Closed Bug 1250945 Opened 8 years ago Closed 8 years ago

[harfbuzz] Assertion: bool hb_buffer_t::move_to(unsigned int): Assertion 'i <= out_len + (len - idx)' failed.

Categories

(Core :: Graphics: Text, defect)

defect
Not set
critical

Tracking

()

RESOLVED WORKSFORME

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase)

Attachments

(2 files)

Attached file call_stack.txt
hb-buffer.cc:411: bool hb_buffer_t::move_to(unsigned int): Assertion `i <= out_len + (len - idx)' failed.

This sounds unpleasant, possibly a sec issue.
Attached file test_case.ttf
Found fuzzing harfbuzz revision 3fe0cf10401875f1e9b8b5fbaf59826e64ea61d2
Could you please re-test with latest harfbuzz from upstream; in particular, I wonder whether b87e36f6f119fac80b8fd55f3abae563c2c5b798 may have already addressed this?
Flags: needinfo?(twsmith)
(In reply to Jonathan Kew (:jfkthame) from comment #3)
> Could you please re-test with latest harfbuzz from upstream; in particular,
> I wonder whether b87e36f6f119fac80b8fd55f3abae563c2c5b798 may have already
> addressed this?

Thanks Jonathan, looks like there was a flood of fixes and I should have updated before I logged this. Verified with revision 23335deaad9d4d9824ff41343264514d3f9f7e37.
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(twsmith)
Resolution: --- → WORKSFORME
Is there a bug open to pick up the latest fixes from upsteam?
Flags: needinfo?(jfkthame)
Bug 1249861 will cover this.
Flags: needinfo?(jfkthame)
Group: gfx-core-security
You need to log in before you can comment on or make changes to this bug.