The root of the problem seems to be that builtin_timezone entries are kept as pointers into an "icalarray". But the icalarray is "expanded" by being moved to a new location and the old location freed, making the previous builtin_timezone pointers invalid.
==4519== Invalid read of size 8
==4519==    at 0xE6FEB46: icaltimezone_get_utc_offset_of_utc_time (icaltimezone.c:981)
==4519==    by 0xE6FE652: icaltimezone_convert_time (icaltimezone.c:794)
==4519==    by 0xE6F9EE0: icaltime_from_timet_with_zone (icaltime.c:224)
==4519==    by 0x18810169: tag_calendar_cb (tag-calendar.c:120)
==4519==    by 0x932B1E7: process_instances (e-cal-client.c:1961)
==4519==    by 0x932B314: generate_instances_for_object_got_objects_cb (e-cal-client.c:1992)
==4519==    by 0x932A799: got_objects_for_uid_cb (e-cal-client.c:1711)
==4519==    by 0x626CC16: g_simple_async_result_complete (in /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0.3000.0)
==4519==    by 0x5536C5B: finish_async_op (e-client.c:2281)
==4519==    by 0x5536F55: async_result_ready_cb (e-client.c:2318)
==4519==    by 0x626CC16: g_simple_async_result_complete (in /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0.3000.0)
==4519==    by 0x626CD28: ??? (in /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0.3000.0)
==4519==  Address 0x1c11c8d8 is 29,928 bytes inside a block of size 29,952 free'd
==4519==    at 0x4C282E0: free (vg_replace_malloc.c:366)
==4519==    by 0xE6E8E5E: icalarray_expand (icalarray.c:159)
==4519==    by 0xE6E8BE8: icalarray_append (icalarray.c:89)
==4519==    by 0xE6FF54A: icaltimezone_get_builtin_timezone (icaltimezone.c:1414)
==4519==    by 0xE6FF8A6: icaltimezone_get_builtin_timezone_from_tzid (icaltimezone.c:1525)
==4519==    by 0xE6EC18F: icalcomponent_get_datetime (icalcomponent.c:1566)
==4519==    by 0xE6EC28A: icalcomponent_get_dtstart (icalcomponent.c:1594)
==4519==    by 0x187FB7EA: ensure_dates_are_in_default_zone (gnome-cal.c:744)
==4519==    by 0x187FBA21: dn_client_view_objects_added_cb (gnome-cal.c:773)
==4519==    by 0x65560A3: g_closure_invoke (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.3000.0)
==4519==    by 0x6568029: ??? (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.3000.0)
==4519==    by 0x65716B0: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.3000.0)

** Summary changed:

- Race condition in timezone handling causes crash
+ Access to freed memory in timezone handling causes crash

https://bugs.launchpad.net/bugs/956843
Title: Access to freed memory in timezone handling causes crash

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
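The dangling-pointer pattern the report describes, as an added C illustration (not libical's code or the Evolution fix): a miniature inline-element growable array whose expansion copies to a fresh block and frees the old one, the caller that caches an element pointer across an append (the builtin_timezone bug), and two ways to make it safe: keep an index and re-derive the pointer on each use, or store separately allocated elements so their addresses are stable. The `tz_entry`, `tz_array` and `tz_ptr_array` types and all function names are constructed for this example; the stale address is compared as an integer, never dereferenced.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for an "icalarray": elements are stored inline in one
 * buffer. This is an added illustration, not libical's implementation. */
typedef struct { char tzid[32]; int utc_offset; } tz_entry;
typedef struct { tz_entry *data; size_t count, capacity; } tz_array;

/* Expansion copies to a fresh block and frees the old one, as the valgrind
 * trace shows for icalarray_expand: every pointer into the old block dies. */
static void tz_array_expand(tz_array *a) {
    size_t ncap = a->capacity ? a->capacity * 2 : 1;
    tz_entry *nd = malloc(ncap * sizeof *nd);
    if (!nd) abort();
    if (a->count) memcpy(nd, a->data, a->count * sizeof *nd);
    free(a->data);               /* old block released: old &data[i] now dangle */
    a->data = nd;
    a->capacity = ncap;
}

/* Appends an element and returns its index (the stable handle). */
static size_t tz_array_append(tz_array *a, const char *tzid, int off) {
    if (a->count == a->capacity) tz_array_expand(a);
    tz_entry *e = &a->data[a->count];
    strncpy(e->tzid, tzid, sizeof e->tzid - 1);
    e->tzid[sizeof e->tzid - 1] = '\0';
    e->utc_offset = off;
    return a->count++;
}

static void tz_array_free(tz_array *a) {
    free(a->data); a->data = NULL; a->count = a->capacity = 0;
}

/* Buggy pattern: cache &data[i] across an append. Returns 1 when the cached
 * address no longer refers to the live element. The stale value is compared
 * as an integer only; it is never dereferenced. */
int cached_pointer_goes_stale(void) {
    tz_array a = {0};
    size_t i = tz_array_append(&a, "UTC", 0);
    uintptr_t cached = (uintptr_t)&a.data[i];     /* what builtin_timezones kept */
    tz_array_append(&a, "Europe/Berlin", 3600);   /* capacity 1 -> 2: block moves */
    int stale = cached != (uintptr_t)&a.data[i];
    tz_array_free(&a);
    return stale;
}

/* Fix 1: keep the index and re-derive the pointer from the array on every use,
 * so expansion can never leave the caller holding a freed address. */
int index_lookup_stays_valid(void) {
    tz_array a = {0};
    size_t i = tz_array_append(&a, "UTC", 0);
    for (int n = 0; n < 8; n++) tz_array_append(&a, "Europe/Berlin", 3600);
    tz_entry *e = &a.data[i];                     /* looked up after all expansions */
    int ok = strcmp(e->tzid, "UTC") == 0 && e->utc_offset == 0;
    tz_array_free(&a);
    return ok;
}

/* Fix 2: give each element its own allocation and grow only the array of
 * pointers, so element addresses are stable across expansion. */
typedef struct { tz_entry **data; size_t count, capacity; } tz_ptr_array;

static tz_entry *tz_ptr_array_append(tz_ptr_array *a, const char *tzid, int off) {
    if (a->count == a->capacity) {
        size_t ncap = a->capacity ? a->capacity * 2 : 1;
        tz_entry **nd = realloc(a->data, ncap * sizeof *nd); /* moves pointers, not entries */
        if (!nd) abort();
        a->data = nd; a->capacity = ncap;
    }
    tz_entry *e = calloc(1, sizeof *e);
    if (!e) abort();
    strncpy(e->tzid, tzid, sizeof e->tzid - 1);
    e->utc_offset = off;
    a->data[a->count++] = e;
    return e;                                     /* safe to keep: never relocated */
}

static void tz_ptr_array_free(tz_ptr_array *a) {
    for (size_t i = 0; i < a->count; i++) free(a->data[i]);
    free(a->data); a->data = NULL; a->count = a->capacity = 0;
}

int stable_pointer_survives_expand(void) {
    tz_ptr_array a = {0};
    tz_entry *utc = tz_ptr_array_append(&a, "UTC", 0);
    for (int n = 0; n < 8; n++) tz_ptr_array_append(&a, "Europe/Berlin", 3600);
    int ok = utc == a.data[0] && strcmp(utc->tzid, "UTC") == 0 && utc->utc_offset == 0;
    tz_ptr_array_free(&a);
    return ok;
}
```

Running the buggy function under valgrind with a real dereference of the cached pointer reproduces the "Invalid read ... inside a block ... free'd at icalarray_expand"-style report above; the two fixed functions stay clean under the same run. Fix 1 is the smaller change when the array is the only owner; Fix 2 costs one allocation per element but lets callers hold pointers indefinitely.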