Qt / QTBUG-17238

QTextLayout crashes inside harfbuzz Lookup_MarkMarkPos


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Not Evaluated
    • Resolution: Done
    • Affects Version/s: 4.7.1
    • Fix Version/s: 4.7.4
    • Component/s: GUI: Text handling
    • Labels:
      None
    • Environment:
      Microsoft Windows 7 x64
      Visual Studio 2010
      Quassel Client 0.8-pre+77
    • Commits:
      9ae6f2f9a57f0c3096d5785913e437953fa6775c

      Description

      When attempting to execute the following code:

      // Fragment of a ChatLineModelItem method (Quassel client).
      // _styledMsg.plainContents() returns a QString containing the text in the attached UTF-8 encoded text file.

      #include <QList>
      #include <QString>
      #include <QTextBoundaryFinder>
      #include <QTextLayout>
      #include <QTextOption>

      // Scratch buffer handed to QTextBoundaryFinder so it does not allocate on every call:
      // unsigned char *ChatLineModelItem::TextBoundaryFinderBuffer = (unsigned char *)malloc(512 * sizeof(HB_CharAttributes_Dummy));
      // int ChatLineModelItem::TextBoundaryFinderBufferSize = 512 * (sizeof(HB_CharAttributes_Dummy) / sizeof(unsigned char));

      QString text = _styledMsg.plainContents();
      int length = text.length();
      if (!length)
          return;

      QList<ChatLineModel::Word> wplist; // use a temp list which we'll later copy into a QVector for efficiency
      // Take the QChar pointer from the local copy 'text': if plainContents() returns by value,
      // a pointer taken from that temporary would dangle once the full expression ends.
      QTextBoundaryFinder finder(QTextBoundaryFinder::Line, text.unicode(), length,
                                 TextBoundaryFinderBuffer, TextBoundaryFinderBufferSize);

      int idx;
      int oldidx = 0;
      ChatLineModel::Word word;
      word.start = 0;
      qreal wordstartx = 0;

      QTextLayout layout(text);
      QTextOption option;
      option.setWrapMode(QTextOption::NoWrap);
      layout.setTextOption(option);

      // QtUi::style()->toTextLayoutList() will be returning a QList<QTextLayout::FormatRange> containing a single
      // FormatRange for the entire line of text, using a regular formatting string
      layout.setAdditionalFormats(QtUi::style()->toTextLayoutList(_styledMsg.contentsFormatList(), length, messageLabel()));
      layout.beginLayout();
      QTextLine line = layout.createLine();
      line.setNumColumns(length); // Crash occurs deep inside this function (see stack trace below)
      layout.endLayout();

      The stack trace from that function call to the crash point is as follows:

      QtCored4.dll!Lookup_MarkMarkPos(GPOS_Instance_ * gpi=0x01b7bc28, HB_GPOS_SubTable_ * st=0x130dc388, HB_BufferRec_ * buffer=0x130b91a8, unsigned short flags=1024, unsigned short context_length=65535, int nesting_level=1) Line 3016 + 0x11 bytes C
      QtCored4.dll!GPOS_Do_Glyph_Lookup(GPOS_Instance_ * gpi=0x01b7bc28, unsigned short lookup_index=15, HB_BufferRec_ * buffer=0x130b91a8, unsigned short context_length=65535, int nesting_level=1) Line 5809 + 0x1f bytes C
      QtCored4.dll!GPOS_Do_String_Lookup(GPOS_Instance_ * gpi=0x01b7bc28, unsigned short lookup_index=15, HB_BufferRec_ * buffer=0x130b91a8) Line 5899 + 0x1b bytes C
      QtCored4.dll!HB_GPOS_Apply_String(HB_Font_ * font=0x130b3245, HB_GPOSHeader_ * gpos=0x130c5050, unsigned short load_flags=0, HB_BufferRec_ * buffer=0x130b91a8, unsigned char dvi=0, unsigned char r2l=0) Line 6070 + 0x12 bytes C
      QtCored4.dll!HB_OpenTypePosition(HB_ShaperItem_ * item=0x01b7beb8, int availableGlyphs=20, unsigned char doLogClusters='') Line 1202 + 0x26 bytes C++
      QtCored4.dll!HB_BasicShape(HB_ShaperItem_ * shaper_item=0x01b7beb8) Line 575 + 0xf bytes C++
      QtCored4.dll!HB_ShapeItem(HB_ShaperItem_ * shaper_item=0x01b7beb8) Line 1334 + 0x13 bytes C++
      QtCored4.dll!qShapeItem(HB_ShaperItem_ * item=0x01b7beb8) Line 120 + 0x9 bytes C++
      QtGuid4.dll!QTextEngine::shapeTextWithHarfbuzz(int item=0) Line 1275 + 0xd bytes C++
      QtGuid4.dll!QTextEngine::shapeText(int item=0) Line 877 C++
      QtGuid4.dll!QTextEngine::shape(int item=0) Line 1383 C++
      QtGuid4.dll!QTextLine::layout_helper(int maxGlyphs=176) Line 1837 C++
      QtGuid4.dll!QTextLine::setNumColumns(int numColumns=176) Line 1641 C++

      At the crash point, line 3015 of harfbuzz-gpos.c, buffer->in_pos == 11, i == 12, and j == 65535. It crashes attempting to read from the input string buffer at index 65535.
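A read at index 65535 is the signature of a 16-bit index gone wrong: 0xFFFF is both the largest value of harfbuzz's HB_UShort and what a 16-bit counter wraps to when decremented below zero, so a "no such glyph" sentinel and an underflowed index look identical to a caller that does not check before indexing. The C program below is an added illustration of that bug class and of the check that prevents it; it is constructed for this page and is not harfbuzz's or Qt's code. The Glyph and Buffer types, NOT_FOUND, find_prev_mark(), mark2_index_unchecked() and attach_mark_to_prev_mark() are hypothetical stand-ins, and the 13-glyph run with in_pos == 11 is constructed to mirror the values in the report.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration, not harfbuzz code. HB_UShort mirrors harfbuzz's
 * 16-bit index type: 65535 == 0xFFFF is both its maximum value and what a
 * decrement below zero wraps to. */
typedef uint16_t HB_UShort;
#define NOT_FOUND ((HB_UShort)0xFFFF) /* hypothetical 'no such glyph' sentinel */

enum { GLYPH_BASE = 0, GLYPH_MARK = 1 };

typedef struct {
    HB_UShort gindex; /* glyph id (hypothetical) */
    uint8_t   gclass; /* GLYPH_BASE or GLYPH_MARK */
} Glyph;

typedef struct {
    Glyph    *in_string; /* input glyph run */
    HB_UShort in_length; /* number of glyphs in in_string */
    HB_UShort in_pos;    /* glyph currently being positioned */
} Buffer;

/* Walk backwards from in_pos to find the previous mark glyph. Returns its
 * index, or NOT_FOUND. Because the counter is 16 bits, an off-by-one that
 * decrements past zero would also yield 0xFFFF, so the caller cannot tell
 * "not found" from "underflowed" without checking the value. */
static HB_UShort find_prev_mark(const Buffer *buf) {
    HB_UShort j = buf->in_pos;
    while (j > 0) {
        j--;
        if (buf->in_string[j].gclass == GLYPH_MARK)
            return j;
    }
    return NOT_FOUND;
}

/* Unchecked pattern: whatever find_prev_mark() returned is used as an index.
 * This only reports the index that would be dereferenced; actually reading
 * in_string[65535] on a 13-glyph run is the out-of-bounds read in the report. */
static HB_UShort mark2_index_unchecked(const Buffer *buf) {
    return find_prev_mark(buf);
}

/* True if a read of in_string[idx] stays inside the buffer. */
static bool index_in_bounds(const Buffer *buf, HB_UShort idx) {
    return idx < buf->in_length;
}

/* Hardened pattern: reject the sentinel and re-check the index against the
 * buffer length before it is used. Returns 1 and sets *mark2 on success,
 * 0 when there is no previous mark to attach to. */
static int attach_mark_to_prev_mark(const Buffer *buf, HB_UShort *mark2) {
    HB_UShort j = find_prev_mark(buf);
    if (j == NOT_FOUND || !index_in_bounds(buf, j))
        return 0;
    *mark2 = j;
    return 1;
}

/* Constructed 13-glyph run with in_pos == 11, as in the report. With
 * mark_before_pos == false no mark precedes position 11; with true,
 * glyph 9 is a mark. */
static Glyph g_run[13];
static Buffer make_buffer(bool mark_before_pos) {
    Buffer b;
    for (int k = 0; k < 13; k++) {
        g_run[k].gindex = (HB_UShort)(100 + k);
        g_run[k].gclass = GLYPH_BASE;
    }
    if (mark_before_pos)
        g_run[9].gclass = GLYPH_MARK;
    b.in_string = g_run;
    b.in_length = 13;
    b.in_pos = 11;
    return b;
}

int main(void) {
    Buffer b = make_buffer(false);
    HB_UShort j = mark2_index_unchecked(&b);
    printf("unchecked index j = %u, in_length = %u, in bounds: %s\n",
           (unsigned)j, (unsigned)b.in_length,
           index_in_bounds(&b, j) ? "yes" : "no");
    HB_UShort m = 0;
    printf("hardened lookup attaches: %d\n", attach_mark_to_prev_mark(&b, &m));
    return 0;
}
```

The point of the hardened variant is that the bounds check is made against in_length at the site of use, not just against the sentinel: a comparison against 0xFFFF alone would still let an index that wrapped to any other out-of-range value through.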

        Attachments

        1. crash_qt.txt
          0.3 kB
        2. hafbuzz_crash.zip
          214 kB
        3. hb-crash.cpp
          0.4 kB

            People

            Assignee:
            Jiang Jiang (jiang)
            Reporter:
            Chris Moeller (kode54)
            Votes:
            0
            Watchers:
            3
