Summary:

This is a heap corruption bug in libical. This has been acknowledged in
the libical upstream development mailing list. Fixing this is not
trivial, as the problem is architectural and crosses an API boundary.

The problem occurs when an array grows, causing it to be moved, which
the API does not consider possible. This invalidates previous pointers
issued by the API and causes later heap corruption.

A simple workaround is to make the array bigger to start with. It
contains only timezone entries, of which there is expected to only be a
limited number anyway. The attached patch increases the default size
from 32 to 1024, which should be more than enough. The extra memory this
would take is negligible.

Impact: this bug causes evolution calendar to crash on my machine, and I
suspect that the instability I've seen in evolution's calendar over the
past year or so stems from this root cause. I think that the bug 900534,
bug 951201, bug 952368 and bug 954220 are also caused by this same
issue. Applying this workaround will provide a significant improvement
to evolution's stability.

** Patch added: "libical.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/libical/+bug/956843/+attachment/3002499/+files/libical.debdiff

** Bug watch added: SourceForge.net Tracker #3514871
   http://sourceforge.net/support/tracker.php?aid=3514871

** Also affects: libical via
   http://sourceforge.net/support/tracker.php?aid=3514871
   Importance: Unknown
       Status: Unknown

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/956843

Title:
  Access to freed memory in timezone handling causes crash

To manage notifications about this bug go to:
https://bugs.launchpad.net/libical/+bug/956843/+subscriptions

-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
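The bug class described in the report above, where a pointer handed out by an API is invalidated because the underlying array is later reallocated and moved, is shown below in a small C example. This is an added illustration, not libical's own code or the attached debdiff: the `tz_entry`/`tz_table` types, the `TZ_INITIAL_CAPACITY` value and every function name are assumptions made here for the demonstration. It contrasts the reporter's workaround (a larger starting array, which only makes growth rarer) with a structural fix: the growable array stores pointers to individually allocated entries, so `realloc` may move the pointer array but never moves an entry a caller already holds.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical timezone entry; not libical's own structure. */
typedef struct {
    char tzid[64];
    int  utc_offset_seconds;
} tz_entry;

/* Pointer-stable table. The unsafe variant would declare `tz_entry *items`
 * (contiguous storage) and return `&items[i]` to callers; any later realloc
 * that moves the block turns every such pointer into a dangling one. Here the
 * array holds `tz_entry *`, so growth relocates only the pointer array. */
typedef struct {
    tz_entry **items;
    size_t     count;
    size_t     capacity;
} tz_table;

/* Deliberately tiny so the demo below forces several reallocations. */
#define TZ_INITIAL_CAPACITY 4

int tz_table_init(tz_table *t)
{
    t->items = calloc(TZ_INITIAL_CAPACITY, sizeof *t->items);
    if (!t->items)
        return -1;
    t->count = 0;
    t->capacity = TZ_INITIAL_CAPACITY;
    return 0;
}

/* Adds an entry, growing the pointer array if needed. Returns a pointer that
 * stays valid for the table's lifetime, or NULL on allocation failure. */
tz_entry *tz_table_add(tz_table *t, const char *tzid, int offset)
{
    if (t->count == t->capacity) {
        size_t new_cap = t->capacity * 2;
        tz_entry **grown = realloc(t->items, new_cap * sizeof *grown);
        if (!grown)
            return NULL;            /* old array still valid on failure */
        t->items = grown;           /* never keep the pre-realloc pointer */
        t->capacity = new_cap;
    }
    tz_entry *e = calloc(1, sizeof *e);
    if (!e)
        return NULL;
    snprintf(e->tzid, sizeof e->tzid, "%s", tzid);
    e->utc_offset_seconds = offset;
    t->items[t->count++] = e;
    return e;
}

tz_entry *tz_table_find(const tz_table *t, const char *tzid)
{
    for (size_t i = 0; i < t->count; i++)
        if (strcmp(t->items[i]->tzid, tzid) == 0)
            return t->items[i];
    return NULL;
}

void tz_table_free(tz_table *t)
{
    for (size_t i = 0; i < t->count; i++)
        free(t->items[i]);
    free(t->items);
    t->items = NULL;
    t->count = t->capacity = 0;
}

/* Demo: hand out a pointer while the table is small, then add enough
 * constructed entries to force the pointer array to grow several times.
 * Returns 1 if the early pointer is still the live first entry, else 0. */
int demo_pointer_survives_growth(void)
{
    tz_table t;
    if (tz_table_init(&t) != 0)
        return 0;
    tz_entry *first = tz_table_add(&t, "Europe/Helsinki", 2 * 3600);
    if (!first) { tz_table_free(&t); return 0; }

    for (int i = 0; i < 50; i++) {           /* constructed sample zones */
        char name[32];
        snprintf(name, sizeof name, "Zone/%d", i);
        if (!tz_table_add(&t, name, i * 60)) { tz_table_free(&t); return 0; }
    }

    tz_entry *found = tz_table_find(&t, "Zone/37");
    int ok = first == t.items[0]
          && strcmp(first->tzid, "Europe/Helsinki") == 0
          && first->utc_offset_seconds == 7200
          && found && found->utc_offset_seconds == 37 * 60
          && t.count == 51 && t.capacity >= 51;
    tz_table_free(&t);
    return ok;
}
```

The same demo written against a contiguous `tz_entry` array would be a use-after-free once `count` crossed the initial capacity, which is exactly the failure the report traces to the evolution crashes; raising the starting capacity, as the attached patch does, only moves that threshold. AddressSanitizer (`-fsanitize=address`) flags the contiguous variant immediately, which is a useful regression check when auditing similar array-growth code.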