Qt / QTBUG-18170

QTextLayout crashes inside harfbuzz Lookup_MarkMarkPos


Details

    • Type: Bug
    • Resolution: Incomplete
    • Priority: Not Evaluated
    • Fix Version/s: None
    • Affects Version/s: 4.7.2
    • Component/s: GUI: Text handling
    • Labels: None
    • Environment: Windows 7, Qt 4.7.2 open source edition

    Description

      We have to display strings we get from untrusted sources over the network. During fuzzing tests we found this crash:

      I attached example code so that you can reproduce the problem.

      Related to QTBUG-17238

      > QtCored4.dll!HB_OpenTypePosition(HB_ShaperItem_ * item=0x0015d698, int availableGlyphs=0x000000ea, unsigned char doLogClusters='') Line 1202 + 0x26 bytes C++
      QtCored4.dll!HB_BasicShape(HB_ShaperItem_ * shaper_item=0x0015d698) Line 575 + 0xf bytes C++
      QtCored4.dll!HB_ShapeItem(HB_ShaperItem_ * shaper_item=0x0015d698) Line 1334 + 0x13 bytes C++
      QtCored4.dll!qShapeItem(HB_ShaperItem_ * item=0x0015d698) Line 120 + 0x9 bytes C++
      QtGuid4.dll!QTextEngine::shapeTextWithHarfbuzz(int item=0x00000000) Line 1275 + 0xd bytes C++
      QtGuid4.dll!QTextEngine::shapeText(int item=0x00000000) Line 877 C++
      QtGuid4.dll!QTextEngine::shape(int item=0x00000000) Line 1383 C++
      QtGuid4.dll!QTextLine::layout_helper(int maxGlyphs=0x7fffffff) Line 1837 C++
      QtGuid4.dll!QTextLine::setLineWidth(double width=229.00000000000000) Line 1625 C++
      QtGuid4.dll!QTextDocumentLayoutPrivate::layoutBlock(const QTextBlock & bl={...}, int blockPosition=0x0000a559, const QTextBlockFormat & blockFormat={...}, QTextLayoutStruct * layoutStruct=0x0015ea30, int layoutFrom=0x0000a381, int layoutTo=0x7fffffff, const QTextBlockFormat * previousBlockFormat=0x0015e838) Line 2603 C++
      QtGuid4.dll!QTextDocumentLayoutPrivate::layoutFlow(QTextFrame::iterator it={...}, QTextLayoutStruct * layoutStruct=0x0015ea30, int layoutFrom=0x0000a381, int layoutTo=0x7fffffff, QFixed width={...}) Line 2408 C++
      QtGuid4.dll!QTextDocumentLayoutPrivate::layoutFrame(QTextFrame * f=0x02344a48, int layoutFrom=0x0000a381, int layoutTo=0x7fffffff, QFixed frameWidth={...}, QFixed frameHeight={...}, QFixed parentY={...}) Line 2147 C++
      QtGuid4.dll!QTextDocumentLayoutPrivate::layoutFrame(QTextFrame * f=0x02344a48, int layoutFrom=0x0000a381, int layoutTo=0x7fffffff, QFixed parentY={...}) Line 2051 + 0x27 bytes C++
      QtGuid4.dll!QTextDocumentLayout::doLayout(int from=0x0000a381, int oldLength=0x00000000, int length=0x7fff5c7e) Line 2914 + 0x25 bytes C++
      QtGuid4.dll!QTextDocumentLayoutPrivate::ensureLayoutedByPosition(int position=0x0005b3ec) Line 3077 C++
      QtGuid4.dll!QTextDocumentLayout::blockBoundingRect(const QTextBlock & block={...}) Line 3139 C++
      QtGuid4.dll!QTextControl::blockBoundingRect(const QTextBlock & block={...}) Line 2956 + 0x23 bytes C++
      QtGuid4.dll!QTextControlPrivate::rectForPosition(int position=0x0005b3eb) Line 1325 + 0x1c bytes C++
      QtGuid4.dll!QTextControl::ensureCursorVisible() Line 2847 + 0x44 bytes C++
      QtGuid4.dll!QTextEdit::ensureCursorVisible() Line 2633 C++
      QtGuid4.dll!QTextEdit::showEvent(QShowEvent * __formal=0x0015f788) Line 1746 C++
      QtGuid4.dll!QWidget::event(QEvent * event=0x0015f788) Line 8467 C++
      QtGuid4.dll!QFrame::event(QEvent * e=0x0015f788) Line 557 + 0xc bytes C++
      QtGuid4.dll!QAbstractScrollArea::event(QEvent * e=0x0015f788) Line 996 + 0xc bytes C++
      QtGuid4.dll!QTextEdit::event(QEvent * e=0x0015f788) Line 1071 C++
      QtGuid4.dll!QTextBrowser::event(QEvent * e=0x0015f788) Line 1269 C++
      QtGuid4.dll!QApplicationPrivate::notify_helper(QObject * receiver=0x0015f838, QEvent * e=0x0015f788) Line 4462 + 0x11 bytes C++
      QtGuid4.dll!QApplication::notify(QObject * receiver=0x0015f838, QEvent * e=0x0015f788) Line 4427 + 0x10 bytes C++
      QtCored4.dll!QCoreApplication::notifyInternal(QObject * receiver=0x0015f838, QEvent * event=0x0015f788) Line 731 + 0x15 bytes C++
      QtCored4.dll!QCoreApplication::sendEvent(QObject * receiver=0x0015f838, QEvent * event=0x0015f788) Line 215 + 0x39 bytes C++
      QtGuid4.dll!QWidgetPrivate::show_helper() Line 7439 + 0xe bytes C++
      QtGuid4.dll!QWidget::setVisible(bool visible=true) Line 7664 C++
      QtGuid4.dll!QWidget::show() Line 487 + 0x16 bytes C++
      hafbuzz_crash.exe!main(int argc=0x00000001, char * * argv=0x02336170) Line 26 C++
      hafbuzz_crash.exe!WinMain(HINSTANCE__ * instance=0x009c0000, HINSTANCE__ * prevInstance=0x00000000, char * __formal=0x0039544f, int cmdShow=0x00000001) Line 131 + 0x12 bytes C++
      hafbuzz_crash.exe!__tmainCRTStartup() Line 578 + 0x35 bytes C
      hafbuzz_crash.exe!WinMainCRTStartup() Line 403 C


          People

            Assignee: Jiang Jiang (jiang)
            Reporter: Roman HImmes (kretikus)
