93274 – hb_ot_map_builder_t::feature_info_t::cmp triggers undefined behavior

Bug 93274 - hb_ot_map_builder_t::feature_info_t::cmp triggers undefined behavior

Summary: hb_ot_map_builder_t::feature_info_t::cmp triggers undefined behavior

Status:	RESOLVED FIXED

Alias:	None

Product:	HarfBuzz
Classification:	Unclassified
Component:	src (show other bugs)
Version:	unspecified
Hardware:	Other All

Importance:	medium normal
Assignee:	Behdad Esfahbod
QA Contact:

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2015-12-06 16:56 UTC by Yury Gribov
Modified:	2015-12-07 18:25 UTC (History)
CC List:	2 users (show)

See Also:
i915 platform:
i915 features:

Attachments

Description Yury Gribov 2015-12-06 16:56:40 UTC

hb_ot_map_builder_t::feature_info_t::cmp function returns 1 for equal arguments. This violates requirements to qsort's comparison function (which must be a total ordering) and causes UB at runtime. In practice this may mean strange runtime misbehaviors.

The issue can be easily fixed by prepending "a->seq == b->seq ? 0 :" to "a->seq < b->seq ? -1 : 1 to a->seq < b->seq ? -1 : 1".

This seems to be the only comparison function in HarfBazz which have such problems.

Comment 1 Behdad Esfahbod 2015-12-07 09:35:17 UTC

Fixed.  Thanks.

Comment 2 Yury Gribov 2015-12-07 18:19:45 UTC

Thanks, Behdad. Just wanted to mention that bug was found using SortChecker tool.

Comment 3 Behdad Esfahbod 2015-12-07 18:23:24 UTC

Thanks Yury.

Do you have a link?

Comment 4 Yury Gribov 2015-12-07 18:25:26 UTC

Ah, sorry: https://github.com/yugr/sortcheck

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.