GNOME Bugzilla – Bug 751759
crash when trying to view certain fonts (SIGSEGV in strlen)
Last modified: 2015-11-21 22:25:21 UTC
I'm unable to open certain fonts in gnome-font-viewer. The application just crashes immediately. The problem is 100% reproducible. Backtraces and other logs can be found in distro bug trackers:
- https://bugzilla.redhat.com/show_bug.cgi?id=1187679
- https://bugs.launchpad.net/ubuntu/+source/gnome-font-viewer/+bug/1337368

$ rpm -q gnome-font-viewer
gnome-font-viewer-3.16.2-1.fc22.x86_64

How to reproduce:
- Download "Schriften [SenBJS] (zip | 85,03 KB)" from http://www.gew-berlin.de/291.php
- Try to open BLN_LOGO.TTF

Other users mentioned that "symbol.ttf" from webcore-fonts (Fedora) will also demonstrate the issue. The problem seems to be related to "unusual" fonts which don't contain many (any?) "normal" characters.

I was surprised that I couldn't find a bug about this issue on b.g.o, as the problem was recorded about 850x by Fedora's automated crash reporter (https://retrace.fedoraproject.org/faf/problems/1025588/) and Ubuntu is affected as well (https://bugs.launchpad.net/ubuntu/+source/gnome-font-viewer/+bug/1337368).
Please paste a stacktrace here.
Created attachment 306561 [details] stacktrace as requested. As the trace was quite long I added it as an attachment.
So I've hit this as well just recently when I tried to view the 'webdings' or 'wingdings' fonts in gnome-font-viewer. Here's the relevant part of the stack trace:

=>[1] text_to_glyphs(cr = <value unavailable>, text = (nil), glyphs = 0xffff80e9fad95ba8, num_glyphs = 0xffff80e9fad95b94) (optimized), at 0x411050 (line ~108) in "sushi-font-widget.c"
  [2] draw_string(self = <value unavailable>, cr = <value unavailable>, padding = RECORD, text = <value unavailable>, pos_y = <value unavailable>) (inlined), line 198 in "sushi-font-widget.c"
  [3] sushi_font_widget_draw(drawing_area = <value unavailable>, cr = 0xffff80e9fad95b94) (optimized), line 639 in "sushi-font-widget.c"
  [4] _gtk_marshal_BOOLEAN__BOXEDv(), at 0x7ff329e1d18b
  [5] gtk_widget_draw_marshallerv(), at 0x7ff329f954d8
  [6] _g_closure_invoke_va(), at 0x7ff32b1aed20
  ...

As we can see, text_to_glyphs() received a NULL; digging through the program execution, this is because the call to draw_string() in sushi_font_widget_draw() is passing a NULL. And that is because self->priv->sample_string is NULL. self->priv->sample_string is NULL because build_strings_for_face() assigned NULL to self->priv->sample_string. Notably:

353   if (!set_pango_sample_string (self))
354     self->priv->sample_string = random_string_from_available_chars (self->priv->face, 36);

The call to set_pango_sample_string() fails, so it then relies on random_string_from_available_chars(). Unfortunately, it never checks to see if the call to random_string_from_available_chars() succeeds.
With the 'wingdings' font, in my case, random_string_from_available_chars() returns NULL, and this is because build_charlist_for_face() returns 0 characters:

t@1 (l@1) stopped in build_charlist_for_face (optimized) at line 256 in file "sushi-font-widget.c"
  256 {
(dbx) next
t@1 (l@1) stopped in build_charlist_for_face (optimized) at line 262 in file "sushi-font-widget.c"
  262   string = g_string_new (NULL);
(dbx) next
t@1 (l@1) stopped in build_charlist_for_face (optimized) at line 264 in file "sushi-font-widget.c"
  264   c = FT_Get_First_Char (face, &glyph);
(dbx) next
t@1 (l@1) stopped in build_charlist_for_face (optimized) at line 266 in file "sushi-font-widget.c"
  266   while (glyph != 0) {
(dbx) print c
c = 0
(dbx) print glyph
glyph = 0
(dbx) next
t@1 (l@1) stopped in build_charlist_for_face (optimized) at line 272 in file "sushi-font-widget.c"
  272   if (length)
(dbx) print length
length = 0xffff80df46b1bc7c
(dbx) next
t@1 (l@1) stopped in build_charlist_for_face (optimized) at line 273 in file "sushi-font-widget.c"
  273     *length = total_chars;
(dbx) print total_chars
total_chars = 0
(dbx) next
t@1 (l@1) stopped in build_charlist_for_face (optimized) at line 275 in file "sushi-font-widget.c"
  275   return g_string_free (string, FALSE);
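The NULL path traced in the comment above, reconstructed as an added, self-contained example (this is not code from gnome-font-viewer or sushi). A constructed toy charmap stands in for an FT_Face, a fixed-seed LCG stands in for the real random character choice, and the placeholder text in the hardened variant is an assumption for this example. The unchecked builder reproduces the lines 353-354 pattern (a symbol face yields a NULL sample string that draw_string() would hand to strlen()); the checked builder shows the missing NULL check with a fallback.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for an FT_Face (no FreeType here): the charmap as
 * (charcode, glyph) pairs, charcodes kept in ASCII so the charlist is a
 * plain C string. */
typedef struct { unsigned long charcode; unsigned int glyph; } CmapEntry;
typedef struct { const CmapEntry *cmap; size_t n; } ToyFace;

/* Models the FT_Get_First_Char / FT_Get_Next_Char loop in
 * build_charlist_for_face(): an empty or exhausted charmap is signalled by
 * glyph == 0, as the dbx session shows. Returns a malloc'd NUL-terminated
 * charlist and stores the count in *length. */
static char *build_charlist_for_face(const ToyFace *face, size_t *length)
{
    char *chars = malloc(face->n + 1);
    size_t total_chars = 0, i = 0;
    unsigned int glyph = face->n > 0 ? face->cmap[0].glyph : 0; /* first char */

    if (chars == NULL)
        return NULL;
    while (glyph != 0) {
        chars[total_chars++] = (char) face->cmap[i].charcode;
        i++;
        glyph = (i < face->n) ? face->cmap[i].glyph : 0;      /* next char */
    }
    chars[total_chars] = '\0';
    if (length)
        *length = total_chars;
    return chars;
}

/* Picks n characters from the charlist with a fixed-seed LCG (deterministic
 * stand-in for the real random choice). Returns NULL when the charlist is
 * empty, which is the path traced above for symbol fonts. */
static char *random_string_from_available_chars(const ToyFace *face, size_t n)
{
    size_t length = 0, i;
    unsigned int state = 12345u;
    char *chars = build_charlist_for_face(face, &length);
    char *out = NULL;

    if (chars != NULL && length > 0 && (out = malloc(n + 1)) != NULL) {
        for (i = 0; i < n; i++) {
            state = state * 1103515245u + 12345u;
            out[i] = chars[(state >> 16) % length];
        }
        out[n] = '\0';
    }
    free(chars);
    return out;
}

/* The pattern quoted from lines 353-354: the fallback's result becomes the
 * sample string with no NULL check, so a symbol font leaves it NULL. */
static char *build_sample_string_unchecked(const ToyFace *face)
{
    return random_string_from_available_chars(face, 36);
}

/* Hardened variant: substitute a placeholder (text chosen for this example)
 * when no sample can be built, so draw_string() never sees NULL. */
static const char FALLBACK_SAMPLE[] = "(no sample text available)";

static char *build_sample_string_checked(const ToyFace *face)
{
    char *s = random_string_from_available_chars(face, 36);
    if (s == NULL && (s = malloc(sizeof FALLBACK_SAMPLE)) != NULL)
        memcpy(s, FALLBACK_SAMPLE, sizeof FALLBACK_SAMPLE);
    return s;
}

/* Exercise both paths and free what they allocate. */
static int unchecked_sample_is_null(const ToyFace *face)
{
    char *s = build_sample_string_unchecked(face);
    int is_null = (s == NULL);
    free(s);
    return is_null;
}

/* strlen() here is what text_to_glyphs() ends up doing to the sample text,
 * and where the SIGSEGV in the title comes from when that text is NULL. */
static size_t checked_sample_len(const ToyFace *face)
{
    char *s = build_sample_string_checked(face);
    size_t len = s ? strlen(s) : 0;
    free(s);
    return len;
}

/* Constructed faces: a Latin face with three mapped characters and a
 * "symbol" face whose charmap yields no characters, as the dbx output shows
 * for wingdings (FT_Get_First_Char returning glyph 0). */
static const CmapEntry latin_cmap[] = { { 'A', 1 }, { 'B', 2 }, { 'C', 3 } };
static const ToyFace LATIN_FACE = { latin_cmap, 3 };
static const ToyFace SYMBOL_FACE = { NULL, 0 };
```

With SYMBOL_FACE the unchecked builder returns NULL (the value draw_string() would pass to strlen()), while the checked builder returns the 26-byte placeholder; with LATIN_FACE both return a 36-character string drawn from the charlist.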
Thanks for taking the time to report this. This particular bug has already been reported into our bug tracking system, but we are happy to tell you that the problem has already been fixed in the code repository. *** This bug has been marked as a duplicate of bug 757680 ***