Bug 998812 - gedit segfaults when loading a certain file
Summary: gedit segfaults when loading a certain file
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: harfbuzz
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Parag Nemade
QA Contact: QE Internationalization Bugs
URL:
Whiteboard:
Depends On: 998667
Blocks: 1164793
Reported: 2013-08-20 06:31 UTC by Mike FABIAN
Modified: 2014-11-25 11:25 UTC

Fixed In Version: harfbuzz-0.9.20-4.el7
Doc Type: Bug Fix
Doc Text:
Clone Of: 998667
Environment:
Last Closed: 2014-11-25 11:25:49 UTC


Attachments
fix this bug (1.38 KB, patch), 2014-07-10 07:50 UTC, Parag Nemade


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2014:1900 normal SHIPPED_LIVE harfbuzz bug fix update 2014-11-25 16:25:39 UTC
FreeDesktop.org 75076 None None None Never
GNOME Bugzilla 723582 None None None Never

Comment 2 Ray Strode [halfline] 2014-01-28 19:45:37 UTC
This seems to be a pango issue. The invalid write happens in the pango_glyph_item_get_logical_widths function. The function expects the array that's passed in to be item->num_chars * sizeof(int) big (as specified in the documentation), and the caller (PangoLayout) is making the array that's passed in that size, but it then goes and writes an entry one element past that in the array. The implementation never looks at item->num_chars directly, but through some helpers for iterating over the glyphs. I suppose some invariant has been broken (or something).

Reassigning to pango for further analysis by the pango maintainer.

Comment 3 Akira TAGOH 2014-02-14 05:26:43 UTC
This seems introduced by the negative values in the log_clusters array at PangoGlyphString, which came from hb_glyph->cluster - item_offset in basic_engine_shape in basic-fc.c. In this case hb_glyph->cluster points to 0 even though it isn't a first cluster.

This seems fixed in the harfbuzz git at least.

Reassigning to harfbuzz.
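As an added illustration (not code from pango or harfbuzz, and the function names are hypothetical), a simplified model of the failure mode described in Comments 2 and 3: a glyph cluster value lower than the item's offset yields a negative log_clusters entry, and a consumer that indexes an array sized item->num_chars with it writes outside that array. The checked variant validates every index before accumulating.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the bug: per-glyph log_clusters are derived as
 * cluster - item_offset (as Comment 3 describes for basic-fc.c), then
 * used as indices into a widths array of num_chars ints. */

/* True if every log_clusters entry addresses a valid char slot in
 * [0, num_chars): a negative value would index before the array,
 * an oversized one past its end. */
bool log_clusters_valid(const int *log_clusters, int num_glyphs, int num_chars)
{
    for (int i = 0; i < num_glyphs; i++)
        if (log_clusters[i] < 0 || log_clusters[i] >= num_chars)
            return false;
    return true;
}

/* Derive log_clusters and report whether the result is safe to hand
 * to a width-accumulating consumer. */
bool compute_log_clusters(const unsigned *clusters, int num_glyphs,
                          unsigned item_offset, int num_chars, int *out)
{
    for (int i = 0; i < num_glyphs; i++)
        out[i] = (int)clusters[i] - (int)item_offset; /* may go negative */
    return log_clusters_valid(out, num_glyphs, num_chars);
}

/* Hardened accumulation: refuses to write when any index is out of range. */
bool accumulate_widths(const int *log_clusters, const int *glyph_widths,
                       int num_glyphs, int *widths, int num_chars)
{
    if (!log_clusters_valid(log_clusters, num_glyphs, num_chars))
        return false;
    for (int i = 0; i < num_chars; i++) widths[i] = 0;
    for (int i = 0; i < num_glyphs; i++)
        widths[log_clusters[i]] += glyph_widths[i];
    return true;
}

int main(void)
{
    /* Constructed input: the item starts at byte 3 and covers 2 chars,
     * but the second glyph reports cluster 0 (the case from Comment 3). */
    unsigned clusters[] = {3, 0, 4};
    int log_clusters[3];
    bool ok = compute_log_clusters(clusters, 3, 3, 2, log_clusters);
    printf("log_clusters valid: %s\n", ok ? "yes" : "no"); /* prints "no" */
    return 0;
}
```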

Comment 4 RHEL Product and Program Management 2014-03-22 06:41:26 UTC
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Comment 5 Akira TAGOH 2014-06-02 06:31:09 UTC
This seems fixed in harfbuzz upstream.

Comment 9 Parag Nemade 2014-07-10 07:50:16 UTC
Created attachment 917005 [details]
fix this bug

Comment 10 Parag Nemade 2014-07-15 06:11:03 UTC
The upstream patch link is http://cgit.freedesktop.org/harfbuzz/commit/?id=6ae13f257c3986517c097fa666ab9f58bdc918b5, which is the same as what we want to use for this bug.

Comment 11 Parag Nemade 2014-08-18 09:01:50 UTC
Built the fix in harfbuzz-0.9.20-4.el7.

Comment 15 errata-xmlrpc 2014-11-25 11:25:49 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2014-1900.html