Bug 92829 - Array index out of bound crash in cairo_cff_font_subset_charstrings_and_subroutines when using the PDF backend
Status: RESOLVED DUPLICATE of bug 91902
Alias: None
Product: cairo
Classification: Unclassified
Component: pdf backend
Version: unspecified
Hardware: Other All
Importance: medium major
Assignee: Adrian Johnson
QA Contact: cairo-bugs mailing list
Reported: 2015-11-05 05:33 UTC by Jonas Ådahl
Modified: 2015-11-05 09:55 UTC

Backtrace (7.63 KB, text/plain)
2015-11-05 05:33 UTC, Jonas Ådahl

Description Jonas Ådahl 2015-11-05 05:33:30 UTC
Created attachment 119421

Cairo version: 1.14.4.

I tried to print a web page as a PDF, but doing so just resulted in the web browser / browser tab process crashing. It didn't matter whether I used Epiphany or Firefox; they both crashed in the same place in cairo.

The page printed contained lots of Chinese characters, which I suspect might be the reason. I'm attaching a full stack trace I caught when testing in Epiphany. I cut it off at the uninteresting WebKit message loop parts.

The crash (or assert if those are enabled) seems to happen because the 'glyph' index is far larger than the length of the array:

1791	        element = _cairo_array_index (&font->charstrings_index, glyph);
(gdb) print glyph
$2 = 45472
(gdb) print font->charstrings_index 
$3 = {size = 32768, num_elements = 30907, element_size = 24, 
  elements = 0x560839b3abe0 ""}

I cannot attach the content that reproduces the crash because the document is a national park entry permission paper with personal information, but I have an HTML file with the sensitive information I could find stripped out, which I could provide privately to a developer wanting to look at a reproduction case.
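As an added illustration of the condition the gdb output shows (not cairo's own code): a hypothetical array with the reported field values, the distance by which an unchecked `elements + glyph * element_size` lookup overshoots the populated region, and a checked lookup that rejects the index instead of returning a pointer past the end.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical mirror of the array layout shown in the gdb output above
 * (size, num_elements, element_size, elements). Not cairo's own definition. */
typedef struct {
    unsigned int size;          /* allocated capacity, in elements */
    unsigned int num_elements;  /* elements actually populated */
    unsigned int element_size;  /* bytes per element */
    char        *elements;      /* backing buffer */
} demo_array_t;

/* Values copied from the report: capacity 32768, 30907 charstrings of 24
 * bytes each. The buffer is a constructed stand-in sized to that capacity. */
#define DEMO_CAPACITY  32768u
#define DEMO_POPULATED 30907u
#define DEMO_ELEM_SIZE 24u
static char demo_storage[DEMO_CAPACITY * DEMO_ELEM_SIZE];
static const demo_array_t demo_charstrings =
    { DEMO_CAPACITY, DEMO_POPULATED, DEMO_ELEM_SIZE, demo_storage };

/* How many bytes past the populated region an unchecked
 * elements + glyph * element_size computation lands (0 when in range). */
size_t demo_overshoot_bytes(const demo_array_t *a, unsigned int glyph)
{
    size_t offset    = (size_t) glyph * a->element_size;
    size_t populated = (size_t) a->num_elements * a->element_size;
    return offset >= populated ? offset - populated : 0;
}

/* Checked lookup: rejects any glyph index outside the populated range and
 * returns NULL instead of a pointer past the end of the buffer. */
void *demo_index_checked(const demo_array_t *a, unsigned int glyph)
{
    if (glyph >= a->num_elements) {
        fprintf(stderr, "charstring lookup: glyph %u >= num_elements %u\n",
                glyph, a->num_elements);
        return NULL;
    }
    return a->elements + (size_t) glyph * a->element_size;
}

/* Convenience wrappers over the reported values. */
size_t demo_reported_overshoot(unsigned int glyph)
{ return demo_overshoot_bytes(&demo_charstrings, glyph); }

int demo_reported_is_rejected(unsigned int glyph)
{ return demo_index_checked(&demo_charstrings, glyph) == NULL; }
```

With the reported glyph 45472 the unchecked offset lands 349560 bytes beyond the populated region, which is also past the 32768-element allocation; the checked lookup returns NULL there and a valid pointer for the last populated index 30906.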
Comment 1 Adrian Johnson 2015-11-05 09:55:47 UTC
Has been fixed in master but the fix didn't get included in 1.14.4.
Comment 2 Adrian Johnson 2015-11-05 09:55:59 UTC

*** This bug has been marked as a duplicate of bug 91902 ***
