Bug 998812

Summary: gedit segfaults when loading a certain file
Product: Red Hat Enterprise Linux 7
Reporter: Mike FABIAN <mfabian>
Component: harfbuzz
Assignee: Parag Nemade <pnemade>
Status: CLOSED ERRATA
QA Contact: QE Internationalization Bugs <qe-i18n-bugs>
Severity: medium
Priority: medium
Version: 7.0
CC: lijli, mfabian, tagoh
Target Milestone: rc
Keywords: i18n, Patch
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: harfbuzz-0.9.20-4.el7
Doc Type: Bug Fix
Clone Of: 998667
Last Closed: 2014-11-25 11:25:49 UTC
Type: Bug
Bug Depends On: 998667
Bug Blocks: 1164793
Attachments: "fix this bug" (flags: none)

Comment 2 Ray Strode [halfline] 2014-01-28 19:45:37 UTC
This seems to be a pango issue. The invalid write happens in the pango_glyph_item_get_logical_widths function. The function expects the array that's passed in to be item->num_chars * sizeof(int) big (as specified in the documentation), and the caller (PangoLayout) is making the array that's passed in that size, but it then goes and writes an entry one element past that in the array. The implementation never looks at item->num_chars directly, but through some helpers for iterating over the glyphs. I suppose some invariant has been broken (or something).

Reassigning to pango for further analysis by the pango maintainer.

Comment 3 Akira TAGOH 2014-02-14 05:26:43 UTC
This seems to be introduced by negative values in the log_clusters array in PangoGlyphString, which come from hb_glyph->cluster - item_offset in basic_engine_shape in basic-fc.c. In this case hb_glyph->cluster points to 0 even though it isn't the first cluster.

This seems fixed in the harfbuzz git at least.

Reassigning to harfbuzz
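
The failure mode described in Comments 2 and 3, as an added C example that is not pango or harfbuzz code: it models the hb_glyph->cluster - item_offset mapping, the range check that the fixed-size arrays PangoLayout allocates implicitly rely on, and a bounds-checked accumulator in place of the unchecked write. item_offset, item_length (one length used for both bytes and chars, unlike real pango), and the sample cluster values are constructed assumptions.

```c
/* Added example (not pango's or harfbuzz's own code): a model of the
 * log_clusters invariant that Comment 3 says was broken. item_offset,
 * item_length and the sample cluster values below are constructed. */
#include <stdio.h>
#include <string.h>

/* Mirrors the mapping described for basic-fc.c: each glyph's cluster
 * (an offset into the paragraph) minus the start offset of the item. */
void compute_log_clusters(const unsigned int *hb_clusters, int num_glyphs,
                          int item_offset, int *log_clusters)
{
    for (int i = 0; i < num_glyphs; i++)
        log_clusters[i] = (int)hb_clusters[i] - item_offset;
}

/* Returns -1 when every entry lies in [0, item_length); otherwise the
 * index of the first entry that would address memory outside an
 * item-sized array. A cluster of 0 in a non-first item trips this. */
int first_bad_log_cluster(const int *log_clusters, int num_glyphs,
                          int item_length)
{
    for (int i = 0; i < num_glyphs; i++)
        if (log_clusters[i] < 0 || log_clusters[i] >= item_length)
            return i;
    return -1;
}

/* Stand-in for the logical-width accumulation: rejects an out-of-range
 * cluster instead of writing through it. Returns the rejected count. */
int accumulate_widths(const int *log_clusters, const int *glyph_widths,
                      int num_glyphs, int *logical_widths, int item_length)
{
    int rejected = 0;
    memset(logical_widths, 0, sizeof(int) * (size_t)item_length);
    for (int i = 0; i < num_glyphs; i++) {
        int c = log_clusters[i];
        if (c < 0 || c >= item_length) { rejected++; continue; }
        logical_widths[c] += glyph_widths[i];
    }
    return rejected;
}

int main(void)
{
    /* Constructed: an item starting at offset 5 whose third glyph was
     * given cluster 0 by the shaper, as in the report. */
    unsigned int hb_clusters[3] = {5, 6, 0};
    int log_clusters[3];
    compute_log_clusters(hb_clusters, 3, 5, log_clusters);
    printf("first bad log_cluster index: %d\n",
           first_bad_log_cluster(log_clusters, 3, 3));
    return 0;
}
```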

Comment 4 RHEL Program Management 2014-03-22 06:41:26 UTC
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Comment 5 Akira TAGOH 2014-06-02 06:31:09 UTC
This seems fixed in harfbuzz upstream.

Comment 9 Parag Nemade 2014-07-10 07:50:16 UTC
Created attachment 917005 [details]
fix this bug

Comment 10 Parag Nemade 2014-07-15 06:11:03 UTC
The upstream patch link is http://cgit.freedesktop.org/harfbuzz/commit/?id=6ae13f257c3986517c097fa666ab9f58bdc918b5, which is the same as what we want to use for this bug.

Comment 11 Parag Nemade 2014-08-18 09:01:50 UTC
Built the fix in harfbuzz-0.9.20-4.el7.

Comment 15 errata-xmlrpc 2014-11-25 11:25:49 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2014-1900.html