Bug 723582 - invalid read/write at pango_glyph_item_get_logical_widths()
Status: RESOLVED NOTGNOME
Product: pango
Classification: Platform
Component: general
Version: 1.36.x
Hardware/OS: Other Linux
Importance: Normal normal
Target Milestone: ---
Assigned To: pango-maint
QA Contact: pango-maint
Duplicates: 724565 726384
Depends on:
Blocks:
Reported: 2014-02-04 07:47 UTC by Akira TAGOH
Modified: 2014-07-14 16:51 UTC
See Also:
GNOME target: ---
GNOME version: ---
Attachments
test case to reproduce a crash (227 bytes, text/plain), 2014-02-04 07:47 UTC, Akira TAGOH

Description Akira TAGOH 2014-02-04 07:47:11 UTC
Created attachment 268033
test case to reproduce a crash

Opening the attached text in gedit causes a segfault, and valgrind reports an invalid read/write at pango_glyph_item_get_logical_widths().

I don't know exactly what is wrong, but (PangoGlyphItemIter *)->end_char points to a value greater than num_chars; it then crashes because it accesses memory outside the allocation at (ParaBreakState *)->log_widths in process_item() in pango-layout.c:3462.

And that end_char is assigned by pango_glyph_item_iter_next_cluster() in pango_glyph_item_iter_init_start(), because iter->end_index is less than iter->start_index and then pango_utf8_strlen calculates the length up to the NUL terminator.
Comment 1 Akira TAGOH 2014-02-13 07:05:30 UTC
Just realized that (PangoGlyphString *)->log_clusters[] contains negative values. Is this expected? That looks like what messes up iter->end_index in pango_glyph_item_iter_next_cluster().
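A defensive pre-check for the failure mode described in the report and in comment 1, added here as an example (not pango's or harfbuzz's code): it rejects a glyph string whose log_clusters hold negative or out-of-item byte offsets, and counts characters with an explicit bound instead of running to the NUL terminator the way a negative length does. The function names and the sample "héllo" glyph data are constructed for this example.

```c
#include <stdbool.h>
#include <string.h>

/* Count UTF-8 characters in text[start, end) without reading past end.
 * Returns -1 for a reversed or out-of-bounds range; a negative length passed
 * to pango_utf8_strlen instead scans forward to the NUL terminator, which is
 * how end_char grew past num_chars in this bug. */
int utf8_chars_in_range(const char *text, int text_len, int start, int end)
{
    if (start < 0 || end < start || end > text_len)
        return -1;
    int n = 0;
    for (int i = start; i < end; i++)
        if ((text[i] & 0xC0) != 0x80)   /* a non-continuation byte starts a char */
            n++;
    return n;
}

/* Validate a shaped item before iterating its clusters:
 *  - the item's byte range must lie inside the text and hold num_chars chars,
 *  - every log_cluster must be a byte offset inside the item's own text
 *    (a negative value is the case seen in comment 1),
 *  - and a cluster must not point into the middle of a multibyte character.
 * If this holds, an end_char derived from any cluster is at most num_chars,
 * so it can never index log_widths[] out of range. */
bool glyph_clusters_valid(const char *text, int text_len,
                          int item_offset, int item_length, int num_chars,
                          const int *log_clusters, int num_glyphs)
{
    if (item_offset < 0 || item_length < 0 || item_offset + item_length > text_len)
        return false;
    if (utf8_chars_in_range(text, text_len, item_offset,
                            item_offset + item_length) != num_chars)
        return false;
    for (int i = 0; i < num_glyphs; i++) {
        int c = log_clusters[i];
        if (c < 0 || c >= item_length)
            return false;
        if ((text[item_offset + c] & 0xC0) == 0x80)
            return false;
    }
    return true;
}

/* Constructed sample: "héllo" (6 bytes, 5 chars) shaped as three glyphs. */
static const char sample_text[] = "h\xc3\xa9llo";
static const int sample_ok_clusters[]  = {0, 1, 3};
static const int sample_bad_clusters[] = {0, -2, 3};  /* negative cluster */

bool sample_is_valid(const int *clusters)
{
    return glyph_clusters_valid(sample_text, 6, 0, 6, 5, clusters, 3);
}
```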
Comment 2 Akira TAGOH 2014-02-14 05:19:40 UTC
That looks like a harfbuzz issue. This happened with harfbuzz 0.9.24 but works fine with git.
Comment 3 Akira TAGOH 2014-02-14 06:08:42 UTC
To correct myself: building harfbuzz with graphite2 enabled seems to introduce this crash. It works without graphite2, even on 0.9.24. FYI
Comment 4 Behdad Esfahbod 2014-04-09 23:40:24 UTC
*** Bug 724565 has been marked as a duplicate of this bug. ***
Comment 5 Behdad Esfahbod 2014-04-10 00:00:32 UTC
Let's follow up here:

  https://bugs.freedesktop.org/show_bug.cgi?id=75076
Comment 6 Behdad Esfahbod 2014-07-14 16:51:49 UTC
*** Bug 726384 has been marked as a duplicate of this bug. ***