1450057 - crash near null in libfreetype when loading axis-praxis.org

Status: VERIFIED FIXED

(Core :: Graphics: Text, defect, P3)

Description

[Tyson Smith [:tsmith]]

This happens on Ubuntu 16.04 on the latest nightly builds when opening axis-praxis.org

==4992==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f73d6751e0e bp 0x6070001e6120 sp 0x7fff61c403f0 T0)
==4992==The signal is caused by a READ memory access.
==4992==Hint: address points to the zero page.
    #0 0x7f73d6751e0d  (/usr/lib/x86_64-linux-gnu/libfreetype.so.6+0x26e0d)
    #1 0x7f73d6752be1  (/usr/lib/x86_64-linux-gnu/libfreetype.so.6+0x27be1)
    #2 0x7f73d6758643  (/usr/lib/x86_64-linux-gnu/libfreetype.so.6+0x2d643)
    #3 0x7f73d674183a in FT_Load_Glyph (/usr/lib/x86_64-linux-gnu/libfreetype.so.6+0x1683a)
    #4 0x7f73d6786d80  (/usr/lib/x86_64-linux-gnu/libfreetype.so.6+0x5bd80)
    #5 0x7f73d6741a44 in FT_Load_Glyph (/usr/lib/x86_64-linux-gnu/libfreetype.so.6+0x16a44)
    #6 0x7f73c25bdfab in gfxFT2FontBase::GetFTGlyphAdvance(unsigned short, int*) src/gfx/thebes/gfxFT2FontBase.cpp:559:24
    #7 0x7f73c25bc520 in GetCharWidth src/gfx/thebes/gfxFT2FontBase.cpp:178:14
    #8 0x7f73c25bc520 in gfxFT2FontBase::InitMetrics() src/gfx/thebes/gfxFT2FontBase.cpp:421
    #9 0x7f73c25bb195 in gfxFT2FontBase::gfxFT2FontBase(RefPtr<mozilla::gfx::UnscaledFontFreeType> const&, _cairo_scaled_font*, gfxFontEntry*, gfxFontStyle const*, bool) src/gfx/thebes/gfxFT2FontBase.cpp:37:5
    #10 0x7f73c25c435f in gfxFontconfigFont src/gfx/thebes/gfxFcPlatformFontList.cpp:1435:7
    #11 0x7f73c25c435f in gfxFontconfigFontEntry::CreateFontInstance(gfxFontStyle const*, bool) src/gfx/thebes/gfxFcPlatformFontList.cpp:1045
    #12 0x7f73c26cf478 in gfxFontEntry::FindOrMakeFont(gfxFontStyle const*, bool, gfxCharacterMap*) src/gfx/thebes/gfxFontEntry.cpp:272:28
    #13 0x7f73c27440fa in gfxFontGroup::GetFontAt(int, unsigned int) src/gfx/thebes/gfxTextRun.cpp:1935:20
    #14 0x7f73c274695a in gfxFontGroup::GetFirstValidFont(unsigned int) src/gfx/thebes/gfxTextRun.cpp:2116:16
    #15 0x7f73c2777584 in void gfxFontGroup::InitScriptRun<unsigned char>(mozilla::gfx::DrawTarget*, gfxTextRun*, unsigned char const*, unsigned int, unsigned int, mozilla::unicode::Script, gfxMissingFontRecorder*) src/gfx/thebes/gfxTextRun.cpp:2552:25
    #16 0x7f73c274bfd4 in void gfxFontGroup::InitTextRun<unsigned char>(mozilla::gfx::DrawTarget*, gfxTextRun*, unsigned char const*, unsigned int, gfxMissingFontRecorder*) src/gfx/thebes/gfxTextRun.cpp:2439:13
    #17 0x7f73c274a1cc in gfxFontGroup::MakeTextRun(unsigned char const*, unsigned int, gfxTextRunFactory::Parameters const*, mozilla::gfx::ShapedTextFlags, nsTextFrameUtils::Flags, gfxMissingFontRecorder*) src/gfx/thebes/gfxTextRun.cpp:2320:5
    #18 0x7f73c8300b42 in BuildTextRunsScanner::BuildTextRunForFrames(void*) src/layout/generic/nsTextFrame.cpp:2406:28
    #19 0x7f73c82fa1d8 in BuildTextRunsScanner::FlushFrames(bool, bool) src/layout/generic/nsTextFrame.cpp:1699:17
    #20 0x7f73c830b467 in BuildTextRuns src/layout/generic/nsTextFrame.cpp:1625:11
    #21 0x7f73c830b467 in nsTextFrame::EnsureTextRun(nsTextFrame::TextRunType, mozilla::gfx::DrawTarget*, nsIFrame*, nsLineList_iterator const*, unsigned int*) src/layout/generic/nsTextFrame.cpp:2864
    #22 0x7f73c834ef40 in nsTextFrame::ReflowText(nsLineLayout&, int, mozilla::gfx::DrawTarget*, mozilla::ReflowOutput&, nsReflowStatus&) src/layout/generic/nsTextFrame.cpp:9426:5
    #23 0x7f73c827e451 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) src/layout/generic/nsLineLayout.cpp:927:7
    #24 0x7f73c80b851d in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) src/layout/generic/nsBlockFrame.cpp:4158:15
    #25 0x7f73c80b6ec7 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) src/layout/generic/nsBlockFrame.cpp:3958:5
    #26 0x7f73c80adbe9 in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3832:9
    #27 0x7f73c80a5b20 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2816:5
    #28 0x7f73c809b3a0 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2352:7
    #29 0x7f73c80928c5 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1225:3
