[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[mgp-users-jp 00677] Forward: Bug#52449: mgp: segfault on long list-item truetype rendering

$B$3$&$$$&%P%0%l%]!<%H$,$-$^$7$?!#(B

$B$3$N%Q%C%A$G$J$*$k$h$&$J$N$G$9$,!"$3$l$G$"$C$F$$$k$N$G$7$g$&$+(B?

--- ../mgp-1.06a.19991206/draw.c	Tue Dec  7 00:08:12 1999
+++ draw.c	Sat Dec 11 02:46:14 1999
@@ -1862,6 +1862,9 @@
 		}
 		for ( ; obj; obj = obj->next) {
 			x = obj->x;
+			if (x + xwidth >= width) {
+				continue;
+			}
 			switch (obj->vertloc) {
 			case VL_BASE:
 				y = state->maxascent;

$B$*$A$k$H$-$N(B backtrace $B$O0J2<$NDL$j$G$9!#(B
tfc_image() $B$G(B bx $B$,$H$s$G$b$J$$CM$K$J$C$F$*$A$F$$$k$h$&$G$9!#(B

(gdb) bt
#0  0x400d0516 in XInitImage () from /usr/X11R6/lib/libX11.so.6
#1  0x805ea99 in tfc_image (tfc=0x828cc58, fore=65504, back=0, xim=0x8294140, 
    bx=4472, by=36) at tfont.c:671
#2  0x8050849 in obj_draw (state=0x8095480, target=41943041, xpos=0, ypos=245)
    at draw.c:1890
#3  0x804ec8b in draw_line_end (state=0x8095480) at draw.c:852
#4  0x804e9e0 in process_direc (state=0x8095480, seenpause=0xbfffd478)
    at draw.c:676
#5  0x804e18a in draw_one (state=0x8095480, e=0xbfffd5fc) at draw.c:347
#6  0x804ccbb in main_loop (start_page=1) at mgp.c:731
#7  0x804c204 in main (argc=1, argv=0xbffff7d4) at mgp.c:423
(gdb) up
#1  0x805ea99 in tfc_image (tfc=0x828cc58, fore=65504, back=0, xim=0x8294140, 
    bx=4472, by=36) at tfont.c:671
671					XPutPixel(xim, bx + tfc->xoff + x,
(gdb) list
666		for (y = 0; y < tfc->height; y++) {
667			for (x = 0; x < tfc->bwidth; x++) {
668				d = *s++;
669				if (d && x < tfc->width) {
670					p = col[d].pixel;
671					XPutPixel(xim, bx + tfc->xoff + x,
672						by - tfc->ascent + y, p);
673				}
674			}
675		}
(gdb) print bx
$1 = 4472
(gdb)print *tfc
$2 = {next = 0x809ee60, prev = 0x809ee60, lrunext = 0x828c3d0, 
  lruprev = 0x828d288, size = 48, width = 7, bwidth = 8, height = 13, 
  code = 44, charlen = 13, ascent = 6, descent = 7, xoff = 3, 
  fontname = 0x828cd10 "/usr/share/fonts/truetype//arial.ttf", 
  dbitmap = 0x828cca0 "", ref = 55}
(gdb) print x
$3 = 2
(gdb) print by
$4 = 36
(gdb) print y
$5 = 12
(gdb) print col[d]
$6 = {pixel = 0, red = 0, green = 0, blue = 0, flags = 0 '\000', 
  pad = 0 '\000'}
(gdb) print xim
$7 = (XImage *) 0x8294140
(gdb) print *xim
$8 = {width = 640, height = 44, xoffset = 0, format = 2, data = 0x8298c60 "", 
  byte_order = 0, bitmap_unit = 32, bitmap_bit_order = 0, bitmap_pad = 16, 
  depth = 16, bytes_per_line = 1280, bits_per_pixel = 16, red_mask = 63488, 
  green_mask = 2016, blue_mask = 31, obdata = 0x0, f = {
    create_image = 0x804adc0 <XCreateImage>, 
    destroy_image = 0x400cfae0 <XInitImage+160>, 
    get_pixel = 0x400cfe98 <XInitImage+1112>, 
    put_pixel = 0x400d04c0 <XInitImage+2688>, 
    sub_image = 0x400d0650 <XInitImage+3088>, 
    add_pixel = 0x400d08c4 <_XSetImage+220>}}
(gdb) list
676		if (mgp_flag & FL_GLYPHEDGE) {
677			/*
678			 * for debugging treatment of font metrics, for 16bpp displays
679			 */
680			/* pixmap bounding box */
681			for (y = 0; y < tfc->height; y++) {
682				XPutPixel(xim, bx + tfc->xoff, by - tfc->ascent + y,
683					0xffff);
684				XPutPixel(xim, bx + tfc->xoff + tfc->width - 1,
685					by - tfc->ascent + y, 0xffff);
(gdb) up
#2  0x8050849 in obj_draw (state=0x8095480, target=41943041, xpos=0, ypos=245)
    at draw.c:1890
1890					(void)tfc_image(obj->data.tfc,
(gdb) list
1885					addarea(vfc);
1886				}
1887	#endif /* VFLIB */
1888	#ifdef FREETYPE
1889				if (obj->type == O_TFONT) {
1890					(void)tfc_image(obj->data.tfc,
1891						obj->fore, bcolor, xim, x, y);
1892					addarea(tfc);
1893				}
1894	#endif /* FREETYPE */
(gdb) print x
$10 = 4472
(gdb) print y
$11 = 36
(gdb) print obj->data
$12 = {vfc = 0x828cc58, tfc = 0x828cc58, xfont = {
    xfont = 0x828cc58 "`.ANn\t\b`Nn\t\bNPNC(\b\210NR(\b0", csize = 0, code = 0, 
    registry = 0x0}, image = {image = 0x828cc58, xzoom = 0, yzoom = 0}, 
  icon = {itype = 136891480, isize = 0, npoint = 0, xpoint = 0x0}}
(gdb) print obj->data.tfc
$13 = (struct tfont *) 0x828cc58
(gdb) print *obj->data.tfc
$14 = {next = 0x809ee60, prev = 0x809ee60, lrunext = 0x828c3d0, 
  lruprev = 0x828d288, size = 48, width = 7, bwidth = 8, height = 13, 
  code = 44, charlen = 13, ascent = 6, descent = 7, xoff = 3, 
  fontname = 0x828cd10 "/usr/share/fonts/truetype//arial.ttf", 
  dbitmap = 0x828cca0 "", ref = 55}
--- Begin Message --- 
Package: mgp
Version: 1.06a.19991206-1

