Bug#958017: libpango-1.0-0: Crash in pango_font_get_hb_font

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

Bug#958017: libpango-1.0-0: Crash in pango_font_get_hb_font

Sam Morris
Package: libpango-1.0-0
Version: 1.44.7-3
Severity: grave
Justification: renders package unusable

After upgrading libpango-1.0-0 from version 1.42.4-7~deb10u1 to version
1.44.7, gnome-terminal-server will no longer start. It crashes with:

    #0  0x0000000000000000 in ?? ()
    #1  0x00007fa7b8049383 in pango_font_get_hb_font (font=font@entry=0x558d8a9a9860) at ../pango/fonts.c:1908
    #2  0x00007fa7b8063173 in pango_font_get_hb_font_for_context (context=0x7ffcb2ff2fd0, font=0x558d8a9a9860) at ../pango/pangofc-shape.c:345
    #3  pango_hb_shape (font=0x558d8a9a9860, item_text=item_text@entry=0x558d8a6826f0 "!", item_length=item_length@entry=1, analysis=analysis@entry=0x558d8a914110, glyphs=glyphs@entry=0x558d8a75b180, paragraph_text=paragraph_text@entry=0x558d8a6826f0 "!", paragraph_length=1) at ../pango/pangofc-shape.c:345
    #4  0x00007fa7b80629ea in pango_shape_with_flags (item_text=0x558d8a6826f0 "!", item_length=1, paragraph_text=<optimized out>, paragraph_length=1, analysis=analysis@entry=0x558d8a914110, glyphs=glyphs@entry=0x558d8a75b180, flags=PANGO_SHAPE_ROUND_POSITIONS) at ../pango/shape.c:205
    #5  0x00007fa7b8053a33 in shape_run (line=line@entry=0x558d8a92a5e0, state=state@entry=0x7ffcb2ff3580, item=item@entry=0x558d8a914100) at ../pango/pango-layout.c:3354
    #6  0x00007fa7b8055e78 in process_item (layout=layout@entry=0x558d8a65a400, line=line@entry=0x558d8a92a5e0, state=state@entry=0x7ffcb2ff3580, force_fit=force_fit@entry=1, no_break_at_end=no_break_at_end@entry=0) at ../pango/pango-layout.c:3633
    #7  0x00007fa7b8057f6d in process_line (state=0x7ffcb2ff3580, layout=0x558d8a65a400) at ../pango/pango-layout.c:3951
    #8  pango_layout_check_lines (layout=<optimized out>) at ../pango/pango-layout.c:4315
    #9  pango_layout_check_lines (layout=<optimized out>) at ../pango/pango-layout.c:4175
    #10 0x00007fa7b8059a59 in pango_layout_get_extents_internal (layout=0x558d8a65a400, ink_rect=ink_rect@entry=0x0, logical_rect=logical_rect@entry=0x7ffcb2ff3720, line_extents=line_extents@entry=0x0) at ../pango/pango-layout.c:2623
    #11 0x00007fa7b8059e7c in pango_layout_get_extents (layout=<optimized out>, ink_rect=ink_rect@entry=0x0, logical_rect=logical_rect@entry=0x7ffcb2ff3720) at ../pango/pango-layout.c:2817
    #12 0x00007fa7b88a1e00 in font_info_measure_font (info=0x558d8a8e9c00) at ../src/vtedraw.cc:398
    #13 font_info_allocate (context=0x558d8a8e9700) at ../src/vtedraw.cc:448
    #14 font_info_find_for_context (context=0x558d8a8e9700) at ../src/vtedraw.cc:612
    #15 font_info_create_for_context (fontconfig_timestamp=<optimized out>, language=<optimized out>, desc=0x1, context=0x558d8a8e9700) at ../src/vtedraw.cc:657
    #16 font_info_create_for_screen (language=<optimized out>, desc=0x1, screen=<optimized out>) at ../src/vtedraw.cc:668
