Closed
Bug 570968
Opened 14 years ago
Closed 12 years ago
Division By Zero in pango code with font containing bad GPOS table
Categories
(Core :: Graphics, defect)
Tracking
()
RESOLVED
FIXED
Tracking | Status
---|---
blocking2.0 | ---
People
(Reporter: posidron, Assigned: jtd)
References
(Blocks 1 open bug)
Details
(Keywords: crash, testcase, Whiteboard: [sg:dos])
Attachments
(2 files)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; de; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.3a5pre) Gecko/20100608 Minefield/3.7a5pre

###!!! ABORT: Divide by zero: file /home/posidron/Mozilla/mozcentral/toolkit/xre/nsSigHandlers.cpp, line 206

Reproducible: Always

Steps to Reproduce:
Load the provided .html file.
Reporter
Comment 1 • 14 years ago

Reporter
Comment 2 • 14 years ago
Updated • 14 years ago
Status: UNCONFIRMED → NEW
blocking2.0: --- → ?
Ever confirmed: true
Assignee
Comment 3 • 14 years ago

The stack trace is in Pango code, not in harfbuzz code:

#0 0x0068f716 in ?? () from /usr/lib/libpangoft2-1.0.so.0
#1 0x0068fe02 in ?? () from /usr/lib/libpangoft2-1.0.so.0
#2 0x006854a6 in ?? () from /usr/lib/libpangoft2-1.0.so.0
#3 0x0068127b in ?? () from /usr/lib/libpangoft2-1.0.so.0
#4 0x0067dd03 in pango_ot_info_get () from /usr/lib/libpangoft2-1.0.so.0
#5 0x04b4105d in ?? () from /usr/lib/pango/1.6.0/modules/pango-basic-fc.so
#6 0x0053383a in ?? () from /usr/lib/libpango-1.0.so.0
#7 0x005462ac in pango_shape () from /usr/lib/libpango-1.0.so.0
#8 0x01c54c11 in gfxPangoFontGroup::CreateGlyphRunsItemizing (this=0x1c55aba, aTextRun=0xb161aa10, aUTF8=0xbf9b0f3c "?Lorem ipsum", aUTF8Length=3214610236, aUTF8HeaderLen=3) at /home/posidron/Mozilla/mozcentral/gfx/thebes/src/gfxPangoFonts.cpp:3096
#9 0x01c55aba in gfxPangoFontGroup::InitTextRun (this=0xb161aa10, aTextRun=0xb0473700, aUTF8Text=0xbf9b0f3c "?Lorem ipsum", aUTF8Length=14, aUTF8HeaderLength=3, aTake8BitPath=1) at /home/posidron/Mozilla/mozcentral/gfx/thebes/src/gfxPangoFonts.cpp:2445
#10 0x01c55c76 in gfxPangoFontGroup::MakeTextRun (this=0xb161aa10, aString=0xbf9b1440 "Lorem ipsum\277|D<", aLength=3214611520, aParams=0xbf9b1008, aFlags=<value optimized out>) at /home/posidron/Mozilla/mozcentral/gfx/thebes/src/gfxPangoFonts.cpp:2381
#11 0x01c49d24 in TextRunWordCache::MakeTextRun (this=0xb3ba8ce0, aText=0xbf9b298c "Lorem ipsum", aLength=11, aFontGroup=0xb161aa10, aParams=0xbf9b162c, aFlags=<value optimized out>) at /home/posidron/Mozilla/mozcentral/gfx/thebes/src/gfxTextRunWordCache.cpp:817
No longer blocks: 569531
Summary: Division By Zero while rendering GPOS table → Division By Zero in pango code with font containing bad GPOS table
Comment 4 • 14 years ago

Here, with Pango-1.26.2, it is clearly in hb:

#0 0x00007ffff32e7850 in _hb_sanitize_array (this=0x7fffd2f16698, context=0x7fffffff4b60) at hb-open-type-private.hh:219
#1 PairPosFormat2::sanitize (this=0x7fffd2f16698, context=0x7fffffff4b60) at hb-ot-layout-gpos-private.hh:625
#2 PairPos::sanitize (this=0x7fffd2f16698, context=0x7fffffff4b60) at hb-ot-layout-gpos-private.hh:677
#3 PosLookupSubTable::sanitize (this=0x7fffd2f16698, context=0x7fffffff4b60) at hb-ot-layout-gpos-private.hh:1337
#4 0x00007ffff32deaa7 in GenericOffsetTo<USHORT, PosLookupSubTable>::sanitize (face=0x7fffc4b48980) at hb-open-type-private.hh:477
#5 GenericArrayOf<USHORT, OffsetTo<PosLookupSubTable> >::sanitize (face=0x7fffc4b48980) at hb-open-type-private.hh:541
#6 PosLookup::sanitize (face=0x7fffc4b48980) at hb-ot-layout-gpos-private.hh:1448
#7 GenericOffsetTo<USHORT, PosLookup>::sanitize (face=0x7fffc4b48980) at hb-open-type-private.hh:477
#8 GenericArrayOf<USHORT, OffsetTo<PosLookup> >::sanitize (face=0x7fffc4b48980) at hb-open-type-private.hh:541
#9 OffsetListOf<PosLookup>::sanitize (face=0x7fffc4b48980) at hb-open-type-private.hh:600
#10 GenericOffsetTo<USHORT, OffsetListOf<PosLookup> >::sanitize (face=0x7fffc4b48980) at hb-open-type-private.hh:477
#11 GPOS::sanitize (face=0x7fffc4b48980) at hb-ot-layout-gpos-private.hh:1479
#12 Sanitizer<GPOS>::sanitize (face=0x7fffc4b48980) at hb-open-type-private.hh:286
#13 _hb_ot_layout_init (face=0x7fffc4b48980) at hb-ot-layout.cc:53
#14 0x00007ffff32da066 in hb_face_create_for_data (blob=<value optimized out>, index=0) at hb-font.cc:182
#15 0x00007ffff32d76e3 in pango_ot_info_get (face=0x7fffd30e0800) at pango-ot-info.c:154
#16 0x00007fffdadd6537 in basic_engine_shape (engine=<value optimized out>, font=0x7fffc4799710, text=0x7fffffff5023 "Lorem ipsum", length=<value optimized out>, analysis=0x7fffc494bd10, glyphs=0x7fffc4990b60) at basic-fc.c:209
#17 0x00007ffff251561d in pango_shape (text=0x7fffffff5023 "Lorem ipsum", length=11, analysis=0x7fffc494bd10, glyphs=0x7fffc4990b60) at shape.c:55
#18 0x00007ffff6cbcdf2 in gfxPangoFontGroup::CreateGlyphRunsItemizing (this=0x7fffc4765900, aTextRun=0x7fffc4b552c0, aUTF8=0x7fffffff5020 "Lorem ipsum", aUTF8Length=14, aUTF8HeaderLen=3) at /home/karl/moz/dev/gfx/thebes/src/gfxPangoFonts.cpp:3095
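To make the failure mode in this trace concrete, here is an added example (not harfbuzz's, Pango's or Mozilla's code) of a PairPosFormat2 record-array bounds check written the hazardous way and the safe way. It assumes the divide-by-zero operand is the per-record byte length, which is zero when both value formats of the subtable are 0; the comment above does not name the operand, so that is an assumption, and the table header below is constructed, not the reporter's font.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Big-endian 16-bit read; OpenType tables are stored big-endian. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Bytes in one ValueRecord: two per bit set in the low eight bits of the
 * value format (OpenType defines eight optional 16-bit value fields). */
static size_t value_record_len(uint16_t fmt) {
    size_t n = 0;
    for (unsigned b = 0; b < 8; b++) if (fmt & (1u << b)) n++;
    return 2 * n;
}

/* Overflow check written the hazardous way: it divides by record_size, so a
 * table whose records are zero bytes long (both value formats 0) traps. */
bool check_array_unsafe(size_t avail, size_t record_size, size_t count) {
    if (count > SIZE_MAX / record_size) return false;   /* SIGFPE when record_size == 0 */
    return record_size * count <= avail;
}

/* Same check with the zero-size case handled before any division. */
bool check_array_safe(size_t avail, size_t record_size, size_t count) {
    if (record_size == 0) return true;                  /* zero bytes needed, nothing to read */
    if (count > SIZE_MAX / record_size) return false;   /* product would wrap */
    return record_size * count <= avail;
}

/* Validate a PairPosFormat2 header (16 bytes: posFormat, coverageOffset,
 * valueFormat1, valueFormat2, classDef1Offset, classDef2Offset, class1Count,
 * class2Count) and the class-record array that follows it.  Returns true
 * only if the array fits in blob_len bytes. */
bool sanitize_pairpos2(const uint8_t *blob, size_t blob_len) {
    if (blob_len < 16 || rd16(blob) != 2) return false;
    size_t record = value_record_len(rd16(blob + 4)) + value_record_len(rd16(blob + 6));
    size_t count = (size_t)rd16(blob + 12) * rd16(blob + 14); /* two 16-bit counts cannot wrap size_t */
    return check_array_safe(blob_len - 16, record, count);
}

/* Constructed header (assumption, not the reporter's font): format 2, both
 * value formats zero, class1Count = class2Count = 3, offsets left zero. */
static const uint8_t kZeroValueFormatHeader[16] = {
    0x00,0x02, 0x00,0x00, 0x00,0x00, 0x00,0x00,
    0x00,0x00, 0x00,0x00, 0x00,0x03, 0x00,0x03 };

/* The unsafe check would trap on this input; the safe path accepts it. */
bool demo_zero_record_size(void) {
    return sanitize_pairpos2(kZeroValueFormatHeader, sizeof kZeroValueFormatHeader);
}
```

Feeding kZeroValueFormatHeader through check_array_unsafe() instead reproduces the crash class (SIGFPE, not memory corruption), which is why the bug is tagged as a denial of service.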
Assignee
Comment 5 • 14 years ago
Sorry, I should have been more clear. The bug here is in the *Pango* version of harfbuzz which is different than the version being worked on as part of bug 449292. Eventually they'll be merged but not at this point.
Updated • 14 years ago
blocking2.0: ? → final+
Comment 6 • 14 years ago
Do we even still use the pango version of Harfbuzz?
Assignee: nobody → jdaggett
Comment 7 • 14 years ago

I'm not clear why this is a blocker. It is a bug in a system library that we use (but not in our tree). It's a DoS, but I'm not sure that should mean we strive to find a workaround. Maybe it will be fixed by other verification checks in other bugs, but, on its own, this bug doesn't seem to need to block.
Reporter
Updated • 12 years ago
Blocks: fuzzing-fonts
Reporter
Updated • 12 years ago
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED