[Pkg-fonts-devel] Bug#948876: kodi: FTBFS: something segfaults

Bernhard Übelacker bernhardu at mailbox.org
Wed Jan 22 10:27:20 GMT 2020


Dear Maintainer,
I tried to look into this issue without being involved
in packaging fontforge.
I found it most reproducible when building with
"-fsanitize=address", and then always failing on accessing
the same address. [1]


As far as I see this is what happens:

- Address 0x60400008a210 gets returned by the allocator [2],
  and stored in "sf->glyphs[49391]->vert_variants".

- Memory gets freed below SplineFontFree while still
  stored below "sf->..." [3].


- Address 0x60400008a210 gets returned a second time.
  This is returned as the previous allocation by AddressSanitizer [1].

- And freed again.


- The first pointer gets further copied around (see attached file).

- Now in gv_len this address is again accessed and causes the crash. [1]


(Is there a way to force AddressSanitizer to return unique memory addresses?)
The line numbers of the AddressSanitizer outputs do not
completely match because of some added fprintf's.


A temporary workaround could be to disable the call to
SplineFontFree in _MergeFont. Then no crash happens.


Kind regards,
Bernhard




[1]
==111281==ERROR: AddressSanitizer: heap-use-after-free on address 0x60400008a210 at pc 0x7fc246fb1ea9 bp 0x7fff40ed9800 sp 0x7fff40ed97f8
READ of size 8 at 0x60400008a210 thread T0
    #0 0x7fc246fb1ea8 in gv_len ./fontforge/tottfgpos.c:3838
    #1 0x7fc246fcce1f in ttf_math_dump_glyphvariant ./fontforge/tottfgpos.c:3979
    #2 0x7fc246fcce1f in otf_dump_math ./fontforge/tottfgpos.c:4139
    #3 0x7fc246fff7f0 in initATTables ./fontforge/tottf.c:5316
    #4 0x7fc24700297e in initTables ./fontforge/tottf.c:5792
    #5 0x7fc247003737 in _WriteTTFFont ./fontforge/tottf.c:6143
    #6 0x7fc2470040b1 in WriteTTFFont ./fontforge/tottf.c:6171
    #7 0x7fc246d09d1b in _DoSave ./fontforge/savefont.c:845
    #8 0x7fc246d0ec2b in GenerateScript ./fontforge/savefont.c:1269
    #9 0x7fc246d5d592 in bGenerate ./fontforge/scripting.c:2061
    #10 0x7fc246d63b7d in docall ./fontforge/scripting.c:9632
    #11 0x7fc246d64be1 in handlename ./fontforge/scripting.c:9745
    #12 0x7fc246d67aa1 in term ./fontforge/scripting.c:9983
    #13 0x7fc246d684fb in mul ./fontforge/scripting.c:10128
    #14 0x7fc246d68a0b in add ./fontforge/scripting.c:10174
    #15 0x7fc246d6943c in comp ./fontforge/scripting.c:10249
    #16 0x7fc246d69b10 in _and ./fontforge/scripting.c:10293
    #17 0x7fc246d6a04a in _or ./fontforge/scripting.c:10325
    #18 0x7fc246d6a04a in assign ./fontforge/scripting.c:10358
    #19 0x7fc246d620d9 in expr ./fontforge/scripting.c:10436
    #20 0x7fc246d620d9 in ff_statement ./fontforge/scripting.c:10649
    #21 0x7fc246d6bddd in ProcessNativeScript ./fontforge/scripting.c:10796
    #22 0x7fc246d6c944 in _CheckIsScript ./fontforge/scripting.c:10890
    #23 0x7fc246d6c944 in CheckIsScript ./fontforge/scripting.c:10927
    #24 0x7fc2477c8643 in fontforge_main ./fontforgeexe/startnoui.c:122
    #25 0x7fc24762cbba in __libc_start_main ../csu/libc-start.c:308
    #26 0x5568a79b80c9 in _start (/home/benutzer/source/libfontforge3/try2/fontforge-20190801~dfsg/debian/fontforge-nox/usr/bin/fontforge+0x10c9)

0x60400008a210 is located 0 bytes inside of 35-byte region [0x60400008a210,0x60400008a233)
freed by thread T0 here:
    #0 0x7fc2478d4277 in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.5+0x107277)
    #1 0x7fc246fe6564 in dumpglyph ./fontforge/tottf.c:1331

previously allocated by thread T0 here:
    #0 0x7fc2478d4628 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x107628)
    #1 0x7fc246fe6336 in dumpglyph ./fontforge/tottf.c:1316




[2]
# Allocation 1
(gdb) print gv
$1 = (struct glyphvariants *) 0x60400008a210
(gdb) bt
#0  0x00007ffff69adb01 in ttf_math_read_gvtable (ttf=ttf@entry=0x6160002bfb80, info=info@entry=0x7fffffffc3c0, start=<optimized out>, justinuse=justinuse@entry=git_normal, basesc=basesc@entry=0x613002af2800, isv=isv@entry=1) at ././fontforge/parsettfatt.c:5318
#1  0x00007ffff69c7653 in ttf_math_read_variants (justinuse=git_normal, start=47440, info=0x7fffffffc3c0, ttf=0x6160002bfb80) at ././fontforge/parsettfatt.c:5474
#2  0x00007ffff69c7653 in _otf_read_math (justinuse=git_normal, info=<optimized out>, ttf=0x6160002bfb80) at ././fontforge/parsettfatt.c:5518
#3  0x00007ffff69c7653 in _otf_read_math (ttf=0x6160002bfb80, info=<optimized out>, justinuse=git_normal) at ././fontforge/parsettfatt.c:5496
#4  0x00007ffff6a08515 in readttf (filename=<optimized out>, info=<optimized out>, ttf=0x6020004fd210) at ././fontforge/parsettf.c:5673
#5  0x00007ffff6a08515 in _SFReadTTF (ttf=ttf@entry=0x6160002bfb80, flags=flags@entry=0, openflags=openflags@entry=(unknown: 0), filename=filename@entry=0x604000070690 "/usr/share/fonts/truetype/dejavu/DejaVuSans.ttf", chosenname=chosenname@entry=0x0, fd=fd@entry=0x0) at ././fontforge/parsettf.c:6327
#6  0x00007ffff6c08d80 in _ReadSplineFont (file=<optimized out>, file@entry=0x0, filename=filename@entry=0x604000070650 "/usr/share/fonts/truetype/dejavu/DejaVuSans.ttf", openflags=openflags@entry=(unknown: 0)) at ././fontforge/splinefont.c:1141
#7  0x00007ffff6c0a3ac in ReadSplineFont (filename=filename@entry=0x604000070650 "/usr/share/fonts/truetype/dejavu/DejaVuSans.ttf", openflags=openflags@entry=(unknown: 0)) at ././fontforge/splinefont.c:1321
#8  0x00007ffff6c0a6b2 in LoadSplineFont (filename=filename@entry=0x604000070610 "/usr/share/fonts/truetype/dejavu/DejaVuSans.ttf", openflags=openflags@entry=(unknown: 0)) at ././fontforge/splinefont.c:1379
#9  0x00007ffff6b13512 in bMergeFonts (c=0x7fffffffd030) at ././fontforge/scripting.c:5601
#10 0x00007ffff6b2b41e in docall (c=c@entry=0x7fffffffdda0, name=name@entry=0x7fffffffd350 "MergeFonts", val=val@entry=0x7fffffffdb50) at ././fontforge/scripting.c:9633
...




[3]
# Free 1
(gdb) print sc->vert_variants
$2 = (struct glyphvariants *) 0x60400008a210
(gdb) print sc
$3 = (SplineChar *) 0x613002af2800
(gdb) bt
#0  0x00007ffff6cfdd5f in SplineCharFreeContents (sc=sc@entry=0x613002af2800) at ././fontforge/splineutil.c:5995
#1  0x00007ffff6cfdf6e in SplineCharFree (sc=0x613002af2800) at ././fontforge/splineutil.c:6008
#2  0x00007ffff6cfdf6e in SplineCharFree (sc=0x613002af2800) at ././fontforge/splineutil.c:6004
#3  0x00007ffff6d058d5 in SplineFontFree (sf=0x61a000270c80) at ././fontforge/splineutil.c:6569
#4  0x00007ffff6d058d5 in SplineFontFree (sf=sf@entry=0x61a000270c80) at ././fontforge/splineutil.c:6525
#5  0x00007ffff68bf309 in _MergeFont (mc=0x7fffffffcce0, other=<optimized out>, into=<optimized out>) at ././fontforge/fvfonts.c:1162
#6  0x00007ffff68bf309 in __MergeFont (preserveCrossFontKerning=<optimized out>, other=<optimized out>, into=<optimized out>) at ././fontforge/fvfonts.c:1181
#7  0x00007ffff68bf309 in MergeFont (fv=<optimized out>, other=<optimized out>, preserveCrossFontKerning=<optimized out>) at ././fontforge/fvfonts.c:1263
#8  0x00007ffff6b2b41e in docall (c=c@entry=0x7fffffffdda0, name=name@entry=0x7fffffffd350 "MergeFonts", val=val@entry=0x7fffffffdb50) at ././fontforge/scripting.c:9633
...
-------------- next part --------------

# Unstable amd64 qemu VM 2020-01-19

apt update
apt dist-upgrade


apt install systemd-coredump fakeroot htop psmisc mc git gdb valgrind rr fontforge-nox-dbgsym libgdraw6-dbgsym libfontforge3-dbgsym libasan5-dbgsym
apt build-dep kodi
apt build-dep fontforge


mkdir /home/benutzer/source/kodi/orig -p
cd    /home/benutzer/source/kodi/orig
apt source kodi
cd

mkdir /home/benutzer/source/libfontforge3/orig -p
cd    /home/benutzer/source/libfontforge3/orig
apt source libfontforge3
cd

mkdir /home/benutzer/source/libc6/orig -p
cd    /home/benutzer/source/libc6/orig
apt source libc6
cd





cd /home/benutzer/source/kodi
cp orig try1 -a
cd try1/kodi-17.6+dfsg1
dpkg-buildpackage






journalctl --no-pager


Jan 19 14:35:54 debian kernel: traps: fontforge[14646] general protection fault ip:7f1b96479b88 sp:7ffc7374df40 error:0 in libfontforge.so.3.0.0[7f1b9623b000+27d000]
Jan 19 14:35:54 debian systemd[1]: Created slice system-systemd\x2dcoredump.slice.
Jan 19 14:35:54 debian systemd[1]: Started Process Core Dump (PID 14647/UID 0).
Jan 19 14:35:58 debian systemd-coredump[14648]: Process 14646 (fontforge) of user 1000 dumped core.
                                                
                                                Stack trace of thread 14646:
                                                #0  0x00007f1b96479b88 n/a (libfontforge.so.3 + 0x2d0b88)
                                                #1  0x00007f1b96484dca otf_dump_math (libfontforge.so.3 + 0x2dbdca)
                                                #2  0x00007f1b964964ca n/a (libfontforge.so.3 + 0x2ed4ca)
                                                #3  0x00007f1b96498007 n/a (libfontforge.so.3 + 0x2ef007)
                                                #4  0x00007f1b9649852b _WriteTTFFont (libfontforge.so.3 + 0x2ef52b)
                                                #5  0x00007f1b96498a4a WriteTTFFont (libfontforge.so.3 + 0x2efa4a)
                                                #6  0x00007f1b96378414 _DoSave (libfontforge.so.3 + 0x1cf414)
                                                #7  0x00007f1b9637add0 GenerateScript (libfontforge.so.3 + 0x1d1dd0)
                                                #8  0x00007f1b963933fc n/a (libfontforge.so.3 + 0x1ea3fc)
                                                #9  0x00007f1b96395f0b n/a (libfontforge.so.3 + 0x1ecf0b)
                                                #10 0x00007f1b9639659e n/a (libfontforge.so.3 + 0x1ed59e)
                                                #11 0x00007f1b963977b3 n/a (libfontforge.so.3 + 0x1ee7b3)
                                                #12 0x00007f1b96397b38 n/a (libfontforge.so.3 + 0x1eeb38)
                                                #13 0x00007f1b96397d4e n/a (libfontforge.so.3 + 0x1eed4e)
                                                #14 0x00007f1b963980b9 n/a (libfontforge.so.3 + 0x1ef0b9)
                                                #15 0x00007f1b96398341 n/a (libfontforge.so.3 + 0x1ef341)
                                                #16 0x00007f1b963984e3 n/a (libfontforge.so.3 + 0x1ef4e3)
                                                #17 0x00007f1b963952fd ff_statement (libfontforge.so.3 + 0x1ec2fd)
                                                #18 0x00007f1b96399111 ProcessNativeScript (libfontforge.so.3 + 0x1f0111)
                                                #19 0x00007f1b96399745 CheckIsScript (libfontforge.so.3 + 0x1f0745)
                                                #20 0x00007f1b96ee55b9 fontforge_main (libfontforgeexe.so.3 + 0x1c15b9)
                                                #21 0x00007f1b96b8abbb __libc_start_main (libc.so.6 + 0x26bbb)
                                                #22 0x000055b235ee608a _start (fontforge + 0x108a)
Jan 19 14:35:58 debian systemd[1]: systemd-coredump@0-14647-0.service: Succeeded.




coredumpctl list
TIME                            PID   UID   GID SIG COREFILE  EXE
Sun 2020-01-19 14:35:58 CET   14646  1000  1000  11 present   /usr/bin/fontforge




coredumpctl gdb 14646

set width 0
set pagination off
directory /home/benutzer/source/libfontforge3/orig/fontforge-20190801~dfsg
bt


root@debian:~# coredumpctl gdb 14646
           PID: 14646 (fontforge)
           UID: 1000 (benutzer)
           GID: 1000 (benutzer)
        Signal: 11 (SEGV)
     Timestamp: Sun 2020-01-19 14:35:54 CET (2min 49s ago)
  Command Line: fontforge -script /home/benutzer/source/kodi/try1/kodi-17.6+dfsg1/debian/mergefonts.ff /usr/share/fonts/truetype/droid/DroidSansFallbackFull.ttf /usr/share/fonts/truetype/dejavu/DejaVuSans.ttf /home/benutzer/source/kodi/try1/kodi-17.6+dfsg1/media/Fonts/arial.ttf
    Executable: /usr/bin/fontforge
 Control Group: /user.slice/user-1000.slice/session-3.scope
          Unit: session-3.scope
         Slice: user-1000.slice
       Session: 3
     Owner UID: 1000 (benutzer)
       Boot ID: 8aaf48b792e74927bffcc507e9580f2b
    Machine ID: 33f18f39d2a9438eb75b0ed52848afcd
      Hostname: debian
       Storage: /var/lib/systemd/coredump/core.fontforge.1000.8aaf48b792e74927bffcc507e9580f2b.14646.1579440954000000000000.lz4
       Message: Process 14646 (fontforge) of user 1000 dumped core.
                
                Stack trace of thread 14646:
                #0  0x00007f1b96479b88 n/a (libfontforge.so.3 + 0x2d0b88)
                #1  0x00007f1b96484dca otf_dump_math (libfontforge.so.3 + 0x2dbdca)
                #2  0x00007f1b964964ca n/a (libfontforge.so.3 + 0x2ed4ca)
                #3  0x00007f1b96498007 n/a (libfontforge.so.3 + 0x2ef007)
                #4  0x00007f1b9649852b _WriteTTFFont (libfontforge.so.3 + 0x2ef52b)
                #5  0x00007f1b96498a4a WriteTTFFont (libfontforge.so.3 + 0x2efa4a)
                #6  0x00007f1b96378414 _DoSave (libfontforge.so.3 + 0x1cf414)
                #7  0x00007f1b9637add0 GenerateScript (libfontforge.so.3 + 0x1d1dd0)
                #8  0x00007f1b963933fc n/a (libfontforge.so.3 + 0x1ea3fc)
                #9  0x00007f1b96395f0b n/a (libfontforge.so.3 + 0x1ecf0b)
                #10 0x00007f1b9639659e n/a (libfontforge.so.3 + 0x1ed59e)
                #11 0x00007f1b963977b3 n/a (libfontforge.so.3 + 0x1ee7b3)
                #12 0x00007f1b96397b38 n/a (libfontforge.so.3 + 0x1eeb38)
                #13 0x00007f1b96397d4e n/a (libfontforge.so.3 + 0x1eed4e)
                #14 0x00007f1b963980b9 n/a (libfontforge.so.3 + 0x1ef0b9)
                #15 0x00007f1b96398341 n/a (libfontforge.so.3 + 0x1ef341)
                #16 0x00007f1b963984e3 n/a (libfontforge.so.3 + 0x1ef4e3)
                #17 0x00007f1b963952fd ff_statement (libfontforge.so.3 + 0x1ec2fd)
                #18 0x00007f1b96399111 ProcessNativeScript (libfontforge.so.3 + 0x1f0111)
                #19 0x00007f1b96399745 CheckIsScript (libfontforge.so.3 + 0x1f0745)
                #20 0x00007f1b96ee55b9 fontforge_main (libfontforgeexe.so.3 + 0x1c15b9)
                #21 0x00007f1b96b8abbb __libc_start_main (libc.so.6 + 0x26bbb)
                #22 0x000055b235ee608a _start (fontforge + 0x108a)

