GNU bug report logs - #16457
24.3.50; crash rendering Arabic Uthmani script


Package: emacs;

Reported by: Dmitry Antipov <dmantipov <at> yandex.ru>

Date: Wed, 15 Jan 2014 17:26:02 UTC

Severity: important

Found in version 24.3.50

Done: Paul Eggert <eggert <at> cs.ucla.edu>

Bug is archived. No further changes may be made.


From: Dmitry Antipov <dmantipov <at> yandex.ru>
To: Eli Zaretskii <eliz <at> gnu.org>
Cc: 16457 <at> debbugs.gnu.org
Subject: bug#16457: 24.3.50; crash rendering Arabic Uthmani script
Date: Thu, 16 Jan 2014 12:01:04 +0400
I'm not familiar with composition sequences in detail, but there is a hint.

For the uthmani-test.txt, the following code in set_iterator_to_next:

  7127                /* Composition created while scanning forward.  */
  7128                /* Update IT's char/byte positions to point to the first
  7129                   character of the next grapheme cluster, or to the
  7130                   character visually after the current composition.  */
  7131                for (i = 0; i < it->cmp_it.nchars; i++)
  7132                  bidi_move_to_visually_next (&it->bidi_it);
  7133                IT_BYTEPOS (*it) = it->bidi_it.bytepos;
  7134                IT_CHARPOS (*it) = it->bidi_it.charpos;

advances IT from charpos:bytepos 11:21 to 13:25.  But the following fragment
from scan_for_column:

   586        /* Check composition sequence.  */
   587        if (cmp_it.id >= 0
   588            || (scan == cmp_it.stop_pos
   589                && composition_reseat_it (&cmp_it, scan, scan_byte, end,
   590                                          w, NULL, Qnil)))
   591          composition_update_it (&cmp_it, scan, scan_byte, Qnil);
   592        if (cmp_it.id >= 0)
   593          {
   594            scan += cmp_it.nchars;
   595            scan_byte += cmp_it.nbytes;

advances SCAN:SCAN_BYTE from 11:21 to 13:24.  So the byte position becomes invalid
and FETCH_CHAR_ADVANCE decodes an invalid byte sequence into an invalid character C.
Finally, CHAR_TABLE_REF (Vcomposition_function_table, C) goes out of bounds.

Dmitry
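As an added illustration (not code from the report or from Emacs), the C below mirrors the failure described above on a constructed 13-letter Arabic sample instead of uthmani-test.txt: one path advances the byte position by whole UTF-8 sequences, a stale byte count lands one byte short on a continuation byte, and a decoder that checks the character boundary returns an error instead of handing an out-of-range C to a table lookup. utf8_seq_len, advance_by_chars, decode_at and composition_table_ref are all names made up for this example.

```c
#include <stddef.h>
/* Constructed sample, not uthmani-test.txt: 13 Arabic letters, 2 bytes each
   in UTF-8, so (0-based) character k starts at byte 2k.  */
#define ALIF "\xD8\xA7"   /* U+0627 ARABIC LETTER ALEF */
#define BA   "\xD8\xA8"   /* U+0628 ARABIC LETTER BEH */
static const unsigned char SAMPLE[] =
  ALIF BA ALIF BA ALIF BA ALIF BA ALIF BA ALIF BA ALIF;
#define SAMPLE_LEN (sizeof SAMPLE - 1)   /* 26 bytes */

/* Byte length of the UTF-8 sequence LEAD introduces; 0 for a continuation
   byte (0x80..0xBF) or any other byte that cannot start a character.  */
static size_t utf8_seq_len(unsigned char lead) {
  if (lead < 0x80) return 1;
  if ((lead & 0xE0) == 0xC0) return 2;
  if ((lead & 0xF0) == 0xE0) return 3;
  if ((lead & 0xF8) == 0xF0) return 4;
  return 0;
}

/* Advance BYTEPOS by NCHARS whole characters, as the bidi path does;
   (size_t)-1 if that leaves the buffer or starts on a non-boundary.  */
static size_t advance_by_chars(const unsigned char *buf, size_t len,
                               size_t bytepos, size_t nchars) {
  for (size_t i = 0; i < nchars; i++) {
    size_t n = bytepos < len ? utf8_seq_len(buf[bytepos]) : 0;
    if (n == 0 || bytepos + n > len) return (size_t)-1;
    bytepos += n;
  }
  return bytepos;
}

/* Decode the character at BYTEPOS; -1 when BYTEPOS is not a character
   boundary or the sequence is truncated, rather than a garbage C.  */
static long decode_at(const unsigned char *buf, size_t len, size_t bytepos) {
  size_t n = bytepos < len ? utf8_seq_len(buf[bytepos]) : 0;
  if (n == 0 || bytepos + n > len) return -1;
  long c = n == 1 ? buf[bytepos] : (buf[bytepos] & (0x7F >> n));
  for (size_t i = 1; i < n; i++) {
    if ((buf[bytepos + i] & 0xC0) != 0x80) return -1;
    c = (c << 6) | (buf[bytepos + i] & 0x3F);
  }
  return c;
}

/* Bounds-checked stand-in for CHAR_TABLE_REF over a constructed BMP-only table. */
#define TABLE_SIZE 0x10000L
static int composition_table_ref(long c) {
  if (c < 0 || c >= TABLE_SIZE) return -1;   /* refuse, do not read past end */
  return (c >= 0x0600 && c <= 0x06FF) ? 1 : 0;   /* constructed marking */
}
```

In the report's terms (1-based), byte 21 plus two characters is 25 on the good path; the stale count gives 24, which here is the continuation byte decode_at rejects.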

This bug report was last modified 11 years and 182 days ago.



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.