Discussion:
Bug#948876: kodi: FTBFS: something segfaults
Bálint Réczey
2020-01-17 17:00:01 UTC
Control: reassign -1 fontforge 1:20190801~dfsg-2
Control: affects -1 kodi

Hi Mattia,
Source: kodi
Version: 2:17.6+dfsg1-4
Severity: serious
Tags: ftbfs
Dear maintainer,
your package failed to rebuild in a standard sid chroot.
If this is caused by a dependency, please reassign and send an
appropriate "affects".
debian/rules override_dh_auto_configure
make[1]: Entering directory '/build/1st/kodi-17.6+dfsg1'
cp -r /build/1st/kodi-17.6+dfsg1/webinterface-default /build/1st/kodi-17.6+dfsg1/addons/webinterface.default
sed -i 's/DEB_VERSION/"'2:17.6+dfsg1-4'"/' xbmc/Application.cpp xbmc/utils/SystemInfo.cpp
fontforge -script /build/1st/kodi-17.6+dfsg1/debian/mergefonts.ff \
/usr/share/fonts/truetype/droid/DroidSansFallbackFull.ttf \
/usr/share/fonts/truetype/dejavu/DejaVuSans.ttf \
/build/1st/kodi-17.6+dfsg1/media/Fonts/arial.ttf
Copyright (c) 2000-2019. See AUTHORS for Contributors.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
with many parts BSD <http://fontforge.org/license.html>. Please read LICENSE.
Version: 20190801
Based on sources from 12:20 UTC 13-Nov-2019-ML-D-GDK3.
Cannot find your hotkey definition file!
This font contains both a 'kern' table and a 'GPOS' table.
The 'kern' table will only be read if there is no 'kern' feature in 'GPOS'.
Use-my-metrics flag set on at least two components in glyph 685
The glyph named Omega is mapped to U+03A9.
But its name indicates it should be mapped to U+2126.
Attempt to output 233084170 into a 16-bit field. It will be truncated and the file may not be useful.
make[1]: *** [debian/rules:112: override_dh_auto_configure] Segmentation fault
make[1]: Leaving directory '/build/1st/kodi-17.6+dfsg1'
make: *** [debian/rules:87: build] Error 2
dpkg-buildpackage: error: debian/rules build subprocess returned exit status 2
Thanks, this is a bug in fontforge.

Cheers,
Balint
Debian Bug Tracking System
2020-01-17 17:00:02 UTC
Post by Bálint Réczey
reassign -1 fontforge 1:20190801~dfsg-2
Bug #948876 [src:kodi] kodi: FTBFS: something segfaults
Bug #948977 [src:kodi] kodi ftbfs in unstable (fontforge segfault)
Bug reassigned from package 'src:kodi' to 'fontforge'.
Bug reassigned from package 'src:kodi' to 'fontforge'.
No longer marked as found in versions kodi/2:17.6+dfsg1-4.
No longer marked as found in versions kodi/2:17.6+dfsg1-4.
Ignoring request to alter fixed versions of bug #948876 to the same values previously set
Ignoring request to alter fixed versions of bug #948977 to the same values previously set
Bug #948876 [fontforge] kodi: FTBFS: something segfaults
Bug #948977 [fontforge] kodi ftbfs in unstable (fontforge segfault)
Marked as found in versions fontforge/1:20190801~dfsg-2.
Marked as found in versions fontforge/1:20190801~dfsg-2.
Post by Bálint Réczey
affects -1 kodi
Bug #948876 [fontforge] kodi: FTBFS: something segfaults
Bug #948977 [fontforge] kodi ftbfs in unstable (fontforge segfault)
Added indication that 948876 affects kodi
Added indication that 948977 affects kodi
--
948876: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=948876
948977: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=948977
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
Bernhard Übelacker
2020-01-22 10:40:01 UTC
Dear Maintainer,
I tried to look into this issue without being involved
in packaging fontforge.
I found it most reproducible when building with
"-fsanitize=address", and then always failing on accessing
the same address. [1]


As far as I see this is what happens:

- Address 0x60400008a210 gets returned by the allocator [2],
and stored in "sf->glyphs[49391]->vert_variants".

- Memory gets freed below SplineFontFree while still
stored below "sf->..." [3].

- Address 0x60400008a210 gets returned a second time.
This is returned as the previous allocation by AddressSanitizer [1].

- And freed again.

- The first pointer gets further copied around (See attached file.)

- Now in gv_len this address is again accessed and causes the crash. [1]

(Is there a way to force AddressSanitizer to return unique memory addresses?)
The line numbers of the AddressSanitizer outputs do not
completely match because of some added fprintf's.


A temporary workaround could be to disable the call to
SplineFontFree in _MergeFont. Then no crash happens.


Kind regards,
Bernhard




[1]
==111281==ERROR: AddressSanitizer: heap-use-after-free on address 0x60400008a210 at pc 0x7fc246fb1ea9 bp 0x7fff40ed9800 sp 0x7fff40ed97f8
READ of size 8 at 0x60400008a210 thread T0
#0 0x7fc246fb1ea8 in gv_len ./fontforge/tottfgpos.c:3838
#1 0x7fc246fcce1f in ttf_math_dump_glyphvariant ./fontforge/tottfgpos.c:3979
#2 0x7fc246fcce1f in otf_dump_math ./fontforge/tottfgpos.c:4139
#3 0x7fc246fff7f0 in initATTables ./fontforge/tottf.c:5316
#4 0x7fc24700297e in initTables ./fontforge/tottf.c:5792
#5 0x7fc247003737 in _WriteTTFFont ./fontforge/tottf.c:6143
#6 0x7fc2470040b1 in WriteTTFFont ./fontforge/tottf.c:6171
#7 0x7fc246d09d1b in _DoSave ./fontforge/savefont.c:845
#8 0x7fc246d0ec2b in GenerateScript ./fontforge/savefont.c:1269
#9 0x7fc246d5d592 in bGenerate ./fontforge/scripting.c:2061
#10 0x7fc246d63b7d in docall ./fontforge/scripting.c:9632
#11 0x7fc246d64be1 in handlename ./fontforge/scripting.c:9745
#12 0x7fc246d67aa1 in term ./fontforge/scripting.c:9983
#13 0x7fc246d684fb in mul ./fontforge/scripting.c:10128
#14 0x7fc246d68a0b in add ./fontforge/scripting.c:10174
#15 0x7fc246d6943c in comp ./fontforge/scripting.c:10249
#16 0x7fc246d69b10 in _and ./fontforge/scripting.c:10293
#17 0x7fc246d6a04a in _or ./fontforge/scripting.c:10325
#18 0x7fc246d6a04a in assign ./fontforge/scripting.c:10358
#19 0x7fc246d620d9 in expr ./fontforge/scripting.c:10436
#20 0x7fc246d620d9 in ff_statement ./fontforge/scripting.c:10649
#21 0x7fc246d6bddd in ProcessNativeScript ./fontforge/scripting.c:10796
#22 0x7fc246d6c944 in _CheckIsScript ./fontforge/scripting.c:10890
#23 0x7fc246d6c944 in CheckIsScript ./fontforge/scripting.c:10927
#24 0x7fc2477c8643 in fontforge_main ./fontforgeexe/startnoui.c:122
#25 0x7fc24762cbba in __libc_start_main ../csu/libc-start.c:308
#26 0x5568a79b80c9 in _start (/home/benutzer/source/libfontforge3/try2/fontforge-20190801~dfsg/debian/fontforge-nox/usr/bin/fontforge+0x10c9)

0x60400008a210 is located 0 bytes inside of 35-byte region [0x60400008a210,0x60400008a233)
freed by thread T0 here:
#0 0x7fc2478d4277 in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.5+0x107277)
#1 0x7fc246fe6564 in dumpglyph ./fontforge/tottf.c:1331

previously allocated by thread T0 here:
#0 0x7fc2478d4628 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x107628)
#1 0x7fc246fe6336 in dumpglyph ./fontforge/tottf.c:1316




[2]
# Allocation 1
(gdb) print gv
$1 = (struct glyphvariants *) 0x60400008a210
(gdb) bt
#0 0x00007ffff69adb01 in ttf_math_read_gvtable (ttf=ttf@entry=0x6160002bfb80, info=info@entry=0x7fffffffc3c0, start=<optimized out>, justinuse=justinuse@entry=git_normal, basesc=basesc@entry=0x613002af2800, isv=isv@entry=1) at ././fontforge/parsettfatt.c:5318
#1 0x00007ffff69c7653 in ttf_math_read_variants (justinuse=git_normal, start=47440, info=0x7fffffffc3c0, ttf=0x6160002bfb80) at ././fontforge/parsettfatt.c:5474
#2 0x00007ffff69c7653 in _otf_read_math (justinuse=git_normal, info=<optimized out>, ttf=0x6160002bfb80) at ././fontforge/parsettfatt.c:5518
#3 0x00007ffff69c7653 in _otf_read_math (ttf=0x6160002bfb80, info=<optimized out>, justinuse=git_normal) at ././fontforge/parsettfatt.c:5496
#4 0x00007ffff6a08515 in readttf (filename=<optimized out>, info=<optimized out>, ttf=0x6020004fd210) at ././fontforge/parsettf.c:5673
#5 0x00007ffff6a08515 in _SFReadTTF (ttf=ttf@entry=0x6160002bfb80, flags=flags@entry=0, openflags=openflags@entry=(unknown: 0), filename=filename@entry=0x604000070690 "/usr/share/fonts/truetype/dejavu/DejaVuSans.ttf", chosenname=chosenname@entry=0x0, fd=fd@entry=0x0) at ././fontforge/parsettf.c:6327
#6 0x00007ffff6c08d80 in _ReadSplineFont (file=<optimized out>, file@entry=0x0, filename=filename@entry=0x604000070650 "/usr/share/fonts/truetype/dejavu/DejaVuSans.ttf", openflags=openflags@entry=(unknown: 0)) at ././fontforge/splinefont.c:1141
#7 0x00007ffff6c0a3ac in ReadSplineFont (filename=filename@entry=0x604000070650 "/usr/share/fonts/truetype/dejavu/DejaVuSans.ttf", openflags=openflags@entry=(unknown: 0)) at ././fontforge/splinefont.c:1321
#8 0x00007ffff6c0a6b2 in LoadSplineFont (filename=filename@entry=0x604000070610 "/usr/share/fonts/truetype/dejavu/DejaVuSans.ttf", openflags=openflags@entry=(unknown: 0)) at ././fontforge/splinefont.c:1379
#9 0x00007ffff6b13512 in bMergeFonts (c=0x7fffffffd030) at ././fontforge/scripting.c:5601
#10 0x00007ffff6b2b41e in docall (c=c@entry=0x7fffffffdda0, name=name@entry=0x7fffffffd350 "MergeFonts", val=val@entry=0x7fffffffdb50) at ././fontforge/scripting.c:9633
...




[3]
# Free 1
(gdb) print sc->vert_variants
$2 = (struct glyphvariants *) 0x60400008a210
(gdb) print sc
$3 = (SplineChar *) 0x613002af2800
(gdb) bt
#0 0x00007ffff6cfdd5f in SplineCharFreeContents (sc=sc@entry=0x613002af2800) at ././fontforge/splineutil.c:5995
#1 0x00007ffff6cfdf6e in SplineCharFree (sc=0x613002af2800) at ././fontforge/splineutil.c:6008
#2 0x00007ffff6cfdf6e in SplineCharFree (sc=0x613002af2800) at ././fontforge/splineutil.c:6004
#3 0x00007ffff6d058d5 in SplineFontFree (sf=0x61a000270c80) at ././fontforge/splineutil.c:6569
#4 0x00007ffff6d058d5 in SplineFontFree (sf=sf@entry=0x61a000270c80) at ././fontforge/splineutil.c:6525
#5 0x00007ffff68bf309 in _MergeFont (mc=0x7fffffffcce0, other=<optimized out>, into=<optimized out>) at ././fontforge/fvfonts.c:1162
#6 0x00007ffff68bf309 in __MergeFont (preserveCrossFontKerning=<optimized out>, other=<optimized out>, into=<optimized out>) at ././fontforge/fvfonts.c:1181
#7 0x00007ffff68bf309 in MergeFont (fv=<optimized out>, other=<optimized out>, preserveCrossFontKerning=<optimized out>) at ././fontforge/fvfonts.c:1263
#8 0x00007ffff6b2b41e in docall (c=c@entry=0x7fffffffdda0, name=name@entry=0x7fffffffd350 "MergeFonts", val=val@entry=0x7fffffffdb50) at ././fontforge/scripting.c:9633
...
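As an added illustration (not FontForge's code, and not from the attached file), the ownership pattern the analysis above describes, reduced to a few invented structs: the merge copies a glyph's vert_variants pointer into the target font and then frees the source font, so the table is freed while the target still points at it. The names mirror FontForge's (vert_variants, SplineFontFree, _MergeFont, gv_len) but the struct layout and the helper functions are assumptions of this example; the check function reports the double ownership before anything is freed, and the fixed merge moves ownership instead of sharing it.

```c
#include <stdlib.h>
/* Simplified stand-ins for FontForge's structs; the layout is invented here. */
struct glyphvariants { int cnt; };
struct splinechar   { struct glyphvariants *vert_variants; };
struct splinefont   { struct splinechar *glyph; };

static struct splinefont *font_new(int nvariants) {
    struct splinefont *sf = calloc(1, sizeof *sf);
    sf->glyph = calloc(1, sizeof *sf->glyph);
    if (nvariants > 0) {
        sf->glyph->vert_variants = calloc(1, sizeof *sf->glyph->vert_variants);
        sf->glyph->vert_variants->cnt = nvariants;
    }
    return sf;
}

static void font_free(struct splinefont *sf) {   /* like SplineFontFree */
    free(sf->glyph->vert_variants);
    free(sf->glyph);
    free(sf);
}
/* Bug pattern from the report: `into` takes the pointer but `other` keeps
 * it too, so SplineFontFree(other) frees the table out from under `into`. */
static void merge_unsafe(struct splinefont *into, struct splinefont *other) {
    into->glyph->vert_variants = other->glyph->vert_variants;
}
/* Fix: move ownership, so SplineFontFree(other) has nothing left to free. */
static void merge_safe(struct splinefont *into, struct splinefont *other) {
    into->glyph->vert_variants = other->glyph->vert_variants;
    other->glyph->vert_variants = NULL;
}
/* 1 means both fonts would free the same table: the double free behind [1]. */
static int shares_variants(const struct splinefont *a, const struct splinefont *b) {
    return a->glyph->vert_variants && a->glyph->vert_variants == b->glyph->vert_variants;
}
/* Merge, free the source font as _MergeFont does, then do the gv_len-style read
 * on the merged font. With safe==0 the aliasing is reported as -1, not read. */
static int merge_then_read(int nvariants, int safe) {
    struct splinefont *into = font_new(0), *other = font_new(nvariants);
    if (safe) merge_safe(into, other); else merge_unsafe(into, other);
    if (shares_variants(into, other)) {
        other->glyph->vert_variants = NULL;   /* repair so cleanup is clean */
        font_free(other); font_free(into);
        return -1;
    }
    font_free(other);
    int n = into->glyph->vert_variants ? into->glyph->vert_variants->cnt : 0;
    font_free(into);
    return n;
}
```

Built with -fsanitize=address, replacing the guard in merge_then_read with the read reproduces the same heap-use-after-free report shape as [1]: freed in the font-free routine, allocated in the font loader.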
Bernhard Übelacker
2020-01-25 13:50:01 UTC
Dear Maintainer,
a short addition. I got some help that AddressSanitizer
and Valgrind could be squeezed to delay returning previously
free'd addresses from the allocator.

Then both tools point to the mentioned first allocation directly.

Kind regards,
Bernhard


AddressSanitizer: export ASAN_OPTIONS=quarantine_size_mb=1000


Valgrind: --freelist-vol=10000000000
Result with unmodified Debian binaries:
valgrind --tool=memcheck --track-origins=yes --num-callers=100 --freelist-vol=10000000000 fontforge -script /home/benutzer/source/kodi/try1/kodi-17.6+dfsg1/debian/mergefonts.ff /usr/share/fonts/truetype/droid/DroidSansFallbackFull.ttf /usr/share/fonts/truetype/dejavu/DejaVuSans.ttf /home/benutzer/source/kodi/try1/kodi-17.6+dfsg1/media/Fonts/arial.ttf
The glyph named Omega is mapped to U+03A9.
But its name indicates it should be mapped to U+2126.
==74312== Invalid read of size 8
==74312== at 0x55F6B69: gv_len (tottfgpos.c:3838)
==74312== by 0x5601DC9: ttf_math_dump_glyphvariant (tottfgpos.c:3979)
==74312== by 0x5601DC9: otf_dump_math (tottfgpos.c:4139)
==74312== by 0x56134C9: initATTables (tottf.c:5316)
==74312== by 0x5615006: initTables (tottf.c:5792)
==74312== by 0x561552A: _WriteTTFFont (tottf.c:6143)
==74312== by 0x5615A49: WriteTTFFont (tottf.c:6171)
==74312== by 0x54F5413: _DoSave (savefont.c:845)
==74312== by 0x54F7DCF: GenerateScript (savefont.c:1269)
==74312== by 0x55103FB: bGenerate (scripting.c:2061)
==74312== by 0x5512F0A: docall (scripting.c:9632)
==74312== by 0x551359D: handlename (scripting.c:9745)
==74312== by 0x55147B2: term (scripting.c:9983)
==74312== by 0x5514B37: mul (scripting.c:10128)
==74312== by 0x5514D4D: add (scripting.c:10174)
==74312== by 0x55150B8: comp (scripting.c:10249)
==74312== by 0x5515340: _and (scripting.c:10293)
==74312== by 0x55154E2: _or (scripting.c:10325)
==74312== by 0x55154E2: assign (scripting.c:10358)
==74312== by 0x55122FC: expr (scripting.c:10436)
==74312== by 0x55122FC: ff_statement (scripting.c:10649)
==74312== by 0x5516110: ProcessNativeScript (scripting.c:10796)
==74312== by 0x5516744: _CheckIsScript (scripting.c:10890)
==74312== by 0x5516744: CheckIsScript (scripting.c:10927)
==74312== by 0x4A165B8: fontforge_main (startui.c:1099)
==74312== by 0x4C13BBA: (below main) (libc-start.c:308)
==74312== Address 0x8f6e3600 is 0 bytes inside a block of size 40 free'd
==74312== at 0x48379AB: free (vg_replace_malloc.c:540)
==74312== by 0x55C7B19: SplineCharFreeContents (splineutil.c:5963)
==74312== by 0x55C7B7D: SplineCharFree (splineutil.c:5974)
==74312== by 0x55C7B7D: SplineCharFree (splineutil.c:5970)
==74312== by 0x55CA66D: SplineFontFree (splineutil.c:6535)
==74312== by 0x55CA66D: SplineFontFree (splineutil.c:6491)
==74312== by 0x542E147: _MergeFont (fvfonts.c:1161)
==74312== by 0x542E147: __MergeFont (fvfonts.c:1179)
==74312== by 0x542E147: MergeFont (fvfonts.c:1261)
==74312== by 0x5512F0A: docall (scripting.c:9632)
==74312== by 0x551359D: handlename (scripting.c:9745)
==74312== by 0x55147B2: term (scripting.c:9983)
==74312== by 0x5514B37: mul (scripting.c:10128)
==74312== by 0x5514D4D: add (scripting.c:10174)
==74312== by 0x55150B8: comp (scripting.c:10249)
==74312== by 0x5515340: _and (scripting.c:10293)
==74312== by 0x55154E2: _or (scripting.c:10325)
==74312== by 0x55154E2: assign (scripting.c:10358)
==74312== by 0x55122FC: expr (scripting.c:10436)
==74312== by 0x55122FC: ff_statement (scripting.c:10649)
==74312== by 0x5516110: ProcessNativeScript (scripting.c:10796)
==74312== by 0x5516744: _CheckIsScript (scripting.c:10890)
==74312== by 0x5516744: CheckIsScript (scripting.c:10927)
==74312== by 0x4A165B8: fontforge_main (startui.c:1099)
==74312== by 0x4C13BBA: (below main) (libc-start.c:308)
==74312== Block was alloc'd at
==74312== at 0x4838B65: calloc (vg_replace_malloc.c:762)
==74312== by 0x5486A1B: ttf_math_read_gvtable (parsettfatt.c:5317)
==74312== by 0x5491113: ttf_math_read_variants (parsettfatt.c:5473)
==74312== by 0x5491113: _otf_read_math (parsettfatt.c:5515)
==74312== by 0x5491113: _otf_read_math (parsettfatt.c:5493)
==74312== by 0x54A87D4: readttf (parsettf.c:5673)
==74312== by 0x54A87D4: _SFReadTTF (parsettf.c:6327)
==74312== by 0x556808E: _ReadSplineFont (splinefont.c:1141)
==74312== by 0x5569238: LoadSplineFont (splinefont.c:1379)
==74312== by 0x550B0E2: bMergeFonts (scripting.c:5600)
==74312== by 0x5512F0A: docall (scripting.c:9632)
==74312== by 0x551359D: handlename (scripting.c:9745)
==74312== by 0x55147B2: term (scripting.c:9983)
==74312== by 0x5514B37: mul (scripting.c:10128)
==74312== by 0x5514D4D: add (scripting.c:10174)
==74312== by 0x55150B8: comp (scripting.c:10249)
==74312== by 0x5515340: _and (scripting.c:10293)
==74312== by 0x55154E2: _or (scripting.c:10325)
==74312== by 0x55154E2: assign (scripting.c:10358)
==74312== by 0x55122FC: expr (scripting.c:10436)
==74312== by 0x55122FC: ff_statement (scripting.c:10649)
==74312== by 0x5516110: ProcessNativeScript (scripting.c:10796)
==74312== by 0x5516744: _CheckIsScript (scripting.c:10890)
==74312== by 0x5516744: CheckIsScript (scripting.c:10927)
==74312== by 0x4A165B8: fontforge_main (startui.c:1099)
==74312== by 0x4C13BBA: (below main) (libc-start.c:308)
==74312==
==74312== Invalid read of size 4
...
Hideki Yamane
2021-02-22 06:30:01 UTC
control: severity -1 important
control: retitle -1 fontforge: memory leak issue

Hi,
fontforge: Segmentation fault, making kodi FTBFS
fontforge still has memory leak issues that can be detected with the
sanitize DEB_BUILD_OPTION in debian/rules; however, kodi can now be
built without fontforge's segmentation fault. So, downgrade severity
and retitle it.
--
Hideki Yamane <***@iijmio-mail.jp>
Debian Bug Tracking System
2021-02-22 06:30:01 UTC
Post by Hideki Yamane
severity -1 important
Bug #948876 [fontforge] fontforge: Segmentation fault, making kodi FTBFS
Bug #948977 [fontforge] fontforge: Segmentation fault, making kodi FTBFS
Severity set to 'important' from 'serious'
Severity set to 'important' from 'serious'
Post by Hideki Yamane
retitle -1 fontforge: memory leak issue
Bug #948876 [fontforge] fontforge: Segmentation fault, making kodi FTBFS
Bug #948977 [fontforge] fontforge: Segmentation fault, making kodi FTBFS
Changed Bug title to 'fontforge: memory leak issue' from 'fontforge: Segmentation fault, making kodi FTBFS'.
Changed Bug title to 'fontforge: memory leak issue' from 'fontforge: Segmentation fault, making kodi FTBFS'.
--
948876: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=948876
948977: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=948977
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems