Bug 5177 - segfault in _cairo_atsui_font_text_to_glyphs
Summary: segfault in _cairo_atsui_font_text_to_glyphs
Status: RESOLVED FIXED
Alias: None
Product: cairo
Classification: Unclassified
Component: quartz font backend
Version: 1.1.1
Hardware: PowerPC Mac OS X (All)
Importance: high major
Assignee: Carl Worth
QA Contact: cairo-bugs mailing list
 
Reported: 2005-11-27 10:53 UTC by Jeff Muizelaar
Modified: 2007-01-04 08:48 UTC


Attachments
Prevents the segfault by checking if the supplied string is empty. (910 bytes, patch)
2006-12-21 16:37 UTC, Brian Ewins

Description Jeff Muizelaar 2005-11-27 10:53:01 UTC
_cairo_atsui_font_text_to_glyphs segfaults when called with a string of length 0 (i.e. cairo_text_extents (cr, "", &extents);).

The segfault is reproducible on Mac OS X 10.4 with gtk_slide as well as with the following program that
basically does the same thing cairo does.

/* build with: gcc -framework Carbon crash.c
 * (ATSUI is a 32-bit Carbon API, so this needs a 32-bit toolchain.) */
#include <Carbon/Carbon.h>

int main(void)
{
	UniChar utf16 = 0;              /* one (unused) UTF-16 code unit; the text length passed below is 0 */
	ItemCount glyphCount;
	ATSLayoutRecord *layoutRecords;
	ATSUTextLayout textLayout;

	ATSUCreateTextLayout(&textLayout);

	/* Zero-length text: this is what cairo ends up doing for "" */
	ATSUSetTextPointerLocation(textLayout, &utf16, kATSUFromTextBeginning, kATSUToTextEnd, 0);

	/* Segfaults here on 10.4 when the layout holds no text */
	ATSUDirectGetLayoutDataArrayPtrFromTextLayout(textLayout, 0,
	    kATSUDirectDataLayoutRecordATSLayoutRecordCurrent, (void *) &layoutRecords, &glyphCount);
	return 0;
}
Comment 1 Brian Ewins 2006-12-21 16:37:02 UTC
Created attachment 8195
Prevents the segfault by checking if the supplied string is empty.

The callers always check if num_glyphs is 0 before dereferencing glyphs.
Comment 2 Behdad Esfahbod 2006-12-23 14:09:05 UTC
Again, no need to handle it in the backend.  Just made higher levels (surface
and scaled_font) not call into the backends for zero num_glyphs.

8fd7328ebb77b0a641cf30bded85e482ea63ad97
Comment 3 Brian Ewins 2006-12-28 05:50:16 UTC
Behdad, I retested this and it still fails. The problem is that the segfault
happens before the number of glyphs is calculated (in the last line of Jeff's
code above), so it's unrelated to the fixes you made. It is an atsui-specific
problem.

My patch above is still needed, I think.
Comment 4 Behdad Esfahbod 2006-12-28 12:19:02 UTC
What about this:

diff --git a/src/cairo-scaled-font.c b/src/cairo-scaled-font.c
index 73afb5f..c63f774 100755
--- a/src/cairo-scaled-font.c
+++ b/src/cairo-scaled-font.c
@@ -790,6 +790,12 @@ _cairo_scaled_font_text_to_glyphs (cairo_scaled_font_t
*scaled_font,
     cairo_status_t status = CAIRO_STATUS_SUCCESS;
     cairo_scaled_glyph_t *scaled_glyph;
 
+    if (utf8[0] == '\0') {
+       *num_glyphs = 0;
+       *glyphs = NULL;
+       return CAIRO_STATUS_SUCCESS;
+    }
+
     if (scaled_font->backend->text_to_glyphs) {
        status = scaled_font->backend->text_to_glyphs (scaled_font,
                                                       x, y, utf8,
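Review bot: the guard `if (utf8[0] == '\0')` dereferences utf8 before anything in this function has checked it for NULL, so it covers only the empty-string case; if any public entry point can reach _cairo_scaled_font_text_to_glyphs with a NULL utf8, the condition should read `if (utf8 == NULL || utf8[0] == '\0')`, and otherwise the non-NULL precondition deserves a comment on the guard. Setting `*glyphs = NULL` together with `*num_glyphs = 0` relies on the contract stated in comment 1 (callers test num_glyphs before touching glyphs); a one-line comment at the guard would make that contract visible where it is relied on. Minor: the index line reports mode 100755, i.e. cairo-scaled-font.c carries the executable bit, which looks accidental.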
Comment 5 Behdad Esfahbod 2006-12-28 17:02:20 UTC
I pushed a test case, and another fix in cairo-scaled-font.c.  Can you check
that 1) the test fails before the patch, and 2) the patch fixes your problem.

commit eafd6e454a85c807f2addf7768046fea58aea3f9
Author: Behdad Esfahbod <behdad@behdad.org>
Date:   Thu Dec 28 20:01:18 2006 -0500

    In _cairo_scaled_font_text_to_glyphs, bail if text is zero-length (#5177)

commit ab29396ef9f68f5534f927b2b5bb0a7ffac86509
Author: Behdad Esfahbod <behdad@behdad.org>
Date:   Thu Dec 28 19:51:20 2006 -0500

    [test] Add new test text-zero-len (#5177)
    
    The test passes an empty string to cairo_show_text, cairo_text_path, and
    cairo_text_extents, and NULL and an invalid pointer, with zero num_glyphs to
    cairo_show_glyphs, cairo_glyph_path, and cairo_glyph_extents.
Thanks
Comment 6 Brian Ewins 2007-01-04 08:48:59 UTC
Thanks Behdad, yes the test triggers the crash and the patch fixed it. 


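The pattern the thread converges on (bail out of the one front-end function every text entry point passes through, so no backend ever sees zero-length text, and have callers treat num_glyphs == 0 as "do not touch glyphs") in miniature, as an added example that is not cairo's code. The backend here is a hypothetical stand-in for _cairo_atsui_font_text_to_glyphs that decodes UTF-8 and uses each code point as the glyph index; the status names, glyph struct and fixed advance are inventions for the example. It goes one step beyond the hunk in comment 4 by also rejecting a NULL utf8, and it exercises the caller-side contract from comments 1 and 5 with an invalid glyphs pointer and zero num_glyphs.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Status codes and glyph record for this example only; they are not cairo's types. */
typedef enum { STATUS_SUCCESS = 0, STATUS_NO_MEMORY, STATUS_INVALID_STRING } status_t;
typedef struct { unsigned long index; double x, y; } glyph_t;

/* Hypothetical backend standing in for _cairo_atsui_font_text_to_glyphs: decodes
 * UTF-8 and uses each code point as the glyph index. Like the ATSUI layout calls in
 * Jeff's repro it assumes it is never handed zero-length text, but says so with an
 * assert rather than a segfault. */
static status_t backend_text_to_glyphs(const char *utf8, size_t len, double x, double y,
                                       double advance, glyph_t **glyphs, int *num_glyphs)
{
    assert(len > 0);                            /* backend precondition, enforced by the front end */
    glyph_t *out = malloc(len * sizeof *out);   /* at most one glyph per input byte */
    if (out == NULL)
        return STATUS_NO_MEMORY;

    size_t i = 0;
    int n = 0;
    while (i < len) {
        unsigned char c = (unsigned char) utf8[i];
        uint32_t cp;
        size_t extra;                           /* continuation bytes that follow c */
        if (c < 0x80)                { cp = c;        extra = 0; }
        else if ((c & 0xE0) == 0xC0) { cp = c & 0x1F; extra = 1; }
        else if ((c & 0xF0) == 0xE0) { cp = c & 0x0F; extra = 2; }
        else if ((c & 0xF8) == 0xF0) { cp = c & 0x07; extra = 3; }
        else { free(out); return STATUS_INVALID_STRING; }      /* stray continuation or 0xF8+ lead */
        if (i + extra >= len) { free(out); return STATUS_INVALID_STRING; }   /* truncated sequence */
        for (size_t k = 1; k <= extra; k++) {
            unsigned char cc = (unsigned char) utf8[i + k];
            if ((cc & 0xC0) != 0x80) { free(out); return STATUS_INVALID_STRING; }
            cp = (cp << 6) | (cc & 0x3F);
        }
        out[n].index = cp;
        out[n].x = x + n * advance;             /* fixed advance: this toy has no font metrics */
        out[n].y = y;
        n++;
        i += 1 + extra;
    }
    *glyphs = out;
    *num_glyphs = n;
    return STATUS_SUCCESS;
}

/* Front end: the single place every text entry point passes through, so the
 * empty-text check lives here (the shape of the fix in comment 4) instead of in
 * each backend. The NULL check is an addition beyond the hunk shown above. */
status_t text_to_glyphs(const char *utf8, double x, double y, glyph_t **glyphs, int *num_glyphs)
{
    if (utf8 == NULL || utf8[0] == '\0') {
        *glyphs = NULL;             /* callers must not dereference this when num_glyphs == 0 */
        *num_glyphs = 0;
        return STATUS_SUCCESS;
    }
    return backend_text_to_glyphs(utf8, strlen(utf8), x, y, 10.0, glyphs, num_glyphs);
}

/* Caller side of the contract from comment 1: with num_glyphs == 0 the glyphs
 * pointer may be NULL or, as in the test described in comment 5, an invalid
 * pointer, and must not be touched. */
double glyph_extent_width(const glyph_t *glyphs, int num_glyphs, double advance)
{
    if (num_glyphs == 0)
        return 0.0;
    return glyphs[num_glyphs - 1].x - glyphs[0].x + advance;
}

int main(void)
{
    /* Constructed inputs: "a", U+00E9 and U+20AC as UTF-8, then the empty string. */
    const char *samples[] = { "a\xC3\xA9\xE2\x82\xAC", "" };
    for (size_t s = 0; s < 2; s++) {
        glyph_t *g = (glyph_t *) 0x1;           /* deliberately invalid until the call sets it */
        int n = -1;
        status_t st = text_to_glyphs(samples[s], 0.0, 0.0, &g, &n);
        printf("status=%d num_glyphs=%d width=%.1f\n", (int) st, n, glyph_extent_width(g, n, 10.0));
        free(g);                                /* free(NULL) is a no-op for the empty case */
    }
    return 0;
}
```

The point of the structure is that the precondition is checked exactly once, at the chokepoint, and the post-condition (glyphs is meaningless when num_glyphs is 0) is honoured by every consumer; adding the guard to one backend, as the original attachment did, leaves every other backend with the same exposure.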