Qt: QTBUG-21766

crash in qfontengine_ft because of combined characters

Details

    Type: Bug
    Resolution: Duplicate
    Priority: Not Evaluated
    Fix Version/s: None
    Affects Version/s: 4.8.x
    Component/s: GUI: Font handling
    Labels: None
    Environment: Qt 4.8.x (does not crash with 4.7.4), Linux x64

    Description

      For the following example:

      #include <QApplication>
      #include <QString>
      #include <QFontMetrics>
      #include <QFont>
      #include <QDebug>
      
      
      int main(int argc, char** argv)
      {
          QApplication app(argc, argv);
      
          // U+006F LATIN SMALL LETTER O followed by U+030C COMBINING CARON;
          // the combining mark makes the shaper take the mark-positioning path.
          QChar normal_o(0x006F), crashChar(0x030C);
      
          QString crashString;
          crashString += normal_o;
          crashString += crashChar;
      
          // Default font; the crash does not depend on a specific family or size.
          QFont font;
      #if 0
          font.setPointSize(9);
          font.setFamily("DejaVu Sans");
      #endif
      
          QFontMetrics met(font);
          int width;
      
          // Measuring the string forces shaping, which is where the crash occurs.
          width = met.width(crashString);
          qDebug() << "width is: " << width << " string:" << crashString;
      
          return 0;
      }
      

      Qt 4.8.x crashes with:

      QFontEngineFT::loadFlags (this=<optimized out>, set=0x0, format=<optimized out>, flags=<optimized out>, 
          hsubpixel=@0x7fffffff965f, vfactor=@0x7fffffff9658) at text/qfontengine_ft.cpp:804
      804     text/qfontengine_ft.cpp: Datei oder Verzeichnis nicht gefunden.
              in text/qfontengine_ft.cpp
      (gdb) bt
      #0  QFontEngineFT::loadFlags (this=<optimized out>, set=0x0, format=<optimized out>, 
          flags=<optimized out>, hsubpixel=@0x7fffffff965f, vfactor=@0x7fffffff9658)
          at text/qfontengine_ft.cpp:804
      #1  0x00007ffff7061410 in QFontEngineFT::getPointInOutline (this=0x7bd670, glyph=701, flags=0, point=7, 
          xpos=0x7fffffff97f0, ypos=0x7fffffff97ec, nPoints=0x7fffffff96b8) at text/qfontengine_ft.cpp:1969
      #2  0x00007ffff79cf22d in Get_Anchor (gpi=<optimized out>, an=0x819798, glyph_index=<optimized out>, 
          x_value=0x7fffffff97f0, y_value=0x7fffffff97ec) at ../3rdparty/harfbuzz/src/harfbuzz-gpos.c:759
      #3  0x00007ffff79d19ec in Lookup_MarkBasePos (context_length=65535, flags=<optimized out>, 
          buffer=0x745e00, st=0x6d3690, gpi=0x7fffffff9870, nesting_level=<optimized out>)
          at ../3rdparty/harfbuzz/src/harfbuzz-gpos.c:2302
      #4  GPOS_Do_Glyph_Lookup (gpi=<optimized out>, lookup_index=<optimized out>, buffer=0x745e00, 
          context_length=65535, nesting_level=1) at ../3rdparty/harfbuzz/src/harfbuzz-gpos.c:5808
      #5  0x00007ffff79d83f0 in GPOS_Do_String_Lookup (buffer=0x745e00, lookup_index=13, gpi=0x7fffffff9870)
          at ../3rdparty/harfbuzz/src/harfbuzz-gpos.c:5902
      #6  HB_GPOS_Apply_String (font=<optimized out>, gpos=0x70dcd0, load_flags=<optimized out>, 
          buffer=0x745e00, dvi=<optimized out>, r2l=<optimized out>)
          at ../3rdparty/harfbuzz/src/harfbuzz-gpos.c:6073
      #7  0x00007ffff79dd0a8 in HB_OpenTypePosition (item=0x7fffffffa070, availableGlyphs=2, 
          doLogClusters=1 '\001') at ../3rdparty/harfbuzz/src/harfbuzz-shaper.cpp:1232
      #8  0x00007ffff79e1624 in HB_ShapeItem (shaper_item=0x7fffffffa070)
          at ../3rdparty/harfbuzz/src/harfbuzz-shaper.cpp:1364
      #9  0x00007ffff6fad5d2 in QTextEngine::shapeTextWithHarfbuzz (this=0x7fffffffa450, item=<optimized out>)
          at text/qtextengine.cpp:1329
      #10 0x00007ffff6fadfea in QTextEngine::shapeText (this=0x7fffffffa450, item=0) at text/qtextengine.cpp:922
      #11 0x00007ffff6fae3c2 in QTextEngine::shape (this=0x7fffffffa450, item=0) at text/qtextengine.cpp:1437
      #12 0x00007ffff6fb2ff1 in QTextEngine::width (this=0x7fffffffa450, from=0, len=<optimized out>)
          at text/qtextengine.cpp:1670
      #13 0x00007ffff6f8a8a9 in QFontMetrics::width (this=0x7fffffffd670, text=..., len=2, 
          flags=<optimized out>) at text/qfontmetrics.cpp:582
      #14 0x0000000000402779 in main (argc=1, argv=0x7fffffffd7d8)
          at /home/buscher/QT/qHarfbuzzCrash/main.cpp:27
      

      It crashes in qfontengine_ft.cpp:804 because "set" is 0.
      If you look at qfontengine_ft.cpp:801
      http://qt.gitorious.org/qt/qt/blobs/4.8/src/gui/text/qfontengine_ft.cpp#line801
      you can see that "set" can be 0.

      Crash introduced by:
      http://qt.gitorious.org/qt/qt/commit/5a4df38a

      Patch attached to fix that crash.
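      The null "set" path described in the report, reduced to a stand-alone model. This is an added example, not Qt's code and not the attached patch: GlyphSet, loadFlagsUnchecked, loadFlagsChecked, hasCombiningMark and the LOAD_* values are hypothetical stand-ins for QGlyphSet, QFontEngineFT::loadFlags and FreeType's FT_LOAD_* flags. It shows the unchecked dereference beside the guarded form, and a helper that identifies the class of input (base character plus combining mark) a crash regression test should cover.

```cpp
#include <cassert>
#include <cstdint>
#include <string>

// Hypothetical stand-in for QFontEngineFT's per-size glyph cache (QGlyphSet in Qt).
// Written for this example; the real type has more state than this.
struct GlyphSet {
    bool outline_drawing;
};

// Illustrative flag values, not FreeType's real FT_LOAD_* constants.
enum : std::uint32_t {
    LOAD_DEFAULT    = 0x0,
    LOAD_NO_BITMAP  = 0x1,
    LOAD_NO_HINTING = 0x2,
};

// Shape of the bug: the set pointer is dereferenced unconditionally. When the
// GPOS anchor lookup in the backtrace passes set == nullptr, this is a null
// dereference (undefined behaviour; a segfault in practice).
std::uint32_t loadFlagsUnchecked(const GlyphSet *set, bool hinting) {
    std::uint32_t flags = LOAD_DEFAULT;
    if (set->outline_drawing)          // crashes when set == nullptr
        flags |= LOAD_NO_BITMAP;
    if (!hinting)
        flags |= LOAD_NO_HINTING;
    return flags;
}

// Hardened shape: a null set means "no cached set for this configuration", so
// fall back to the default flags instead of trusting the pointer.
std::uint32_t loadFlagsChecked(const GlyphSet *set, bool hinting) {
    std::uint32_t flags = LOAD_DEFAULT;
    if (set && set->outline_drawing)
        flags |= LOAD_NO_BITMAP;
    if (!hinting)
        flags |= LOAD_NO_HINTING;
    return flags;
}

// Regression-test helper: does a UTF-16 string contain a code point from the
// Unicode "Combining Diacritical Marks" block (U+0300..U+036F)? Such strings
// send the shaper down the mark-positioning (GPOS MarkBase) path seen in the
// backtrace, so they are the inputs a crash regression test should exercise.
bool hasCombiningMark(const std::u16string &s) {
    for (char16_t c : s)
        if (c >= 0x0300 && c <= 0x036F)
            return true;
    return false;
}

int main() {
    // Constructed inputs: the report's 'o' + U+030C, and a plain 'o' for contrast.
    const std::u16string crashString = u"o\u030C";
    const std::u16string plain = u"o";
    assert(hasCombiningMark(crashString));
    assert(!hasCombiningMark(plain));

    // Null set: only the checked variant may safely be called.
    assert(loadFlagsChecked(nullptr, true) == LOAD_DEFAULT);
    assert(loadFlagsChecked(nullptr, false) == LOAD_NO_HINTING);

    // Valid set: both variants agree, so the guard changes nothing on the normal path.
    GlyphSet outlineSet{true};
    assert(loadFlagsUnchecked(&outlineSet, true) == loadFlagsChecked(&outlineSet, true));
    assert(loadFlagsChecked(&outlineSet, true) == LOAD_NO_BITMAP);
    return 0;
}
```

      The guard is the whole fix for this bug class: the caller that asks for an outline anchor point has no glyph set to hand over, so the callee must tolerate a null one rather than assume the pointer is always populated.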

People

    Assignee: Eskil Abrahamsen Blomfeldt (esabraha)
    Reporter: Bernd Buschinski (buscher)
    Votes: 0
    Watchers: 0