    #17 font_info_create_for_widget (widget=widget@entry=0x558d8a92c320, desc=desc@entry=0x558d8a993560) at ../src/vtedraw.cc:679
    #18 0x00007fa7b88a2403 in _vte_draw_set_text_font (draw=0x558d8a9211c0, widget=0x558d8a92c320, fontdesc=0x558d8a993560, cell_width_scale=1, cell_height_scale=1) at ../src/vtedraw.cc:910
    #19 0x00007fa7b888ffd6 in vte::terminal::Terminal::ensure_font (this=0x558d8a92e000) at /usr/include/c++/9/bits/unique_ptr.h:360
    #20 vte::terminal::Terminal::ensure_font (this=this@entry=0x558d8a92e000) at ../src/vte.cc:7318
    #21 0x00007fa7b88a985e in vte::terminal::Terminal::get_cell_width (this=0x558d8a92e000) at ../src/vteinternal.hh:1248
    #22 vte_terminal_get_char_width (terminal=<optimized out>) at ../src/vtegtk.cc:3447
    #23 0x0000558d8a1925d8 in ?? ()
    #24 0x0000558d8a198dfc in ?? ()
    #25 0x0000558d8a19bfb5 in ?? ()
    #26 0x0000558d8a19d713 in ?? ()
    #27 0x00007fa7b5ecaccd in ?? () from /usr/lib/x86_64-linux-gnu/libffi.so.7
    #28 0x00007fa7b5eca25a in ?? () from /usr/lib/x86_64-linux-gnu/libffi.so.7
    #29 0x00007fa7b7dd17fc in g_cclosure_marshal_generic (closure=closure@entry=0x558d8a85d470, return_gvalue=return_gvalue@entry=0x0, n_param_values=n_param_values@entry=3, param_values=param_values@entry=0x7ffcb2ff3db0, invocation_hint=invocation_hint@entry=0x7ffcb2ff3d30, marshal_data=marshal_data@entry=0x0) at ../../../gobject/gclosure.c:1500
    #30 0x00007fa7b7dd0fd2 in g_closure_invoke (closure=0x558d8a85d470, return_value=0x0, n_param_values=3, param_values=0x7ffcb2ff3db0, invocation_hint=0x7ffcb2ff3d30) at ../../../gobject/gclosure.c:810
    #31 0x00007fa7b7de41b3 in signal_emit_unlocked_R (node=node@entry=0x558d8a5ffe70, detail=detail@entry=0, instance=instance@entry=0x558d8a8d82a0, emission_return=emission_return@entry=0x0, instance_and_params=instance_and_params@entry=0x7ffcb2ff3db0) at ../../../gobject/gsignal.c:3812
    #32 0x00007fa7b7def54f in g_signal_emit_valist (instance=instance@entry=0x558d8a8d82a0, signal_id=signal_id@entry=252, detail=detail@entry=0, var_args=var_args@entry=0x7ffcb2ff3ff8) at ../../../gobject/gsignal.c:3498
    #33 0x00007fa7b7df098c in g_signal_emit_by_name (instance=0x558d8a8d82a0, detailed_signal=0x558d8a1a7bac "screen-switched") at ../../../gobject/gsignal.c:3594
    #34 0x0000558d8a189de6 in ?? ()
    #35 0x00007fa7b7dd0fd2 in g_closure_invoke (closure=0x558d8a61c760, return_value=0x0, n_param_values=3, param_values=0x7ffcb2ff4320, invocation_hint=0x7ffcb2ff42a0) at ../../../gobject/gclosure.c:810
    #36 0x00007fa7b7de3f06 in signal_emit_unlocked_R (node=node@entry=0x558d8a628420, detail=detail@entry=0, instance=instance@entry=0x558d8a8d82a0, emission_return=emission_return@entry=0x0, instance_and_params=instance_and_params@entry=0x7ffcb2ff4320) at ../../../gobject/gsignal.c:3780
    #37 0x00007fa7b7def54f in g_signal_emit_valist (instance=<optimized out>, signal_id=<optimized out>, detail=<optimized out>, var_args=var_args@entry=0x7ffcb2ff4500) at ../../../gobject/gsignal.c:3498
