Bug 96905 - mkfontdir crashes on Mac 10.11.5
Status: RESOLVED FIXED
Product: xorg
Classification: Unclassified
Component: App/mkfont*
Version: git
Hardware: x86-64 (AMD64) Mac OS X (All)
Importance: medium major
Assignee: Xorg Project Team
QA Contact: Xorg Project Team
Whiteboard: milestone:xquartz-2.7.10
Duplicates: 97758

Reported: 2016-07-12 16:46 UTC by Douglas Fields
Modified: 2016-10-18 17:33 UTC

Attachments
Requested DiagnosticReport (14.48 KB, text/plain)
2016-07-14 13:05 UTC, Douglas Fields

Description Douglas Fields 2016-07-12 16:46:07 UTC
I have installed Xquartz 2.7.10_beta2, but the same thing happens on 2.7.8's version (manually extracted).

Running mkfontdir anywhere (in an empty directory, in a random directory, in a directory full of bdf files) results in the same crash.

Thanks!

$ mkfontdir
=================================================================
==3068==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000de6f at pc 0x000109df79d1 bp 0x7fff55e37d90 sp 0x7fff55e37550
READ of size 1 at 0x60300000de6f thread T0
    #0 0x109df79d0 in wrap_strcmp (libclang_rt.asan_osx_dynamic.dylib+0xe9d0)
    #1 0x109dc8ef7 in fontFileOpen (mkfontscale+0x100001ef7)
    #2 0x109dc8e0b in bitmapIdentify (mkfontscale+0x100001e0b)
    #3 0x109dcc874 in doDirectory (mkfontscale+0x100005874)
    #4 0x109dcbc78 in main (mkfontscale+0x100004c78)
    #5 0x7fff9083f5ac in start (libdyld.dylib+0x35ac)
    #6 0x3  (<unknown module>)

0x60300000de6f is located 1 bytes to the left of 20-byte region [0x60300000de70,0x60300000de84)
allocated by thread T0 here:
    #0 0x109e34570 in wrap_malloc (libclang_rt.asan_osx_dynamic.dylib+0x4b570)
    #1 0x109dca92a in dsprintf (mkfontscale+0x10000392a)
    #2 0x109dcc788 in doDirectory (mkfontscale+0x100005788)
    #3 0x109dcbc78 in main (mkfontscale+0x100004c78)
    #4 0x7fff9083f5ac in start (libdyld.dylib+0x35ac)
    #5 0x3  (<unknown module>)

SUMMARY: AddressSanitizer: heap-buffer-overflow (libclang_rt.asan_osx_dynamic.dylib+0xe9d0) in wrap_strcmp
Shadow bytes around the buggy address:
  0x1c0600001b70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0600001b80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0600001b90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0600001ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0600001bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x1c0600001bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]00 00
  0x1c0600001bd0: 04 fa fa fa 00 00 04 fa fa fa fd fd fd fa fa fa
  0x1c0600001be0: 00 00 04 fa fa fa 00 00 00 fa fa fa 00 00 00 fa
  0x1c0600001bf0: fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00
  0x1c0600001c00: 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa
  0x1c0600001c10: 00 00 00 fa fa fa 00 00 00 00 fa fa 00 00 04 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3068==ABORTING
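The trace above shows strcmp reading one byte immediately before a 20-byte heap string that dsprintf had just allocated. One code pattern that produces exactly that symptom is a file-suffix comparison that computes name + strlen(name) - 3 without first checking that the name is at least 3 bytes long; the C below is an added illustration of that failure mode next to a length-checked replacement, not mkfontscale's own code (the function names, the suffix list and the sample entry names are assumptions).

```c
#include <stdio.h>
#include <string.h>

/* Assumed illustration, not mkfontscale's code: a suffix test written as
 *   strcmp(name + strlen(name) - 3, ".gz")
 * forms a pointer before name[0] whenever strlen(name) < 3.  On a tightly
 * malloc'ed string that is a read into the heap left redzone, which is the
 * symptom in the report above (READ of size 1, 1 byte left of the region). */
int suffix_unchecked(const char *name)
{
    /* Undefined behaviour for any name shorter than 3 bytes; never call it
     * on such input.  Shown only to contrast with ends_with() below. */
    return strcmp(name + strlen(name) - 3, ".gz") == 0;
}

/* Hardened form: compare lengths before forming the pointer, so short names
 * (including directory entries such as "." and "..") are simply "no match". */
int ends_with(const char *name, const char *suffix)
{
    size_t n = strlen(name), s = strlen(suffix);
    return n >= s && memcmp(name + n - s, suffix, s) == 0;
}

/* Compression kinds a font-file opener might dispatch on (assumed list). */
enum compression { PLAIN = 0, GZIP = 1, BZIP2 = 2 };

enum compression classify(const char *name)
{
    if (ends_with(name, ".gz"))  return GZIP;
    if (ends_with(name, ".bz2")) return BZIP2;
    return PLAIN;
}

int main(void)
{
    /* Constructed sample directory entries, including the short ones that
     * would trip the unchecked pattern. */
    const char *names[] = { "", ".", "..", "gz", "font.pcf.gz", "font.bdf.bz2" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-14s -> %d\n", names[i], classify(names[i]));
    return 0;
}
```

Building with -fsanitize=address and calling suffix_unchecked() on a malloc'ed copy of ".." reproduces the same "1 bytes to the left of" heap-buffer-overflow shape as the report; ends_with() stays within bounds for every input.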
Comment 1 Jeremy Huddleston Sequoia 2016-07-13 23:52:25 UTC
Please attach the full crash log, which you can find in ~/Library/Logs/DiagnosticReports.
Comment 2 Douglas Fields 2016-07-14 13:05:37 UTC
Created attachment 125067 [details]
Requested DiagnosticReport

As requested, one of the (about a dozen) mkfontscale files in the DiagnosticReports directory.
Comment 3 Jeremy Huddleston Sequoia 2016-09-18 22:49:53 UTC
*** Bug 97758 has been marked as a duplicate of this bug. ***
Comment 4 Jeremy Huddleston Sequoia 2016-09-18 23:09:39 UTC
Application Specific Information:
=================================================================
==3068==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000de6f at pc 0x000109df79d1 bp 0x7fff55e37d90 sp 0x7fff55e37550
READ of size 1 at 0x60300000de6f thread T0
#0 0x109de9000 + 59856  (missing dsyms, likely in /opt/X11/*/libclang_rt.asan_osx_dynamic.dylib)
#1 fontFileOpen (ident.c:86)
#2 bitmapIdentify (ident.c:232)
#3 doDirectory (mkfontscale.c:877)
#4 main (mkfontscale.c:269)
#5 start (src/start_glue.s:47)
#6 0x3  (<unknown module>)
 
0x60300000de6f is located 1 bytes to the left of 20-byte region [0x60300000de70,0x60300000de84)
allocated by thread T0 here:
#0 0x109de9000 + 308592  (missing dsyms, likely in /opt/X11/*/libclang_rt.asan_osx_dynamic.dylib)
#1 dsprintf (list.c:71)
#2 doDirectory (mkfontscale.c:857)
#3 main (mkfontscale.c:269)
#4 start (src/start_glue.s:47)
#5 0x3  (<unknown module>)
Comment 5 Jeremy Huddleston Sequoia 2016-09-18 23:26:53 UTC
To ssh://git.freedesktop.org/git/xorg/app/mkfontscale
   ecb248d..07b761b  master -> master
Comment 6 Jeremy Huddleston Sequoia 2016-09-27 07:21:20 UTC
Please test that this is fixed in XQuartz 2.7.10_rc3.
Comment 7 Jeremy Huddleston Sequoia 2016-09-27 07:21:50 UTC
Note you might need to wait for 2.7.11_beta1 to really confirm the fix since 2.7.10_rc3 doesn't have ASan enabled.
Comment 8 Douglas Fields 2016-10-18 17:33:56 UTC
I have tested 2.7.10_rc5 on my laptop (OS X 10.11.6, 2013 MBA 11") and mkfontdir seems to work properly and no longer crashes even on empty directories.

Thanks!