Closed
Bug 1584008
Opened 5 years ago
Closed 5 years ago
member access within address <addr> with insufficient space for an object of type 'tt_cmap_t' in src/gfx/cairo/cairo/src/cairo-truetype-subset.c:1293
Categories
(Core :: Graphics, defect, P3)
Core
Graphics
Tracking
()
RESOLVED
FIXED
mozilla71
| Tracking | Status | |
|---|---|---|
| firefox71 | --- | fixed |
People
(Reporter: tsmith, Assigned: lsalzman)
References
(Blocks 1 open bug)
Details
(Keywords: csectype-undefined, testcase)
Attachments
(1 file)
This is triggered with an UBSan build. To enable this check add the following to your mozconfig:
ac_add_options --enable-address-sanitizer
ac_add_options --enable-undefined-sanitizer="object-size"
ac_add_options --disable-jemalloc
browser/components/extensions/test/browser/browser_ext_tabs_saveAsPDF.js
src/gfx/cairo/cairo/src/cairo-truetype-subset.c:1293:37: runtime error: member access within address 0x7ffc8e7d3900 with insufficient space for an object of type 'tt_cmap_t' (aka 'struct _tt_cmap')
0x7ffc8e7d3900: note: pointer points here
00 00 00 00 00 00 00 05 60 61 00 00 80 38 7d 8e fc 7f 00 00 04 00 00 00 00 00 00 00 20 a9 5d 00
^
#0 0x7efef9685eec in _cairo_truetype_index_to_ucs4 src/gfx/cairo/cairo/src/cairo-truetype-subset.c:1293:37
#1 0x7efef971f8e6 in _cairo_sub_font_glyph_lookup_unicode src/gfx/cairo/cairo/src/cairo-scaled-font-subsets.c:345:14
#2 0x7efef971f8e6 in _cairo_sub_font_map_glyph src/gfx/cairo/cairo/src/cairo-scaled-font-subsets.c:501
#3 0x7efef971ed60 in _cairo_sub_font_create src/gfx/cairo/cairo/src/cairo-scaled-font-subsets.c:299:11
#4 0x7efef971c497 in _cairo_scaled_font_subsets_map_glyph src/gfx/cairo/cairo/src/cairo-scaled-font-subsets.c:778:22
#5 0x7efef9654e65 in _cairo_pdf_operators_emit_cluster src/gfx/cairo/cairo/src/cairo-pdf-operators.c:1305:11
#6 0x7efef96540cb in _cairo_pdf_operators_show_text_glyphs src/gfx/cairo/cairo/src/cairo-pdf-operators.c:1455:15
#7 0x7efef965cd52 in _cairo_pdf_surface_show_text_glyphs src/gfx/cairo/cairo/src/cairo-pdf-surface.c:6175:11
#8 0x7efef9741e12 in _cairo_surface_show_text_glyphs src/gfx/cairo/cairo/src/cairo-surface.c:2801:15
#9 0x7efef96828e1 in _cairo_surface_wrapper_show_text_glyphs src/gfx/cairo/cairo/src/cairo-surface-wrapper.c:617:14
#10 0x7efef971750c in _cairo_recording_surface_replay_internal src/gfx/cairo/cairo/src/cairo-recording-surface.c:952:15
#11 0x7efef96f14cf in _paint_page src/gfx/cairo/cairo/src/cairo-paginated-surface.c:363:11
#12 0x7efef96f0897 in _cairo_paginated_surface_show_page src/gfx/cairo/cairo/src/cairo-paginated-surface.c:466:14
#13 0x7efef9746a28 in INT__moz_cairo_surface_show_page src/gfx/cairo/cairo/src/cairo-surface.c:2541:21
#14 0x7efef34bed2f in mozilla::gfx::PrintTargetPDF::EndPage() src/gfx/thebes/PrintTargetPDF.cpp:60:3
#15 0x7efef2ebc61d in nsDeviceContext::EndPage() src/gfx/src/nsDeviceContext.cpp:579:31
#16 0x7efef88712bf in mozilla::layout::RemotePrintJobParent::PrintPage(mozilla::layout::PRFileDescStream&) src/layout/printing/ipc/RemotePrintJobParent.cpp:135:29
#17 0x7efef88711d4 in mozilla::layout::RemotePrintJobParent::RecvProcessPage() src/layout/printing/ipc/RemotePrintJobParent.cpp:114:17
#18 0x7efef21f6956 in mozilla::layout::PRemotePrintJobParent::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PRemotePrintJobParent.cpp:282:28
#19 0x7efef1eaa266 in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PContentParent.cpp:5873:32
#20 0x7efef1cb95ac in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2185:25
#21 0x7efef1cb632e in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2109:9
#22 0x7efef1cb7583 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1954:3
#23 0x7efef1cb7d9e in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1985:13
#24 0x7efef0cf9106 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1225:14
#25 0x7efef0d004dd in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:486:10
#26 0x7efef1cc0d8d in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:110:5
#27 0x7efef1bf5767 in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
#28 0x7efef1bf5767 in RunHandler src/ipc/chromium/src/base/message_loop.cc:308
#29 0x7efef1bf5767 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290
#30 0x7efef7a5afa9 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#31 0x7efefaf315e0 in nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:276:30
#32 0x7efefb151b3b in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:4601:22
#33 0x7efefb153bb5 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:4736:8
#34 0x7efefb155183 in XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:4817:21
#35 0x55b3c27aa7c8 in do_main src/browser/app/nsBrowserApp.cpp:218:22
#36 0x55b3c27aa7c8 in main src/browser/app/nsBrowserApp.cpp:300
#37 0x7eff1006482f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
#38 0x55b3c26cbe18 in _start (application/firefox/firefox+0x8ae18)
|
||
Comment 1•5 years ago
|
||
Looks like we overflow some sort of font structure?
Flags: needinfo?(lsalzman)
Priority: -- → P3
|
Assignee | |
Comment 2•5 years ago
|
||
|
|
Assignee | |
Updated•5 years ago
|
Flags: needinfo?(lsalzman)
Pushed by lsalzman@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/c10629f2abed silence UBSan warning about tt_cmap_t in Cairo. r=aosmond
|
||
Comment 4•5 years ago
|
||
| bugherder | ||
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla71
|
||
Updated•5 years ago
|
Assignee: nobody → lsalzman
You need to log in
before you can comment on or make changes to this bug.
Description
•