    #38 0x00007fa7b7defedf in g_signal_emit (instance=instance@entry=0x558d8a8d82a0, signal_id=<optimized out>, detail=detail@entry=0) at ../../../gobject/gsignal.c:3554
    #39 0x00007fa7b83d92d0 in gtk_notebook_switch_page (notebook=notebook@entry=0x558d8a8d82a0, page=page@entry=0x558d8a92a540) at ../../../../gtk/gtknotebook.c:6237
    #40 0x00007fa7b83e02db in gtk_notebook_real_insert_page (notebook=0x558d8a8d82a0, child=0x558d8a8b47b0, tab_label=0x558d8a8b4940, menu_label=<optimized out>, position=<optimized out>) at ../../../../gtk/gtknotebook.c:4856
    #41 0x0000558d8a189ae0 in ?? ()
    #42 0x0000558d8a1870b9 in ?? ()
    #43 0x00007fa7b5ecaccd in ?? () from /usr/lib/x86_64-linux-gnu/libffi.so.7
    #44 0x00007fa7b5eca25a in ?? () from /usr/lib/x86_64-linux-gnu/libffi.so.7
    #45 0x00007fa7b7dd17fc in g_cclosure_marshal_generic (closure=0x558d8a688440, return_gvalue=0x7ffcb2ff4ad0, n_param_values=<optimized out>, param_values=<optimized out>, invocation_hint=<optimized out>, marshal_data=<optimized out>) at ../../../gobject/gclosure.c:1500
    #46 0x00007fa7b7dd0fd2 in g_closure_invoke (closure=0x558d8a688440, return_value=0x7ffcb2ff4ad0, n_param_values=3, param_values=0x558d8a6cd5a0, invocation_hint=0x7ffcb2ff4ab0) at ../../../gobject/gclosure.c:810
    #47 0x00007fa7b7de3f06 in signal_emit_unlocked_R (node=node@entry=0x558d8a701550, detail=detail@entry=0, instance=instance@entry=0x558d8a6fe540, emission_return=emission_return@entry=0x7ffcb2ff4c00, instance_and_params=instance_and_params@entry=0x558d8a6cd5a0) at ../../../gobject/gsignal.c:3780
    #48 0x00007fa7b7dee8af in g_signal_emitv (instance_and_params=0x558d8a6cd5a0, signal_id=<optimized out>, detail=0, return_value=0x7ffcb2ff4c00) at ../../../gobject/gsignal.c:3230
    #49 0x0000558d8a1a023c in ?? ()
    #50 0x00007fa7b7f3bb7a in g_dbus_interface_method_dispatch_helper (interface=<optimized out>, method_call_func=0x558d8a1a0080, invocation=0x7fa7a8014000) at ../../../gio/gdbusinterfaceskeleton.c:613
    #51 0x00007fa7b7f22d10 in call_in_idle_cb (user_data=<optimized out>) at ../../../gio/gdbusconnection.c:4888
    #52 0x00007fa7b7ce64de in g_main_dispatch (context=0x558d8a5ba3a0) at ../../../glib/gmain.c:3309
    #53 g_main_context_dispatch (context=context@entry=0x558d8a5ba3a0) at ../../../glib/gmain.c:3974
    #54 0x00007fa7b7ce6890 in g_main_context_iterate (context=context@entry=0x558d8a5ba3a0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../../../glib/gmain.c:4047
    #55 0x00007fa7b7ce691f in g_main_context_iteration (context=context@entry=0x558d8a5ba3a0, may_block=may_block@entry=1) at ../../../glib/gmain.c:4108
    #56 0x00007fa7b7ef7f9d in g_application_run (application=0x558d8a65e1e0, argc=<optimized out>, argv=<optimized out>) at ../../../gio/gapplication.c:2559
    #57 0x0000558d8a1815fe in ?? ()
    #58 0x00007fa7b7acfe0b in __libc_start_main (main=0x558d8a181470, argc=1, argv=0x7ffcb2ff5078, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffcb2ff5068) at ../csu/libc-start.c:308
    #59 0x0000558d8a18175a in ?? ()