GNU gdb (Debian 8.3.1-1) 8.3.1
Copyright (C) 2019 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/bin/fontforge...
(No debugging symbols found in /usr/bin/fontforge)
[New LWP 14646]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `fontforge -script /home/benutzer/source/kodi/try1/kodi-17.6+dfsg1/debian/mergef'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f1b96479b88 in ?? () from /lib/libfontforge.so.3
(gdb) set width 0
(gdb) set pagination off
(gdb) bt
#0  0x00007f1b96479b88 in  () at /lib/libfontforge.so.3
#1  0x00007f1b96484dca in otf_dump_math () at /lib/libfontforge.so.3
#2  0x00007f1b964964ca in  () at /lib/libfontforge.so.3
#3  0x00007f1b96498007 in  () at /lib/libfontforge.so.3
#4  0x00007f1b9649852b in _WriteTTFFont () at /lib/libfontforge.so.3
#5  0x00007f1b96498a4a in WriteTTFFont () at /lib/libfontforge.so.3
#6  0x00007f1b96378414 in _DoSave () at /lib/libfontforge.so.3
#7  0x00007f1b9637add0 in GenerateScript () at /lib/libfontforge.so.3
#8  0x00007f1b963933fc in  () at /lib/libfontforge.so.3
#9  0x00007f1b96395f0b in  () at /lib/libfontforge.so.3
#10 0x00007f1b9639659e in  () at /lib/libfontforge.so.3
#11 0x00007f1b963977b3 in  () at /lib/libfontforge.so.3
#12 0x00007f1b96397b38 in  () at /lib/libfontforge.so.3
#13 0x00007f1b96397d4e in  () at /lib/libfontforge.so.3
#14 0x00007f1b963980b9 in  () at /lib/libfontforge.so.3
#15 0x00007f1b96398341 in  () at /lib/libfontforge.so.3
#16 0x00007f1b963984e3 in  () at /lib/libfontforge.so.3
#17 0x00007f1b963952fd in ff_statement () at /lib/libfontforge.so.3
#18 0x00007f1b96399111 in ProcessNativeScript () at /lib/libfontforge.so.3
#19 0x00007f1b96399745 in CheckIsScript () at /lib/libfontforge.so.3
#20 0x00007f1b96ee55b9 in fontforge_main () at /lib/libfontforgeexe.so.3
#21 0x00007f1b96b8abbb in __libc_start_main (main=0x55b235ee6050 <main>, argc=6, argv=0x7ffc737514d8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffc737514c8) at ../csu/libc-start.c:308
#22 0x000055b235ee608a in _start ()




Core was generated by `fontforge -script /home/benutzer/source/kodi/try1/kodi-17.6+dfsg1/debian/mergef'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f1b96479b88 in gv_len (sf=sf@entry=0x55b25d946c10, gv=0x55b25f307960) at ././fontforge/tottfgpos.c:3838
3838    ././fontforge/tottfgpos.c: Datei oder Verzeichnis nicht gefunden.
(gdb) set width 0
(gdb) set pagination off
(gdb) bt
#0  0x00007f1b96479b88 in gv_len (sf=sf@entry=0x55b25d946c10, gv=0x55b25f307960) at ././fontforge/tottfgpos.c:3838
#1  0x00007f1b96484dca in ttf_math_dump_glyphvariant (at=0x7ffc7374e340, at=0x7ffc7374e340, sf=0x55b25d946c10, mathf=0x55b25f258250) at ././fontforge/tottfgpos.c:3979
#2  0x00007f1b96484dca in otf_dump_math (at=at@entry=0x7ffc7374e340, sf=sf@entry=0x55b25d946c10) at ././fontforge/tottfgpos.c:4139
#3  0x00007f1b964964ca in initATTables (at=at@entry=0x7ffc7374e340, sf=sf@entry=0x55b25d946c10, format=format@entry=ff_ttf) at ././fontforge/tottf.c:5316
#4  0x00007f1b96498007 in initTables (at=at@entry=0x7ffc7374e340, sf=sf@entry=0x55b25d946c10, format=format@entry=ff_ttf, bsizes=<optimized out>, bsizes@entry=0x0, bf=bf@entry=bf_none) at ././fontforge/tottf.c:5792
#5  0x00007f1b9649852b in _WriteTTFFont (ttf=ttf@entry=0x55b236512770, sf=sf@entry=0x55b25d946c10, format=format@entry=ff_ttf, bsizes=bsizes@entry=0x0, bf=bf@entry=bf_none, flags=flags@entry=32, map=0x55b245c179d0, layer=1) at ././fontforge/tottf.c:6143
#6  0x00007f1b96498a4a in WriteTTFFont (fontname=fontname@entry=0x55b25f2ef230 "/home/benutzer/source/kodi/try1/kodi-17.6+dfsg1/media/Fonts/arial.ttf", sf=sf@entry=0x55b25d946c10, format=ff_ttf, bsizes=bsizes@entry=0x0, bf=bf_none, flags=flags@entry=32, map=0x55b245c179d0, layer=1) at ././fontforge/tottf.c:6171
#7  0x00007f1b96378414 in _DoSave (sf=sf@entry=0x55b25d946c10, newname=newname@entry=0x55b25f2ef230 "/home/benutzer/source/kodi/try1/kodi-17.6+dfsg1/media/Fonts/arial.ttf", sizes=sizes@entry=0x0, res=res@entry=-1, map=map@entry=0x55b245c179d0, subfontdefinition=subfontdefinition@entry=0x0, layer=1) at ././fontforge/savefont.c:845
#8  0x00007f1b9637add0 in GenerateScript (sf=sf@entry=0x55b25d946c10, filename=<optimized out>, filename@entry=0x55b25f2ef230 "/home/benutzer/source/kodi/try1/kodi-17.6+dfsg1/media/Fonts/arial.ttf", bitmaptype=bitmaptype@entry=0x7f1b964bd537 "", fmflags=fmflags@entry=-1, res=-1, subfontdefinition=0x0, sfs=<optimized out>, map=0x55b245c179d0, rename_to=0x0, layer=1) at ././fontforge/savefont.c:1269
#9  0x00007f1b963933fc in bGenerate (c=0x7ffc7374f860) at ././fontforge/scripting.c:2061
#10 0x00007f1b96395f0b in docall (c=c@entry=0x7ffc7374ffe0, name=name@entry=0x7ffc7374fab0 "Generate", val=val@entry=0x7ffc7374fe90) at ././fontforge/scripting.c:9632
#11 0x00007f1b9639659e in handlename (c=c@entry=0x7ffc7374ffe0, val=val@entry=0x7ffc7374fe90) at ././fontforge/scripting.c:9745
#12 0x00007f1b963977b3 in term (c=c@entry=0x7ffc7374ffe0, val=val@entry=0x7ffc7374fe90) at ././fontforge/scripting.c:9983
#13 0x00007f1b96397b38 in mul (c=c@entry=0x7ffc7374ffe0, val=val@entry=0x7ffc7374fe90) at ././fontforge/scripting.c:10128
#14 0x00007f1b96397d4e in add (c=c@entry=0x7ffc7374ffe0, val=val@entry=0x7ffc7374fe90) at ././fontforge/scripting.c:10174
#15 0x00007f1b963980b9 in comp (c=c@entry=0x7ffc7374ffe0, val=val@entry=0x7ffc7374fe90) at ././fontforge/scripting.c:10249
#16 0x00007f1b96398341 in _and (c=c@entry=0x7ffc7374ffe0, val=val@entry=0x7ffc7374fe90) at ././fontforge/scripting.c:10290
#17 0x00007f1b963984e3 in _or (val=0x7ffc7374fe90, c=0x7ffc7374ffe0) at ././fontforge/scripting.c:10358
#18 0x00007f1b963984e3 in assign (c=c@entry=0x7ffc7374ffe0, val=val@entry=0x7ffc7374fe90) at ././fontforge/scripting.c:10358
#19 0x00007f1b963952fd in expr (val=0x7ffc7374fe90, c=0x7ffc7374ffe0) at ././fontforge/scripting.c:10436
#20 0x00007f1b963952fd in ff_statement (c=c@entry=0x7ffc7374ffe0) at ././fontforge/scripting.c:10649
#21 0x00007f1b96399111 in ProcessNativeScript (argc=argc@entry=6, argv=argv@entry=0x7ffc737514d8, script=script@entry=0x0) at ././fontforge/scripting.c:10796
#22 0x00007f1b96399745 in _CheckIsScript (argv=0x7ffc737514d8, argc=6) at ././fontforge/scripting.c:10890
#23 0x00007f1b96399745 in CheckIsScript (argc=6, argv=0x7ffc737514d8) at ././fontforge/scripting.c:10927
#24 0x00007f1b96ee55b9 in fontforge_main (argc=<optimized out>, argv=<optimized out>) at ././fontforgeexe/startui.c:1099
#25 0x00007f1b96b8abbb in __libc_start_main (main=0x55b235ee6050 <main>, argc=6, argv=0x7ffc737514d8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffc737514c8) at ../csu/libc-start.c:308
#26 0x000055b235ee608a in _start ()

