566209 - Harfbuzz UMR [@ _hb_ot_layout_skip_mark]

Status: RESOLVED WORKSFORME

(Core :: Graphics, defect)

Description

[Jesse Ruderman]

Attachment: valgrind output

On Leopard:
1. Apply the patch queue from bug 449292
2. Run Firefox under Valgrind, loading gfx/thebes/crashtests/377232-1.xhtml

Result: "Conditional jump or move depends on uninitialised value(s)" in _hb_ot_layout_skip_mark and several other functions.

Even though Firefox trunk doesn't use harfbuzz yet, I'm marking this as security-sensitive in case this affects other software that uses harfbuzz.

Comment 1

[Jonathan Kew [:jfkthame]]

Jesse, could you please re-test with the latest patch queue from bug 449292, and see if this still occurs? There have been a lot of updates to the harfbuzz code in the last few weeks. I just tried this and was not able to reproduce the issue with the current patches.

Comment 2

[Jesse Ruderman]

Yeah, still happens on trunk for me on Mac OS X 10.5.x.

Comment 3

[Bas Schouten (:bas.schouten)]

Jonathan, could you make sure this is not a problematic security issue?

Comment 4

[Jonathan Kew [:jfkthame]]

There have been numerous updates to harfbuzz in the past couple years, including a rewrite of the mark-skipping code that appears to have been involved here. Hence, wondering whether this is still an issue, or if it has been resolved along the way. Jesse, could you confirm whether this happens with current trunk?

Comment 5

[Jonathan Kew [:jfkthame]]

Closing this as WORKSFORME, given no recent activity and that the harfbuzz code here has been substantially rewritten since this report. Please file a new bug if this shows up again with current code.