libfreetype6: Many packages which use freetype now segfault

Bug #16322 reported by Debian Bug Importer
Affects            Status        Importance  Assigned to     Milestone
freetype (Debian)  Fix Released  Unknown
freetype (Ubuntu)  Fix Released  Medium      Matthias Klose

Bug Description

Automatically imported from Debian bug report #305413 http://bugs.debian.org/305413

Revision history for this message
In , Lars Wirzenius (liw-iki) wrote :

I tried to reproduce this. I upgraded a two-week-old qemu sid image
(with basic X, but without GNOME), installed GNOME on it, and ran xchat
and gnumeric. Both started up fine.

Dennis, could you figure out which font is causing this?

Bug #302269 (filed against fontconfig, but seems to really be a problem
with libfreetype6) shows a problem with a BDF font
(Small-Fonts_r400-3.bdf), for example. This might be related, or it
might not be, but knowing the font would be helpful.

Do the apps crash on you as soon as they start up or do you need to do
something else?

Revision history for this message
In , Lars Wirzenius (liw-iki) wrote :

Dennis told me in private that the problem was with a particular font
file and removing that made things work again. I have a copy of the file
(it is probably not distributable and anyway, it is 17 megabytes
compressed, so sending it to the BTS is not a good idea) and will see
tomorrow whether this is the same problem as #302269 (currently assigned
to fontconfig).

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Tue, 19 Apr 2005 17:21:02 -0400
From: Dennis Boone <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: libfreetype6: Many packages which use freetype now segfault

Package: libfreetype6
Version: 2.1.7-2.3
Severity: grave
Justification: renders package unusable

A number of packages which were previously working now segfault.
The ones I've found so far include Mozilla and Firefox downloaded
from mozilla.org, the Firefox installer from the same source, gaim,
xchat and gnumeric. Things which continue to work include xv, xterm,
xconsole. The top section of a traceback of an xchat coredump follows.
Tracebacks of coredumps from other programs with the same issue look
much the same in the top 4+ lines.

I'm having trouble tracking this down, so it's entirely possible I'm
blaming the wrong package.

(gdb) where
#0 0x408650ff in FT_Outline_Get_BBox () from /usr/lib/libfreetype.so.6
#1 0x40864119 in FT_Outline_Get_BBox () from /usr/lib/libfreetype.so.6
#2 0x4086639c in FT_Outline_Get_BBox () from /usr/lib/libfreetype.so.6
#3 0x40866af1 in FT_Outline_Get_BBox () from /usr/lib/libfreetype.so.6
#4 0x408579ae in FT_Load_Char () from /usr/lib/libfreetype.so.6
#5 0x40858970 in FT_Open_Face () from /usr/lib/libfreetype.so.6
#6 0x40857a7a in FT_New_Face () from /usr/lib/libfreetype.so.6
#7 0x408d7f5f in FcFreeTypeQuery () from /usr/lib/libfontconfig.so.1
#8 0x408d71ef in FcFileScanConfig () from /usr/lib/libfontconfig.so.1
#9 0x408d76bc in FcDirScanConfig () from /usr/lib/libfontconfig.so.1
#10 0x408d1f8a in FcConfigBuildFonts () from /usr/lib/libfontconfig.so.1
#11 0x408da8fc in FcInitLoadConfigAndFonts () from
/usr/lib/libfontconfig.so.1
#12 0x408da955 in FcInit () from /usr/lib/libfontconfig.so.1
#13 0x408d20d8 in FcConfigGetCurrent () from /usr/lib/libfontconfig.so.1
#14 0x408d3c82 in FcConfigSubstituteWithPat () from
/usr/lib/libfontconfig.so.1
#15 0x408d3cd3 in FcConfigSubstitute () from /usr/lib/libfontconfig.so.1
#16 0x403ada76 in _pango_xft_font_map_get_renderer ()
   from /usr/lib/libpangoxft-1.0.so.0
#17 0x4090d503 in _pango_fc_font_map_remove ()
   from /usr/lib/libpangoft2-1.0.so.0
#18 0x4090d5ab in _pango_fc_font_map_remove ()
   from /usr/lib/libpangoft2-1.0.so.0
#19 0x4090d8c4 in _pango_fc_font_map_remove ()
   from /usr/lib/libpangoft2-1.0.so.0
#20 0x403d18b1 in pango_font_map_load_fontset ()
   from /usr/lib/libpango-1.0.so.0
#21 0x403cfeb3 in pango_context_get_base_dir () from
/usr/lib/libpango-1.0.so.0
#22 0x403cff86 in pango_context_get_base_dir () from
/usr/lib/libpango-1.0.so.0
#23 0x403d0258 in pango_itemize_with_base_dir ()
   from /usr/lib/libpango-1.0.so.0
#24 0x403d769f in pango_layout_get_pixel_size ()
   from /usr/lib/libpango-1.0.so.0
#25 0x403d5b86 in pango_layout_get_cursor_pos ()
   from /usr/lib/libpango-1.0.so.0
#26 0x403d5ef7 in pango_layout_get_extents () from
/usr/lib/libpango-1.0.so.0
#27 0x40128288 in gtk_label_get () from /usr/lib/libgtk-x11-2.0.so.0
#28 0x40444b63 in g_cclosure_marshal_VOID__BOXED ()
   from /usr/lib/libgobject-2.0.so.0
#29 0x404329c9 in g_cclosure_new_swap () from
/usr/lib/libgobject-2.0.so.0
#30...

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Wed, 20 Apr 2005 20:43:07 +0300
From: Lars Wirzenius <email address hidden>
To: <email address hidden>
Cc: Dennis Boone <email address hidden>
Subject: Re: libfreetype6: Many packages which use freetype now segfault

I tried to reproduce this. I upgraded a two-week-old qemu sid image
(with basic X, but without GNOME), installed GNOME on it, and ran xchat
and gnumeric. Both started up fine.

Dennis, could you figure out which font is causing this?

Bug #302269 (filed against fontconfig, but seems to really be a problem
with libfreetype6) shows a problem with a BDF font
(Small-Fonts_r400-3.bdf), for example. This might be related, or it
might not be, but knowing the font would be helpful.

Do the apps crash on you as soon as they start up or do you need to do
something else?

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Thu, 21 Apr 2005 01:09:05 +0300
From: Lars Wirzenius <email address hidden>
To: <email address hidden>
Subject: Re: libfreetype6: Many packages which use freetype now segfault

Dennis told me in private that the problem was with a particular font
file and removing that made things work again. I have a copy of the file
(it is probably not distributable and anyway, it is 17 megabytes
compressed, so sending it to the BTS is not a good idea) and will see
tomorrow whether this is the same problem as #302269 (currently assigned
to fontconfig).

Revision history for this message
In , Lars Wirzenius (liw-iki) wrote : NMU patch for two rc bugs

Attached is the patch to fix two release critical bugs in the Debian
freetype package:
#302269: fontconfig: Segmentation fault with certain bdf fonts
#305413: libfreetype6: Many packages which use freetype now segfault

I will make an NMU with this patch in a moment, since Anthony has been
inactive in maintaining the package and Martin Michlmayr told in
http://lists.debian.org/debian-devel/2005/03/msg00805.html that Anthony
had told him people should go ahead with adopting any of his packages.
I'm not ready to adopt this package, however.

Revision history for this message
In , Lars Wirzenius (liw-esme) wrote : severity of 305413 is normal

severity 305413 normal

Revision history for this message
In , Lars Wirzenius (liw-esme) wrote : tagging 305413

tags 305413 + patch

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Sun, 24 Apr 2005 16:40:27 +0300
From: Lars Wirzenius <email address hidden>
To: <email address hidden>, <email address hidden>
Subject: NMU patch for two rc bugs

Attached is the patch to fix two release critical bugs in the Debian
freetype package:
#302269: fontconfig: Segmentation fault with certain bdf fonts
#305413: libfreetype6: Many packages which use freetype now segfault

I will make an NMU with this patch in a moment, since Anthony has been
inactive in maintaining the package and Martin Michlmayr told in
http://lists.debian.org/debian-devel/2005/03/msg00805.html that Anthony
had told him people should go ahead with adopting any of his packages.
I'm not ready to adopt this package, however.

Attachment: patch-for-302269-and-305413.patch (text/x-patch)

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Sun, 24 Apr 2005 16:42:05 +0300 (EEST)
From: <email address hidden> (Lars Wirzenius)
To: <email address hidden>
Subject: severity of 305413 is normal

severity 305413 normal

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Sun, 24 Apr 2005 16:49:55 +0300 (EEST)
From: <email address hidden> (Lars Wirzenius)
To: <email address hidden>
Subject: tagging 305413

tags 305413 + patch

Revision history for this message
Matthias Klose (doko) wrote :

patch applied, closing it, as it's not RC anymore:

  * freetype-2.1.7/src/bdf/bdflib.c: BDF font files with glyphs with an
    encoding value of at least 65536 would overflow the bitmap with
    65536 bits which bdflib.c uses to keep track of whether it has seen
    an encoding already. Changed things so that encodings above the
    limit cause an error code to be returned instead of a segfault
    happening. Ideally, the bitmap should be replaced with a more
    compact representation, but that is too big a change for something
    this small. I will, however, only lower the severity of the bug
    (305413) to normal, instead of marking it fixed. Added
    debian/patches/300-bdflib-large-encodings.diff.
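
The check described in the changelog above, as an added example (not code from this page or from freetype's bdflib.c): a 65536-bit "seen" bitmap that returns an error code for encodings at or above the limit instead of indexing past the array. The names enc_tracker, track_encoding and the return codes are hypothetical, and the ENCODING lines are constructed samples.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ENC_LIMIT 65536u                 /* bitmap tracks encodings 0..65535 */
#define ENC_WORDS (ENC_LIMIT / 32u)      /* 2048 words of 32 bits each */

enum { ENC_OK = 0, ENC_DUPLICATE = 1, ENC_BAD_LINE = -1, ENC_OUT_OF_RANGE = -2 };

typedef struct { uint32_t seen[ENC_WORDS]; } enc_tracker;   /* hypothetical type */

/* Word index an unchecked "seen[enc >> 5] |= ..." would touch (no write done). */
static size_t unchecked_word_index(long enc) { return (size_t)enc >> 5; }

/* Parse one "ENCODING <n>" line and record it; reject anything the bitmap
 * cannot represent instead of writing past the end of seen[]. */
static int track_encoding(enc_tracker *t, const char *line)
{
    char *end;
    long enc;

    if (strncmp(line, "ENCODING ", 9) != 0)
        return ENC_BAD_LINE;
    errno = 0;
    enc = strtol(line + 9, &end, 10);
    if (end == line + 9 || errno == ERANGE)
        return ENC_BAD_LINE;
    if (enc < 0)                      /* BDF uses -1 for unencoded glyphs */
        return ENC_OK;                /* nothing to track in the bitmap */
    if ((unsigned long)enc >= ENC_LIMIT)
        return ENC_OUT_OF_RANGE;      /* the bounds check the changelog describes */
    if (t->seen[enc >> 5] & (UINT32_C(1) << (enc & 31)))
        return ENC_DUPLICATE;
    t->seen[enc >> 5] |= UINT32_C(1) << (enc & 31);
    return ENC_OK;
}

int main(void)
{
    static enc_tracker t;             /* zero-initialised */
    const char *lines[] = { "ENCODING 65", "ENCODING 65535",
                            "ENCODING 65536", "ENCODING 65" };  /* constructed */
    for (size_t i = 0; i < 4; i++)
        printf("%-16s -> %d (unchecked word %zu of %u)\n", lines[i],
               track_encoding(&t, lines[i]),
               unchecked_word_index(strtol(lines[i] + 9, NULL, 10)), ENC_WORDS);
    return 0;
}
```

Encoding 65536 maps to word index 2048, one past the last valid word (2047), which is why the first out-of-range value already lands outside the bitmap.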

Revision history for this message
Chris Sherlock (ta-bu-shi-da-yu) wrote :

This looks like it's fixed now. Should we close this one?

Changed in freetype (Debian):
status: New → Fix Released