Bug 621814 - Crash in Lookup_MarkMarkPos()
Status: RESOLVED OBSOLETE
Product: pango
Classification: Platform
Component: general
Version: 1.24.x
OS: Other Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assigned To: pango-maint
QA Contact: pango-maint
Depends on:
Blocks:
Reported: 2010-06-16 18:50 UTC by Alberto Garcia
Modified: 2010-06-17 15:36 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
Patch (776 bytes, patch), 2010-06-17 09:37 UTC, Alberto Garcia

Description Alberto Garcia 2010-06-16 18:50:56 UTC
First of all, this bug has been reproduced in Pango 1.24.2

The affected OpenType code has already been removed from master, so if
no one is maintaining this branch anymore please close this bug and
excuse me for the annoyance.

However, if this is trivial to fix for anyone familiar with the code,
any help would be appreciated, since systems shipping that Pango
version would benefit from it.

Now, to the point:

We've made Pango crash in the N900. There's a test case here to
reproduce the crash trivially:

https://bugs.maemo.org/attachment.cgi?id=2890&action=view

However it depends on the font you're using so I have only been able
to make it crash in the N900.

Here's the backtrace:

Program received signal SIGSEGV, Segmentation fault.
0xb7258ee1 in Lookup_MarkMarkPos (gpi=0xbfc4e92c, st=0x9d73358,
    buffer=0x9d14620, flags=1024, context_length=65535, nesting_level=1)
    at harfbuzz-gpos.c:2993
2993      error = _HB_OPEN_Coverage_Index( &mmp->Mark2Coverage, IN_GLYPH( j ),
(gdb) bt
#0 Lookup_MarkMarkPos at harfbuzz-gpos.c line 2993
#1 GPOS_Do_Glyph_Lookup at harfbuzz-gpos.c line 5787
#2 GPOS_Do_String_Lookup at harfbuzz-gpos.c line 5877
#3 HB_GPOS_Apply_String at harfbuzz-gpos.c line 6061
#4 pango_ot_ruleset_position at pango-ot-ruleset.c line 565
#5 ?? from /usr/lib/pango/1.6.0/modules/pango-basic-fc.so

And here's the code:

http://git.gnome.org/browse/pango/tree/pango/opentype/harfbuzz-gpos.c?id=f76a1696f903b90a192a626968dd0731e94b9c91#n2963

The thing here is that 'buffer->in_pos' is 1, so 'j' starts with 0,
exits the while loop with 65535 (-1), and then IN_GLYPH(j) produces a
segmentation fault.

I'm not familiar with that code and I don't know if those values make
sense, but it appears to me that either the initial condition should
be if ( buffer->in_pos <= 1 ) or there should be code
checking/preventing the overflow of 'j' after the while loop.

Changing the aforementioned condition seems to solve the problem, but
then again I don't know this code so I'd appreciate any advice.
Comment 1 Behdad Esfahbod 2010-06-16 19:56:55 UTC
Something like:

  if (i > buffer->in_pos)
    return HB_Err_Not_Covered;

Should be added *after* the loop.

There may be a couple similar loops elsewhere in that file, please check those.

When you have a complete patch, you may want to send it to distribution-list for others to use.
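The wrap-around traced in the description and the post-loop guard proposed in comment 1, as an added C model that is not Pango's or HarfBuzz's code: the `Buffer` layout, the property encoding (high byte = mark attachment class, 0 = base glyph) and the reading of `flags = 1024` as "want class 4" are assumptions made for this example. What it keeps from the report is a backward search driven by two `HB_UShort` counters, `j` wrapping to 65535 when it steps past position 0, and the `if (i > buffer->in_pos) return HB_Err_Not_Covered;` check that stops that index ever reaching `IN_GLYPH()`.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint16_t HB_UShort;   /* the 16-bit unsigned type the report's j has */

/* Constructed stand-ins for the GDEF glyph properties the lookup inspects.
   Assumption for this model only: the high byte holds the mark attachment
   class and 0 means "not a mark"; the lookup's flags carry the wanted class
   in the same high byte (the report's flags = 1024 = 0x0400 reads as class 4). */
#define PROP_BASE        0x0000
#define PROP_MARK(cls)   ((HB_UShort)((cls) << 8))
#define MARK_CLASS_MASK  0xFF00

enum { NOT_COVERED = -1 };

typedef struct {
    HB_UShort in_pos;       /* index of the mark glyph being positioned */
    HB_UShort in_length;    /* number of glyphs in the buffer */
    HB_UShort property[4];  /* GDEF property per glyph (constructed sample) */
} Buffer;

/* The backward search the report describes: i counts glyphs inspected, j is
   the candidate Mark2 index. Both are HB_UShort, so stepping past position 0
   wraps j to 65535 instead of going negative. Returns 1 if the loop stopped
   on a base glyph (nothing to attach to), 0 otherwise. */
static int walk_back(const Buffer *buf, HB_UShort flags,
                     HB_UShort *i_out, HB_UShort *j_out)
{
    HB_UShort i = 1;
    HB_UShort j = buf->in_pos - 1;      /* already wraps when in_pos == 0 */

    while (i <= buf->in_pos) {
        HB_UShort property = buf->property[j];
        if ((property & MARK_CLASS_MASK) == 0)
            return 1;                   /* base glyph: lookup not covered */
        if ((flags & MARK_CLASS_MASK) == 0 ||
            (property & MARK_CLASS_MASK) == (flags & MARK_CLASS_MASK))
            break;                      /* acceptable Mark2 found at j */
        i++;
        j--;                            /* 0 - 1 becomes 65535 here */
    }
    *i_out = i;
    *j_out = j;
    return 0;
}

/* Before the fix: whatever j holds after the loop is handed to IN_GLYPH().
   This model returns that index instead of dereferencing it, so the crash
   case shows up as 65535 rather than as a SIGSEGV. */
static long mark2_index_unchecked(const Buffer *buf, HB_UShort flags)
{
    HB_UShort i, j;
    if (walk_back(buf, flags, &i, &j))
        return NOT_COVERED;
    return j;
}

/* After the fix from comment 1: if i ran past in_pos the loop found nothing,
   so return Not_Covered before j is used as a glyph index. */
static long mark2_index_checked(const Buffer *buf, HB_UShort flags)
{
    HB_UShort i, j;
    if (walk_back(buf, flags, &i, &j))
        return NOT_COVERED;
    if (i > buf->in_pos)
        return NOT_COVERED;
    return j;
}

/* Constructed crash input: the mark at position 1 needs a class-4 Mark2, but
   the only glyph before it is a mark of class 1, so the loop walks off the
   front of the string. */
static const Buffer *crash_case(void)
{
    static const Buffer b = { 1, 2, { PROP_MARK(1), PROP_MARK(4), 0, 0 } };
    return &b;
}

/* Constructed edge case: the mark is the very first glyph (in_pos == 0). */
static const Buffer *in_pos_zero_case(void)
{
    static const Buffer b = { 0, 1, { PROP_MARK(4), 0, 0, 0 } };
    return &b;
}

/* Constructed benign input: a class-4 mark sits right in front of in_pos. */
static const Buffer *benign_case(void)
{
    static const Buffer b = { 2, 3, { PROP_BASE, PROP_MARK(4), PROP_MARK(4), 0 } };
    return &b;
}

int main(void)
{
    HB_UShort flags = 0x0400;   /* the report's flags = 1024 */
    const Buffer *crash = crash_case();

    printf("crash case: unchecked index %ld (buffer length %u), checked %ld\n",
           mark2_index_unchecked(crash, flags), (unsigned)crash->in_length,
           mark2_index_checked(crash, flags));
    printf("in_pos == 0: unchecked %ld, checked %ld\n",
           mark2_index_unchecked(in_pos_zero_case(), flags),
           mark2_index_checked(in_pos_zero_case(), flags));
    printf("benign case: unchecked %ld, checked %ld\n",
           mark2_index_unchecked(benign_case(), flags),
           mark2_index_checked(benign_case(), flags));
    return 0;
}
```

The same `i > in_pos` guard also covers `in_pos == 0`, where `j` is already 65535 before the loop body ever runs, which is why a check after the loop is a more complete fix than only tightening the initial `in_pos` condition the description mentions.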
Comment 2 Alberto Garcia 2010-06-17 09:37:41 UTC
Created attachment 163902 [details] [review]
Patch

(In reply to comment #1)
> Something like:
>
>   if (i > buffer->in_pos)
>     return HB_Err_Not_Covered;
>
> Should be added *after* the loop.

Great, that solves the problem. All other loops seem correct.

Thanks for your quick reply!
Comment 3 Alberto Garcia 2010-06-17 15:33:55 UTC
The reporter has also confirmed that the patch works fine:

https://bugs.maemo.org/show_bug.cgi?id=10685#c10

I'll send it to distributor-list.

If you think it's worth having in the 1.24 branch, please commit it.

Thanks again!
Comment 4 Behdad Esfahbod 2010-06-17 15:36:59 UTC
I don't want to give people the false impression that 1.24 is actually maintained...