    #30 0x7f73c80b4447 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) src/layout/generic/nsBlockReflowContext.cpp:306:11
    #31 0x7f73c80a8333 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3463:11
    #32 0x7f73c80a5c75 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2813:5
    #33 0x7f73c809b3a0 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2352:7
    #34 0x7f73c80928c5 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1225:3
    #35 0x7f73c80b4447 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) src/layout/generic/nsBlockReflowContext.cpp:306:11
    #36 0x7f73c80c872a in nsBlockFrame::ReflowFloat(mozilla::BlockReflowInput&, mozilla::LogicalRect const&, nsIFrame*, mozilla::LogicalMargin&, mozilla::LogicalMargin&, bool, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:6333:9
    #37 0x7f73c8027d2d in mozilla::BlockReflowInput::FlowAndPlaceFloat(nsIFrame*) src/layout/generic/BlockReflowInput.cpp:916:13
    #38 0x7f73c8025e4f in mozilla::BlockReflowInput::AddFloat(nsLineLayout*, nsIFrame*, int) src/layout/generic/BlockReflowInput.cpp:627:14
    #39 0x7f73c827e971 in AddFloat src/layout/generic/nsLineLayout.h:182:22
    #40 0x7f73c827e971 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) src/layout/generic/nsLineLayout.cpp:966
    #41 0x7f73c80b851d in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) src/layout/generic/nsBlockFrame.cpp:4158:15
    #42 0x7f73c80b6ec7 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) src/layout/generic/nsBlockFrame.cpp:3958:5
    #43 0x7f73c80adbe9 in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3832:9
    #44 0x7f73c80a5b20 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2816:5
    #45 0x7f73c809b3a0 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2352:7
    #46 0x7f73c80928c5 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1225:3
    #47 0x7f73c80b4447 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) src/layout/generic/nsBlockReflowContext.cpp:306:11
    #48 0x7f73c80a8333 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3463:11
    #49 0x7f73c80a5c75 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2813:5
    #50 0x7f73c809b3a0 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2352:7
    #51 0x7f73c80928c5 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1225:3
    #52 0x7f73c80b4447 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) src/layout/generic/nsBlockReflowContext.cpp:306:11
    #53 0x7f73c80a8333 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3463:11
    #54 0x7f73c80a5c75 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2813:5
    #55 0x7f73c809b3a0 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2352:7
    #56 0x7f73c80928c5 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1225:3
    #57 0x7f73c80f62b6 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:940:14
    #58 0x7f73c80f4afd in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsCanvasFrame.cpp:713:5
    #59 0x7f73c80f62b6 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:940:14
    #60 0x7f73c81d1f88 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*, bool) src/layout/generic/nsGfxScrollFrame.cpp:554:3
    #61 0x7f73c81d33a9 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) src/layout/generic/nsGfxScrollFrame.cpp:677:3
    #62 0x7f73c81d7388 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsGfxScrollFrame.cpp:1054:3
    #63 0x7f73c807687e in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:984:14
    #64 0x7f73c80753f9 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/ViewportFrame.cpp:335:7
    #65 0x7f73c7e559d1 in mozilla::PresShell::DoReflow(nsIFrame*, bool) src/layout/base/PresShell.cpp:8822:11
    #66 0x7f73c7e6b260 in mozilla::PresShell::ProcessReflowCommands(bool) src/layout/base/PresShell.cpp:8995:24
    #67 0x7f73c7e69683 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/PresShell.cpp:4298:11
    #68 0x7f73c5bc34d9 in FlushPendingNotifications src/obj-firefox/dist/include/nsIPresShell.h:570:5
    #69 0x7f73c5bc34d9 in FlushPendingEvents src/dom/events/EventStateManager.cpp:5357
    #70 0x7f73c5bc34d9 in mozilla::EventStateManager::PreHandleEvent(nsPresContext*, mozilla::WidgetEvent*, nsIFrame*, nsIContent*, nsEventStatus*) src/dom/events/EventStateManager.cpp:735
