Closed Bug 1468134 Opened 2 years ago Closed 2 years ago

Graphite2: UBSan: addition of unsigned offset overflowed in [@ graphite2::TtfUtil::GlyfLookup]

Categories

(Core :: Graphics: Text, defect, P3)

Tracking

RESOLVED DUPLICATE of bug 1483566
Tracking Status
firefox62 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-undefined, testcase, Whiteboard: [gfx-noted])

Attachments

(1 file)

Attached file testcase.html
Found in mozilla-central changeset: 422090:874dedd55599. Built with -fsanitize=pointer-overflow.

gfx/graphite2/src/TtfUtil.cpp:1255:25: runtime error: addition of unsigned offset to 0x7f730db27008 overflowed to 0x7f730db27007
    #0 0x7f732db74485 in graphite2::TtfUtil::GlyfLookup(void const*, unsigned long, unsigned long) gfx/graphite2/src/TtfUtil.cpp:1255:25
    #1 0x7f732db5ea5d in graphite2::GlyphCache::Loader::read_glyph(unsigned short, graphite2::GlyphFace&, int*) const gfx/graphite2/src/GlyphCache.cpp:360:28
    #2 0x7f732db5c20b in graphite2::GlyphCache::glyph(unsigned short) const gfx/graphite2/src/GlyphCache.cpp:221:36
    #3 0x7f732db6d8e2 in graphite2::Segment::appendSlot(int, int, int, int, unsigned long) gfx/graphite2/src/Segment.cpp:153:51
    #4 0x7f732db7a810 in void process_utf_data<graphite2::_utf_iterator<unsigned short const> >(graphite2::Segment&, graphite2::Face const&, int, graphite2::_utf_iterator<unsigned short const>, unsigned long) gfx/graphite2/src/Segment.cpp:504:13
    #5 0x7f732db6f3c6 in graphite2::Segment::read_text(graphite2::Face const*, graphite2::FeatureVal const*, gr_encform, void const*, unsigned long) gfx/graphite2/src/Segment.cpp:519:21
    #6 0x7f732db797e6 in (anonymous namespace)::makeAndInitialize(graphite2::Font const*, graphite2::Face const*, unsigned int, graphite2::FeatureVal const*, gr_encform, void const*, unsigned long, int) gfx/graphite2/src/gr_segment.cpp:46:18
    #7 0x7f732db796d4 in gr_make_seg gfx/graphite2/src/gr_segment.cpp:105:24
    #8 0x7f732adfc42d in gfxGraphiteShaper::ShapeText(mozilla::gfx::DrawTarget*, char16_t const*, unsigned int, unsigned int, mozilla::unicode::Script, bool, gfxFontShaper::RoundingFlags, gfxShapedText*) gfx/thebes/gfxGraphiteShaper.cpp:183:23
    #9 0x7f732add35b0 in gfxFont::ShapeText(mozilla::gfx::DrawTarget*, char16_t const*, unsigned int, unsigned int, mozilla::unicode::Script, bool, gfxFontShaper::RoundingFlags, gfxShapedText*) gfx/thebes/gfxFont.cpp:2945:35
    #10 0x7f732add3248 in gfxFont::ShapeText(mozilla::gfx::DrawTarget*, unsigned char const*, unsigned int, unsigned int, mozilla::unicode::Script, bool, gfxFontShaper::RoundingFlags, gfxShapedText*) gfx/thebes/gfxFont.cpp:2921:12
    #11 0x7f732ade4f46 in bool gfxFont::ShapeFragmentWithoutWordCache<unsigned char>(mozilla::gfx::DrawTarget*, unsigned char const*, unsigned int, unsigned int, mozilla::unicode::Script, bool, gfxFontShaper::RoundingFlags, gfxTextRun*) gfx/thebes/gfxFont.cpp:3037:14
    #12 0x7f732ade4b9c in bool gfxFont::ShapeTextWithoutWordCache<unsigned char>(mozilla::gfx::DrawTarget*, unsigned char const*, unsigned int, unsigned int, mozilla::unicode::Script, bool, gfxFontShaper::RoundingFlags, gfxTextRun*) gfx/thebes/gfxFont.cpp:3084:18
    #13 0x7f732ade447b in bool gfxFont::SplitAndInitTextRun<unsigned char>(mozilla::gfx::DrawTarget*, gfxTextRun*, unsigned char const*, unsigned int, unsigned int, mozilla::unicode::Script, mozilla::gfx::ShapedTextFlags) gfx/thebes/gfxFont.cpp:3191:20
    #14 0x7f732ae2da8a in void gfxFontGroup::InitScriptRun<unsigned char>(mozilla::gfx::DrawTarget*, gfxTextRun*, unsigned char const*, unsigned int, unsigned int, mozilla::unicode::Script, gfxMissingFontRecorder*) gfx/thebes/gfxTextRun.cpp:2582:31
    #15 0x7f732ae20b52 in void gfxFontGroup::InitTextRun<unsigned char>(mozilla::gfx::DrawTarget*, gfxTextRun*, unsigned char const*, unsigned int, gfxMissingFontRecorder*) gfx/thebes/gfxTextRun.cpp:2435:13
    #16 0x7f732ae12807 in gfxFontGroup::MakeTextRun(unsigned char const*, unsigned int, gfxTextRunFactory::Parameters const*, mozilla::gfx::ShapedTextFlags, nsTextFrameUtils::Flags, gfxMissingFontRecorder*) gfx/thebes/gfxTextRun.cpp:2315:5
    #17 0x7f732cf939a3 in BuildTextRunsScanner::BuildTextRunForFrames(void*) layout/generic/nsTextFrame.cpp:2408:28
    #18 0x7f732cf9217b in BuildTextRunsScanner::FlushFrames(bool, bool) layout/generic/nsTextFrame.cpp:1697:17
    #19 0x7f732cf96675 in BuildTextRuns(mozilla::gfx::DrawTarget*, nsTextFrame*, nsIFrame*, nsLineList_iterator const*, nsTextFrame::TextRunType) layout/generic/nsTextFrame.cpp:1623:11
    #20 0x7f732cf95c70 in nsTextFrame::EnsureTextRun(nsTextFrame::TextRunType, mozilla::gfx::DrawTarget*, nsIFrame*, nsLineList_iterator const*, unsigned int*) layout/generic/nsTextFrame.cpp:2866:7
    #21 0x7f732cfa83fd in nsTextFrame::ReflowText(nsLineLayout&, int, mozilla::gfx::DrawTarget*, mozilla::ReflowOutput&, nsReflowStatus&) layout/generic/nsTextFrame.cpp:9412:5
    #22 0x7f732cf4e911 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) layout/generic/nsLineLayout.cpp:927:7
    #23 0x7f732cf4e28e in nsInlineFrame::ReflowInlineFrame(nsPresContext*, mozilla::ReflowInput const&, nsInlineFrame::InlineReflowInput&, nsIFrame*, nsReflowStatus&) layout/generic/nsInlineFrame.cpp:717:15
    #24 0x7f732cf4dab8 in nsInlineFrame::ReflowFrames(nsPresContext*, mozilla::ReflowInput const&, nsInlineFrame::InlineReflowInput&, mozilla::ReflowOutput&, nsReflowStatus&) layout/generic/nsInlineFrame.cpp:599:7
    #25 0x7f732cf4d491 in nsInlineFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) layout/generic/nsInlineFrame.cpp:401:3
    #26 0x7f732cf4e94d in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) layout/generic/nsLineLayout.cpp:924:13
    #27 0x7f732ceadf3a in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) layout/generic/nsBlockFrame.cpp:4158:15
    #28 0x7f732cead7ad in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) layout/generic/nsBlockFrame.cpp:3958:5
    #29 0x7f732ceab00c in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) layout/generic/nsBlockFrame.cpp:3832:9
    #30 0x7f732cea8e24 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) layout/generic/nsBlockFrame.cpp:2816:5
    #31 0x7f732cea5778 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) layout/generic/nsBlockFrame.cpp:2352:7
    #32 0x7f732cea332c in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) layout/generic/nsBlockFrame.cpp:1225:3
    #33 0x7f732ceacc89 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) layout/generic/nsBlockReflowContext.cpp:306:11
    #34 0x7f732cea9fe9 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) layout/generic/nsBlockFrame.cpp:3463:11
    #35 0x7f732cea8df1 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) layout/generic/nsBlockFrame.cpp:2813:5
    #36 0x7f732cea5778 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) layout/generic/nsBlockFrame.cpp:2352:7
    #37 0x7f732cea332c in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) layout/generic/nsBlockFrame.cpp:1225:3
    #38 0x7f732cebe11f in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) layout/generic/nsContainerFrame.cpp:951:14
    #39 0x7f732cebdb77 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) layout/generic/nsCanvasFrame.cpp:713:5
    #40 0x7f732cebe11f in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) layout/generic/nsContainerFrame.cpp:951:14
    #41 0x7f732cf223e0 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*, bool) layout/generic/nsGfxScrollFrame.cpp:580:3
    #42 0x7f732cf22c35 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) layout/generic/nsGfxScrollFrame.cpp:703:3
    #43 0x7f732cf23c41 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) layout/generic/nsGfxScrollFrame.cpp:1080:3
    #44 0x7f732ce9cc34 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) layout/generic/nsContainerFrame.cpp:995:14
    #45 0x7f732ce9c84e in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) layout/generic/ViewportFrame.cpp:335:7
    #46 0x7f732cdc81a3 in mozilla::PresShell::DoReflow(nsIFrame*, bool) layout/base/PresShell.cpp:8940:11
    #47 0x7f732cdce6ea in mozilla::PresShell::ProcessReflowCommands(bool) layout/base/PresShell.cpp:9113:24
    #48 0x7f732cdce1b2 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) layout/base/PresShell.cpp:4335:11
    #49 0x7f732cda4854 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) layout/base/nsRefreshDriver.cpp:1923:16
    #50 0x7f732cdaabe1 in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) layout/base/nsRefreshDriver.cpp:301:7
    #51 0x7f732cdaaac8 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) layout/base/nsRefreshDriver.cpp:320:5
    #52 0x7f732cdace4b in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::TimeStamp) layout/base/nsRefreshDriver.cpp:760:5
    #53 0x7f732cdac4ad in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) layout/base/nsRefreshDriver.cpp:673:35
    #54 0x7f732cdac125 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) layout/base/nsRefreshDriver.cpp:574:9
    #55 0x7f732d0d5aee in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) layout/ipc/VsyncChild.cpp:68:16
    #56 0x7f732a3f1e70 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) objdir-ff-ubsan/ipc/ipdl/PVsyncChild.cpp:167:20
    #57 0x7f732a05d84c in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) ipc/glue/MessageChannel.cpp:2134:25
    #58 0x7f732a05c85c in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) ipc/glue/MessageChannel.cpp:2064:17
    #59 0x7f732a05d2b0 in mozilla::ipc::MessageChannel::MessageTask::Run() ipc/glue/MessageChannel.cpp:1943:15
    #60 0x7f732985c472 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:1088:14
    #61 0x7f732987af5e in NS_ProcessNextEvent(nsIThread*, bool) xpcom/threads/nsThreadUtils.cpp:519:10
    #62 0x7f732a06037f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:97:21
    #63 0x7f7329fc9a89 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:298:3
    #64 0x7f732cb97fff in nsBaseAppShell::Run() widget/nsBaseAppShell.cpp:157:27
    #65 0x7f732e91a993 in XRE_RunAppShell() toolkit/xre/nsEmbedFunctions.cpp:896:22
    #66 0x7f732a060a98 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:269:9
    #67 0x7f7329fc9a89 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:298:3
    #68 0x7f732e91a552 in XRE_InitChildProcess(int, char**, XREChildData const*) toolkit/xre/nsEmbedFunctions.cpp:722:34
    #69 0x430a7a in content_process_main(mozilla::Bootstrap*, int, char**) browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #70 0x430b40 in main browser/app/nsBrowserApp.cpp:287:18
    #71 0x7f734c43e1c0 in __libc_start_main /build/glibc-itYbWN/glibc-2.26/csu/../csu/libc-start.c:308
    #72 0x4092e9 in _start (firefox+0x4092e9)
Flags: in-testsuite?

Any suggestions on how to handle a pointer overflow in the code that is written to check for a pointer overflow?

Fixed? in 2a23be32111cd75fc8851ed34615fc208929b8c8 with some casting footwork. Untested.

Here's a link to the potential fix [1]. If that does indeed fix this issue, we could consider updating to it. I'm not sure what our policy on updating graphite is.

[1] https://github.com/silnrsi/graphite/commit/2a23be32111cd75fc8851ed34615fc208929b8c8
Whiteboard: [gfx-noted]
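The question raised in the comments above is the general one behind this report: a range check written as `base + offset < base` is itself pointer arithmetic, so the addition that forms the out-of-range pointer is undefined before the comparison ever runs, and that addition is what -fsanitize=pointer-overflow flags (in the report above the sum lands one byte before the table base). The usual answer is to do the check on integers and only form the pointer afterwards; casting to uintptr_t first is the other common route. The following C is an added illustration written for this page, not graphite2's TtfUtil code and not the linked commit; the function names, the 16-byte `sample_table` and the `need` parameter are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed 16-byte stand-in for a font table such as glyf (not real
 * font data); offsets below are relative to its start. */
static const uint8_t sample_table[16] = {
    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
    0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
};

/* Anti-pattern (hypothetical, not graphite2's code): the range check is
 * done in the pointer domain. `base + offset` is computed before it is
 * known to land inside the table, so for a font-controlled offset the
 * addition itself is undefined behaviour; that is the operation
 * -fsanitize=pointer-overflow reports. A compiler is also entitled to
 * assume `base + offset >= base` and delete the first comparison.
 * Never call this with an out-of-range offset. */
const uint8_t *lookup_pointer_domain(const uint8_t *base, size_t table_len,
                                     size_t offset, size_t need)
{
    const uint8_t *p = base + offset;                 /* UB when out of range */
    if (p < base || p + need > base + table_len)      /* UB again */
        return NULL;
    return p;
}

/* Hardened form: every comparison is on size_t, whose wrap-around is
 * defined, and the pointer is formed only once [offset, offset+need) is
 * known to lie within [0, table_len]. Returns NULL on any violation. */
const uint8_t *lookup_integer_domain(const uint8_t *base, size_t table_len,
                                     size_t offset, size_t need)
{
    if (base == NULL)
        return NULL;
    if (offset > table_len)            /* offset alone is past the end */
        return NULL;
    if (need > table_len - offset)     /* cannot wrap: offset <= table_len */
        return NULL;
    return base + offset;              /* inside, or exactly one past, the table */
}

/* Alternative when the check must stay "pointer shaped": convert to
 * uintptr_t first, so the addition and the comparisons are ordinary
 * unsigned integer arithmetic. This is the general idea behind casting
 * before the check; the exact code of the linked commit is not
 * reproduced here. */
const uint8_t *lookup_uintptr_domain(const uint8_t *base, size_t table_len,
                                     size_t offset, size_t need)
{
    uintptr_t b   = (uintptr_t)base;
    uintptr_t end = b + table_len;     /* one past a real object: cannot wrap */
    uintptr_t p   = b + offset;        /* may wrap; a wrap shows up as p < b */
    if (base == NULL || p < b || p > end || end - p < need)
        return NULL;
    return base + offset;              /* offset already validated above */
}

int main(void)
{
    /* Constructed offsets: one that overruns by a few bytes, and two that
     * wrap the pointer addition on any 64-bit or 32-bit target. */
    size_t bad[] = { 13, SIZE_MAX, SIZE_MAX / 2 };
    printf("in-range lookup -> %p\n",
           (const void *)lookup_integer_domain(sample_table, 16, 4, 4));
    for (size_t i = 0; i < sizeof bad / sizeof bad[0]; i++)
        printf("offset %zu -> %s\n", bad[i],
               lookup_integer_domain(sample_table, 16, bad[i], 4) ? "accepted"
                                                                  : "rejected");
    return 0;
}
```

Built with -fsanitize=pointer-overflow, only the first function fires, and only when fed an out-of-range offset; the other two never perform the undefined addition. On a release build without the sanitizer the wrapped pointer in the first function would simply be used, which is why a check of this shape is not a check at all. The integer-domain version is the one to prefer: it needs no cast, and the `offset > table_len` test before the subtraction is what keeps `table_len - offset` from wrapping.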

Looks like bug 1483566 included the fix as part of the update.
Status: NEW → RESOLVED
Closed: 2 years ago
Priority: -- → P3
Resolution: --- → DUPLICATE
Duplicate of bug: 1483566