(gdb) display/i $pc
1: x/i $pc
=> 0x7f1b96479b88 <gv_len+40>:  movzbl (%rdx),%ebp
(gdb) print/x $rdx
$1 = 0xdcff000000000000

(gdb) list tottfgpos.c:3838
3833    static int gv_len(SplineFont *sf, struct glyphvariants *gv) {
3834        char *pt, *start;
3835        int ch, cnt;
3836        SplineChar *sc;
3837
3838        if ( gv==NULL || (gv->variants==NULL && gv->part_cnt==0))
3839    return( 0 );
3840        if ( gv->variants==NULL )
3841    return( 4 );            /* No variants, but we've got parts to assemble */
3842        cnt = 0;

(gdb) print gv
$2 = (struct glyphvariants *) 0x55b25f307960
(gdb) print gv->variants
$3 = 0xdcff000000000000 <error: Cannot access memory at address 0xdcff000000000000>


(gdb) list tottfgpos.c:3979
3974        putshort(mathf,vlen);
3975        putshort(mathf,hlen);
3976        offset = 5*2+vlen*2+hlen*2;
3977        for ( i=0; i<vlen; ++i ) {
3978            putshort(mathf,offset);
3979            offset += gv_len(sf,vglyphs[i]->vert_variants);
3980        }
3981        for ( i=0; i<hlen; ++i ) {
3982            putshort(mathf,offset);
3983            offset += gv_len(sf,hglyphs[i]->horiz_variants);







###################





cd /home/benutzer/source/libfontforge3
cp orig try1 -a
cd try1/fontforge-20190801~dfsg
export DEB_CFLAGS_APPEND=-fsanitize=address
export DEB_CPPFLAGS_APPEND=-fsanitize=address
export DEB_CXXFLAGS_APPEND=-fsanitize=address
export DEB_LDFLAGS_APPEND='-fsanitize=address'
dpkg-buildpackage




cd /home/benutzer/source/kodi/try1/kodi-17.6+dfsg1
script -c "gdb -q --args /home/benutzer/source/libfontforge3/try1/fontforge-20190801~dfsg/build/nox/fontforgeexe/.libs/fontforge -script /home/benutzer/source/kodi/try1/kodi-17.6+dfsg1/debian/mergefonts.ff /usr/share/fonts/truetype/droid/DroidSansFallbackFull.ttf /usr/share/fonts/truetype/dejavu/DejaVuSans.ttf /home/benutzer/source/kodi/try1/kodi-17.6+dfsg1/media/Fonts/arial.ttf" -a output_$(date +%Y-%m-%d_%H-%M-%S).txt


set width 0
set pagination off
directory /home/benutzer/source/libfontforge3/try1/fontforge-20190801~dfsg

b main
run
dele 1


# Allocation 1
b parsettfatt.c:5318 if gv==0x60400008a210
cont
dele 2
print gv
bt


# Free 1
b splineutil.c:5995 if sc->vert_variants==0x60400008a210
cont
dele 3
print sc->vert_variants
print sc
bt


# Allocation 2 (unrelated)
b tottf.c:1321 if fs==0x60400008a210
cont
dele 4
print fs
bt


# Free 2 (unrelated)
b tottf.c:1336 if fs==0x60400008a210
cont
dele 5
print fs
bt


# Assignment of sc:       if ( (gid=at->gi.bygid[i])!=-1 && (sc=sf->glyphs[gid])!=NULL ) {
b tottfgpos.c:3971 if sc->vert_variants==0x60400008a210
cont
dele 6
print sc->vert_variants
bt



# Just before access after free 1
b tottfgpos.c:3838 if gv==0x60400008a210
cont
dele 7
print gv==0x60400008a210
print gv->variants
print gv->part_cnt
bt




##################





# Allocation 1
(gdb) print gv
$1 = (struct glyphvariants *) 0x60400008a210
(gdb) bt
#0  0x00007ffff69adb01 in ttf_math_read_gvtable (ttf=ttf@entry=0x6160002bfb80, info=info@entry=0x7fffffffc3c0, start=<optimized out>, justinuse=justinuse@entry=git_normal, basesc=basesc@entry=0x613002af2800, isv=isv@entry=1) at ././fontforge/parsettfatt.c:5318
#1  0x00007ffff69c7653 in ttf_math_read_variants (justinuse=git_normal, start=47440, info=0x7fffffffc3c0, ttf=0x6160002bfb80) at ././fontforge/parsettfatt.c:5474
#2  0x00007ffff69c7653 in _otf_read_math (justinuse=git_normal, info=<optimized out>, ttf=0x6160002bfb80) at ././fontforge/parsettfatt.c:5518
#3  0x00007ffff69c7653 in _otf_read_math (ttf=0x6160002bfb80, info=<optimized out>, justinuse=git_normal) at ././fontforge/parsettfatt.c:5496
#4  0x00007ffff6a08515 in readttf (filename=<optimized out>, info=<optimized out>, ttf=0x6020004fd210) at ././fontforge/parsettf.c:5673
#5  0x00007ffff6a08515 in _SFReadTTF (ttf=ttf@entry=0x6160002bfb80, flags=flags@entry=0, openflags=openflags@entry=(unknown: 0), filename=filename@entry=0x604000070690 "/usr/share/fonts/truetype/dejavu/DejaVuSans.ttf", chosenname=chosenname@entry=0x0, fd=fd@entry=0x0) at ././fontforge/parsettf.c:6327
#6  0x00007ffff6c08d80 in _ReadSplineFont (file=<optimized out>, file@entry=0x0, filename=filename@entry=0x604000070650 "/usr/share/fonts/truetype/dejavu/DejaVuSans.ttf", openflags=openflags@entry=(unknown: 0)) at ././fontforge/splinefont.c:1141
#7  0x00007ffff6c0a3ac in ReadSplineFont (filename=filename@entry=0x604000070650 "/usr/share/fonts/truetype/dejavu/DejaVuSans.ttf", openflags=openflags@entry=(unknown: 0)) at ././fontforge/splinefont.c:1321
#8  0x00007ffff6c0a6b2 in LoadSplineFont (filename=filename@entry=0x604000070610 "/usr/share/fonts/truetype/dejavu/DejaVuSans.ttf", openflags=openflags@entry=(unknown: 0)) at ././fontforge/splinefont.c:1379
#9  0x00007ffff6b13512 in bMergeFonts (c=0x7fffffffd030) at ././fontforge/scripting.c:5601
#10 0x00007ffff6b2b41e in docall (c=c@entry=0x7fffffffdda0, name=name@entry=0x7fffffffd350 "MergeFonts", val=val@entry=0x7fffffffdb50) at ././fontforge/scripting.c:9633
#11 0x00007ffff6b2c482 in handlename (c=c@entry=0x7fffffffdda0, val=val@entry=0x7fffffffdb50) at ././fontforge/scripting.c:9746
#12 0x00007ffff6b2f342 in term (c=c@entry=0x7fffffffdda0, val=val@entry=0x7fffffffdb50) at ././fontforge/scripting.c:9984
#13 0x00007ffff6b2fd9c in mul (c=c@entry=0x7fffffffdda0, val=val@entry=0x7fffffffdb50) at ././fontforge/scripting.c:10129
#14 0x00007ffff6b302ac in add (c=c@entry=0x7fffffffdda0, val=val@entry=0x7fffffffdb50) at ././fontforge/scripting.c:10175
#15 0x00007ffff6b30cdd in comp (c=c@entry=0x7fffffffdda0, val=val@entry=0x7fffffffdb50) at ././fontforge/scripting.c:10250
#16 0x00007ffff6b313b1 in _and (c=c@entry=0x7fffffffdda0, val=val@entry=0x7fffffffdb50) at ././fontforge/scripting.c:10291
#17 0x00007ffff6b318eb in _or (val=0x7fffffffdb50, c=0x7fffffffdda0) at ././fontforge/scripting.c:10326
#18 0x00007ffff6b318eb in assign (c=c@entry=0x7fffffffdda0, val=val@entry=0x7fffffffdb50) at ././fontforge/scripting.c:10359
#19 0x00007ffff6b2997a in expr (val=0x7fffffffdb50, c=0x7fffffffdda0) at ././fontforge/scripting.c:10437
#20 0x00007ffff6b2997a in ff_statement (c=c@entry=0x7fffffffdda0) at ././fontforge/scripting.c:10650
#21 0x00007ffff6b3367e in ProcessNativeScript (argc=argc@entry=6, argv=argv@entry=0x7fffffffe358, script=script@entry=0x0) at ././fontforge/scripting.c:10797
#22 0x00007ffff6b341e5 in _CheckIsScript (argv=0x7fffffffe358, argc=6) at ././fontforge/scripting.c:10891
#23 0x00007ffff6b341e5 in CheckIsScript (argc=argc@entry=6, argv=argv@entry=0x7fffffffe358) at ././fontforge/scripting.c:10928
#24 0x00007ffff7593644 in fontforge_main (argc=6, argv=0x7fffffffe358) at ././fontforgeexe/startnoui.c:122
#25 0x00007ffff73f7bbb in __libc_start_main (main=0x555555555070 <main>, argc=6, argv=0x7fffffffe358, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe348) at ../csu/libc-start.c:308
#26 0x00005555555550ca in _start ()