vim.gtk3 crashes with:

    #0  0x0000000000000000 in ?? ()
    #1  0x00007ffff777c383 in pango_font_get_hb_font (font=font@entry=0x555555f07860) at ../pango/fonts.c:1908
    #2  0x00007ffff7796173 in pango_font_get_hb_font_for_context (context=0x7fffffffc930, font=0x555555f07860) at ../pango/pangofc-shape.c:345
    #3  pango_hb_shape (font=0x555555f07860, item_text=item_text@entry=0x555555e325a0 "MW", item_length=item_length@entry=2, analysis=analysis@entry=0x555555db7010, glyphs=glyphs@entry=0x555555e30ee0, paragraph_text=paragraph_text@entry=0x555555e325a0 "MW", paragraph_length=2) at ../pango/pangofc-shape.c:345
    #4  0x00007ffff77959ea in pango_shape_with_flags (item_text=0x555555e325a0 "MW", item_length=2, paragraph_text=<optimized out>, paragraph_length=2, analysis=analysis@entry=0x555555db7010, glyphs=glyphs@entry=0x555555e30ee0, flags=PANGO_SHAPE_ROUND_POSITIONS) at ../pango/shape.c:205
    #5  0x00007ffff7786a33 in shape_run (line=line@entry=0x555555e269e0, state=state@entry=0x7fffffffcee0, item=item@entry=0x555555db7000) at ../pango/pango-layout.c:3354
    #6  0x00007ffff7788e78 in process_item (layout=layout@entry=0x555555d36580, line=line@entry=0x555555e269e0, state=state@entry=0x7fffffffcee0, force_fit=force_fit@entry=1, no_break_at_end=no_break_at_end@entry=0) at ../pango/pango-layout.c:3633
    #7  0x00007ffff778af6d in process_line (state=0x7fffffffcee0, layout=0x555555d36580) at ../pango/pango-layout.c:3951
    #8  pango_layout_check_lines (layout=<optimized out>) at ../pango/pango-layout.c:4315
    #9  pango_layout_check_lines (layout=<optimized out>) at ../pango/pango-layout.c:4175
    #10 0x00007ffff778ca59 in pango_layout_get_extents_internal (layout=0x555555d36580, ink_rect=0x0, logical_rect=0x7fffffffd050, line_extents=0x0) at ../pango/pango-layout.c:2623
    #11 0x00007ffff778cfa6 in pango_layout_get_size (layout=<optimized out>, width=0x7fffffffd0a0, height=0x0) at ../pango/pango-layout.c:2865
    #12 0x00005555557c0a6a in gui_mch_init_font ()
    #13 0x00005555557b5a2d in gui_init_font ()
    #14 0x00005555557b714a in gui_init ()
    #15 0x000055555576ce23 in set_termname ()
    #16 0x00005555557b7c5b in ?? ()
    #17 0x00005555557b7d5e in gui_start ()
    #18 0x0000555555805ae6 in vim_main2 ()
    #19 0x00005555555ceb1f in main ()

pango-view also crashes with a similar backtrace.

Here's the code that crashes:

    (gdb) list
    1903      g_return_val_if_fail (PANGO_IS_FONT (font), NULL);
    1904
    1905      if (priv->hb_font)
    1906        return priv->hb_font;
    1907
    1908      priv->hb_font = PANGO_FONT_GET_CLASS (font)->create_hb_font (font);
    1909
    1910      hb_font_make_immutable (priv->hb_font);
    1911
    1912      return priv->hb_font;

    (gdb) p *priv
    $4 = {
      hb_font = 0x0
    }

    (gdb) p *font
    $6 = {
      parent_instance = {
        g_type_instance = {
          g_class = 0x555555e31a50
        },
        ref_count = 4,
        qdata = 0x0
      }
    }

-- System Information:
Debian Release: 10.3
  APT prefers stable-debug
  APT policy: (570, 'stable-debug'), (570, 'stable'), (550, 'testing-debug'), (550, 'testing'), (530, 'unstable-debug'), (530, 'unstable'), (500, 'stable-updates'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.4.0-4-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_USER
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Permissive - Policy name: default

Versions of packages libpango-1.0-0 depends on:
ii  fontconfig     2.13.1-2
ii  libc6          2.30-4
ii  libfribidi0    1.0.5-3.1+deb10u1
ii  libglib2.0-0   2.64.1-1
ii  libharfbuzz0b  2.3.1-1
ii  libthai0       0.1.28-2

libpango-1.0-0 recommends no packages.

libpango-1.0-0 suggests no packages.

-- no debconf information