Bug 626966 - SIGFPE _hb_sanitize_array
Status: RESOLVED FIXED
Product: pango
Classification: Platform
Component: general
Version: 1.28.x
OS: Other Linux
Importance: Normal normal
Target Milestone: ---
Assigned To: pango-maint
QA Contact: pango-maint
Depends on:
Blocks:
Reported: 2010-08-15 01:52 UTC by Mike A. Owens
Modified: 2011-02-17 07:10 UTC
See Also:
GNOME target: ---
GNOME version: ---
Attachments
Fuzz-generated/patched TTF which exhibits SIGFPE (6.44 KB, application/octet-stream), 2010-08-15 01:52 UTC, Mike A. Owens

Description Mike A. Owens 2010-08-15 01:52:12 UTC
Created attachment 167896
Fuzz-generated/patched TTF which exhibits SIGFPE

While fuzz-testing Firefox 3.6, I came across SIGFPE in pango 1.28.0 as shipped in Ubuntu 10.04.  

The attached TTF is corrupt, but has been patched to repair some checksums and magic numbers.  The method in which it was generated and patched makes it difficult to find the minimal OTF input which exhibits this, but I narrowed the text input string down to "8(". (I wasn't trying to be cute with a frowning emoticon.)  I've seen this exact backtrace occur in alternate corrupt fonts, but with more complicated two-character pairs (Unicode symbols).

Sorry if this is a duplicate; I've searched, but Gnome Bugzilla has given me a half-dozen server timeouts during the process of signing up and submitting this bug.

To reproduce:
  pango-view --text='8(' --font='sigfpe'

Backtrace:

Program terminated with signal 8, Arithmetic exception.

  • #0 _hb_sanitize_array
    at /build/buildd/pango1.0-1.28.0/pango/opentype/hb-open-type-private.hh line 219
  • #1 PairPosFormat2::sanitize
    at /build/buildd/pango1.0-1.28.0/pango/opentype/hb-ot-layout-gpos-private.hh line 628
  • #2 PairPos::sanitize
    at /build/buildd/pango1.0-1.28.0/pango/opentype/hb-ot-layout-gpos-private.hh line 680
  • #3 PosLookupSubTable::sanitize
    at /build/buildd/pango1.0-1.28.0/pango/opentype/hb-ot-layout-gpos-private.hh line 1342
  • #4 GenericOffsetTo<USHORT, PosLookupSubTable>::sanitize
    at /build/buildd/pango1.0-1.28.0/pango/opentype/hb-open-type-private.hh line 478
  • #6 PosLookup::sanitize
    at /build/buildd/pango1.0-1.28.0/pango/opentype/hb-ot-layout-gpos-private.hh line 1453
  • #9 OffsetListOf<PosLookup>::sanitize
    at /build/buildd/pango1.0-1.28.0/pango/opentype/hb-open-type-private.hh line 601
  • #11 GPOS::sanitize
    at /build/buildd/pango1.0-1.28.0/pango/opentype/hb-ot-layout-gpos-private.hh line 1484
  • #12 Sanitizer<GPOS>::sanitize
    at /build/buildd/pango1.0-1.28.0/pango/opentype/hb-open-type-private.hh line 286
  • #13 _hb_ot_layout_init
    at /build/buildd/pango1.0-1.28.0/pango/opentype/hb-ot-layout.cc line 55
  • #14 hb_face_create_for_data
    at /build/buildd/pango1.0-1.28.0/pango/opentype/hb-font.cc line 182
  • #15 pango_ot_info_get
    at /build/buildd/pango1.0-1.28.0/pango/pango-ot-info.c line 154
  • #16 basic_engine_shape
    at /build/buildd/pango1.0-1.28.0/modules/basic/basic-fc.c line 209
  • #17 _pango_engine_shape_shape
    at /build/buildd/pango1.0-1.28.0/pango/pango-engine.c line 71
  • #18 pango_shape
    at /build/buildd/pango1.0-1.28.0/pango/shape.c line 55
  • #19 shape_run
    at /build/buildd/pango1.0-1.28.0/pango/pango-layout.c line 3120
  • #20 process_item
    at /build/buildd/pango1.0-1.28.0/pango/pango-layout.c line 3231
  • #21 process_line
    at /build/buildd/pango1.0-1.28.0/pango/pango-layout.c line 3529
  • #22 pango_layout_check_lines
    at /build/buildd/pango1.0-1.28.0/pango/pango-layout.c line 3850
  • #23 pango_layout_get_extents_internal
    at /build/buildd/pango1.0-1.28.0/pango/pango-layout.c line 2431
  • #24 pango_layout_get_pixel_extents
    at /build/buildd/pango1.0-1.28.0/pango/pango-layout.c line 2635
  • #25 output_body
    at /build/buildd/pango1.0-1.28.0/pango-view/viewer-render.c line 211
  • #26 do_output
    at /build/buildd/pango1.0-1.28.0/pango-view/viewer-render.c line 309
  • #27 pangocairo_view_render
    at /build/buildd/pango1.0-1.28.0/pango-view/viewer-pangocairo.c line 336
  • #28 main
    at /build/buildd/pango1.0-1.28.0/pango-view/viewer-main.c line 63
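
The report above shows an arithmetic exception (SIGFPE) raised inside the OpenType sanitizer while it validates a GPOS table of a corrupt font, but it does not show the arithmetic that faulted. The following is an added illustration, not pango's or HarfBuzz's code: a minimal bounds check of the kind a table sanitizer applies to counts and record sizes read from untrusted font data, written so that a zero record size or an oversized count is rejected or tolerated without a division fault or an integer wrap. The table layout, `sanitize_record_table`, and the sample blobs are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Added example, not pango/HarfBuzz code: a minimal "sanitizer" over a font
 * blob.  Every count and size below is attacker-controlled, exactly as the
 * fields of a fuzzed TTF are. */

typedef struct {
    const uint8_t *start;   /* first byte of the font blob */
    size_t length;          /* total bytes in the blob */
} sanitize_ctx_t;

/* Return true iff `len` records of `record_size` bytes at byte `offset`
 * lie entirely inside the blob.  The divisor is proven non-zero before any
 * division, and the multiplication is guarded against wrap-around. */
static bool check_array(const sanitize_ctx_t *c, size_t offset,
                        size_t record_size, size_t len)
{
    if (offset > c->length)
        return false;                   /* start already out of bounds */
    if (record_size == 0 || len == 0)
        return true;                    /* zero bytes always fit; no division */
    if (len > SIZE_MAX / record_size)   /* record_size != 0 here */
        return false;                   /* len * record_size would wrap */
    return len * record_size <= c->length - offset;
}

/* Big-endian 16-bit read, the byte order OpenType tables use. */
static bool read_u16(const sanitize_ctx_t *c, size_t offset, uint16_t *out)
{
    if (!check_array(c, offset, 2, 1))
        return false;
    *out = (uint16_t)((c->start[offset] << 8) | c->start[offset + 1]);
    return true;
}

/* Hypothetical table layout: [count:u16][recordSize:u16][records...].
 * Returns 1 if the table is well-formed, 0 if it must be rejected; a
 * rejected table is dropped before any shaping code ever touches it. */
int sanitize_record_table(const uint8_t *blob, size_t blob_len)
{
    sanitize_ctx_t c = { blob, blob_len };
    uint16_t count, rec_size;
    if (!read_u16(&c, 0, &count) || !read_u16(&c, 2, &rec_size))
        return 0;
    return check_array(&c, 4, rec_size, count) ? 1 : 0;
}

/* Constructed sample inputs (not taken from the attached font). */
int sample_zero_record_size(void)
{
    /* count = 0x8000, recordSize = 0: zero payload bytes; must not fault. */
    const uint8_t blob[] = { 0x80, 0x00, 0x00, 0x00 };
    return sanitize_record_table(blob, sizeof blob);
}

int sample_truncated(void)
{
    /* count = 3, recordSize = 4 claims 12 bytes, but only 8 follow. */
    const uint8_t blob[] = { 0x00, 0x03, 0x00, 0x04,
                             1, 2, 3, 4, 5, 6, 7, 8 };
    return sanitize_record_table(blob, sizeof blob);
}

int sample_ok(void)
{
    /* count = 2, recordSize = 3: exactly 6 payload bytes present. */
    const uint8_t blob[] = { 0x00, 0x02, 0x00, 0x03, 1, 2, 3, 4, 5, 6 };
    return sanitize_record_table(blob, sizeof blob);
}

int sample_empty(void)
{
    /* A blob too short to hold even the header is rejected. */
    const uint8_t blob[] = { 0x00 };
    return sanitize_record_table(blob, sizeof blob);
}
```

The zero-record-size case is deliberately accepted rather than rejected here, because the point is that the check itself must never fault on it; a real sanitizer would additionally decide whether a zero stride is meaningful for the table in question and reject it if not.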

Comment 1 Behdad Esfahbod 2010-09-23 20:06:06 UTC
Fixed in master.  Thanks.
Comment 2 Paul Sladen 2011-02-17 07:10:33 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598166
"code.google.com/webfonts crashes Iceweasel inside libpangoft2-1.0.so.0"

http://code.google.com/p/googlefontdirectory/issues/detail?id=26
"Google Font Directory crashes Firefox 3.6.13"