# Free 1
(gdb) print sc->vert_variants
$2 = (struct glyphvariants *) 0x60400008a210
(gdb) print sc
$3 = (SplineChar *) 0x613002af2800
(gdb) bt
#0  0x00007ffff6cfdd5f in SplineCharFreeContents (sc=sc@entry=0x613002af2800) at ././fontforge/splineutil.c:5995
#1  0x00007ffff6cfdf6e in SplineCharFree (sc=0x613002af2800) at ././fontforge/splineutil.c:6008
#2  0x00007ffff6cfdf6e in SplineCharFree (sc=0x613002af2800) at ././fontforge/splineutil.c:6004
#3  0x00007ffff6d058d5 in SplineFontFree (sf=0x61a000270c80) at ././fontforge/splineutil.c:6569
#4  0x00007ffff6d058d5 in SplineFontFree (sf=sf@entry=0x61a000270c80) at ././fontforge/splineutil.c:6525
#5  0x00007ffff68bf309 in _MergeFont (mc=0x7fffffffcce0, other=<optimized out>, into=<optimized out>) at ././fontforge/fvfonts.c:1162
#6  0x00007ffff68bf309 in __MergeFont (preserveCrossFontKerning=<optimized out>, other=<optimized out>, into=<optimized out>) at ././fontforge/fvfonts.c:1181
#7  0x00007ffff68bf309 in MergeFont (fv=<optimized out>, other=<optimized out>, preserveCrossFontKerning=<optimized out>) at ././fontforge/fvfonts.c:1263
#8  0x00007ffff6b2b41e in docall (c=c@entry=0x7fffffffdda0, name=name@entry=0x7fffffffd350 "MergeFonts", val=val@entry=0x7fffffffdb50) at ././fontforge/scripting.c:9633
#9  0x00007ffff6b2c482 in handlename (c=c@entry=0x7fffffffdda0, val=val@entry=0x7fffffffdb50) at ././fontforge/scripting.c:9746
#10 0x00007ffff6b2f342 in term (c=c@entry=0x7fffffffdda0, val=val@entry=0x7fffffffdb50) at ././fontforge/scripting.c:9984
#11 0x00007ffff6b2fd9c in mul (c=c@entry=0x7fffffffdda0, val=val@entry=0x7fffffffdb50) at ././fontforge/scripting.c:10129
#12 0x00007ffff6b302ac in add (c=c@entry=0x7fffffffdda0, val=val@entry=0x7fffffffdb50) at ././fontforge/scripting.c:10175
#13 0x00007ffff6b30cdd in comp (c=c@entry=0x7fffffffdda0, val=val@entry=0x7fffffffdb50) at ././fontforge/scripting.c:10250
#14 0x00007ffff6b313b1 in _and (c=c@entry=0x7fffffffdda0, val=val@entry=0x7fffffffdb50) at ././fontforge/scripting.c:10291
#15 0x00007ffff6b318eb in _or (val=0x7fffffffdb50, c=0x7fffffffdda0) at ././fontforge/scripting.c:10326
#16 0x00007ffff6b318eb in assign (c=c@entry=0x7fffffffdda0, val=val@entry=0x7fffffffdb50) at ././fontforge/scripting.c:10359
#17 0x00007ffff6b2997a in expr (val=0x7fffffffdb50, c=0x7fffffffdda0) at ././fontforge/scripting.c:10437
#18 0x00007ffff6b2997a in ff_statement (c=c@entry=0x7fffffffdda0) at ././fontforge/scripting.c:10650
#19 0x00007ffff6b3367e in ProcessNativeScript (argc=argc@entry=6, argv=argv@entry=0x7fffffffe358, script=script@entry=0x0) at ././fontforge/scripting.c:10797
#20 0x00007ffff6b341e5 in _CheckIsScript (argv=0x7fffffffe358, argc=6) at ././fontforge/scripting.c:10891
#21 0x00007ffff6b341e5 in CheckIsScript (argc=argc@entry=6, argv=argv@entry=0x7fffffffe358) at ././fontforge/scripting.c:10928
#22 0x00007ffff7593644 in fontforge_main (argc=6, argv=0x7fffffffe358) at ././fontforgeexe/startnoui.c:122
#23 0x00007ffff73f7bbb in __libc_start_main (main=0x555555555070 <main>, argc=6, argv=0x7fffffffe358, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe348) at ../csu/libc-start.c:308
#24 0x00005555555550ca in _start ()



