Bug 570968 - Division By Zero in pango code with font containing bad GPOS table
Status: RESOLVED FIXED
Whiteboard: [sg:dos]
Keywords: crash, testcase
Product: Core
Classification: Components
Component: Graphics
Version: unspecified
Platform: x86 Linux
Importance: -- critical
Target Milestone: ---
Assigned To: John Daggett (:jtd)
Mentors:
Depends on: 580962
Blocks: fuzzing-fonts

Reported: 2010-06-09 08:13 PDT by Christoph Diehl [:posidron]
Modified: 2012-07-16 16:56 PDT
CC: 6 users
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

Attachments
testcase (170.98 KB, application/java-archive), 2010-06-09 08:15 PDT, Christoph Diehl [:posidron]
stacktrace (3.41 KB, text/plain), 2010-06-09 08:16 PDT, Christoph Diehl [:posidron]

Description Christoph Diehl [:posidron] 2010-06-09 08:13:47 PDT
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.0; de; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.3a5pre) Gecko/20100608 Minefield/3.7a5pre

###!!! ABORT: Divide by zero: file /home/posidron/Mozilla/mozcentral/toolkit/xre/nsSigHandlers.cpp, line 206

Reproducible: Always

Steps to Reproduce:
Load the provided .html file.
Comment 1 Christoph Diehl [:posidron] 2010-06-09 08:15:47 PDT
Created attachment 450121 [details]
testcase
Comment 2 Christoph Diehl [:posidron] 2010-06-09 08:16:23 PDT
Created attachment 450122 [details]
stacktrace
Comment 3 John Daggett (:jtd) 2010-06-09 21:02:32 PDT
The stacktrace is in Pango code, not in harfbuzz code:

#0  0x0068f716 in ?? () from /usr/lib/libpangoft2-1.0.so.0
#1  0x0068fe02 in ?? () from /usr/lib/libpangoft2-1.0.so.0
#2  0x006854a6 in ?? () from /usr/lib/libpangoft2-1.0.so.0
#3  0x0068127b in ?? () from /usr/lib/libpangoft2-1.0.so.0
#4  0x0067dd03 in pango_ot_info_get () from /usr/lib/libpangoft2-1.0.so.0
#5  0x04b4105d in ?? () from /usr/lib/pango/1.6.0/modules/pango-basic-fc.so
#6  0x0053383a in ?? () from /usr/lib/libpango-1.0.so.0
#7  0x005462ac in pango_shape () from /usr/lib/libpango-1.0.so.0
#8  0x01c54c11 in gfxPangoFontGroup::CreateGlyphRunsItemizing (this=0x1c55aba, aTextRun=0xb161aa10, aUTF8=0xbf9b0f3c "?Lorem ipsum", aUTF8Length=3214610236, 
    aUTF8HeaderLen=3) at /home/posidron/Mozilla/mozcentral/gfx/thebes/src/gfxPangoFonts.cpp:3096
#9  0x01c55aba in gfxPangoFontGroup::InitTextRun (this=0xb161aa10, aTextRun=0xb0473700, aUTF8Text=0xbf9b0f3c "?Lorem ipsum", aUTF8Length=14, aUTF8HeaderLength=3, 
    aTake8BitPath=1) at /home/posidron/Mozilla/mozcentral/gfx/thebes/src/gfxPangoFonts.cpp:2445
#10 0x01c55c76 in gfxPangoFontGroup::MakeTextRun (this=0xb161aa10, aString=0xbf9b1440 "Lorem ipsum\277|D<", aLength=3214611520, aParams=0xbf9b1008, 
    aFlags=<value optimized out>) at /home/posidron/Mozilla/mozcentral/gfx/thebes/src/gfxPangoFonts.cpp:2381
#11 0x01c49d24 in TextRunWordCache::MakeTextRun (this=0xb3ba8ce0, aText=0xbf9b298c "Lorem ipsum", aLength=11, aFontGroup=0xb161aa10, aParams=0xbf9b162c, 
    aFlags=<value optimized out>) at /home/posidron/Mozilla/mozcentral/gfx/thebes/src/gfxTextRunWordCache.cpp:817
Comment 4 Karl Tomlinson (:karlt) 2010-06-09 21:28:50 PDT
Here, with Pango-1.26.2, it is clearly in hb:
#0  0x00007ffff32e7850 in _hb_sanitize_array (this=0x7fffd2f16698, context=
    0x7fffffff4b60) at hb-open-type-private.hh:219
#1  PairPosFormat2::sanitize (this=0x7fffd2f16698, context=0x7fffffff4b60)
    at hb-ot-layout-gpos-private.hh:625
#2  PairPos::sanitize (this=0x7fffd2f16698, context=0x7fffffff4b60)
    at hb-ot-layout-gpos-private.hh:677
#3  PosLookupSubTable::sanitize (this=0x7fffd2f16698, context=0x7fffffff4b60)
    at hb-ot-layout-gpos-private.hh:1337
#4  0x00007ffff32deaa7 in GenericOffsetTo<USHORT, PosLookupSubTable>::sanitize
    (face=0x7fffc4b48980) at hb-open-type-private.hh:477
#5  GenericArrayOf<USHORT, OffsetTo<PosLookupSubTable> >::sanitize (face=
    0x7fffc4b48980) at hb-open-type-private.hh:541
#6  PosLookup::sanitize (face=0x7fffc4b48980)
    at hb-ot-layout-gpos-private.hh:1448
#7  GenericOffsetTo<USHORT, PosLookup>::sanitize (face=0x7fffc4b48980)
    at hb-open-type-private.hh:477
#8  GenericArrayOf<USHORT, OffsetTo<PosLookup> >::sanitize (face=
    0x7fffc4b48980) at hb-open-type-private.hh:541
#9  OffsetListOf<PosLookup>::sanitize (face=0x7fffc4b48980)
    at hb-open-type-private.hh:600
#10 GenericOffsetTo<USHORT, OffsetListOf<PosLookup> >::sanitize (face=
    0x7fffc4b48980) at hb-open-type-private.hh:477
#11 GPOS::sanitize (face=0x7fffc4b48980) at hb-ot-layout-gpos-private.hh:1479
#12 Sanitizer<GPOS>::sanitize (face=0x7fffc4b48980)
    at hb-open-type-private.hh:286
#13 _hb_ot_layout_init (face=0x7fffc4b48980) at hb-ot-layout.cc:53
#14 0x00007ffff32da066 in hb_face_create_for_data (
    blob=<value optimized out>, index=0) at hb-font.cc:182
#15 0x00007ffff32d76e3 in pango_ot_info_get (face=0x7fffd30e0800)
    at pango-ot-info.c:154
#16 0x00007fffdadd6537 in basic_engine_shape (engine=<value optimized out>, 
    font=0x7fffc4799710, text=0x7fffffff5023 "Lorem ipsum", 
    length=<value optimized out>, analysis=0x7fffc494bd10, glyphs=
    0x7fffc4990b60) at basic-fc.c:209
#17 0x00007ffff251561d in pango_shape (text=0x7fffffff5023 "Lorem ipsum", 
    length=11, analysis=0x7fffc494bd10, glyphs=0x7fffc4990b60) at shape.c:55
#18 0x00007ffff6cbcdf2 in gfxPangoFontGroup::CreateGlyphRunsItemizing (this=
    0x7fffc4765900, aTextRun=0x7fffc4b552c0, aUTF8=
    0x7fffffff5020 "Lorem ipsum", aUTF8Length=14, aUTF8HeaderLen=3)
    at /home/karl/moz/dev/gfx/thebes/src/gfxPangoFonts.cpp:3095
Comment 5 John Daggett (:jtd) 2010-06-09 22:00:09 PDT
Sorry, I should have been more clear.  The bug here is in the *Pango* version of harfbuzz which is different than the version being worked on as part of bug 449292.  Eventually they'll be merged but not at this point.
Comment 6 Joe Drew (not getting mail) 2010-07-19 11:03:23 PDT
Do we even still use the pango version of Harfbuzz?
Comment 7 Karl Tomlinson (:karlt) 2010-07-19 15:02:13 PDT
I'm not clear why this is a blocker.  It is a bug in a system library that we use (but not in our tree).  It's a DoS, but I'm not sure that should mean we strive to find a workaround.  Maybe it will be fixed by other verification checks in other bugs, but, on its own, this bug doesn't seem to need to block.
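The trace in comment 4 ends in an array sanitizer reached from PairPosFormat2::sanitize, and comment 7 expects verification checks to be the fix. As an added illustration (not harfbuzz's or Pango's code), here is the shape of such a check written so that a record size of zero, which a GPOS pair-positioning subtable with two empty ValueFormats yields, can never reach a division; the function names, the 64-byte blob length and the assumption that the division is an overflow guard on the record size are all constructed for this example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the font table blob: 64 bytes, offsets are
 * relative to its start. Hypothetical, not a real font. */
#define BLOB_LEN 64u

/* True if count * size would not fit in an unsigned int. The size > 0
 * guard is the whole point: a zero record size must not reach the divide. */
static bool mul_overflows(unsigned int count, unsigned int size)
{
    return size > 0 && count >= UINT_MAX / size;
}

/* Bounds-check `count` records of `record_size` bytes at offset `off`. */
static bool check_array(unsigned int off, unsigned int record_size, unsigned int count)
{
    if (off > BLOB_LEN || mul_overflows(count, record_size))
        return false;
    return (size_t)record_size * count <= BLOB_LEN - off;
}

/* A GPOS ValueFormat is a bit mask; each set flag is one 16-bit field. */
static unsigned int value_format_size(uint16_t fmt)
{
    unsigned int bits = 0;
    for (; fmt; fmt &= (uint16_t)(fmt - 1)) bits++;   /* count set bits */
    return 2u * bits;
}

/* Hypothetical PairPosFormat2-style sanitize: class1Count * class2Count
 * records follow, each valueFormat1 + valueFormat2 bytes long. Two empty
 * ValueFormats give record_size == 0, the edge case of interest here. */
static bool sanitize_pairpos2(unsigned int values_off, uint16_t vf1, uint16_t vf2,
                              uint16_t class1Count, uint16_t class2Count)
{
    unsigned int record_size = value_format_size(vf1) + value_format_size(vf2);
    unsigned int count = (unsigned int)class1Count * (unsigned int)class2Count;
    return check_array(values_off, record_size, count);
}

int main(void)
{
    printf("empty ValueFormats, no crash: %d\n", sanitize_pairpos2(8, 0, 0, 10, 10));
    printf("array past blob end rejected: %d\n", sanitize_pairpos2(8, 0x000F, 0x000F, 2, 3));
    return 0;
}
```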
