Matthew, Thanks for looking into this.
On Thu, Mar 29, 2012 at 06:16:14AM -0400, Matthew Barnes wrote:
> On Thu, 2012-03-29 at 10:33 +0100, Robie Basak wrote:
> > icaltimezone.c:icaltimezone_get_builtin_timezone calls icalarray_append,
> > which moves the entire array to grow it. But an ECalShellView is
> > maintaining a pointer inside that array (via a very long chain of
> > indirection) which becomes invalid as the array is moved. This causes
> > later corruption, invalid reads from freed memory, and eventually
> > segfaults from both the corruption (which appear quite random).
>
> I thought this was solved already by:
> http://git.gnome.org/browse/evolution/tree/modules/calendar/e-cal-shell-backend.c#n863

I spotted this, and this workaround is in my source tree too. But it doesn't seem to work. The array is still being moved as a result of icaltimezone.c:icaltimezone_get_builtin_timezone by the following code, which seems to be an edge case that the workaround does not cover:

	/* Check whether file exists, but is not mentioned in zone.tab.
	   It means it's a deprecated timezone, but still available. */
	comp = icaltzutil_fetch_timezone (location);
	if (comp) {
		icaltimezone tz;

		icaltimezone_init (&tz);
		if (icaltimezone_set_component (&tz, comp)) {
			icalarray_append (builtin_timezones, &tz);
			return icalarray_element_at (builtin_timezones, builtin_timezones->num_elements - 1);
		} else {
			icalcomponent_free (comp);
		}
	}

Robie

_______________________________________________
evolution-hackers mailing list
evolution-hackers@gnome.org
To change your list options or unsubscribe, visit ...
http://mail.gnome.org/mailman/listinfo/evolution-hackers
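The failure mode described in this thread, a caller keeping a raw pointer into a growable array while a later append relocates the array's storage, reduces to a small pattern that is worth seeing in isolation. The following is an added example, not code from the thread, from Evolution or from libical: `toy_array` and `toy_tz` are a deliberately simplified, hypothetical model of `icalarray` and `icaltimezone` (the real structures differ), written so that growth always allocates a new buffer, copies and frees the old one, which makes any previously held element pointer dangling regardless of where the new buffer lands. `stale_pointer_after_append` reproduces the hazard (it reports the relocation rather than dereferencing the dead pointer, which would be undefined behaviour), and `lookup_by_index_survives_growth` shows the defensive pattern of storing an index and re-resolving it through `element_at` after every append.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified stand-in for libical's icalarray (not the real struct). */
typedef struct {
    size_t element_size;
    size_t increment_size;
    size_t num_elements;
    size_t space_allocated;
    size_t expansions;   /* number of times the buffer was moved; added for the demo */
    void *data;
} toy_array;

/* Hypothetical stand-in for icaltimezone: just enough state to be recognisable. */
typedef struct {
    char location[64];
    int utc_offset;
} toy_tz;

static void toy_array_init(toy_array *a, size_t element_size, size_t increment_size) {
    memset(a, 0, sizeof *a);
    a->element_size = element_size;
    a->increment_size = increment_size;
}

/* Grow by allocating a fresh buffer, copying, and freeing the old one.
 * After this returns, every pointer into the old buffer is dangling. */
static void toy_array_expand(toy_array *a, size_t space_needed) {
    size_t grow = space_needed > a->increment_size ? space_needed : a->increment_size;
    size_t new_space = a->space_allocated + grow;
    void *new_data = malloc(new_space * a->element_size);
    if (!new_data) abort();
    if (a->data) {
        memcpy(new_data, a->data, a->num_elements * a->element_size);
        free(a->data);
    }
    a->data = new_data;
    a->space_allocated = new_space;
    a->expansions++;
}

static void toy_array_append(toy_array *a, const void *element) {
    if (a->num_elements >= a->space_allocated)
        toy_array_expand(a, 1);
    memcpy((char *)a->data + a->num_elements * a->element_size, element, a->element_size);
    a->num_elements++;
}

static void *toy_array_element_at(const toy_array *a, size_t pos) {
    return pos < a->num_elements ? (char *)a->data + pos * a->element_size : NULL;
}

static void toy_array_free(toy_array *a) {
    free(a->data);
    memset(a, 0, sizeof *a);
}

static void add_zone(toy_array *a, const char *location, int utc_offset) {
    toy_tz tz;
    memset(&tz, 0, sizeof tz);
    strncpy(tz.location, location, sizeof tz.location - 1);
    tz.utc_offset = utc_offset;
    toy_array_append(a, &tz);
}

/* The hazard: hold a pointer to element 0, then append past capacity.
 * Returns the number of buffer relocations that happened while the pointer
 * was held (1 here); any value above 0 means the pointer must not be used. */
int stale_pointer_after_append(void) {
    toy_array zones;
    toy_array_init(&zones, sizeof(toy_tz), 2);
    add_zone(&zones, "Europe/London", 0);                 /* constructed sample zones */
    const toy_tz *held = toy_array_element_at(&zones, 0); /* the ECalShellView-style pointer */
    size_t generation = zones.expansions;                 /* buffer identity when held was taken */
    add_zone(&zones, "Europe/Paris", 3600);               /* still fits: capacity is 2 */
    add_zone(&zones, "America/Chicago", -21600);          /* third element: buffer moves */
    int moved = (int)(zones.expansions - generation);
    (void)held;                                           /* never dereferenced: it is dangling */
    toy_array_free(&zones);
    return moved;
}

/* The safe pattern: remember the index, and re-resolve it after any append. */
int lookup_by_index_survives_growth(void) {
    toy_array zones;
    toy_array_init(&zones, sizeof(toy_tz), 2);
    add_zone(&zones, "Europe/London", 0);
    size_t idx = zones.num_elements - 1;                  /* stable across relocations */
    add_zone(&zones, "Europe/Paris", 3600);
    add_zone(&zones, "America/Chicago", -21600);
    const toy_tz *tz = toy_array_element_at(&zones, idx); /* fresh pointer into the live buffer */
    int ok = tz != NULL && strcmp(tz->location, "Europe/London") == 0 && zones.expansions == 2;
    toy_array_free(&zones);
    return ok;
}

int main(void) {
    printf("relocations while raw pointer was held: %d\n", stale_pointer_after_append());
    printf("index-based lookup still correct: %s\n",
           lookup_by_index_survives_growth() ? "yes" : "no");
    return 0;
}
```

Run under Valgrind or AddressSanitizer, a real dereference of `held` in the first function would be reported as a read from freed memory, which matches the symptom described in the quoted message; the pre-populating workaround linked above only helps as long as no code path appends after callers have taken their pointers.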