Apache OpenOffice (AOO) Bugzilla – Issue 73649
crash in icu/source/layout/DeviceTables.cpp
Last modified: 2007-01-19 11:20:30 UTC
Reproduction:
- install Lohit fonts (see http://fedoraproject.org/wiki/Lohit)
- start OOo Writer
- open "Insert->SpecialCharacters" dialog
- select the Lohit-Tamil font (version 1.0, the font file's MD5 is 62e67fef1a45ebb6c79dca6f70b9a372)
=> crash
#0 0xb69aa49c in icu_3_6::DeviceTable::getAdjustment (this=0xaa8d38ac, ppem=16) at DeviceTables.cpp:36
#1 0xb69a88ad in icu_3_6::Format3AnchorTable::getAnchor (this=0xaa8d389a, fontInstance=0xaa9644d0, anchor=@0x0) at AnchorTables.cpp:97
#2 0xb69a8662 in icu_3_6::AnchorTable::getAnchor (this=0x6574, glyphID=15, fontInstance=0xaa9644d0, anchor=@0xbfc903f4) at AnchorTables.cpp:39
#3 0xb69b0845 in icu_3_6::MarkArray::getMarkClass (this=0xaa8d3890, glyphID=15, coverageIndex=25972, fontInstance=0xf, anchor=@0xf) at MarkArrays.cpp:29
#4 0xb69b0939 in icu_3_6::MarkToBasePositioningSubtable::process (this=0xaa8d3844, glyphIterator=0xbfc9050c, fontInstance=0xaa9644d0) at MarkToBasePosnSubtables.cpp:41
#5 0xb69ab8c8 in icu_3_6::GlyphPositioningLookupProcessor::applySubtable (this=0xbfc9059c, lookupSubtable=0xaa8d3844, lookupType=0, glyphIterator=0xbfc9050c, fontInstance=0xaa9644d0) at GlyphPosnLookupProc.cpp:90
#6 0xb69afa83 in icu_3_6::LookupProcessor::applyLookupTable (this=0xbfc9059c, lookupTable=0xaa8d383c, glyphIterator=0xbfc9050c, fontInstance=0xaa9644d0) at LookupProcessor.cpp:33
#7 0xb69afbbf in icu_3_6::LookupProcessor::process (this=0xbfc9059c, glyphStorage=@0x6574, glyphPositionAdjustments=0xf, rightToLeft=0 '\0', glyphDefinitionTableHeader=0xf, fontInstance=0xaa9644d0) at LookupProcessor.cpp:73
#8 0xb69ac1b9 in icu_3_6::GlyphPositioningTableHeader::process (this=0xf, glyphStorage=@0x8157d38, glyphPositionAdjustments=0x81be358, rightToLeft=0 '\0', scriptTag=15, languageTag=15, glyphDefinitionTableHeader=0xf, fontInstance=0xaa9644d0, featureMap=0xf, featureMapCount=15, featureOrder=1 '\001') at GlyphPositioningTables.cpp:26
#9 0xb69a1832 in icu_3_6::OpenTypeLayoutEngine::adjustGlyphPositions (this=0x817c908, chars=0xaabf0aa4, offset=15, count=1, reverse=0 '\0', glyphStorage=@0x8157d38, success=@0xbfc90884) at OpenTypeLayoutEngine.cpp:298
#10 0xb69a4ab7 in icu_3_6::LayoutEngine::layoutChars (this=0x817c908, chars=0xaabf0aa4, offset=0, count=1, max=1, rightToLeft=0 '\0', x=2.1019477e-44, y=2.1019477e-44, success=@0xbfc90884) at LayoutEngine.cpp:422
#11 0xb7eef947 in IcuLayoutEngine::operator() (this=0xaa9644cc, rLayout=@0xaabefa44, rArgs=@0xbfc9092c) at /src/vcl/source/glyphs/gcach_layout.cxx:475
#12 0xb7eeed97 in ServerFontLayout::LayoutText (this=0xaabefa44, rArgs=@0xbfc9092c) at /src/vcl/source/glyphs/gcach_layout.cxx:88
#13 0xb7cdfc7e in OutputDevice::ImplLayout (this=0xb464c80c, rOrigStr=@0xbfc90b48, nMinIndex=0, nLen=1, rLogicalPos=@0xbfc909f4, nLogicalWidth=0, pDXArray=0x0, bFilter=false) at /src/vcl/source/gdi/outdev3.cxx:6092
#14 0xb7cded9f in OutputDevice::GetTextArray (this=0xb464c80c, rStr=@0xbfc90b48, pDXAry=0x0, nIndex=0, nLen=1) at /src/vcl/source/gdi/outdev3.cxx:5771
#15 0xb7cdeae6 in OutputDevice::GetTextWidth (this=0xb464c80c, rStr=@0xbfc90b48, nIndex=0, nLen=65535) at /src/vcl/source/gdi/outdev3.cxx:5708
#16 0xadc0e1af in SvxShowCharSet::DrawChars_Impl () from /unxlngi6.pro/program/libsvx680li.so
#17 0xadc0e77b in SvxShowCharSet::Paint () from /unxlngi6.pro/program/libsvx680li.so
In DeviceTables.cpp's DeviceTable::getAdjustment() method there is a divide by zero caused by accessing a value outside the fieldBits[] array. This is caused by deltaFormat==0, which leads to format==index_into_fieldBits==0xFFFF...
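The arithmetic the report describes, as an added example (this is neither ICU's DeviceTables.cpp nor code from the report): a small reader for the OpenType Device table that shows how an unchecked `deltaFormat - 1` turns a zero format into index 0xFFFF, and how a validating parser refuses such a table before any adjustment is computed. The table layout (startSize, endSize, deltaFormat, packed deltaValues) and the 2/4/8-bit widths for formats 1..3 follow the OpenType specification; the `devtbl` namespace, the function names and the sample byte strings are constructed for this example.

```cpp
#include <cstdint>
#include <cstddef>
#include <cstdio>
#include <vector>

namespace devtbl {

// OpenType Device table, big-endian on disk:
//   uint16 startSize; uint16 endSize; uint16 deltaFormat; uint16 deltaValues[];
// deltaFormat 1, 2 or 3 means 2-, 4- or 8-bit signed deltas packed into 16-bit words.
struct DeviceTable {
    uint16_t startSize = 0;
    uint16_t endSize = 0;
    uint16_t deltaFormat = 0;
    std::vector<uint16_t> deltaValues;  // host byte order after parsing
};

// Per-format masks, sign bits and widths, indexed by deltaFormat - 1.
static const uint16_t kFieldMasks[]    = {0x0003, 0x000F, 0x00FF};
static const uint16_t kFieldSignBits[] = {0x0002, 0x0008, 0x0080};
static const uint16_t kFieldBits[]     = {2, 4, 8};

// What an unchecked reader computes as the array index: for deltaFormat == 0
// the 16-bit subtraction wraps to 0xFFFF, far outside the three-entry tables.
uint16_t uncheckedFormatIndex(uint16_t deltaFormat) {
    return (uint16_t)(deltaFormat - 1);
}

static uint16_t be16(const uint8_t* p) { return (uint16_t)((p[0] << 8) | p[1]); }

// Parse a Device table from untrusted bytes. Returns false for any table whose
// header or length would otherwise be trusted blindly by getAdjustment().
bool parseDeviceTable(const uint8_t* data, size_t len, DeviceTable& out) {
    if (len < 6) return false;
    out.startSize   = be16(data);
    out.endSize     = be16(data + 2);
    out.deltaFormat = be16(data + 4);
    // Only formats 1..3 are defined; 0 (the value in the crashing font) and
    // anything larger must not reach the table lookups.
    if (out.deltaFormat < 1 || out.deltaFormat > 3) return false;
    if (out.endSize < out.startSize) return false;
    const uint16_t bits  = kFieldBits[out.deltaFormat - 1];
    const uint16_t count = 16 / bits;                      // deltas per word
    const size_t   sizes = (size_t)out.endSize - out.startSize + 1;
    const size_t   words = (sizes + count - 1) / count;
    if (len < 6 + words * 2) return false;                 // truncated deltaValues
    out.deltaValues.clear();
    for (size_t i = 0; i < words; ++i)
        out.deltaValues.push_back(be16(data + 6 + 2 * i));
    return true;
}

// Signed pixel adjustment for `ppem`, 0 outside [startSize, endSize].
// Only safe on a table that passed parseDeviceTable().
int16_t getAdjustment(const DeviceTable& t, uint16_t ppem) {
    if (ppem < t.startSize || ppem > t.endSize) return 0;
    const uint16_t format     = t.deltaFormat - 1;
    const uint16_t bits       = kFieldBits[format];
    const uint16_t count      = 16 / bits;
    const uint16_t sizeIndex  = ppem - t.startSize;
    const uint16_t word       = t.deltaValues[sizeIndex / count];
    const uint16_t fieldIndex = sizeIndex % count;
    const uint16_t shift      = 16 - bits * (fieldIndex + 1);
    uint16_t field = (word >> shift) & kFieldMasks[format];
    if (field & kFieldSignBits[format])
        field |= (uint16_t)~kFieldMasks[format];           // sign-extend to 16 bits
    return (int16_t)field;
}

// Constructed sample tables (not taken from any real font).
// Valid: sizes 12..15, format 2 (4-bit), deltas +1, -1, +2, -2 packed as 0x1F2E.
const uint8_t kGoodTable[]       = {0x00, 0x0C, 0x00, 0x0F, 0x00, 0x02, 0x1F, 0x2E};
// Same table with deltaFormat == 0, the condition behind the reported crash.
const uint8_t kZeroFormatTable[] = {0x00, 0x0C, 0x00, 0x0F, 0x00, 0x00, 0x1F, 0x2E};
// Format 3 over sizes 0..100 needs 51 words but only one is present.
const uint8_t kTruncatedTable[]  = {0x00, 0x00, 0x00, 0x64, 0x00, 0x03, 0x00, 0x00};

}  // namespace devtbl

int main() {
    devtbl::DeviceTable t;
    if (devtbl::parseDeviceTable(devtbl::kGoodTable, sizeof(devtbl::kGoodTable), t))
        for (uint16_t ppem = 11; ppem <= 16; ++ppem)
            std::printf("ppem %u -> %d\n", ppem, devtbl::getAdjustment(t, ppem));
    devtbl::DeviceTable bad;
    std::printf("deltaFormat 0 accepted: %d (unchecked index would be 0x%04X)\n",
                devtbl::parseDeviceTable(devtbl::kZeroFormatTable, sizeof(devtbl::kZeroFormatTable), bad),
                devtbl::uncheckedFormatIndex(0));
    return 0;
}
```

The length check in `parseDeviceTable` matters as much as the format check: once `count` is known, the number of words the table must carry is fixed, so a reader can reject a short table up front instead of indexing past `deltaValues` later.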
Sorry about not mentioning these to you as well as erack; see http://cvs.fedora.redhat.com/viewcvs/devel/icu/ . I have a devicetable fixer there; also the "safety" patch might be relevant for you.
Issue 72791 was the original "I have some patches to icu that might be of interest" issue, FWIW.
@CMC: Great! Thanks a lot for the info and the patches. @ER: this boosts the priority of issue 72791 quite a bit...

*** This issue has been marked as a duplicate of 72791 ***
Closing duplicate issue.