Bug 570968 - Division By Zero in pango code with font containing bad GPOS table
Keywords: crash, testcase
Product: Core
Classification: Components
Component: Graphics
Version: unspecified
Platform: x86 Linux
Importance: -- critical
Target Milestone: ---
Assigned To: John Daggett (:jtd)
QA Contact: Milan Sreckovic [:milan]
Depends on: 580962
Blocks: fuzzing-fonts
Reported: 2010-06-09 08:13 PDT by Christoph Diehl [:posidron]
Modified: 2012-07-16 16:56 PDT

Attachments:
testcase (170.98 KB, application/java-archive), 2010-06-09 08:15 PDT, Christoph Diehl [:posidron]
stacktrace (3.41 KB, text/plain), 2010-06-09 08:16 PDT, Christoph Diehl [:posidron]

Description  Christoph Diehl [:posidron] 2010-06-09 08:13:47 PDT
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.0; de; rv: Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.3a5pre) Gecko/20100608 Minefield/3.7a5pre

###!!! ABORT: Divide by zero: file /home/posidron/Mozilla/mozcentral/toolkit/xre/nsSigHandlers.cpp, line 206

Reproducible: Always

Steps to Reproduce:
Load the provided .html file.
Comment 1  Christoph Diehl [:posidron] 2010-06-09 08:15:47 PDT
Created attachment 450121 (testcase)
Comment 2  Christoph Diehl [:posidron] 2010-06-09 08:16:23 PDT
Created attachment 450122 (stacktrace)
Comment 3  John Daggett (:jtd) 2010-06-09 21:02:32 PDT
The stacktrace is in Pango code, not in harfbuzz code:

#0  0x0068f716 in ?? () from /usr/lib/
#1  0x0068fe02 in ?? () from /usr/lib/
#2  0x006854a6 in ?? () from /usr/lib/
#3  0x0068127b in ?? () from /usr/lib/
#4  0x0067dd03 in pango_ot_info_get () from /usr/lib/
#5  0x04b4105d in ?? () from /usr/lib/pango/1.6.0/modules/
#6  0x0053383a in ?? () from /usr/lib/
#7  0x005462ac in pango_shape () from /usr/lib/
#8  0x01c54c11 in gfxPangoFontGroup::CreateGlyphRunsItemizing (this=0x1c55aba, aTextRun=0xb161aa10, aUTF8=0xbf9b0f3c "?Lorem ipsum", aUTF8Length=3214610236, 
    aUTF8HeaderLen=3) at /home/posidron/Mozilla/mozcentral/gfx/thebes/src/gfxPangoFonts.cpp:3096
#9  0x01c55aba in gfxPangoFontGroup::InitTextRun (this=0xb161aa10, aTextRun=0xb0473700, aUTF8Text=0xbf9b0f3c "?Lorem ipsum", aUTF8Length=14, aUTF8HeaderLength=3, 
    aTake8BitPath=1) at /home/posidron/Mozilla/mozcentral/gfx/thebes/src/gfxPangoFonts.cpp:2445
#10 0x01c55c76 in gfxPangoFontGroup::MakeTextRun (this=0xb161aa10, aString=0xbf9b1440 "Lorem ipsum\277|D<", aLength=3214611520, aParams=0xbf9b1008, 
    aFlags=<value optimized out>) at /home/posidron/Mozilla/mozcentral/gfx/thebes/src/gfxPangoFonts.cpp:2381
#11 0x01c49d24 in TextRunWordCache::MakeTextRun (this=0xb3ba8ce0, aText=0xbf9b298c "Lorem ipsum", aLength=11, aFontGroup=0xb161aa10, aParams=0xbf9b162c, 
    aFlags=<value optimized out>) at /home/posidron/Mozilla/mozcentral/gfx/thebes/src/gfxTextRunWordCache.cpp:817
Comment 4  Karl Tomlinson (:karlt) 2010-06-09 21:28:50 PDT
Here, with Pango-1.26.2, it is clearly in hb:
#0  0x00007ffff32e7850 in _hb_sanitize_array (this=0x7fffd2f16698, context=
    0x7fffffff4b60) at hb-open-type-private.hh:219
#1  PairPosFormat2::sanitize (this=0x7fffd2f16698, context=0x7fffffff4b60)
    at hb-ot-layout-gpos-private.hh:625
#2  PairPos::sanitize (this=0x7fffd2f16698, context=0x7fffffff4b60)
    at hb-ot-layout-gpos-private.hh:677
#3  PosLookupSubTable::sanitize (this=0x7fffd2f16698, context=0x7fffffff4b60)
    at hb-ot-layout-gpos-private.hh:1337
#4  0x00007ffff32deaa7 in GenericOffsetTo<USHORT, PosLookupSubTable>::sanitize
    (face=0x7fffc4b48980) at hb-open-type-private.hh:477
#5  GenericArrayOf<USHORT, OffsetTo<PosLookupSubTable> >::sanitize (face=
    0x7fffc4b48980) at hb-open-type-private.hh:541
#6  PosLookup::sanitize (face=0x7fffc4b48980)
    at hb-ot-layout-gpos-private.hh:1448
#7  GenericOffsetTo<USHORT, PosLookup>::sanitize (face=0x7fffc4b48980)
    at hb-open-type-private.hh:477
#8  GenericArrayOf<USHORT, OffsetTo<PosLookup> >::sanitize (face=
    0x7fffc4b48980) at hb-open-type-private.hh:541
#9  OffsetListOf<PosLookup>::sanitize (face=0x7fffc4b48980)
    at hb-open-type-private.hh:600
#10 GenericOffsetTo<USHORT, OffsetListOf<PosLookup> >::sanitize (face=
    0x7fffc4b48980) at hb-open-type-private.hh:477
#11 GPOS::sanitize (face=0x7fffc4b48980) at hb-ot-layout-gpos-private.hh:1479
#12 Sanitizer<GPOS>::sanitize (face=0x7fffc4b48980)
    at hb-open-type-private.hh:286
#13 _hb_ot_layout_init (face=0x7fffc4b48980) at
#14 0x00007ffff32da066 in hb_face_create_for_data (
    blob=<value optimized out>, index=0) at
#15 0x00007ffff32d76e3 in pango_ot_info_get (face=0x7fffd30e0800)
    at pango-ot-info.c:154
#16 0x00007fffdadd6537 in basic_engine_shape (engine=<value optimized out>, 
    font=0x7fffc4799710, text=0x7fffffff5023 "Lorem ipsum", 
    length=<value optimized out>, analysis=0x7fffc494bd10, glyphs=
    0x7fffc4990b60) at basic-fc.c:209
#17 0x00007ffff251561d in pango_shape (text=0x7fffffff5023 "Lorem ipsum", 
    length=11, analysis=0x7fffc494bd10, glyphs=0x7fffc4990b60) at shape.c:55
#18 0x00007ffff6cbcdf2 in gfxPangoFontGroup::CreateGlyphRunsItemizing (this=
    0x7fffc4765900, aTextRun=0x7fffc4b552c0, aUTF8=
    0x7fffffff5020 "Lorem ipsum", aUTF8Length=14, aUTF8HeaderLen=3)
    at /home/karl/moz/dev/gfx/thebes/src/gfxPangoFonts.cpp:3095
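The trace above ends in _hb_sanitize_array, reached from PairPosFormat2::sanitize, and the abort is an integer divide by zero. The example below is added here and is not HarfBuzz or Pango code: it models the bounds check such a sanitizer performs on the Class2Record array of a PairPosFormat2 subtable, where the record size is derived from the two ValueFormat fields and is legitimately zero when both are zero. That a zero record size reaching a divide-based overflow check is what this font triggers is an assumption; the bug page itself names only the frames. The hardened `sanitize_array` decides the zero-size case before any division, and `make_subtable` builds constructed test input (a 16-byte header plus a zero-filled body) so the whole thing runs offline.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Added example (not HarfBuzz or Pango code): a minimal, overflow-safe
// sanitizer for the record array of an OpenType PairPosFormat2 subtable.

// Reads a big-endian uint16 at `off`; false if it would run past the blob.
static bool read_u16(const std::vector<uint8_t>& blob, size_t off, uint16_t& out) {
    if (off > blob.size() || blob.size() - off < 2) return false;
    out = (uint16_t)(((unsigned)blob[off] << 8) | blob[off + 1]);
    return true;
}

// OpenType ValueRecord size: one uint16 per set bit in the low byte of ValueFormat.
static unsigned value_record_size(uint16_t value_format) {
    unsigned bits = 0;
    for (unsigned f = value_format & 0xFFu; f != 0; f >>= 1) bits += f & 1u;
    return 2 * bits;
}

// Checks that `count` records of `record_size` bytes fit in `blob_len` bytes
// starting at `offset`. A naive overflow guard of the form
// `count > MAX / record_size` divides by record_size and faults when it is 0
// (assumed here to be the shape of the crashing check); the zero case is
// decided first, so no division ever sees a zero divisor.
static bool sanitize_array(size_t blob_len, size_t offset, uint64_t count,
                           unsigned record_size) {
    if (offset > blob_len) return false;
    if (record_size == 0) return true;                   // empty records always fit
    if (count > UINT64_MAX / record_size) return false;  // multiplication would wrap
    uint64_t bytes = count * record_size;
    return bytes <= (uint64_t)(blob_len - offset);
}

// Sanitizes a PairPosFormat2 subtable starting at `off`. Header layout:
// posFormat, coverageOffset, valueFormat1, valueFormat2, classDef1Offset,
// classDef2Offset, class1Count, class2Count (eight uint16, 16 bytes), then
// class1Count * class2Count Class2Records of (ValueRecord1 + ValueRecord2).
static bool sanitize_pairpos2(const std::vector<uint8_t>& blob, size_t off) {
    uint16_t f[8];
    for (size_t i = 0; i < 8; ++i)
        if (!read_u16(blob, off + 2 * i, f[i])) return false;
    if (f[0] != 2) return false;                         // not PairPosFormat2
    unsigned record_size = value_record_size(f[2]) + value_record_size(f[3]);
    uint64_t count = (uint64_t)f[6] * f[7];
    return sanitize_array(blob.size(), off + 16, count, record_size);
}

// Constructed test subtable: a PairPosFormat2 header with the given value
// formats and class counts, followed by `body_bytes` zero bytes.
static std::vector<uint8_t> make_subtable(uint16_t vf1, uint16_t vf2,
                                          uint16_t c1, uint16_t c2,
                                          size_t body_bytes) {
    std::vector<uint8_t> v;
    const uint16_t fields[8] = {2, 0, vf1, vf2, 0, 0, c1, c2};
    for (uint16_t x : fields) {
        v.push_back((uint8_t)(x >> 8));
        v.push_back((uint8_t)(x & 0xFF));
    }
    v.insert(v.end(), body_bytes, (uint8_t)0);
    return v;
}
```

A header with both ValueFormats zero and large class counts is accepted without touching the body, which is the correct answer for an array of zero-byte records; a header that promises more record bytes than the blob holds is rejected, and so is a count that would wrap the size multiplication.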
Comment 5  John Daggett (:jtd) 2010-06-09 22:00:09 PDT
Sorry, I should have been more clear. The bug here is in the *Pango* version of harfbuzz, which is different from the version being worked on as part of bug 449292. Eventually they'll be merged but not at this point.
Comment 6  Joe Drew (not getting mail) 2010-07-19 11:03:23 PDT
Do we even still use the pango version of Harfbuzz?
Comment 7  Karl Tomlinson (:karlt) 2010-07-19 15:02:13 PDT
I'm not clear why this is a blocker. It is a bug in a system library that we use (but not in our tree). It's a DoS, but I'm not sure that should mean we strive to find a workaround. Maybe it will be fixed by other verification checks in other bugs, but, on its own, this bug doesn't seem to need to block.
