0x7f07780b947c in g_str_equal /home/sadiq/jhbuild/checkout/glib/glib/ghash.c:1852
    #2 0x7f07780b8d1e in g_hash_table_lookup_node /home/sadiq/jhbuild/checkout/glib/glib/ghash.c:400
    #3 0x7f07780b8d1e in g_hash_table_contains /home/sadiq/jhbuild/checkout/glib/glib/ghash.c:1331
    #4 0x556305894dbc in gcal_event_new ../../../../../../Main/Software/src/gnome/gnome-calendar/src/gcal-event.c:837
    #5 0x55630585dd17 in gcal_month_view_component_added ../../../../../../Main/Software/src/gnome/gnome-calendar/src/views/gcal-month-view.c:1084
    #6 0x5563058c1564 in e_cal_data_model_subscriber_component_added ../../../../../../Main/Software/src/gnome/gnome-calendar/contrib/evolution/e-cal-data-model-subscriber.c:53
    #7 0x5563058b7f6e in cal_data_model_add_component_cb ../../../../../../Main/Software/src/gnome/gnome-calendar/contrib/evolution/e-cal-data-model.c:676
    #8 0x5563058b67c6 in cal_data_model_foreach_subscriber_in_range ../../../../../../Main/Software/src/gnome/gnome-calendar/contrib/evolution/e-cal-data-model.c:619
    #9 0x5563058b8a4c in cal_data_model_process_added_component ../../../../../../Main/Software/src/gnome/gnome-calendar/contrib/evolution/e-cal-data-model.c:897
    #10 0x5563058bae4d in cal_data_model_process_modified_or_added_objects ../../../../../../Main/Software/src/gnome/gnome-calendar/contrib/evolution/e-cal-data-model.c:1242
    #11 0x5563058bb0bc in cal_data_model_view_objects_added ../../../../../../Main/Software/src/gnome/gnome-calendar/contrib/evolution/e-cal-data-model.c:1273
    #12 0x7f07783a7b50 in g_cclosure_marshal_VOID__POINTERv /home/sadiq/jhbuild/checkout/glib/gobject/gmarshal.c:2026
    #13 0x7f07783a4dc2 in _g_closure_invoke_va /home/sadiq/jhbuild/checkout/glib/gobject/gclosure.c:867
    #14 0x7f07783c1695 in g_signal_emit_valist /home/sadiq/jhbuild/checkout/glib/gobject/gsignal.c:3300
    #15 0x7f07783c2406 in g_signal_emit /home/sadiq/jhbuild/checkout/glib/gobject/gsignal.c:3447
    #16 0x7f0777e49685 in cal_client_view_emit_objects_added_idle_cb /home/sadiq/jhbuild/checkout/evolution-data-server/src/calendar/libecal/e-cal-client-view.c:215
    #17 0x7f07780c6b28 in g_idle_dispatch /home/sadiq/jhbuild/checkout/glib/glib/gmain.c:5504
    #18 0x7f07780c7958 in g_main_dispatch /home/sadiq/jhbuild/checkout/glib/glib/gmain.c:3148
    #19 0x7f07780ca290 in g_main_context_dispatch /home/sadiq/jhbuild/checkout/glib/glib/gmain.c:3813
    #20 0x7f07780ca3ea in g_main_context_iterate /home/sadiq/jhbuild/checkout/glib/glib/gmain.c:3886
    #21 0x7f07780ca46c in g_main_context_iteration /home/sadiq/jhbuild/checkout/glib/glib/gmain.c:3947
    #22 0x7f07786979f0 in g_application_run /home/sadiq/jhbuild/checkout/glib/gio/gapplication.c:2401
    #23 0x5563058b5a89 in main ../../../../../../Main/Software/src/gnome/gnome-calendar/src/main.c:40
    #24 0x7f07770bc2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #25 0x55630585af29 in _start (/media/sadiq/Temp/jhbuild/install/bin/gnome-calendar+0x3df29)

0x60600059a740 is located 0 bytes inside of 57-byte region [0x60600059a740,0x60600059a779)
freed by thread T0 here:
    #0 0x7f077b0b4a10 in free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10)
    #1 0x7f07780cfbd5 in g_free /home/sadiq/jhbuild/checkout/glib/glib/gmem.c:189
    #2 0x5563058912a9 in gcal_event_update_uid_internal ../../../../../../Main/Software/src/gnome/gnome-calendar/src/gcal-event.c:274
    #3 0x556305894a9d in gcal_event_set_component_internal ../../../../../../Main/Software/src/gnome/gnome-calendar/src/gcal-event.c:404
    #4 0x556305894eb4 in gcal_event_new ../../../../../../Main/Software/src/gnome/gnome-calendar/src/gcal-event.c:842
    #5 0x556305876054 in gcal_week_view_component_added ../../../../../../Main/Software/src/gnome/gnome-calendar/src/views/gcal-week-view.c:325
    #6 0x5563058c1564 in e_cal_data_model_subscriber_component_added ../../../../../../Main/Software/src/gnome/gnome-calendar/contrib/evolution/e-cal-data-model-subscriber.c:53
    #7 0x5563058b7f6e in cal_data_model_add_component_cb ../../../../../../Main/Software/src/gnome/gnome-calendar/contrib/evolution/e-cal-data-model.c:676
    #8 0x5563058b67c6 in cal_data_model_foreach_subscriber_in_range ../../../../../../Main/Software/src/gnome/gnome-calendar/contrib/evolution/e-cal-data-model.c:619
    #9 0x5563058b8a4c in cal_data_model_process_added_component ../../../../../../Main/Software/src/gnome/gnome-calendar/contrib/evolution/e-cal-data-model.c:897
    #10 0x5563058bae4d in cal_data_model_process_modified_or_added_objects ../../../../../../Main/Software/src/gnome/gnome-calendar/contrib/evolution/e-cal-data-model.c:1242
    #11 0x5563058bb0bc in cal_data_model_view_objects_added ../../../../../../Main/Software/src/gnome/gnome-calendar/contrib/evolution/e-cal-data-model.c:1273
    #12 0x7f07783a7b50 in g_cclosure_marshal_VOID__POINTERv /home/sadiq/jhbuild/checkout/glib/gobject/gmarshal.c:2026
    #13 0x7f07783a4dc2 in _g_closure_invoke_va /home/sadiq/jhbuild/checkout/glib/gobject/gclosure.c:867
    #14 0x7f07783c1695 in g_signal_emit_valist /home/sadiq/jhbuild/checkout/glib/gobject/gsignal.c:3300
    #15 0x7f07783c2406 in g_signal_emit /home/sadiq/jhbuild/checkout/glib/gobject/gsignal.c:3447
    #16 0x7f0777e49685 in cal_client_view_emit_objects_added_idle_cb /home/sadiq/jhbuild/checkout/evolution-data-server/src/calendar/libecal/e-cal-client-view.c:215

previously allocated by thread T0 here:
    #0 0x7f077b0b5090 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2090)
    #1 0x7f077710bb8d in vasprintf (/lib/x86_64-linux-gnu/libc.so.6+0x6fb8d)

SUMMARY: AddressSanitizer: heap-use-after-free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x44bef)
==17655==ABORTING
```
Link to original bug (#787460)