    #71 0x7f73c7e8eace in mozilla::PresShell::HandleEventInternal(mozilla::WidgetEvent*, nsEventStatus*, bool) src/layout/base/PresShell.cpp:7599:19
    #72 0x7f73c7e8c708 in mozilla::PresShell::HandleEventWithTarget(mozilla::WidgetEvent*, nsIFrame*, nsIContent*, nsEventStatus*, bool, nsIContent**) src/layout/base/PresShell.cpp:7420:17
    #73 0x7f73c5cc7e3c in mozilla::PointerEventHandler::DispatchPointerFromMouseOrTouch(mozilla::PresShell*, nsIFrame*, nsIContent*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*, nsIContent**) src/dom/events/PointerEventHandler.cpp:535:12
    #74 0x7f73c7e89d00 in mozilla::PresShell::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) src/layout/base/PresShell.cpp:7201:7
    #75 0x7f73c780fda9 in nsViewManager::DispatchEvent(mozilla::WidgetGUIEvent*, nsView*, nsEventStatus*) src/view/nsViewManager.cpp:812:14
    #76 0x7f73c780f5b2 in nsView::HandleEvent(mozilla::WidgetGUIEvent*, bool) src/view/nsView.cpp:1139:9
    #77 0x7f73c7875b2c in mozilla::widget::PuppetWidget::DispatchEvent(mozilla::WidgetGUIEvent*, nsEventStatus&) src/widget/PuppetWidget.cpp:410:35
    #78 0x7f73c23a5abc in mozilla::layers::APZCCallbackHelper::DispatchWidgetEvent(mozilla::WidgetGUIEvent&) src/gfx/layers/apz/util/APZCCallbackHelper.cpp:500:21
    #79 0x7f73c715a317 in DispatchWidgetEventViaAPZ src/dom/ipc/TabChild.cpp:1794:10
    #80 0x7f73c715a317 in mozilla::dom::TabChild::HandleRealMouseButtonEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) src/dom/ipc/TabChild.cpp:1734
    #81 0x7f73c70ed5f4 in mozilla::dom::TabChild::ProcessPendingCoalescedMouseDataAndDispatchEvents() src/dom/ipc/TabChild.cpp:1576:7
    #82 0x7f73c7df8857 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:1884:12
    #83 0x7f73c7e08d40 in TickDriver src/layout/base/nsRefreshDriver.cpp:338:13
    #84 0x7f73c7e08d40 in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:308
    #85 0x7f73c7e08906 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:330:5
    #86 0x7f73c7e0b67e in RunRefreshDrivers src/layout/base/nsRefreshDriver.cpp:771:5
    #87 0x7f73c7e0b67e in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:684
    #88 0x7f73c7e0b27e in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:585:9
    #89 0x7f73c86b6aef in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) src/layout/ipc/VsyncChild.cpp:68:16
    #90 0x7f73c1277730 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:156:20
    #91 0x7f73c11625d4 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:1968:28
    #92 0x7f73c0d00a9e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2135:25
    #93 0x7f73c0cfda21 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2065:17
    #94 0x7f73c0cff21c in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1911:5
    #95 0x7f73c0cff878 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1944:15
    #96 0x7f73bfe27358 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1096:14
    #97 0x7f73bfe436c0 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:519:10
    #98 0x7f73c0d085f6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:125:5
    #99 0x7f73c0c5bb09 in RunInternal src/ipc/chromium/src/base/message_loop.cc:326:10
    #100 0x7f73c0c5bb09 in RunHandler src/ipc/chromium/src/base/message_loop.cc:319
    #101 0x7f73c0c5bb09 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299
    #102 0x7f73c789f96a in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:157:27
    #103 0x7f73cbb377bb in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:893:22
    #104 0x7f73c0c5bb09 in RunInternal src/ipc/chromium/src/base/message_loop.cc:326:10
    #105 0x7f73c0c5bb09 in RunHandler src/ipc/chromium/src/base/message_loop.cc:319
    #106 0x7f73c0c5bb09 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299
    #107 0x7f73cbb3719a in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:719:34
    #108 0x4f1875 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #109 0x4f1875 in main src/browser/app/nsBrowserApp.cpp:280
    #110 0x7f73df76182f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #111 0x420f48 in _start (m-c-1522274149-asan-opt/firefox+0x420f48)

