Bug 1336823
Opened 7 years ago
Closed 7 years ago
[harfbuzz] Assertion `i <= out_len + (len - idx)' failed [@hb_buffer_t::move_to]
Categories
(Core :: Graphics: Text, defect)
RESOLVED
DUPLICATE
of bug 1295299
Tracking | Status | |
---|---|---|
firefox54 | --- | affected |
People
(Reporter: tsmith, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: testcase)
Attachments
(1 file)
1.33 KB,
application/x-font-ttf
Found while fuzzing harfbuzz revision 4ec19319ab195d852708661e12da2a6485fce544

Looks like another variation of bug 1295299

```
hb-fuzzer: hb-buffer.cc:419: bool hb_buffer_t::move_to(unsigned int): Assertion `i <= out_len + (len - idx)' failed.

#0 0x00007ffff65be428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1 0x00007ffff65c002a in __GI_abort () at abort.c:89
#2 0x00007ffff65b6bd7 in __assert_fail_base (fmt=<optimized out>, assertion=assertion@entry=0x641860 <.str> "i <= out_len + (len - idx)", file=file@entry=0x641430 "hb-buffer.cc", line=line@entry=419, function=function@entry=0x641800 <__PRETTY_FUNCTION__._ZN11hb_buffer_t7move_toEj> "bool hb_buffer_t::move_to(unsigned int)") at assert.c:92
#3 0x00007ffff65b6c82 in __GI___assert_fail (assertion=0x641860 <.str> "i <= out_len + (len - idx)", file=0x641430 "hb-buffer.cc", line=419, function=0x641800 <__PRETTY_FUNCTION__._ZN11hb_buffer_t7move_toEj> "bool hb_buffer_t::move_to(unsigned int)") at assert.c:101
#4 0x00000000004f6710 in hb_buffer_t::move_to (this=0x61200000bd40, i=4294967293) at hb-buffer.cc:419
#5 0x00000000005bfd8b in OT::apply_lookup (c=<optimized out>, count=<optimized out>, match_positions=<optimized out>, lookupCount=<optimized out>, lookupRecord=<optimized out>, match_length=<optimized out>) at ./hb-ot-layout-gsubgpos-private.hh:1042
#6 0x00000000006108b6 in OT::chain_context_apply_lookup (c=0x7fffffffd300, backtrackCount=<optimized out>, backtrack=<optimized out>, inputCount=1, lookaheadCount=<optimized out>, lookupCount=4133217320, input=<optimized out>, lookahead=<optimized out>, lookupRecord=<optimized out>, lookup_context=...) at ./hb-ot-layout-gsubgpos-private.hh:1655
#7 OT::ChainContextFormat3::apply (this=<optimized out>, c=<optimized out>) at ./hb-ot-layout-gsubgpos-private.hh:2095
#8 0x00000000005c098e in hb_get_subtables_context_t::hb_applicable_t::apply (c=0x7fffffffd300, this=<optimized out>) at hb-ot-layout.cc:1052
#9 apply_forward (c=<optimized out>, accel=..., subtables=...) at hb-ot-layout.cc:1097
#10 0x00000000005ba4b3 in apply_string<GSUBProxy> (c=<optimized out>, lookup=..., accel=...) at hb-ot-layout.cc:1165
#11 0x00000000005c551c in hb_ot_map_t::apply<GSUBProxy> (this=0x6190000047f0, proxy=..., plan=0x619000004680, font=<optimized out>, buffer=<optimized out>) at hb-ot-layout.cc:1205
#12 0x00000000005b9a0f in hb_ot_map_t::substitute (this=0x6190000046a8, plan=0x619000004680, font=0x611000009c80, buffer=0x61200000bd40) at hb-ot-layout.cc:1222
#13 0x00000000005427e8 in hb_ot_shape_plan_t::substitute (this=<optimized out>, font=0x611000009c80, buffer=0x61200000bd40) at ./hb-ot-shape-private.hh:59
#14 hb_ot_substitute_complex (c=<optimized out>) at hb-ot-shape.cc:606
#15 hb_ot_substitute (c=<optimized out>) at hb-ot-shape.cc:618
#16 hb_ot_shape_internal (c=<optimized out>) at hb-ot-shape.cc:817
#17 _hb_ot_shape (shape_plan=<optimized out>, font=0x611000009c80, buffer=<optimized out>, features=0x0, num_features=0) at hb-ot-shape.cc:842
#18 0x000000000052082d in hb_shape_plan_execute (shape_plan=<optimized out>, font=<optimized out>, buffer=<optimized out>, features=<optimized out>, num_features=<optimized out>) at ./hb-shaper-list.hh:43
#19 0x000000000051e6b2 in hb_shape_full (font=0x611000009c80, buffer=<optimized out>, features=<optimized out>, num_features=<optimized out>, shaper_list=<optimized out>) at hb-shape.cc:132
#20 hb_shape (font=0x611000009c80, buffer=0x61200000bd40, features=0x0, num_features=0) at hb-shape.cc:160
#21 0x00000000004edda5 in LLVMFuzzerTestOneInput (data=<optimized out>, size=<optimized out>) at hb-fuzzer.cc:30
#22 0x00000000004eed75 in main (argc=<optimized out>, argv=0x7fffffffdf60) at main.cc:21
```
Comment 1•7 years ago
Dupe of https://bugzilla.mozilla.org/show_bug.cgi?id=1295299
Comment 2•7 years ago (Reporter)
I'll move this test case to bug 1295299 since the currently attached test no longer repros.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Updated•5 years ago
Group: gfx-core-security