Issue 73649 - crash in icu/source/layout/DeviceTables.cpp
Summary: crash in icu/source/layout/DeviceTables.cpp
Status: CLOSED DUPLICATE of issue 72791
Alias: None
Product: gsl
Classification: Code
Component: code
Version: 680m199
Hardware: All Unix, all
Importance: P3 Trivial
Target Milestone: OOo 2.2
Assignee: hdu@apache.org
QA Contact: issues@gsl
Reported: 2007-01-19 10:34 UTC by hdu@apache.org
Modified: 2007-01-19 11:20 UTC

See Also:
Issue Type: DEFECT
Latest Confirmation in: ---
Developer Difficulty: ---


Description hdu@apache.org 2007-01-19 10:34:39 UTC
Reproduction:
  - install Lohit fonts (see http://fedoraproject.org/wiki/Lohit)
  - start OOo Writer
  - open "Insert->SpecialCharacters" dialog
  - select the Lohit-Tamil font (version 1.0,
    the font file's MD5 is 62e67fef1a45ebb6c79dca6f70b9a372)
  => crash
Comment 1 hdu@apache.org 2007-01-19 10:35:47 UTC
#0  0xb69aa49c in icu_3_6::DeviceTable::getAdjustment (this=0xaa8d38ac, ppem=16)
    at DeviceTables.cpp:36
#1  0xb69a88ad in icu_3_6::Format3AnchorTable::getAnchor (this=0xaa8d389a,
fontInstance=0xaa9644d0, anchor=@0x0)
    at AnchorTables.cpp:97
#2  0xb69a8662 in icu_3_6::AnchorTable::getAnchor (this=0x6574, glyphID=15,
fontInstance=0xaa9644d0, anchor=@0xbfc903f4)
    at AnchorTables.cpp:39
#3  0xb69b0845 in icu_3_6::MarkArray::getMarkClass (this=0xaa8d3890, glyphID=15,
coverageIndex=25972, fontInstance=0xf,
    anchor=@0xf) at MarkArrays.cpp:29
#4  0xb69b0939 in icu_3_6::MarkToBasePositioningSubtable::process
(this=0xaa8d3844, glyphIterator=0xbfc9050c,
    fontInstance=0xaa9644d0) at MarkToBasePosnSubtables.cpp:41
#5  0xb69ab8c8 in icu_3_6::GlyphPositioningLookupProcessor::applySubtable
(this=0xbfc9059c, lookupSubtable=0xaa8d3844,
    lookupType=0, glyphIterator=0xbfc9050c, fontInstance=0xaa9644d0) at
GlyphPosnLookupProc.cpp:90
#6  0xb69afa83 in icu_3_6::LookupProcessor::applyLookupTable (this=0xbfc9059c,
lookupTable=0xaa8d383c,
    glyphIterator=0xbfc9050c, fontInstance=0xaa9644d0) at LookupProcessor.cpp:33
#7  0xb69afbbf in icu_3_6::LookupProcessor::process (this=0xbfc9059c,
glyphStorage=@0x6574, glyphPositionAdjustments=0xf,
    rightToLeft=0 '\0', glyphDefinitionTableHeader=0xf, fontInstance=0xaa9644d0)
at LookupProcessor.cpp:73
#8  0xb69ac1b9 in icu_3_6::GlyphPositioningTableHeader::process (this=0xf,
glyphStorage=@0x8157d38,
    glyphPositionAdjustments=0x81be358, rightToLeft=0 '\0', scriptTag=15,
languageTag=15, glyphDefinitionTableHeader=0xf,
    fontInstance=0xaa9644d0, featureMap=0xf, featureMapCount=15, featureOrder=1
'\001') at GlyphPositioningTables.cpp:26
#9  0xb69a1832 in icu_3_6::OpenTypeLayoutEngine::adjustGlyphPositions
(this=0x817c908, chars=0xaabf0aa4, offset=15, count=1,
    reverse=0 '\0', glyphStorage=@0x8157d38, success=@0xbfc90884) at
OpenTypeLayoutEngine.cpp:298
#10 0xb69a4ab7 in icu_3_6::LayoutEngine::layoutChars (this=0x817c908,
chars=0xaabf0aa4, offset=0, count=1, max=1,
    rightToLeft=0 '\0', x=2.1019477e-44, y=2.1019477e-44, success=@0xbfc90884)
at LayoutEngine.cpp:422
#11 0xb7eef947 in IcuLayoutEngine::operator() (this=0xaa9644cc,
rLayout=@0xaabefa44, rArgs=@0xbfc9092c)
    at /src/vcl/source/glyphs/gcach_layout.cxx:475
#12 0xb7eeed97 in ServerFontLayout::LayoutText (this=0xaabefa44, rArgs=@0xbfc9092c)
    at /src/vcl/source/glyphs/gcach_layout.cxx:88
#13 0xb7cdfc7e in OutputDevice::ImplLayout (this=0xb464c80c,
rOrigStr=@0xbfc90b48, nMinIndex=0, nLen=1,
    rLogicalPos=@0xbfc909f4, nLogicalWidth=0, pDXArray=0x0, bFilter=false)
    at /src/vcl/source/gdi/outdev3.cxx:6092
#14 0xb7cded9f in OutputDevice::GetTextArray (this=0xb464c80c, rStr=@0xbfc90b48,
pDXAry=0x0, nIndex=0, nLen=1)
    at /src/vcl/source/gdi/outdev3.cxx:5771
#15 0xb7cdeae6 in OutputDevice::GetTextWidth (this=0xb464c80c, rStr=@0xbfc90b48,
nIndex=0, nLen=65535)
    at /src/vcl/source/gdi/outdev3.cxx:5708
#16 0xadc0e1af in SvxShowCharSet::DrawChars_Impl ()
   from /unxlngi6.pro/program/libsvx680li.so
#17 0xadc0e77b in SvxShowCharSet::Paint () from /unxlngi6.pro/program/libsvx680li.so
Comment 2 hdu@apache.org 2007-01-19 10:42:07 UTC
In DeviceTables.cpp's DeviceTable::getAdjustment() method there is a divide by
zero caused by accessing a value outside the fieldBits[] array. This is caused
by deltaFormat==0, which leads to format==index_into_fieldBits==0xFFFF...
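
Added example (not part of the original issue, and not ICU's code or any of the patches referenced in this issue): a bounds-checked decoder for an OpenType Device table that rejects deltaFormat values outside 1..3 before they are used as a lookup index, which is the condition Comment 2 describes. The function name deviceAdjustment, the table bytes and the ppem values are constructed for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Constructed Device tables: startSize=14, endSize=17, deltaFormat, one delta word.
// Format 2 packs four signed 4-bit deltas per word: 0x10F2 -> +1, 0, -1, +2.
static const uint8_t kValid[]      = {0x00, 0x0E, 0x00, 0x11, 0x00, 0x02, 0x10, 0xF2};
static const uint8_t kZeroFormat[] = {0x00, 0x0E, 0x00, 0x11, 0x00, 0x00, 0x10, 0xF2};

// Big-endian uint16 at byte offset off; the caller has checked the bounds.
static uint16_t be16(const uint8_t* p, size_t off) {
    return static_cast<uint16_t>((p[off] << 8) | p[off + 1]);
}

// Decodes the delta for ppem from the Device table in data[0..len).
// Returns false for a malformed table; out stays 0 when ppem is outside
// [startSize, endSize].
bool deviceAdjustment(const uint8_t* data, size_t len, uint16_t ppem, int16_t& out) {
    static const uint16_t kBits[] = {2, 4, 8};  // field width for deltaFormat 1..3
    out = 0;
    if (data == nullptr || len < 6) return false;  // header is three uint16 fields
    const uint16_t start = be16(data, 0);
    const uint16_t end = be16(data, 2);
    const uint16_t deltaFormat = be16(data, 4);
    // deltaFormat 0 would wrap to index 0xFFFF after "- 1"; reject it up front.
    if (deltaFormat < 1 || deltaFormat > 3 || start > end) return false;
    if (ppem < start || ppem > end) return true;   // no adjustment at this size
    const uint16_t bits = kBits[deltaFormat - 1];
    const uint16_t perWord = static_cast<uint16_t>(16 / bits);  // bits is 2, 4 or 8
    const uint16_t sizeIndex = static_cast<uint16_t>(ppem - start);
    const size_t wordOff = 6 + 2 * static_cast<size_t>(sizeIndex / perWord);
    if (wordOff + 2 > len) return false;           // delta word lies past the buffer
    const uint16_t mask = static_cast<uint16_t>((1u << bits) - 1);
    const unsigned shift = 16u - bits * (sizeIndex % perWord + 1u);
    uint16_t field = static_cast<uint16_t>((be16(data, wordOff) >> shift) & mask);
    if (field & (1u << (bits - 1))) field |= static_cast<uint16_t>(~mask);  // sign-extend
    out = static_cast<int16_t>(field);
    return true;
}

int main() {
    int16_t d = 0;
    bool ok = deviceAdjustment(kValid, sizeof kValid, 16, d);
    std::printf("valid table, ppem 16: ok=%d delta=%d\n", ok, d);
    ok = deviceAdjustment(kZeroFormat, sizeof kZeroFormat, 16, d);
    std::printf("deltaFormat 0, ppem 16: ok=%d\n", ok);
    return 0;
}
```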
Comment 3 caolanm 2007-01-19 10:46:00 UTC
Sorry about not mentioning these to you as well as erack, see
http://cvs.fedora.redhat.com/viewcvs/devel/icu/

I have a devicetable fixer there, also the "safety" patch might be relevant for you.
Comment 4 caolanm 2007-01-19 11:01:32 UTC
issue 72791 was the original "I have some patches to icu that might be of
interest" issue FWIW
Comment 5 hdu@apache.org 2007-01-19 11:20:05 UTC
@CMC: Great! Thanks a lot for the info and the patches.

@ER: this boosts the priority of issue 72791 quite a bit...

*** This issue has been marked as a duplicate of 72791 ***
Comment 6 hdu@apache.org 2007-01-19 11:20:30 UTC
Closing duplicate issue.