836898 – media-libs/freetype-2.12.0: SIGSEGV in cff_slot_load (with evolution-3.44.0)

Bug 836898 - media-libs/freetype-2.12.0: SIGSEGV in cff_slot_load (with evolution-3.44.0)

Summary: media-libs/freetype-2.12.0: SIGSEGV in cff_slot_load (with evolution-3.44.0)

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Current packages (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Lars Wendler (Polynomial-C) (RETIRED)

URL:	https://gitlab.freedesktop.org/freety...
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2022-04-06 07:48 UTC by Bernd Feige
Modified:	2022-04-16 15:19 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Bernd Feige 2022-04-06 07:48:15 UTC

After trying to display an email (apparently containing the wrong glyph), I get a segfault with freetype-2.12.0. Downgrading to 2.11.1 fixes it.
This is an up-to-date ~amd64 system.

I compiled freetype with debugging information, traceback:

Thread 1 "evolution" received signal SIGSEGV, Segmentation fault.
cff_slot_load (glyph=0x55556349a6b0, size=0x0, glyph_index=91, load_flags=1124907) at /var/tmp/portage/media-libs/freetype-2.12.0/work/freetype-2.12.0/src/cff/cffgload.c:373
373	/var/tmp/portage/media-libs/freetype-2.12.0/work/freetype-2.12.0/src/cff/cffgload.c: Datei oder Verzeichnis nicht gefunden.
(gdb) where
#0  cff_slot_load (glyph=0x55556349a6b0, size=0x0, glyph_index=91, load_flags=1124907)
    at /var/tmp/portage/media-libs/freetype-2.12.0/work/freetype-2.12.0/src/cff/cffgload.c:373
#1  0x00007fffefafe452 in FT_Load_Glyph
    (face=face@entry=0x55555b39b400, glyph_index=glyph_index@entry=91, load_flags=1124907, 
    load_flags@entry=1124897)
    at /var/tmp/portage/media-libs/freetype-2.12.0/work/freetype-2.12.0/src/base/ftobjs.c:1064
#2  0x00007fffefb62e43 in af_loader_load_glyph
    (load_flags=1124897, glyph_index=91, face=0x55555b39b400, module=0x5555564aec20, loader=0x7fffffff6020)
    at /var/tmp/portage/media-libs/freetype-2.12.0/work/freetype-2.12.0/src/autofit/afloader.c:342
#3  af_autofitter_load_glyph
    (module=0x5555564aec20, slot=<optimized out>, size=<optimized out>, glyph_index=91, load_flags=1114656)
    at /var/tmp/portage/media-libs/freetype-2.12.0/work/freetype-2.12.0/src/autofit/afmodule.c:489
#4  0x00007fffefafea6c in FT_Load_Glyph (face=0x55555b39b400, glyph_index=91, load_flags=1114656)
    at /var/tmp/portage/media-libs/freetype-2.12.0/work/freetype-2.12.0/src/base/ftobjs.c:1055
#5  0x00007ffff27b2b15 in  () at /usr/lib64/libcairo.so.2
#6  0x00007ffff27b557d in  () at /usr/lib64/libcairo.so.2
#7  0x00007ffff274e0b9 in  () at /usr/lib64/libcairo.so.2
#8  0x00007ffff274e353 in cairo_scaled_font_glyph_extents () at /usr/lib64/libcairo.so.2
#9  0x00007ffff2992a59 in  () at /usr/lib64/libpangocairo-1.0.so.0
#10 0x00007ffff6ae2f70 in pango_glyph_string_extents_range () at /usr/lib64/libpango-1.0.so.0
#11 0x00007ffff6af0ae9 in  () at /usr/lib64/libpango-1.0.so.0
#12 0x00007ffff6af0fd7 in  () at /usr/lib64/libpango-1.0.so.0
#13 0x00007ffff6af2046 in  () at /usr/lib64/libpango-1.0.so.0
#14 0x00007ffff6af7242 in  () at /usr/lib64/libpango-1.0.so.0
#15 0x00007ffff6af7516 in pango_layout_get_size () at /usr/lib64/libpango-1.0.so.0
#16 0x00007ffff6af61d7 in  () at /usr/lib64/libpango-1.0.so.0
#17 0x00007ffff6af72ae in  () at /usr/lib64/libpango-1.0.so.0
#18 0x00007ffff2992570 in  () at /usr/lib64/libpangocairo-1.0.so.0
#19 0x00007ffff6af0ec9 in  () at /usr/lib64/libpango-1.0.so.0
#20 0x00007ffff6af0fd7 in  () at /usr/lib64/libpango-1.0.so.0
#21 0x00007ffff6af4711 in  () at /usr/lib64/libpango-1.0.so.0
#22 0x00007ffff6af5a7a in  () at /usr/lib64/libpango-1.0.so.0
#23 0x00007ffff6af7cf9 in  () at /usr/lib64/libpango-1.0.so.0
#24 0x00007ffff6b00087 in pango_renderer_draw_layout () at /usr/lib64/libpango-1.0.so.0
#25 0x00007ffff29958e2 in pango_cairo_show_layout () at /usr/lib64/libpangocairo-1.0.so.0
#26 0x00007ffff6f0e077 in  () at /usr/lib64/evolution/libevolution-util.so
#27 0x00007ffff6f12b02 in e_cell_draw () at /usr/lib64/evolution/libevolution-util.so
#28 0x00007ffff6f11a04 in  () at /usr/lib64/evolution/libevolution-util.so
#29 0x00007ffff6f12b02 in e_cell_draw () at /usr/lib64/evolution/libevolution-util.so
#30 0x00007ffff6feb5d4 in  () at /usr/lib64/evolution/libevolution-util.so
#31 0x00007ffff18ba011 in  () at /usr/lib64/evolution/libgnomecanvas.so
#32 0x00007ffff18bc6b1 in  () at /usr/lib64/evolution/libgnomecanvas.so
#33 0x00007ffff780af14 in  () at /usr/lib64/libgtk-3.so.0
#34 0x00007ffff75e3241 in gtk_container_propagate_draw () at /usr/lib64/libgtk-3.so.0
#35 0x00007ffff75e334c in  () at /usr/lib64/libgtk-3.so.0
#36 0x00007ffff780af14 in  () at /usr/lib64/libgtk-3.so.0


Reproducible: Always

Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev

2022-04-06 11:07:54 UTC

Can you please report this to upstream?

  https://gitlab.freedesktop.org/freetype/freetype/-/issues

Comment 2 GB 2022-04-16 14:57:43 UTC

Fixed upstream by https://gitlab.freedesktop.org/freetype/freetype/-/merge_requests/158 - consider adding as a patch to the Gentoo package?

Comment 3 Larry the Git Cow gentoo-dev

2022-04-16 15:19:43 UTC

The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d6e7b3645177076453227365354f37fab7f53c55

commit d6e7b3645177076453227365354f37fab7f53c55
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2022-04-16 15:17:31 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2022-04-16 15:19:31 +0000

    media-libs/freetype: Revbump to fix segfault
    
    Closes: https://bugs.gentoo.org/836898
    Thanks-to: Georg Brandl <g.brandl@gmx.net>
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 .../freetype-2.12.0-cffgload_segfault_fix.patch    |  31 +++
 media-libs/freetype/freetype-2.12.0-r1.ebuild      | 261 +++++++++++++++++++++
 2 files changed, 292 insertions(+)