The following mgp file causes a segfault.  It seems to be related to
the long list-item line.  Using an xfont, shortening the item, or
removing the previous line, all prevent the segfault.

Note: the arial.ttf file is from an NT 4.0 sp5 box.

====
%page

title

%tfont "arial.ttf"
D
	BugIds: 4182748,4202056,4206177,4209605,4209621,4212138,4212534,4213022,4217654,4217668,4217704,4218906,4219308,4219310,4221487,4221984,4222882,4223413,4224811,4224829,4225423,4225531,4225934,4228246,4229190,4229427,4229893,4229898,4231596,4232172,4232898,4233522,4234271,4234776,4236666,4237087,4237098,4242227,4245471,4245880,4249454,4249679,4249693,4249699,4249706,4251615,4252504,4255731,4256636,4261255,4261501,4263812,4264677,4265945,4265954,4266474
====

--
      /\       Yann Dirson            <ydirson@sunchorus.france.sun.com>
     \\ \
    \ \\ /     Sun Microsystems Inc.               <http://www.sun.com/>
   / \/ / /    Consumer and Embedded / ChorusOS Support
  / /   \//\
  \//\   / /   Phone: +33 139 44 74 50
   / / /\ /    Phone: 44450           
    / \\ \
     \ \\
      \/       Subcontractant from Logatique  <http://www.logatique.fr/>

--- End Message ---