Comment 1

[Jonathan Kew [:jfkthame]]

Ouch. OK, let's see if I can reproduce that... looks like I have a newer freetype locally on my Ubuntu system, which probably masks it. We may need a runtime version check if there are older versions that crash on these fonts.

Comment 2

[Jonathan Kew [:jfkthame]]

Doesn't readily reproduce for me. :\  I removed my local freetype (2.8.1), so that Nightly uses the system's version instead (2.6.1); that made the variation fonts no longer render properly, but didn't lead to a crash.

What exact freetype version do you have there?

Comment 3

[Tyson Smith [:tsmith]]

$ apt-get changelog libfreetype6
freetype (2.6.1-0.1ubuntu2.3) xenial-security; urgency=medium

  * SECURITY UPDATE: out-of-bounds write in t1_decoder_parse_charstrings
    - debian/patches-freetype/CVE-2017-8105.patch: add a check to
      src/psaux/t1decode.c.
    - CVE-2017-8105
  * SECURITY UPDATE: out-of-bounds write in t1_builder_close_contour
    - debian/patches-freetype/CVE-2017-8287.patch: add a check to
      src/psaux/psobjs.c.
    - CVE-2017-8287

And I was running a ASan build[1] with a fresh profile.

[1] https://tools.taskcluster.net/index/gecko.v2.mozilla-central.latest.firefox/linux64-asan-opt

Comment 4

[roxleitan]

I managed to reproduce the crash on Ubuntu 16.04 x64 with Nightly 61.0a1 (2018-03-30).

The crash is not reproducible with "layout.css.font-variations.enabled" set to False.

Comment 5

[Jonathan Kew [:jfkthame]]

This appears to be a bug in FreeType 2.6.1. Updating to FreeType 2.6.2 or later avoids the crash. However, 2.6.1 is the latest offered in the standard Ubuntu repositories for 16.04, so we have to assume it will still be fairly common, and work around this problem.

So I propose to add a runtime version check and simply disable variation-font features if the installed version of freetype is too old to reliably support it.

Testing of variation fonts on Linux, then, will require either a newer Linux distro that ships a more up-to-date freetype (2.8 or later preferred, though 2.7.1 seems to work OK in my testing) or a manually-installed freetype update.

Comment 6

[Maire Reavy [:mreavy]]

Hi Jonathan -- This is currently a blocker for shipping Variable Fonts.  Will you have time to fix/workaround this as you recommend in comment 5 by Wed, April 18th?  (Fri, April 20th is when we need to make a go/no-go decision on whether we ship in 61 or slip to 62.) I can find another owner for this if that makes more sense. Thanks.

Comment 7

[Jonathan Kew [:jfkthame]]

This should be fixed as a result of bug 1451296, which means we will not attempt to render variations if the installed version of FreeType is too old for our needs.

Tyson, can you confirm this is no longer an issue?

Comment 8

[Tyson Smith [:tsmith]]

"layout.css.font-variations.enabled" is set to "false" and is locked as expected. Since the pref is force disabled I cannot trigger any crashes. So looks good to me.

Comment 9

[Jonathan Kew [:jfkthame]]

OK, let's call this fixed.

(Though when you have a moment, you might like to update your FreeType so as to get access to variation fonts again, and then see if any more issues show up...)

Comment 10

[roxleitan]

I confirm that the issue is no longer reproducible on the latest Nightly 61.0a1(2018-04-13)on Ubuntu 16.04 x64 and "layout.css.font-variations.enabled" is set to "false" by default