Closed Bug 604380 Opened 14 years ago Closed 13 years ago

Crash [@ libpangoft2-1.0.so.0.1400.9@0x148a3]

Categories

(Core :: Layout: Text and Fonts, defect)

x86
Linux
defect
Not set
normal

RESOLVED DUPLICATE of bug 605347

People

(Reporter: bc, Assigned: karlt)

Details

(Keywords: crash)

Crash Data

Attachments

(1 file)

1. http://code.google.com/webfonts
2. Crash Linux 1.9.2 debug only.

Operating system: Linux
                  0.0.0 Linux 2.6.18-194.8.1.el5 #1 SMP Thu Jul 1 19:07:06 EDT 2010 i686
CPU: x86
     GenuineIntel family 6 model 44 stepping 2
     1 CPU

Crash reason:  SIGSEGV
Crash address: 0xa69403c

Thread 0 (crashed)
 0  libpangoft2-1.0.so.0.1400.9 + 0x148a3
    eip = 0x009098a3   esp = 0xbffb1d00   ebp = 0xbffb1d48   ebx = 0x009227a0
    esi = 0x00000004   edi = 0xbffb1e38   eax = 0x000351aa   ecx = 0x0a694038
    edx = 0x000351aa   efl = 0x00010202
    Found by: given as instruction pointer in context

I couldn't reproduce by hand with a nightly nor with a debug build, but was able to reproduce using the sisyphus automation.

The crash address varies, therefore making this sensitive.
Attached file stack
I was wrong. It occurs on 1.9.1, 1.9.2 and 2.0.0.
Version: 1.9.2 Branch → Trunk
, can you take a look at this and connect with Bob?
Assignee: nobody → karlt
Related to bug 605347, but this is a very old Pango library.

There have been a number of vulnerabilities repaired in Pango since 1.14 and I doubt 1.14.9 includes any backports.

We won't use this path for this page when bug 569770 lands.

For the branches, this becomes a SIGFPE DoS (bug 605347) with newer Pango versions.
Depends on: 605347
Bob, based on your kernel version, you're running a pretty old Linux installation, is that so? Roc thinks that the version of Pango that you have is too old.
Karl thought that, I just parroted it :-).

But I do think this is clearly a Pango bug, and since we don't ship Pango, I think it's up to the distro to package a fixed Pango.
Sounds reasonable. This is on a CentOS 5.5 box. I guess I'll need to start using Fedora or RHEL6 beta. Should we clue some Red Hat folks in here?
Whiteboard: [sg:vector-critical? (pango)]
I set up Fedora 14 for testing and can again reproduce crashes using the automation but not locally. Locally I hang.

The installed version of pango is 1.28.1-4.fc14.

Running 1.9.2 under gdb with debuginfo gives:

Program received signal SIGFPE, Arithmetic exception.
0x002e65f6 in _hb_sanitize_array (this=0x8f80124, context=0xbfff2e14) at hb-open-type-private.hh:202
202	  bool overflows = len >= ((unsigned int) -1) / record_size;

with record_size == 0. It looks like 1.9.2 gets hung up with repeated SIGFPEs.
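The SIGFPE quoted above comes from dividing by record_size when a malformed font table yields a record size of zero. As an added example that is not part of this bug, of Pango, or of HarfBuzz's own code, here is a simplified model of that sanitize check beside a guarded version; the SanitizeRange struct, the helper names and the 64-byte constructed buffer are assumptions.

```cpp
#include <climits>
#include <cstddef>
#include <cstdio>

// Assumed, simplified model of a sanitizer context: the byte window a
// font table is allowed to read. Not HarfBuzz's real hb_sanitize_context_t.
struct SanitizeRange {
    const unsigned char *start;
    const unsigned char *end;
};

// Shape of the check quoted from hb-open-type-private.hh:202 in the bug:
// divides by record_size with no zero guard, so record_size == 0 raises
// SIGFPE (the hang / DoS described above). Kept only for comparison;
// callers must never pass record_size == 0.
static bool overflows_unguarded(unsigned int len, unsigned int record_size) {
    return len >= ((unsigned int) -1) / record_size;
}

// Guarded version: reject a zero record size before dividing, then refuse
// a len * record_size product that would wrap, then test the byte range
// against the sanitize window using offsets rather than raw pointer math.
static bool array_in_range(const SanitizeRange &ctx, const unsigned char *base,
                           unsigned int len, unsigned int record_size) {
    if (record_size == 0)
        return false;                       // malformed table, no division
    if (len >= UINT_MAX / record_size)
        return false;                       // product would overflow
    unsigned int bytes = len * record_size;
    if (base < ctx.start || base > ctx.end)
        return false;                       // base outside the window
    size_t avail = (size_t)(ctx.end - base);
    return bytes <= avail;
}

// Runs the guarded check against a constructed 64-byte window so the
// zero, fitting, too-long and overflowing cases can be exercised offline.
static bool check_constructed(unsigned int len, unsigned int record_size) {
    static unsigned char buf[64] = {0};     // constructed sample table
    SanitizeRange ctx = { buf, buf + sizeof buf };
    return array_in_range(ctx, buf, len, record_size);
}

int main() {
    std::printf("record_size 0: %s\n", check_constructed(4, 0) ? "ok" : "rejected");
    std::printf("16 x 4 bytes : %s\n", check_constructed(16, 4) ? "ok" : "rejected");
    std::printf("17 x 4 bytes : %s\n", check_constructed(17, 4) ? "ok" : "rejected");
    return 0;
}
```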
Group: core-security
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:vector-critical? (pango)]
Crash Signature: [@ libpangoft2-1.0.so.0.1400.9@0x148a3]
