Closed Bug 570968 Opened 14 years ago Closed 12 years ago

Division By Zero in pango code with font containing bad GPOS table

Categories

(Core :: Graphics, defect)

x86
Linux
defect
Not set
critical

Tracking

RESOLVED FIXED
Tracking Status
blocking2.0 --- -

People

(Reporter: posidron, Assigned: jtd)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase, Whiteboard: [sg:dos])

Attachments

(2 files)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.0; de; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.3a5pre) Gecko/20100608 Minefield/3.7a5pre

###!!! ABORT: Divide by zero: file /home/posidron/Mozilla/mozcentral/toolkit/xre/nsSigHandlers.cpp, line 206

Reproducible: Always

Steps to Reproduce:
Load the provided .html file.
Blocks: 569531
Attached file testcase
Attached file stacktrace
Status: UNCONFIRMED → NEW
blocking2.0: --- → ?
Ever confirmed: true
The stacktrace is in Pango code, not in harfbuzz code:

#0  0x0068f716 in ?? () from /usr/lib/libpangoft2-1.0.so.0
#1  0x0068fe02 in ?? () from /usr/lib/libpangoft2-1.0.so.0
#2  0x006854a6 in ?? () from /usr/lib/libpangoft2-1.0.so.0
#3  0x0068127b in ?? () from /usr/lib/libpangoft2-1.0.so.0
#4  0x0067dd03 in pango_ot_info_get () from /usr/lib/libpangoft2-1.0.so.0
#5  0x04b4105d in ?? () from /usr/lib/pango/1.6.0/modules/pango-basic-fc.so
#6  0x0053383a in ?? () from /usr/lib/libpango-1.0.so.0
#7  0x005462ac in pango_shape () from /usr/lib/libpango-1.0.so.0
#8  0x01c54c11 in gfxPangoFontGroup::CreateGlyphRunsItemizing (this=0x1c55aba, aTextRun=0xb161aa10, aUTF8=0xbf9b0f3c "?Lorem ipsum", aUTF8Length=3214610236, 
    aUTF8HeaderLen=3) at /home/posidron/Mozilla/mozcentral/gfx/thebes/src/gfxPangoFonts.cpp:3096
#9  0x01c55aba in gfxPangoFontGroup::InitTextRun (this=0xb161aa10, aTextRun=0xb0473700, aUTF8Text=0xbf9b0f3c "?Lorem ipsum", aUTF8Length=14, aUTF8HeaderLength=3, 
    aTake8BitPath=1) at /home/posidron/Mozilla/mozcentral/gfx/thebes/src/gfxPangoFonts.cpp:2445
#10 0x01c55c76 in gfxPangoFontGroup::MakeTextRun (this=0xb161aa10, aString=0xbf9b1440 "Lorem ipsum\277|D<", aLength=3214611520, aParams=0xbf9b1008, 
    aFlags=<value optimized out>) at /home/posidron/Mozilla/mozcentral/gfx/thebes/src/gfxPangoFonts.cpp:2381
#11 0x01c49d24 in TextRunWordCache::MakeTextRun (this=0xb3ba8ce0, aText=0xbf9b298c "Lorem ipsum", aLength=11, aFontGroup=0xb161aa10, aParams=0xbf9b162c, 
    aFlags=<value optimized out>) at /home/posidron/Mozilla/mozcentral/gfx/thebes/src/gfxTextRunWordCache.cpp:817
No longer blocks: 569531
Summary: Division By Zero while rendering GPOS table → Division By Zero in pango code with font containing bad GPOS table
Here, with Pango-1.26.2, it is clearly in hb:
#0  0x00007ffff32e7850 in _hb_sanitize_array (this=0x7fffd2f16698, context=
    0x7fffffff4b60) at hb-open-type-private.hh:219
#1  PairPosFormat2::sanitize (this=0x7fffd2f16698, context=0x7fffffff4b60)
    at hb-ot-layout-gpos-private.hh:625
#2  PairPos::sanitize (this=0x7fffd2f16698, context=0x7fffffff4b60)
    at hb-ot-layout-gpos-private.hh:677
#3  PosLookupSubTable::sanitize (this=0x7fffd2f16698, context=0x7fffffff4b60)
    at hb-ot-layout-gpos-private.hh:1337
#4  0x00007ffff32deaa7 in GenericOffsetTo<USHORT, PosLookupSubTable>::sanitize
    (face=0x7fffc4b48980) at hb-open-type-private.hh:477
#5  GenericArrayOf<USHORT, OffsetTo<PosLookupSubTable> >::sanitize (face=
    0x7fffc4b48980) at hb-open-type-private.hh:541
#6  PosLookup::sanitize (face=0x7fffc4b48980)
    at hb-ot-layout-gpos-private.hh:1448
#7  GenericOffsetTo<USHORT, PosLookup>::sanitize (face=0x7fffc4b48980)
    at hb-open-type-private.hh:477
#8  GenericArrayOf<USHORT, OffsetTo<PosLookup> >::sanitize (face=
    0x7fffc4b48980) at hb-open-type-private.hh:541
#9  OffsetListOf<PosLookup>::sanitize (face=0x7fffc4b48980)
    at hb-open-type-private.hh:600
#10 GenericOffsetTo<USHORT, OffsetListOf<PosLookup> >::sanitize (face=
    0x7fffc4b48980) at hb-open-type-private.hh:477
#11 GPOS::sanitize (face=0x7fffc4b48980) at hb-ot-layout-gpos-private.hh:1479
#12 Sanitizer<GPOS>::sanitize (face=0x7fffc4b48980)
    at hb-open-type-private.hh:286
#13 _hb_ot_layout_init (face=0x7fffc4b48980) at hb-ot-layout.cc:53
#14 0x00007ffff32da066 in hb_face_create_for_data (
    blob=<value optimized out>, index=0) at hb-font.cc:182
#15 0x00007ffff32d76e3 in pango_ot_info_get (face=0x7fffd30e0800)
    at pango-ot-info.c:154
#16 0x00007fffdadd6537 in basic_engine_shape (engine=<value optimized out>, 
    font=0x7fffc4799710, text=0x7fffffff5023 "Lorem ipsum", 
    length=<value optimized out>, analysis=0x7fffc494bd10, glyphs=
    0x7fffc4990b60) at basic-fc.c:209
#17 0x00007ffff251561d in pango_shape (text=0x7fffffff5023 "Lorem ipsum", 
    length=11, analysis=0x7fffc494bd10, glyphs=0x7fffc4990b60) at shape.c:55
#18 0x00007ffff6cbcdf2 in gfxPangoFontGroup::CreateGlyphRunsItemizing (this=
    0x7fffc4765900, aTextRun=0x7fffc4b552c0, aUTF8=
    0x7fffffff5020 "Lorem ipsum", aUTF8Length=14, aUTF8HeaderLen=3)
    at /home/karl/moz/dev/gfx/thebes/src/gfxPangoFonts.cpp:3095
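The trace above places the divide by zero inside _hb_sanitize_array while a PairPosFormat2 subtable is being checked. As an added illustration that is not HarfBuzz's or Pango's code, the C below sketches how a sanitizer can bound a record array read from an untrusted font without ever dividing by the record size; that a zero-sized record (both value formats empty) is the trigger here is my assumption, not something the report states.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical sanitizer context: the span of untrusted font bytes being checked. */
typedef struct {
    const uint8_t *start;
    const uint8_t *end;
} sanitize_ctx;

/* Bytes occupied by one GPOS ValueRecord: each set bit in a valueFormat adds a 16-bit field. */
unsigned int value_record_size(uint16_t value_format)
{
    unsigned int n = 0;
    for (; value_format; value_format >>= 1) n += value_format & 1;
    return 2 * n;
}

/* True if [p, p + len * record_size) lies inside the blob. The overflow guard multiplies
 * in 64 bits instead of dividing by record_size, so a record size of 0 (assumed here to be
 * what a bad GPOS table can produce) is treated as an empty array, not a divide by zero. */
bool check_array(const sanitize_ctx *c, const uint8_t *p, unsigned int len, unsigned int record_size)
{
    if (p < c->start || p > c->end) return false;
    if (len == 0 || record_size == 0) return true;   /* zero-byte array: nothing to read */
    uint64_t need = (uint64_t)len * (uint64_t)record_size;
    return need <= (uint64_t)(c->end - p);
}

/* PairPosFormat2 carries class1Count * class2Count records of (ValueRecord1, ValueRecord2).
 * The product is formed unsigned so a font-chosen pair of counts cannot wrap a signed int. */
bool check_pairpos2_records(const sanitize_ctx *c, const uint8_t *records,
                            uint16_t class1_count, uint16_t class2_count,
                            uint16_t value_format1, uint16_t value_format2)
{
    uint32_t count = (uint32_t)class1_count * class2_count;   /* < 2^32, no overflow */
    return check_array(c, records, count,
                       value_record_size(value_format1) + value_record_size(value_format2));
}

/* Constructed 64-byte blob standing in for a subtable; contents do not matter for bounds. */
static const uint8_t demo_blob[64] = {0};
static const sanitize_ctx demo_ctx = { demo_blob, demo_blob + sizeof demo_blob };
```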
Sorry, I should have been clearer.  The bug here is in the *Pango* version of harfbuzz, which is different from the version being worked on as part of bug 449292.  Eventually they'll be merged, but not at this point.
blocking2.0: ? → final+
Do we even still use the pango version of Harfbuzz?
Assignee: nobody → jdaggett
I'm not clear why this is a blocker.  It is a bug in a system library that we use (but not in our tree).  It's a DoS, but I'm not sure that should mean we strive to find a workaround.  Maybe it will be fixed by other verification checks in other bugs, but, on its own, this bug doesn't seem to need to block.
blocking2.0: final+ → -
Keywords: crash
Keywords: testcase
Whiteboard: [sg:dos]
Depends on: 580962
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED