Details
-
Bug
-
Resolution: Done
-
P1: Critical
-
4.8.0
-
None
-
e05734987594f0e54f58a2ab3037cdf4956e9036
Description
QFontEngineFT::loadFlags() is called with a 'set' argument of 0 from
QFontEngineFT::getPointInOutline(). If this is the case, then depending
on other conditions a null pointer access will happen if the third term
in the conditional
if (default_hint_style == HintNone || (flags & HB_ShaperFlag_UseDesignMetrics) || set->outline_drawing)
gets evaluated. This possibility is guarded against in the condition above,
if (set && set->outline_drawing)
load_flags = FT_LOAD_NO_BITMAP;
and should happen here also.
The symptom is a crash with certain fonts in Konqueror (backtrace abbreviated):
[KCrash Handler]
#7 0xb5d7d9c7 in QFontEngineFT::loadFlags (this=0xa93be50, set=0x0, format=QFontEngine::Format_A8, flags=<value optimized out>, hsubpixel=@0xbf8e82af, vfactor=@0xbf8e82a8) at text/qfontengine_ft.cpp:804
#8 0xb5d7e3a1 in QFontEngineFT::getPointInOutline (this=0xa93be50, glyph=1443, flags=0, point=18, xpos=0xbf8e8434, ypos=0xbf8e8430, nPoints=0xbf8e8338) at text/qfontengine_ft.cpp:1969
#9 0xb5c77485 in hb_getPointInOutline (font=0xa93be8c, glyph=1443, flags=0, point=18, xpos=0xbf8e8434, ypos=0xbf8e8430, nPoints=0xbf8e8338) at text/qfontengine.cpp:152
#10 0xb6619c35 in Get_Anchor (gpi=<value optimized out>, an=<value optimized out>, glyph_index=1443, x_value=0xbf8e8434, y_value=0xbf8e8430) at ../3rdparty/harfbuzz/src/harfbuzz-gpos.c:759
#11 0xb661baac in Lookup_MarkBasePos (gpi=<value optimized out>, lookup_index=<value optimized out>, buffer=0xa8fdd98, context_length=65535, nesting_level=0) at ../3rdparty/harfbuzz/src/harfbuzz-gpos.c:2302
#12 GPOS_Do_Glyph_Lookup (gpi=<value optimized out>, lookup_index=<value optimized out>, buffer=0xa8fdd98, context_length=65535, nesting_level=0) at ../3rdparty/harfbuzz/src/harfbuzz-gpos.c:5808
#13 0xb661c8ed in GPOS_Do_String_Lookup (font=0xa93be8c, gpos=0xa901bf8, load_flags=0, buffer=0xa8fdd98, dvi=0 '\000', r2l=0 '\000') at ../3rdparty/harfbuzz/src/harfbuzz-gpos.c:5902
#14 HB_GPOS_Apply_String (font=0xa93be8c, gpos=0xa901bf8, load_flags=0, buffer=0xa8fdd98, dvi=0 '\000', r2l=0 '\000') at ../3rdparty/harfbuzz/src/harfbuzz-gpos.c:6073
#15 0xb6628578 in HB_OpenTypePosition (item=0xbf8e9844, availableGlyphs=13, doLogClusters=0 '\000') at ../3rdparty/harfbuzz/src/harfbuzz-shaper.cpp:1232
#16 0xb6629d0c in indic_shape_syllable (openType=<value optimized out>, item=<value optimized out>, invalid=false) at ../3rdparty/harfbuzz/src/harfbuzz-indic.cpp:1667
#17 0xb662a579 in HB_IndicShape (item=0xbf8e9fe8) at ../3rdparty/harfbuzz/src/harfbuzz-indic.cpp:1851
#18 0xb6625fae in HB_ShapeItem (shaper_item=0xbf8e9fe8) at ../3rdparty/harfbuzz/src/harfbuzz-shaper.cpp:1364
#19 0xb662d07b in qShapeItem (item=0xbf8e9fe8) at tools/qharfbuzz.cpp:120
#20 0xb5cb8c5d in QTextEngine::shapeTextWithHarfbuzz (this=0xbf8ea2d4, item=0) at text/qtextengine.cpp:1305
#21 0xb5cb9844 in QTextEngine::shapeText (this=0xbf8ea2d4, item=0) at text/qtextengine.cpp:922
#22 0xb5cb9da7 in QTextEngine::shape (this=0xbf8ea2d4, item=0) at text/qtextengine.cpp:1437
#23 0xb5cbbb2c in QTextEngine::width (this=0xbf8ea2d4, from=0, len=7) at text/qtextengine.cpp:1670
#24 0xb5c8ee34 in QFontMetrics::width (this=0xa36944c, text=..., len=7, flags=0) at text/qfontmetrics.cpp:582
#25 0xb5c8ef73 in QFontMetrics::width (this=0xa36944c, text=..., len=-1) at text/qfontmetrics.cpp:546
#26 0xb1e626be in khtml::Font::width (this=0xab613a0, chs=0xab615f8, pos=0, len=7, fast=false, start=0, end=0, toAdd=0) at /ws/trunk/kdelibs/khtml/rendering/font.cpp:372
Changing the condition to:
if (default_hint_style == HintNone || (flags & HB_ShaperFlag_UseDesignMetrics) ||
(set && set->outline_drawing))
eliminates the crash.
Attachments
Issue Links
- replaces
-
-
- Closed
-