FF crashes on files containing 0xea (\^e) [@ HB_GDEF_Get_Glyph_Property]

RESOLVED INVALID

Status

()

Core
Layout: Text
--
critical
RESOLVED INVALID
10 years ago
7 years ago

People

(Reporter: MartinP, Unassigned)

Tracking

({crash})

1.9.0 Branch
x86
Linux
crash
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(crash signature)

(Reporter)

Description

10 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.16) Gecko/20080719 Firefox/2.0.0.16
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.16) Gecko/20080719 Firefox/2.0.0.16, and others

FF 2.0.0.16 and FF 3.0 crash for the following URL:

http://bugs.kde.org/show_bug.cgi?id=137320

The problem seems to be the byte 0xEA somewhere in the comments.

Reproducible: Always

Steps to Reproduce:
1. Redirect browser to "http://bugs.kde.org/show_bug.cgi?id=137320"

Actual Results:  
FF crashed (segfault in Linux)

Expected Results:  
No crash
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1

I get no connection with http://bugs.kde.org/show_bug.cgi?id=137320 ;
no crash either.
Ok, suddenly I see the page. 
no crash with FF3.01 on win32.

If you use a binary Firefox build from Mozilla.org then send a crash report with the crashreporter, open about:crashes and post the ID here.
If you are using a build from somewhere else or compiled it yourself then attach a Stack trace.
Component: General → Layout: Fonts and Text
Keywords: crash
Product: Firefox → Core
QA Contact: general → layout.fonts-and-text
Version: unspecified → 1.9.0 Branch
(Reporter)

Comment 4

10 years ago
I downloaded FF3.01 for Linux minutes ago and it did crash.  The ID is 3c4e527d-5630-11dd-8cef-001a4bd43e5cmv.
(Reporter)

Comment 5

10 years ago
(In reply to comment #4)
> I downloaded FF3.01 for Linux minutes ago and it did crash.  The ID is
> 3c4e527d-5630-11dd-8cef-001a4bd43e5cmv.

It should be only: 3c4e527d-5630-11dd-8cef-001a4bd43e5c .

Sorry, typo.

Comment 6

10 years ago
Signature	
UUID	3c4e527d-5630-11dd-8cef-001a4bd43e5c
Time	2008-07-20 00:47:15-07:00
Uptime	34
Product	Firefox
Version	3.0.1
Build ID	2008070206
OS	
OS Version	
CPU	
CPU Info	
Crash Reason	
Crash Address	
Comments	

um.... luser?
I dunno. File a server ops or socorro bug.
(Reporter)

Comment 8

10 years ago
reg. "luser": I have not modified the crash-report.

Manual backtrace shows little info as I don't have debug symbols:

#0  0xb67ca2ad in ?? () from /usr/lib/libpangoft2-1.0.so.0
#1  0x002c0001 in ?? ()
#2  0x09533ed8 in ?? ()
#3  0x00000108 in ?? ()
#4  0xbfaa3efe in ?? ()
#5  0xbfaa3efc in ?? ()
#6  0xa7865ab0 in ?? ()
#7  0x002c002c in ?? ()
#8  0x0000ffff in ?? ()
#9  0x00008868 in ?? ()
#10 0x00000000 in ?? ()

Comment 9

10 years ago
well, install symbols for pango from your distro and try to get at least some sort of stack trace....
(Reporter)

Comment 10

10 years ago
more detailed backtrace:

#0  HB_GDEF_Get_Glyph_Property (gdef=0xa6735d60, glyphID=21505, property=0xa7efbd28) at harfbuzz-gdef.c:727
#1  0xb6719c54 in _HB_GDEF_Check_Property (gdef=0x0, gitem=0xa7efbd18, flags=0, property=0xbfddcbfe)
    at harfbuzz-gdef.c:1087
#2  0xb671a691 in GSUB_Do_Glyph_Lookup (gsub=0xa6783e80, lookup_index=51457, buffer=0x95038eb0, context_length=65535, 
    nesting_level=1) at harfbuzz-gsub.c:3688
#3  0xb671c258 in HB_GSUB_Apply_String (gsub=0xa6783e80, buffer=0x95038eb0) at harfbuzz-gsub.c:4206
#4  0xb671538f in pango_ot_ruleset_substitute (ruleset=0xa8219a00, buffer=0xffffffff) at pango-ot-ruleset.c:521
#5  0xaf021ea2 in basic_engine_shape (engine=0x95019330, font=0xa809baf8, text=0xbfddce08 " \\ѶôÏâ¶", 
    length=-1474192896, analysis=0xbfddce14, glyphs=0xa77f9040) at basic-fc.c:211
#6  0xb6dfcd56 in _pango_engine_shape_shape (engine=0xbfddc901, font=0xffffffff, 
    text=0xffffffff <Address 0xffffffff out of bounds>, length=-1, analysis=0xffffffff, glyphs=0xffffffff)
    at pango-engine.c:71
#7  0xb6e0df74 in pango_shape (text=0xbfddce08 " \\ѶôÏâ¶", length=1, analysis=0xbfddce14, glyphs=0xa77f9040)
    at shape.c:55
#8  0xb7c9141b in ?? () from /opt/firefox/libxul.so
#9  0xbfddce08 in ?? ()
#10 0x00000001 in ?? ()
#11 0xbfddce14 in ?? ()
#12 0xa77f9040 in ?? ()
#13 0xa809baf8 in ?? ()
#14 0xb6206a58 in ?? ()
#15 0x00000020 in ?? ()
#16 0xb7c91399 in ?? () from /opt/firefox/libxul.so
#17 0xa809baf8 in ?? ()
#18 0xbfddce14 in ?? ()
#19 0xb6d15c20 in g_object_unref () from /usr/lib/libgobject-2.0.so.0
#20 0xa809baf8 in ?? ()

Comment 11

10 years ago
  case UNCLASSIFIED_GLYPH:
    *property = 0;

is what i see in http://svn.gnome.org/svn/pango/trunk/pango/opentype/harfbuzz-gdef.c @ r2546 

if you can go to frame 0 in gdb, try:

p *property

anyway, you're eventually going to need to file a bug against harfbuzz/pango, as this isn't our stuff.

pango bugs live in bugzilla.gnome.org: http://bugzilla.gnome.org/enter_bug.cgi?product=Pango
harfbuzz bugs live in bugs.freedesktop.org: https://bugs.freedesktop.org/enter_bug.cgi?product=HarfBuzz
Summary: FF crashes on files containing 0xea (\^e) → FF crashes on files containing 0xea (\^e) [@ HB_GDEF_Get_Glyph_Property]
(Reporter)

Comment 12

10 years ago
The problem seems to be pango-1.20.3.  It works with pango-1.20.5 and pango-1.18.4.

Fixed for me.
(Reporter)

Updated

10 years ago
Status: UNCONFIRMED → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → INVALID
(Assignee)

Updated

7 years ago
Crash Signature: [@ HB_GDEF_Get_Glyph_Property]
You need to log in before you can comment on or make changes to this bug.