1127935 - Crash in gfxHarfBuzzShaper::FindGlyf(unsigned int, bool*)

Status: RESOLVED FIXED

(Core :: Graphics: Text, defect)

Description

[blinky]

Steps to reproduce:

1. Disable hardware acceleration.
2. Go to https://dl.dropboxusercontent.com/u/95157096/85f61cf7/ay571o0lfh.html.

Crash report: bp-be6d248c-78ff-4f72-a980-12e532150130

Comment 1

[blinky]

This bug occurs since the version 38.0a1 (2015-01-29).

https://hg.mozilla.org/mozilla-central/rev/6bfc0e1c4b29

Comment 2

[Jonathan Kew [:jfkthame]]

Looks like we'd crash here if the page ends up using a non-TrueType/OpenType font (e.g. an old bitmap font, or a legacy .pfb Postscript font, etc), and fallback diacritic positioning kicks in. We need a null-check when the code tries to load the 'head' table from the font.

This can't happen with h/w acceleration in effect because such legacy fonts aren't supported at all under DirectWrite. But with GDI, they may still be used.

Comment 3

[Jonathan Kew [:jfkthame]]

Attachment: Check for null when trying to load 'head' table, to avoid crashing on non-sfnt fonts

Comment 4

[Jonathan Kew [:jfkthame]]

blinky: there's a try build with this patch at http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/jkew@mozilla.com-4b590bde550f/try-win32/, if you'd like to test and check that it no longer suffers from this crash.

Comment 5

[blinky]

(In reply to Jonathan Kew (:jfkthame) from comment #4)
> blinky: there's a try build with this patch at
> http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/jkew@mozilla.com-
> 4b590bde550f/try-win32/, if you'd like to test and check that it no longer
> suffers from this crash.

I can not reproduce the bug with this build, thanks.

Comment 6

[Jonathan Kew [:jfkthame]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/9af435afa2b6

Comment 7

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/mozilla-central/rev/9af435afa2b6