bug-gnu-emacs

bug#16457: 24.3.50; crash rendering Arabic Uthmani script


From: Dmitry Antipov
Subject: bug#16457: 24.3.50; crash rendering Arabic Uthmani script
Date: Thu, 16 Jan 2014 12:01:04 +0400
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0

I'm not familiar with composition sequences in detail, but there is a hint.

For the uthmani-test.txt, the following code in set_iterator_to_next:

    /* Composition created while scanning forward.  */
    /* Update IT's char/byte positions to point to the first
       character of the next grapheme cluster, or to the
       character visually after the current composition.  */
    for (i = 0; i < it->cmp_it.nchars; i++)
      bidi_move_to_visually_next (&it->bidi_it);
    IT_BYTEPOS (*it) = it->bidi_it.bytepos;
    IT_CHARPOS (*it) = it->bidi_it.charpos;

advances IT from charpos:bytepos 11:21 to 13:25.  But the following fragment
from scan_for_column:

    /* Check composition sequence.  */
    if (cmp_it.id >= 0
        || (scan == cmp_it.stop_pos
            && composition_reseat_it (&cmp_it, scan, scan_byte, end,
                                      w, NULL, Qnil)))
      composition_update_it (&cmp_it, scan, scan_byte, Qnil);
    if (cmp_it.id >= 0)
      {
        scan += cmp_it.nchars;
        scan_byte += cmp_it.nbytes;

advances SCAN:SCAN_BYTE from 11:21 to 13:24.  So the byte position becomes invalid
and FETCH_CHAR_ADVANCE decodes an invalid byte sequence to an invalid character C.
Finally, CHAR_TABLE_REF (Vcomposition_function_table, C) goes out of bounds.

Dmitry
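
An added illustration, not part of the message above and not Emacs code: a small C check that a (charpos, bytepos) pair is still consistent after skipping a two-character cluster, where a byte count that is one short lands on a trailing byte. The function names and the sample buffer are hypothetical, and plain UTF-8 is assumed as the buffer encoding.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed sample: 'a' followed by three 2-byte UTF-8 Arabic letters. */
static const unsigned char sample[] = "a\xD8\xA8\xD8\xB3\xD9\x85";

/* True if B can start a character, i.e. is not a 10xxxxxx trailing byte. */
static int char_head_p(unsigned char b) { return (b & 0xC0) != 0x80; }

/* Length of the sequence introduced by lead byte B, or 0 if B is no lead. */
static size_t seq_len(unsigned char b)
{
    if (b < 0x80) return 1;
    if ((b & 0xE0) == 0xC0) return 2;
    if ((b & 0xF0) == 0xE0) return 3;
    if ((b & 0xF8) == 0xF0) return 4;
    return 0;
}

/* Byte offset of character index CHARPOS, recomputed by walking the
   buffer; -1 if the walk hits malformed data or the end of the buffer. */
static long char_to_byte(const unsigned char *buf, size_t len, size_t charpos)
{
    size_t byte = 0;
    while (charpos-- > 0) {
        size_t n = byte < len ? seq_len(buf[byte]) : 0;
        if (n == 0 || byte + n > len) return -1;
        byte += n;
    }
    return (long) byte;
}

/* Nonzero if BYTEPOS is in range, sits on a character boundary and is
   the byte offset that really corresponds to CHARPOS. */
static int position_consistent_p(const unsigned char *buf, size_t len,
                                 size_t charpos, size_t bytepos)
{
    if (bytepos > len) return 0;
    if (bytepos < len && !char_head_p(buf[bytepos])) return 0;
    return char_to_byte(buf, len, charpos) == (long) bytepos;
}

int main(void)
{
    size_t len = sizeof sample - 1;
    /* Skip a 2-character cluster starting at char 1 / byte 1. */
    printf("nbytes=4: %d\n", position_consistent_p(sample, len, 1 + 2, 1 + 4));
    printf("nbytes=3: %d\n", position_consistent_p(sample, len, 1 + 2, 1 + 3));
    return 0;
}
```

A check of this kind, placed before the next character is decoded, turns a mismatched character/byte advance into a detectable error instead of an out-of-range table index.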