# Allocation 2 (unrelated)
(gdb) print fs
$6 = 0x60400008a210 ""
(gdb) bt
#0  0x00007ffff6dae7f8 in dumpglyph (sc=sc at entry=0x613002987600, gi=gi at entry=0x7fffffffc568) at ././fontforge/tottf.c:1321
#1  0x00007ffff6db0638 in dumpglyphs (sf=sf at entry=0x61a000246680, gi=gi at entry=0x7fffffffc568) at ././fontforge/tottf.c:1556
#2  0x00007ffff6dc98dc in initTables (at=at at entry=0x7fffffffb840, sf=sf at entry=0x61a000246680, format=format at entry=ff_ttf, bsizes=<optimized out>, bsizes at entry=0x0, bf=bf at entry=bf_none) at ././fontforge/tottf.c:5771
#3  0x00007ffff6dcbee3 in _WriteTTFFont (ttf=ttf at entry=0x6160002bfb80, sf=sf at entry=0x61a000246680, format=format at entry=ff_ttf, bsizes=bsizes at entry=0x0, bf=bf at entry=bf_none, flags=flags at entry=32, map=<optimized out>, layer=<optimized out>) at ././fontforge/tottf.c:6153
#4  0x00007ffff6dcc925 in WriteTTFFont (fontname=fontname at entry=0x6070000a4c10 "/home/benutzer/source/kodi/try1/kodi-17.6+dfsg1/media/Fonts/arial.ttf", sf=sf at entry=0x61a000246680, format=ff_ttf, bsizes=bsizes at entry=0x0, bf=bf at entry=bf_none, flags=flags at entry=32, map=0x6060008f9240, layer=1) at ././fontforge/tottf.c:6182
#5  0x00007ffff6ad1432 in _DoSave (sf=sf at entry=0x61a000246680, newname=newname at entry=0x6070000a4c10 "/home/benutzer/source/kodi/try1/kodi-17.6+dfsg1/media/Fonts/arial.ttf", sizes=sizes at entry=0x0, res=res at entry=-1, map=map at entry=0x6060008f9240, subfontdefinition=subfontdefinition at entry=0x0, layer=<optimized out>) at ././fontforge/savefont.c:846
#6  0x00007ffff6ad64ac in GenerateScript (sf=sf at entry=0x61a000246680, filename=<optimized out>, filename at entry=0x6070000a4c10 "/home/benutzer/source/kodi/try1/kodi-17.6+dfsg1/media/Fonts/arial.ttf", bitmaptype=bitmaptype at entry=0x7ffff6f5d520 "", fmflags=fmflags at entry=-1, res=res at entry=-1, subfontdefinition=subfontdefinition at entry=0x0, sfs=<optimized out>, map=0x6060008f9240, rename_to=0x0, layer=1) at ././fontforge/savefont.c:1271
#7  0x00007ffff6b24e58 in bGenerate (c=0x7fffffffd030) at ././fontforge/scripting.c:2062
#8  0x00007ffff6b2b41e in docall (c=c at entry=0x7fffffffdda0, name=name at entry=0x7fffffffd350 "Generate", val=val at entry=0x7fffffffdb50) at ././fontforge/scripting.c:9633
#9  0x00007ffff6b2c482 in handlename (c=c at entry=0x7fffffffdda0, val=val at entry=0x7fffffffdb50) at ././fontforge/scripting.c:9746
#10 0x00007ffff6b2f342 in term (c=c at entry=0x7fffffffdda0, val=val at entry=0x7fffffffdb50) at ././fontforge/scripting.c:9984
#11 0x00007ffff6b2fd9c in mul (c=c at entry=0x7fffffffdda0, val=val at entry=0x7fffffffdb50) at ././fontforge/scripting.c:10129
#12 0x00007ffff6b302ac in add (c=c at entry=0x7fffffffdda0, val=val at entry=0x7fffffffdb50) at ././fontforge/scripting.c:10175
#13 0x00007ffff6b30cdd in comp (c=c at entry=0x7fffffffdda0, val=val at entry=0x7fffffffdb50) at ././fontforge/scripting.c:10250
#14 0x00007ffff6b313b1 in _and (c=c at entry=0x7fffffffdda0, val=val at entry=0x7fffffffdb50) at ././fontforge/scripting.c:10291
#15 0x00007ffff6b318eb in _or (val=0x7fffffffdb50, c=0x7fffffffdda0) at ././fontforge/scripting.c:10326
#16 0x00007ffff6b318eb in assign (c=c at entry=0x7fffffffdda0, val=val at entry=0x7fffffffdb50) at ././fontforge/scripting.c:10359
#17 0x00007ffff6b2997a in expr (val=0x7fffffffdb50, c=0x7fffffffdda0) at ././fontforge/scripting.c:10437
#18 0x00007ffff6b2997a in ff_statement (c=c at entry=0x7fffffffdda0) at ././fontforge/scripting.c:10650
#19 0x00007ffff6b3367e in ProcessNativeScript (argc=argc at entry=6, argv=argv at entry=0x7fffffffe358, script=script at entry=0x0) at ././fontforge/scripting.c:10797
#20 0x00007ffff6b341e5 in _CheckIsScript (argv=0x7fffffffe358, argc=6) at ././fontforge/scripting.c:10891
#21 0x00007ffff6b341e5 in CheckIsScript (argc=argc at entry=6, argv=argv at entry=0x7fffffffe358) at ././fontforge/scripting.c:10928
#22 0x00007ffff7593644 in fontforge_main (argc=6, argv=0x7fffffffe358) at ././fontforgeexe/startnoui.c:122
#23 0x00007ffff73f7bbb in __libc_start_main (main=0x555555555070 <main>, argc=6, argv=0x7fffffffe358, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe348) at ../csu/libc-start.c:308
#24 0x00005555555550ca in _start ()



# Free 2 (unrelated)
(gdb) print fs
$7 = 0x60400008a210 '\001' <repeats 11 times>
(gdb) bt
#0  0x00007ffff6daea39 in dumpglyph (sc=sc at entry=0x613002987600, gi=gi at entry=0x7fffffffc568) at ././fontforge/tottf.c:1336
#1  0x00007ffff6db0638 in dumpglyphs (sf=sf at entry=0x61a000246680, gi=gi at entry=0x7fffffffc568) at ././fontforge/tottf.c:1556
#2  0x00007ffff6dc98dc in initTables (at=at at entry=0x7fffffffb840, sf=sf at entry=0x61a000246680, format=format at entry=ff_ttf, bsizes=<optimized out>, bsizes at entry=0x0, bf=bf at entry=bf_none) at ././fontforge/tottf.c:5771
#3  0x00007ffff6dcbee3 in _WriteTTFFont (ttf=ttf at entry=0x6160002bfb80, sf=sf at entry=0x61a000246680, format=format at entry=ff_ttf, bsizes=bsizes at entry=0x0, bf=bf at entry=bf_none, flags=flags at entry=32, map=<optimized out>, layer=<optimized out>) at ././fontforge/tottf.c:6153
#4  0x00007ffff6dcc925 in WriteTTFFont (fontname=fontname at entry=0x6070000a4c10 "/home/benutzer/source/kodi/try1/kodi-17.6+dfsg1/media/Fonts/arial.ttf", sf=sf at entry=0x61a000246680, format=ff_ttf, bsizes=bsizes at entry=0x0, bf=bf at entry=bf_none, flags=flags at entry=32, map=0x6060008f9240, layer=1) at ././fontforge/tottf.c:6182
#5  0x00007ffff6ad1432 in _DoSave (sf=sf at entry=0x61a000246680, newname=newname at entry=0x6070000a4c10 "/home/benutzer/source/kodi/try1/kodi-17.6+dfsg1/media/Fonts/arial.ttf", sizes=sizes at entry=0x0, res=res at entry=-1, map=map at entry=0x6060008f9240, subfontdefinition=subfontdefinition at entry=0x0, layer=<optimized out>) at ././fontforge/savefont.c:846
#6  0x00007ffff6ad64ac in GenerateScript (sf=sf at entry=0x61a000246680, filename=<optimized out>, filename at entry=0x6070000a4c10 "/home/benutzer/source/kodi/try1/kodi-17.6+dfsg1/media/Fonts/arial.ttf", bitmaptype=bitmaptype at entry=0x7ffff6f5d520 "", fmflags=fmflags at entry=-1, res=res at entry=-1, subfontdefinition=subfontdefinition at entry=0x0, sfs=<optimized out>, map=0x6060008f9240, rename_to=0x0, layer=1) at ././fontforge/savefont.c:1271
#7  0x00007ffff6b24e58 in bGenerate (c=0x7fffffffd030) at ././fontforge/scripting.c:2062
#8  0x00007ffff6b2b41e in docall (c=c at entry=0x7fffffffdda0, name=name at entry=0x7fffffffd350 "Generate", val=val at entry=0x7fffffffdb50) at ././fontforge/scripting.c:9633
#9  0x00007ffff6b2c482 in handlename (c=c at entry=0x7fffffffdda0, val=val at entry=0x7fffffffdb50) at ././fontforge/scripting.c:9746
#10 0x00007ffff6b2f342 in term (c=c at entry=0x7fffffffdda0, val=val at entry=0x7fffffffdb50) at ././fontforge/scripting.c:9984
#11 0x00007ffff6b2fd9c in mul (c=c at entry=0x7fffffffdda0, val=val at entry=0x7fffffffdb50) at ././fontforge/scripting.c:10129
#12 0x00007ffff6b302ac in add (c=c at entry=0x7fffffffdda0, val=val at entry=0x7fffffffdb50) at ././fontforge/scripting.c:10175
#13 0x00007ffff6b30cdd in comp (c=c at entry=0x7fffffffdda0, val=val at entry=0x7fffffffdb50) at ././fontforge/scripting.c:10250
#14 0x00007ffff6b313b1 in _and (c=c at entry=0x7fffffffdda0, val=val at entry=0x7fffffffdb50) at ././fontforge/scripting.c:10291
#15 0x00007ffff6b318eb in _or (val=0x7fffffffdb50, c=0x7fffffffdda0) at ././fontforge/scripting.c:10326
#16 0x00007ffff6b318eb in assign (c=c at entry=0x7fffffffdda0, val=val at entry=0x7fffffffdb50) at ././fontforge/scripting.c:10359
#17 0x00007ffff6b2997a in expr (val=0x7fffffffdb50, c=0x7fffffffdda0) at ././fontforge/scripting.c:10437
#18 0x00007ffff6b2997a in ff_statement (c=c at entry=0x7fffffffdda0) at ././fontforge/scripting.c:10650
#19 0x00007ffff6b3367e in ProcessNativeScript (argc=argc at entry=6, argv=argv at entry=0x7fffffffe358, script=script at entry=0x0) at ././fontforge/scripting.c:10797
#20 0x00007ffff6b341e5 in _CheckIsScript (argv=0x7fffffffe358, argc=6) at ././fontforge/scripting.c:10891
#21 0x00007ffff6b341e5 in CheckIsScript (argc=argc at entry=6, argv=argv at entry=0x7fffffffe358) at ././fontforge/scripting.c:10928
#22 0x00007ffff7593644 in fontforge_main (argc=6, argv=0x7fffffffe358) at ././fontforgeexe/startnoui.c:122
#23 0x00007ffff73f7bbb in __libc_start_main (main=0x555555555070 <main>, argc=6, argv=0x7fffffffe358, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe348) at ../csu/libc-start.c:308
#24 0x00005555555550ca in _start ()




