Debian Bug report logs -
#724571
t1utils: t1disasm segmentation faults on certain fonts
Report forwarded
to debian-bugs-dist@lists.debian.org, niels@thykier.net, C.M. Connelly <cmc@debian.org>:
Bug#724571; Package t1utils.
(Wed, 25 Sep 2013 05:42:11 GMT) (full text, mbox, link).
Acknowledgement sent
to Niels Thykier <niels@thykier.net>:
New Bug report received and forwarded. Copy sent to niels@thykier.net, C.M. Connelly <cmc@debian.org>.
(Wed, 25 Sep 2013 05:42:11 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: t1utils
Version: 1.37-2
Severity: normal
File: /usr/bin/t1disasm
"""
$ t1disasm bkaiu67.pfb > /dev/null
"""
During the run, it will repeatedly print:
"""
2 index /CharStrings 179 dict dup begin
"""
Under gdb, I see the following trace:
"""
#0 0xf7e8beac in _IO_new_file_write (f=0xf7fc6a20 <_IO_2_1_stdout_>, data=0xf7fd8000, n=40) at fileops.c:1262
#1 0xf7e8bd96 in new_do_write (fp=fp@entry=0xf7fc6a20 <_IO_2_1_stdout_>, data=data@entry=0xf7fd8000 "2 index /CharStrings 179 dict dup begin\n exec\ncement.\n def\nCo., Ltd.\\012\\012Subfont version 2013-07-05.) readonly def\n", to_do=to_do@entry=40) at fileops.c:538
#2 0xf7e8d3ee in _IO_new_do_write (fp=fp@entry=0xf7fc6a20 <_IO_2_1_stdout_>, data=0xf7fd8000 "2 index /CharStrings 179 dict dup begin\n exec\ncement.\n def\nCo., Ltd.\\012\\012Subfont version 2013-07-05.) readonly def\n", to_do=40) at fileops.c:511
#3 0xf7e8d79d in _IO_new_file_overflow (f=0xf7fc6a20 <_IO_2_1_stdout_>, ch=-1) at fileops.c:868
#4 0xf7e8ca13 in _IO_new_file_xsputn (n=40, data=0x8053348, f=0xf7fc6a20 <_IO_2_1_stdout_>) at fileops.c:1333
#5 _IO_new_file_xsputn (f=0xf7fc6a20 <_IO_2_1_stdout_>, data=0x8053348, n=40) at fileops.c:1278
#6 0xf7e626d6 in _IO_vfprintf_internal (s=s@entry=0xf7fc6a20 <_IO_2_1_stdout_>, format=<optimized out>, format@entry=0x804ef4c "%.*s\n", ap=0xff7fe6a4 "43\005\bK\220\346", <incomplete sequence \367>, ap@entry=0xff7fe69c "(") at vfprintf.c:1649
#7 0xf7f1d6d1 in ___fprintf_chk (fp=0xf7fc6a20 <_IO_2_1_stdout_>, flag=1, format=0x804ef4c "%.*s\n") at fprintf_chk.c:36
#8 0x0804da37 in ?? ()
#9 0x0804da48 in ?? ()
[... repeat verbatim except for the number after the "#" ...]
#7948 0x0804da48 in ?? ()
#7949 0x0804da48 in ?? ()
"""
(NB: I quit after #7949; there didn't seem to be much point in
continuing getting the trace...)
This bug might be related to (or have same underlying cause as)
#717228.
~Niels
[bkaiu67.pfb (application/octet-stream, attachment)]
Information forwarded
to debian-bugs-dist@lists.debian.org, C.M. Connelly <cmc@debian.org>:
Bug#724571; Package t1utils.
(Wed, 25 Sep 2013 09:33:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Niels Thykier <niels@thykier.net>:
Extra info received and forwarded to list. Copy sent to C.M. Connelly <cmc@debian.org>.
(Wed, 25 Sep 2013 09:33:04 GMT) (full text, mbox, link).
Message #10 received at 724571@bugs.debian.org (full text, mbox, reply):
On 2013-09-25 07:39, Niels Thykier wrote:
> Package: t1utils
> Version: 1.37-2
> Severity: normal
> File: /usr/bin/t1disasm
>
> """
> $ t1disasm bkaiu67.pfb > /dev/null
>
> """
>
> During the run, it will repeatedly print:
> """
> 2 index /CharStrings 179 dict dup begin
> """
>
> Under gdb, I see the following trace:
>
> """
> [...]
> """
>
> (NB: I quit after #7949; there didn't seem to be much point in
> continuing getting the trace...)
>
> This bug might be related to (or have same underlying cause as)
> #717228.
>
> ~Niels
>
Further debugging reveals that it is a C call stack overflow caused by
save_len.
"""
static int
eexec_line(unsigned char *line, int line_len)
{
  [...]
  if (save_len) {
    append_save(line, line_len);
    line = save;
    line_len = save_len;
  }
  [...]
}
"""
In the above, if you insert two fprintfs to print the "before and after"
values of line_len and save_len, it will show that (before) line_len is
0 and save_len is 40. At the end of the block, both line_len and
save_len are 40. This process repeats itself (with exactly those values)
by hitting the "not_charstring" case (or label) and then recursing into
itself by giving line_len with value 0.
Example (partial) output caused by inserting some fprintfs (see attached
patch):
"""
save_len (before): 34, after: 40
line_len (before): 6, after: 40
2 index /CharStrings 179 dict dup begin
line_len: 40, len: 40, n: 21
save_len (before): 40, after: 40
line_len (before): 0, after: 40
2 index /CharStrings 179 dict dup begin
[...]
line_len: 40, len: 40, n: 21
save_len (before): 40, after: 40
line_len (before): 0, after: 40
2 index /CharStrings 179 dict dup begin
line_len: 40, len: 40, n: 21
save_len (before): 40, after: 40
line_len (before): 0, after: 40
2 index /CharStrings 179 dict dup begin
"""
The "2 index /CharStrings 179 dict dup begin" is the text that keeps
being revived (and is printed by t1disasm naturally).
I am not sure that fixing this is as simple as setting save_len to 0 (it
might be, but I don't know the code nor the expected output well enough
to say it is). However, setting it to 0 does stop the "infinite
recursion" (but I guess that wasn't much of a surprise).
~Niels
[t1utils-printf-debugging.debdiff (application/x-extension-debdiff, attachment)]
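A reduced model of the loop described in the message above, added here as an illustration; it is not t1utils code and not upstream's fix. `model_line`, `run`, `clear_save` and `MAX_DEPTH` are hypothetical names, the 34 + 6 byte input split is constructed from the debug output, and the depth guard exists only so the model terminates instead of exhausting the stack.

```c
#include <stdio.h>
#include <string.h>
#define MAX_DEPTH 64                 /* model-only guard: stop instead of crashing */

static unsigned char save[256];      /* bytes held back from earlier input */
static int save_len, emitted, last_byte;

static void append_save(const unsigned char *p, int n)
{
    if (n > (int)sizeof(save) - save_len)
        n = (int)sizeof(save) - save_len;   /* never write past the buffer */
    memcpy(save + save_len, p, (size_t)n);
    save_len += n;
}

/* Returns the depth reached; MAX_DEPTH means the recursion never converged. */
static int model_line(const unsigned char *line, int line_len, int clear_save, int depth)
{
    if (depth >= MAX_DEPTH)
        return depth;
    if (save_len) {                  /* same shape as the excerpt in the message */
        append_save(line, line_len);
        line = save;
        line_len = save_len;
    }
    emitted++;                       /* stands in for printing the line */
    last_byte = line_len ? line[line_len - 1] : 0;
    if (clear_save)
        save_len = 0;                /* saved bytes are consumed exactly once */
    if (save_len == 0)
        return depth;
    /* Re-entry with an empty line: save_len is unchanged, so nothing shrinks. */
    return model_line((const unsigned char *)"", 0, clear_save, depth + 1);
}

static int run(int clear_save)       /* constructed input: 34 saved bytes + 6-byte line */
{
    save_len = emitted = 0;
    append_save((const unsigned char *)"2 index /CharStrings 179 dict dup ", 34);
    return model_line((const unsigned char *)"begin\n", 6, clear_save, 0);
}

int main(void)
{
    int d = run(0);
    printf("save_len kept:    depth %d, line emitted %d times\n", d, emitted);
    d = run(1);
    printf("save_len cleared: depth %d, line emitted %d times\n", d, emitted);
    return 0;
}
```

With `save_len` left at 40 every re-entry sees the same state, so only the guard stops it; with it cleared the line is emitted once.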
Information forwarded
to debian-bugs-dist@lists.debian.org, C.M. Connelly <cmc@debian.org>:
Bug#724571; Package t1utils.
(Sun, 29 Sep 2013 07:39:09 GMT) (full text, mbox, link).
Acknowledgement sent
to Niels Thykier <niels@thykier.net>:
Extra info received and forwarded to list. Copy sent to C.M. Connelly <cmc@debian.org>.
(Sun, 29 Sep 2013 07:39:09 GMT) (full text, mbox, link).
Message #15 received at 724571@bugs.debian.org (full text, mbox, reply):
Control: forwarded -1 https://github.com/kohler/t1utils/issues/1
Hi,
I took the liberty of forwarding this to upstream.
~Niels
Information forwarded
to debian-bugs-dist@lists.debian.org, C.M. Connelly <cmc@debian.org>:
Bug#724571; Package t1utils.
(Sun, 29 Sep 2013 14:15:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Niels Thykier <niels@thykier.net>:
Extra info received and forwarded to list. Copy sent to C.M. Connelly <cmc@debian.org>.
(Sun, 29 Sep 2013 14:15:04 GMT) (full text, mbox, link).
Message #22 received at 724571@bugs.debian.org (full text, mbox, reply):
Control: tags -1 fixed-upstream
On 2013-09-29 09:37, Niels Thykier wrote:
> Control: forwarded -1 https://github.com/kohler/t1utils/issues/1
>
> Hi,
>
> I took the liberty of forwarding this to upstream.
>
> ~Niels
>
>
Upstream has reported that this bug is now fixed in 1.38.
~Niels
Added tag(s) fixed-upstream.
Request was from Niels Thykier <niels@thykier.net>
to 724571-submit@bugs.debian.org.
(Sun, 29 Sep 2013 14:15:04 GMT) (full text, mbox, link).
Reply sent
to Niels Thykier <niels@thykier.net>:
You have taken responsibility.
(Tue, 14 Oct 2014 18:37:18 GMT) (full text, mbox, link).
Notification sent
to Niels Thykier <niels@thykier.net>:
Bug acknowledged by developer.
(Tue, 14 Oct 2014 18:37:18 GMT) (full text, mbox, link).
Message #29 received at 724571-close@bugs.debian.org (full text, mbox, reply):
Source: t1utils
Source-Version: 1.38-1
We believe that the bug you reported is fixed in the latest version of
t1utils, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 724571@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Niels Thykier <niels@thykier.net> (supplier of updated t1utils package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Tue, 14 Oct 2014 20:10:04 +0200
Source: t1utils
Binary: t1utils
Architecture: source amd64
Version: 1.38-1
Distribution: unstable
Urgency: medium
Maintainer: Niels Thykier <niels@thykier.net>
Changed-By: Niels Thykier <niels@thykier.net>
Description:
t1utils - Collection of simple Type 1 font manipulation programs
Closes: 724571 744736
Changes:
t1utils (1.38-1) unstable; urgency=medium
.
* New upstream release.
- Fixes call-stack overflow/segmentation fault.
(Closes: #724571)
* Take over maintenance of the package.
- New maintainer email. (Closes: #744736)
* Updated debian/copyright.
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sat, 22 Nov 2014 07:43:32 GMT) (full text, mbox, link).
Bug unarchived.
Request was from Niels Thykier <niels@thykier.net>
to control@bugs.debian.org.
(Mon, 06 Jul 2015 16:57:03 GMT) (full text, mbox, link).
Marked as found in versions t1utils/1.37-1.
Request was from Niels Thykier <niels@thykier.net>
to control@bugs.debian.org.
(Mon, 06 Jul 2015 16:57:04 GMT) (full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Tue, 04 Aug 2015 07:30:35 GMT) (full text, mbox, link).
Last modified:
Sun Nov 19 12:48:29 2023;