Bug 93274

Summary: hb_ot_map_builder_t::feature_info_t::cmp triggers undefined behavior
Product: HarfBuzz
Reporter: Yury Gribov <tetra2005>
Component: src
Assignee: Behdad Esfahbod <freedesktop>
Status: RESOLVED FIXED
Severity: normal
Priority: medium
CC: freedesktop, tetra2005
Version: unspecified
Hardware: Other
OS: All

Description Yury Gribov 2015-12-06 16:56:40 UTC
The hb_ot_map_builder_t::feature_info_t::cmp function returns 1 for equal arguments. This violates the requirements on qsort's comparison function (which must be a total ordering) and causes UB at runtime. In practice this may mean strange runtime misbehaviors.

The issue can be easily fixed by prepending "a->seq == b->seq ? 0 :" to "a->seq < b->seq ? -1 : 1".

This seems to be the only comparison function in HarfBuzz which has such problems.
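The defect described above can be reproduced and checked mechanically. The following is an added example, not part of the original report and not code from HarfBuzz or SortChecker: it runs the comparator from the report, and the same comparator with the proposed fix, through a brute-force test of the ordering axioms that qsort relies on. `item_t`, `check_cmp`, the `BAD_*` flags and the sample array are hypothetical names and constructed data.

```c
#include <stdio.h>

/* Hypothetical record; only `seq` is named in the report. */
typedef struct { unsigned seq; } item_t;

/* Comparator as described in the report: never returns 0. */
static int cmp_buggy(const void *pa, const void *pb) {
    const item_t *a = pa, *b = pb;
    return a->seq < b->seq ? -1 : 1;
}
/* Comparator with the fix proposed in the report. */
static int cmp_fixed(const void *pa, const void *pb) {
    const item_t *a = pa, *b = pb;
    return a->seq == b->seq ? 0 : a->seq < b->seq ? -1 : 1;
}

static int sgn(int v) { return (v > 0) - (v < 0); }
enum { BAD_REFLEXIVE = 1, BAD_ANTISYM = 2, BAD_TRANSITIVE = 4 };

/* Bitmask of ordering axioms that cmp violates on the n elements at base. */
static int check_cmp(int (*cmp)(const void *, const void *),
                     const void *base, size_t n, size_t size) {
    const char *p = base;
    int bad = 0;
    for (size_t i = 0; i < n; i++) {
        const void *x = p + i * size;
        if (cmp(x, x) != 0) bad |= BAD_REFLEXIVE;
        for (size_t j = 0; j < n; j++) {
            const void *y = p + j * size;
            int xy = sgn(cmp(x, y));
            if (xy != -sgn(cmp(y, x))) bad |= BAD_ANTISYM;
            for (size_t k = 0; k < n; k++) {  /* x<=y and y<=z must give x<=z */
                const void *z = p + k * size;
                if (xy <= 0 && cmp(y, z) <= 0 && cmp(x, z) > 0)
                    bad |= BAD_TRANSITIVE;
            }
        }
    }
    return bad;
}

/* Constructed sample input containing a duplicate seq value. */
static const item_t sample[] = { {3}, {1}, {3}, {2} };

int main(void) {
    size_t n = sizeof sample / sizeof sample[0];
    printf("buggy: 0x%x\n", check_cmp(cmp_buggy, sample, n, sizeof sample[0]));
    printf("fixed: 0x%x\n", check_cmp(cmp_fixed, sample, n, sizeof sample[0]));
    return 0;
}
```

The buggy comparator fails reflexivity and antisymmetry (both `cmp(a, b)` and `cmp(b, a)` return 1 when the `seq` values are equal), while the fixed one passes all three checks.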
Comment 1 Behdad Esfahbod 2015-12-07 09:35:17 UTC
Fixed.  Thanks.
Comment 2 Yury Gribov 2015-12-07 18:19:45 UTC
Thanks, Behdad. Just wanted to mention that the bug was found using the SortChecker tool.
Comment 3 Behdad Esfahbod 2015-12-07 18:23:24 UTC
Thanks Yury.

Do you have a link?
Comment 4 Yury Gribov 2015-12-07 18:25:26 UTC
Ah, sorry: https://github.com/yugr/sortcheck