# Assignment of sc:       if ( (gid=at->gi.bygid[i])!=-1 && (sc=sf->glyphs[gid])!=NULL ) {
(gdb) print sc->vert_variants
$8 = (struct glyphvariants *) 0x60400008a210
(gdb) bt
#0  0x00007ffff6d94d48 in ttf_math_dump_glyphvariant (at=0x7fffffffb840, at=0x7fffffffb840, sf=<optimized out>, mathf=0x616000015680) at ././fontforge/tottfgpos.c:3971
#1  0x00007ffff6d94d48 in otf_dump_math (at=at at entry=0x7fffffffb840, sf=sf at entry=0x61a000246680) at ././fontforge/tottfgpos.c:4154
#2  0x00007ffff6dc7e1b in initATTables (at=at at entry=0x7fffffffb840, sf=sf at entry=0x61a000246680, format=format at entry=ff_ttf) at ././fontforge/tottf.c:5324
#3  0x00007ffff6dcb06b in initTables (at=at at entry=0x7fffffffb840, sf=sf at entry=0x61a000246680, format=format at entry=ff_ttf, bsizes=<optimized out>, bsizes at entry=0x0, bf=bf at entry=bf_none) at ././fontforge/tottf.c:5801
#4  0x00007ffff6dcbee3 in _WriteTTFFont (ttf=ttf at entry=0x6160002bfb80, sf=sf at entry=0x61a000246680, format=format at entry=ff_ttf, bsizes=bsizes at entry=0x0, bf=bf at entry=bf_none, flags=flags at entry=32, map=<optimized out>, layer=<optimized out>) at ././fontforge/tottf.c:6153
#5  0x00007ffff6dcc925 in WriteTTFFont (fontname=fontname at entry=0x6070000a4c10 "/home/benutzer/source/kodi/try1/kodi-17.6+dfsg1/media/Fonts/arial.ttf", sf=sf at entry=0x61a000246680, format=ff_ttf, bsizes=bsizes at entry=0x0, bf=bf at entry=bf_none, flags=flags at entry=32, map=0x6060008f9240, layer=1) at ././fontforge/tottf.c:6182
#6  0x00007ffff6ad1432 in _DoSave (sf=sf at entry=0x61a000246680, newname=newname at entry=0x6070000a4c10 "/home/benutzer/source/kodi/try1/kodi-17.6+dfsg1/media/Fonts/arial.ttf", sizes=sizes at entry=0x0, res=res at entry=-1, map=map at entry=0x6060008f9240, subfontdefinition=subfontdefinition at entry=0x0, layer=<optimized out>) at ././fontforge/savefont.c:846
#7  0x00007ffff6ad64ac in GenerateScript (sf=sf at entry=0x61a000246680, filename=<optimized out>, filename at entry=0x6070000a4c10 "/home/benutzer/source/kodi/try1/kodi-17.6+dfsg1/media/Fonts/arial.ttf", bitmaptype=bitmaptype at entry=0x7ffff6f5d520 "", fmflags=fmflags at entry=-1, res=res at entry=-1, subfontdefinition=subfontdefinition at entry=0x0, sfs=<optimized out>, map=0x6060008f9240, rename_to=0x0, layer=1) at ././fontforge/savefont.c:1271
#8  0x00007ffff6b24e58 in bGenerate (c=0x7fffffffd030) at ././fontforge/scripting.c:2062
#9  0x00007ffff6b2b41e in docall (c=c at entry=0x7fffffffdda0, name=name at entry=0x7fffffffd350 "Generate", val=val at entry=0x7fffffffdb50) at ././fontforge/scripting.c:9633
#10 0x00007ffff6b2c482 in handlename (c=c at entry=0x7fffffffdda0, val=val at entry=0x7fffffffdb50) at ././fontforge/scripting.c:9746
#11 0x00007ffff6b2f342 in term (c=c at entry=0x7fffffffdda0, val=val at entry=0x7fffffffdb50) at ././fontforge/scripting.c:9984
#12 0x00007ffff6b2fd9c in mul (c=c at entry=0x7fffffffdda0, val=val at entry=0x7fffffffdb50) at ././fontforge/scripting.c:10129
#13 0x00007ffff6b302ac in add (c=c at entry=0x7fffffffdda0, val=val at entry=0x7fffffffdb50) at ././fontforge/scripting.c:10175
#14 0x00007ffff6b30cdd in comp (c=c at entry=0x7fffffffdda0, val=val at entry=0x7fffffffdb50) at ././fontforge/scripting.c:10250
#15 0x00007ffff6b313b1 in _and (c=c at entry=0x7fffffffdda0, val=val at entry=0x7fffffffdb50) at ././fontforge/scripting.c:10291
#16 0x00007ffff6b318eb in _or (val=0x7fffffffdb50, c=0x7fffffffdda0) at ././fontforge/scripting.c:10326
#17 0x00007ffff6b318eb in assign (c=c at entry=0x7fffffffdda0, val=val at entry=0x7fffffffdb50) at ././fontforge/scripting.c:10359
#18 0x00007ffff6b2997a in expr (val=0x7fffffffdb50, c=0x7fffffffdda0) at ././fontforge/scripting.c:10437
#19 0x00007ffff6b2997a in ff_statement (c=c at entry=0x7fffffffdda0) at ././fontforge/scripting.c:10650
#20 0x00007ffff6b3367e in ProcessNativeScript (argc=argc at entry=6, argv=argv at entry=0x7fffffffe358, script=script at entry=0x0) at ././fontforge/scripting.c:10797
#21 0x00007ffff6b341e5 in _CheckIsScript (argv=0x7fffffffe358, argc=6) at ././fontforge/scripting.c:10891
#22 0x00007ffff6b341e5 in CheckIsScript (argc=argc at entry=6, argv=argv at entry=0x7fffffffe358) at ././fontforge/scripting.c:10928
#23 0x00007ffff7593644 in fontforge_main (argc=6, argv=0x7fffffffe358) at ././fontforgeexe/startnoui.c:122
#24 0x00007ffff73f7bbb in __libc_start_main (main=0x555555555070 <main>, argc=6, argv=0x7fffffffe358, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe348) at ../csu/libc-start.c:308
#25 0x00005555555550ca in _start ()




