Closed Bug 1252421 Opened 9 years ago Closed 9 years ago

Graphite2 NULL pointer dereference in Slot::isDeleted

Categories

(Core :: Graphics: Text, defect)

defect
Not set
normal

Tracking


RESOLVED FIXED
Tracking Status
firefox45 --- disabled
firefox46 --- fixed
firefox47 --- fixed
firefox48 --- fixed
firefox-esr38 46+ disabled
firefox-esr45 46+ disabled

People

(Reporter: j00ru.vx, Unassigned)

References

Details

(4 keywords, Whiteboard: Disclosure deadline May 30 [gfx-noted])

Attachments

(1 file)

Attached file Reproducers.
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36

Steps to reproduce:

The following crash due to a NULL pointer dereference can be observed in an ASAN build of the standard Graphite2 gr2FontTest utility (git trunk), triggered with the following command:

$ ./gr2fonttest /path/to/file -auto

--- cut ---
==30232==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000006c (pc 0x000000549075 bp 0x7ffc9616de50 sp 0x7ffc9616de30 T0)
    #0 0x549074 in graphite2::Slot::isDeleted() const graphite/src/./inc/Slot.h:101:38
    #1 0x5acb93 in graphite2::SlotMap::collectGarbage(graphite2::Slot*&) graphite/src/Pass.cpp:655:12
    #2 0x5a4fa0 in graphite2::Pass::findNDoRule(graphite2::Slot*&, graphite2::vm::Machine&, graphite2::FiniteStateMachine&) const graphite/src/Pass.cpp:545:49
    #3 0x5a2bb9 in graphite2::Pass::runGraphite(graphite2::vm::Machine&, graphite2::FiniteStateMachine&, bool) const graphite/src/Pass.cpp:412:13
    #4 0x5d86ca in graphite2::Silf::runGraphite(graphite2::Segment*, unsigned char, unsigned char, int) const graphite/src/Silf.cpp:423:21
    #5 0x54e14a in graphite2::Face::runGraphite(graphite2::Segment*, graphite2::Silf const*) const graphite/src/Face.cpp:180:16
    #6 0x57ca2f in graphite2::Segment::runGraphite() graphite/src/./inc/Segment.h:97:45
    #7 0x5796d3 in (anonymous namespace)::makeAndInitialize(graphite2::Font const*, graphite2::Face const*, unsigned int, graphite2::FeatureVal const*, gr_encform, void const*, unsigned long, int) graphite/src/gr_segment.cpp:46:67
    #8 0x579156 in gr_make_seg graphite/src/gr_segment.cpp:105:24
    #9 0x4ee2ea in Parameters::testFileFont() const (graphite/gr2fonttest/gr2fonttest+0x4ee2ea)
    #10 0x4f0387 in main (graphite/gr2fonttest/gr2fonttest+0x4f0387)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV graphite/src/./inc/Slot.h:101:38 in graphite2::Slot::isDeleted() const
==30232==ABORTING
--- cut ---

Attached is an archive with three font files which reproduce the crash.
Group: core-security → gfx-core-security
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: Disclosure deadline May 30
I believe this is a dup of bug 1249824. I cannot reproduce it on the latest graphite revision (bc5409c573aa9ecccacd18cf713021272998cd35)
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
Strange - I can still reproduce the crash with all three provided samples, both with ASAN and regular builds of gr2fonttest with latest graphite revision (bc5409c573aa9ecccacd18cf713021272998cd35) -- which is not a surprise since I tested it with the same code before filing the bug yesterday. Is there any additional information I could provide to help reproduce the problem?
Flags: needinfo?(twsmith)
My apologies, you are correct. I must have mixed up my builds. Thank you for double checking.
Status: RESOLVED → REOPENED
Flags: needinfo?(twsmith)
Resolution: DUPLICATE → ---
fixed? 84cfaa583547dbf16bfef0e192e6591be915d916
Verified with graphite revision 520d76818052772d614e581dacea69499b912be6. Mateusz, can you please confirm? This will be marked fixed once the patches land in our branches.
Flags: needinfo?(j00ru.vx)
Whiteboard: Disclosure deadline May 30 → Disclosure deadline May 30 [gfx-noted]
I confirm that the crashes reported in this bug no longer reproduce with the latest revision.
Flags: needinfo?(j00ru.vx)
Keywords: sec-low
Depends on: 1255158
Status: REOPENED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Group: gfx-core-security → core-security-release
Graphite2 has been updated on all affected branches including ESRs.
Group: core-security-release