# Just before access after free 1

Breakpoint 7, gv_len (sf=sf at entry=0x61a000246680, gv=0x60400008a210) at ././fontforge/tottfgpos.c:3838
3838     if ( gv==NULL || (gv->variants==NULL && gv->part_cnt==0))
(gdb) dele 7
(gdb) print gv==0x60400008a210
$9 = 1
(gdb) print gv->variants
$10 = 0x101010179800001 <error: Cannot access memory at address 0x101010179800001>
(gdb) print gv->part_cnt
$11 = 16843009
(gdb) bt
#0  0x00007ffff6d7b4c0 in gv_len (sf=sf at entry=0x61a000246680, gv=0x60400008a210) at ././fontforge/tottfgpos.c:3838
#1  0x00007ffff6d95101 in ttf_math_dump_glyphvariant (at=0x7fffffffb840, at=0x7fffffffb840, sf=<optimized out>, mathf=<optimized out>) at ././fontforge/tottfgpos.c:3992
#2  0x00007ffff6d95101 in otf_dump_math (at=at at entry=0x7fffffffb840, sf=sf at entry=0x61a000246680) at ././fontforge/tottfgpos.c:4154
#3  0x00007ffff6dc7e1b in initATTables (at=at at entry=0x7fffffffb840, sf=sf at entry=0x61a000246680, format=format at entry=ff_ttf) at ././fontforge/tottf.c:5324
#4  0x00007ffff6dcb06b in initTables (at=at at entry=0x7fffffffb840, sf=sf at entry=0x61a000246680, format=format at entry=ff_ttf, bsizes=<optimized out>, bsizes at entry=0x0, bf=bf at entry=bf_none) at ././fontforge/tottf.c:5801
#5  0x00007ffff6dcbee3 in _WriteTTFFont (ttf=ttf at entry=0x6160002bfb80, sf=sf at entry=0x61a000246680, format=format at entry=ff_ttf, bsizes=bsizes at entry=0x0, bf=bf at entry=bf_none, flags=flags at entry=32, map=<optimized out>, layer=<optimized out>) at ././fontforge/tottf.c:6153
#6  0x00007ffff6dcc925 in WriteTTFFont (fontname=fontname at entry=0x6070000a4c10 "/home/benutzer/source/kodi/try1/kodi-17.6+dfsg1/media/Fonts/arial.ttf", sf=sf at entry=0x61a000246680, format=ff_ttf, bsizes=bsizes at entry=0x0, bf=bf at entry=bf_none, flags=flags at entry=32, map=0x6060008f9240, layer=1) at ././fontforge/tottf.c:6182
#7  0x00007ffff6ad1432 in _DoSave (sf=sf at entry=0x61a000246680, newname=newname at entry=0x6070000a4c10 "/home/benutzer/source/kodi/try1/kodi-17.6+dfsg1/media/Fonts/arial.ttf", sizes=sizes at entry=0x0, res=res at entry=-1, map=map at entry=0x6060008f9240, subfontdefinition=subfontdefinition at entry=0x0, layer=<optimized out>) at ././fontforge/savefont.c:846
#8  0x00007ffff6ad64ac in GenerateScript (sf=sf at entry=0x61a000246680, filename=<optimized out>, filename at entry=0x6070000a4c10 "/home/benutzer/source/kodi/try1/kodi-17.6+dfsg1/media/Fonts/arial.ttf", bitmaptype=bitmaptype at entry=0x7ffff6f5d520 "", fmflags=fmflags at entry=-1, res=res at entry=-1, subfontdefinition=subfontdefinition at entry=0x0, sfs=<optimized out>, map=0x6060008f9240, rename_to=0x0, layer=1) at ././fontforge/savefont.c:1271
#9  0x00007ffff6b24e58 in bGenerate (c=0x7fffffffd030) at ././fontforge/scripting.c:2062
#10 0x00007ffff6b2b41e in docall (c=c at entry=0x7fffffffdda0, name=name at entry=0x7fffffffd350 "Generate", val=val at entry=0x7fffffffdb50) at ././fontforge/scripting.c:9633
#11 0x00007ffff6b2c482 in handlename (c=c at entry=0x7fffffffdda0, val=val at entry=0x7fffffffdb50) at ././fontforge/scripting.c:9746
#12 0x00007ffff6b2f342 in term (c=c at entry=0x7fffffffdda0, val=val at entry=0x7fffffffdb50) at ././fontforge/scripting.c:9984
#13 0x00007ffff6b2fd9c in mul (c=c at entry=0x7fffffffdda0, val=val at entry=0x7fffffffdb50) at ././fontforge/scripting.c:10129
#14 0x00007ffff6b302ac in add (c=c at entry=0x7fffffffdda0, val=val at entry=0x7fffffffdb50) at ././fontforge/scripting.c:10175
#15 0x00007ffff6b30cdd in comp (c=c at entry=0x7fffffffdda0, val=val at entry=0x7fffffffdb50) at ././fontforge/scripting.c:10250
#16 0x00007ffff6b313b1 in _and (c=c at entry=0x7fffffffdda0, val=val at entry=0x7fffffffdb50) at ././fontforge/scripting.c:10291
#17 0x00007ffff6b318eb in _or (val=0x7fffffffdb50, c=0x7fffffffdda0) at ././fontforge/scripting.c:10326
#18 0x00007ffff6b318eb in assign (c=c at entry=0x7fffffffdda0, val=val at entry=0x7fffffffdb50) at ././fontforge/scripting.c:10359
#19 0x00007ffff6b2997a in expr (val=0x7fffffffdb50, c=0x7fffffffdda0) at ././fontforge/scripting.c:10437
#20 0x00007ffff6b2997a in ff_statement (c=c at entry=0x7fffffffdda0) at ././fontforge/scripting.c:10650
#21 0x00007ffff6b3367e in ProcessNativeScript (argc=argc at entry=6, argv=argv at entry=0x7fffffffe358, script=script at entry=0x0) at ././fontforge/scripting.c:10797
#22 0x00007ffff6b341e5 in _CheckIsScript (argv=0x7fffffffe358, argc=6) at ././fontforge/scripting.c:10891
#23 0x00007ffff6b341e5 in CheckIsScript (argc=argc at entry=6, argv=argv at entry=0x7fffffffe358) at ././fontforge/scripting.c:10928
#24 0x00007ffff7593644 in fontforge_main (argc=6, argv=0x7fffffffe358) at ././fontforgeexe/startnoui.c:122
#25 0x00007ffff73f7bbb in __libc_start_main (main=0x555555555070 <main>, argc=6, argv=0x7fffffffe358, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe348) at ../csu/libc-start.c:308
#26 0x00005555555550ca in _start ()


(gdb) cont
Continuing.
gv==0x60400008a210 /home/benutzer/source/libfontforge3/try1/fontforge-20190801~dfsg/./fontforge/tottfgpos.c:3838
=================================================================
==93686==ERROR: AddressSanitizer: heap-use-after-free on address 0x60400008a210 at pc 0x7ffff6d7b6a3 bp 0x7fffffffb110 sp 0x7fffffffb108
READ of size 8 at 0x60400008a210 thread T0
    #0 0x7ffff6d7b6a2 in gv_len ./fontforge/tottfgpos.c:3839
    #1 0x7ffff6d95100 in ttf_math_dump_glyphvariant ./fontforge/tottfgpos.c:3992
    #2 0x7ffff6d95100 in otf_dump_math ./fontforge/tottfgpos.c:4154
    #3 0x7ffff6dc7e1a in initATTables ./fontforge/tottf.c:5324
    #4 0x7ffff6dcb06a in initTables ./fontforge/tottf.c:5801
    #5 0x7ffff6dcbee2 in _WriteTTFFont ./fontforge/tottf.c:6153
    #6 0x7ffff6dcc924 in WriteTTFFont ./fontforge/tottf.c:6182
    #7 0x7ffff6ad1431 in _DoSave ./fontforge/savefont.c:846
    #8 0x7ffff6ad64ab in GenerateScript ./fontforge/savefont.c:1271
    #9 0x7ffff6b24e57 in bGenerate ./fontforge/scripting.c:2062
    #10 0x7ffff6b2b41d in docall ./fontforge/scripting.c:9633
    #11 0x7ffff6b2c481 in handlename ./fontforge/scripting.c:9746
    #12 0x7ffff6b2f341 in term ./fontforge/scripting.c:9984
    #13 0x7ffff6b2fd9b in mul ./fontforge/scripting.c:10129
    #14 0x7ffff6b302ab in add ./fontforge/scripting.c:10175
    #15 0x7ffff6b30cdc in comp ./fontforge/scripting.c:10250
    #16 0x7ffff6b313b0 in _and ./fontforge/scripting.c:10294
    #17 0x7ffff6b318ea in _or ./fontforge/scripting.c:10326
    #18 0x7ffff6b318ea in assign ./fontforge/scripting.c:10359
    #19 0x7ffff6b29979 in expr ./fontforge/scripting.c:10437
    #20 0x7ffff6b29979 in ff_statement ./fontforge/scripting.c:10650
    #21 0x7ffff6b3367d in ProcessNativeScript ./fontforge/scripting.c:10797
    #22 0x7ffff6b341e4 in _CheckIsScript ./fontforge/scripting.c:10891
    #23 0x7ffff6b341e4 in CheckIsScript ./fontforge/scripting.c:10928
    #24 0x7ffff7593643 in fontforge_main ./fontforgeexe/startnoui.c:122
    #25 0x7ffff73f7bba in __libc_start_main ../csu/libc-start.c:308
    #26 0x5555555550c9 in _start (/home/benutzer/source/libfontforge3/try1/fontforge-20190801~dfsg/build/nox/fontforgeexe/.libs/fontforge+0x10c9)

0x60400008a210 is located 0 bytes inside of 35-byte region [0x60400008a210,0x60400008a233)
freed by thread T0 here:
    #0 0x7ffff769f277 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122
    #1 0x7ffff6daea81 in dumpglyph ./fontforge/tottf.c:1337

previously allocated by thread T0 here:
    #0 0x7ffff769f80e in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:153
    #1 0x7ffff6cd4c4e in chunkalloc ./fontforge/splineutil.c:119

SUMMARY: AddressSanitizer: heap-use-after-free ./fontforge/tottfgpos.c:3839 in gv_len
Shadow bytes around the buggy address:
==93686==ABORTING
[Inferior 1 (process 93686) exited with code 01]