Bug ID: JDK-4514102 Regression: Installing certain fonts with bad data, will crash VM

Type: Bug
Component: client-libs
Sub-Component: 2d
Affected Version: 1.4.0

Priority: P4
Status: Resolved
Resolution: Fixed
OS: windows_2000
CPU: x86

Submitted: 2001-10-12
Updated: 2003-01-09
Resolved: 2002-11-12

Other	Other
1.4.1_02 02Fixed	1.4.2Fixed

###@###.### 2001-10-12

J2SE Version (please include all output from java -version flag):
  JDK 1.4.0beta
  java full version "1.4.0-beta2-b65"

  JDK 1.4.0beta2
  java full version "1.4.0-beta2-b77"

  JDK 1.4.0beta3cap build 82
  java full version "1.4.0-beta3-b82"

Does this problem occur on J2SE 1.3?  Yes / No (pick one)
  No. Works fine on 1.3.1.

Operating System Configuration Information (be specific):
  Windows 2000 SP2. OCR-A font installed.

Hardware Configuration Information (be specific):
  Pentium III 800MHz, 256MB RAM, Geforce 256 graphics card. Reported for other
  configurations as well.

Bug Description:
  Cap member's customer reported that their application crashes if certain 
  fonts are installed. They investigated this issue and produced a testcase
  which should offer some insight.

  Installing certain other fonts triggers this behaviour as well. More 
  information can be provided if required.


Steps to Reproduce (be specific):
  1) Install the attached font(Ocr-a.ttf).
  2) Run the attached test-case(FontTest.java).

An sample HotSpot error log(hs_err_pid1780.log) is attached.
============================================================================
An unexpected exception has been detected in native code outside the VM.
Unexpected Signal : EXCEPTION_ACCESS_VIOLATION occurred at PC=0x6D197DE0
Function=Java_sun_awt_font_NativeFontWrapper_getFontPath+0x3EAD
Library=C:\java\jdk1.4.0-beta3-cap\jre\bin\fontmanager.dll

Current Java thread:
	at sun.awt.font.NativeFontWrapper.getCharMetrics(Native Method)
	- locked <06B539B0> (a java.lang.Class)
	at sun.awt.font.FontDesignMetrics.handleCharWidth(FontDesignMetrics.java:240)
	at sun.awt.font.FontDesignMetrics.getLatinCharWidth(FontDesignMetrics.java:250)
	at sun.awt.font.FontDesignMetrics.charWidth(FontDesignMetrics.java:266)
	at FontTest.isMonospacedFont(FontTest.java:41)
	at FontTest.main(FontTest.java:18)

Dynamic libraries:
0x00400000 - 0x00406000 	C:\java\jdk1.4.0-beta3-cap\bin\javaw.exe
0x77880000 - 0x77901000 	C:\WINNT\System32\ntdll.dll
0x77DA0000 - 0x77DFB000 	C:\WINNT\system32\ADVAPI32.dll
0x77E70000 - 0x77F32000 	C:\WINNT\system32\KERNEL32.DLL
0x77D30000 - 0x77DA0000 	C:\WINNT\system32\RPCRT4.DLL
0x77E00000 - 0x77E64000 	C:\WINNT\system32\USER32.dll
0x77F40000 - 0x77F7C000 	C:\WINNT\system32\GDI32.DLL
0x78000000 - 0x78046000 	C:\WINNT\system32\MSVCRT.dll
0x10000000 - 0x10012000 	C:\WINNT\System32\NVDESK32.DLL
0x6D330000 - 0x6D441000 	C:\java\jdk1.4.0-beta3-cap\jre\bin\client\jvm.dll
0x77540000 - 0x77571000 	C:\WINNT\System32\WINMM.dll
0x6D1D0000 - 0x6D1D7000 	C:\java\jdk1.4.0-beta3-cap\jre\bin\hpi.dll
0x6D300000 - 0x6D30D000 	C:\java\jdk1.4.0-beta3-cap\jre\bin\verify.dll
0x6D210000 - 0x6D227000 	C:\java\jdk1.4.0-beta3-cap\jre\bin\java.dll
0x6D320000 - 0x6D32D000 	C:\java\jdk1.4.0-beta3-cap\jre\bin\zip.dll
0x6D000000 - 0x6D0F5000 	C:\java\jdk1.4.0-beta3-cap\jre\bin\awt.dll
0x777F0000 - 0x7780D000 	C:\WINNT\System32\WINSPOOL.DRV
0x75DF0000 - 0x75E0A000 	C:\WINNT\System32\IMM32.dll
0x77A40000 - 0x77B36000 	C:\WINNT\system32\ole32.dll
0x6D180000 - 0x6D1D0000 	C:\java\jdk1.4.0-beta3-cap\jre\bin\fontmanager.dll
0x22000000 - 0x22007000 	C:\WINNT\System32\PGPhk.dll
0x60000000 - 0x60047000 	C:\WINNT\System32\MSCTF.DLL
0x20420000 - 0x2042B000 	C:\WINNT\TRAYHOOK.dll
0x77580000 - 0x777C8000 	C:\WINNT\system32\SHELL32.dll
0x70BD0000 - 0x70C1C000 	C:\WINNT\system32\SHLWAPI.DLL
0x716F0000 - 0x7177A000 	C:\WINNT\system32\COMCTL32.DLL
0x72810000 - 0x72816000 	C:\WINNT\System32\DCIMAN32.dll
0x69500000 - 0x69686000 	C:\WINNT\System32\nvoglnt.dll
0x77910000 - 0x77933000 	C:\WINNT\system32\imagehlp.dll
0x72970000 - 0x7299D000 	C:\WINNT\system32\DBGHELP.dll
0x68F30000 - 0x68F3B000 	C:\WINNT\System32\PSAPI.DLL

Local Time = Fri Oct 12 12:30:13 2001
Elapsed Time = 5
#
# The exception above was detected in native code outside the VM
#
# Java VM: Java HotSpot(TM) Client VM (1.4.0-beta3-b82 mixed mode)
#

CONVERTED DATA BugTraq+ Release Management Values COMMIT TO FIX: 1.4.1_02 mantis FIXED IN: 1.4.1_02 mantis INTEGRATED IN: 1.4.1_02 mantis mantis-b07

14-06-2004

EVALUATION This crash can be observed on solaris as well as windows and is deep in the hinting code. It makes sense that this wasn't reproducible on 1.3 as the hinting support code is all new in 1.4. ###@###.### 2001-10-12 ============================ The font shows severe problems with font verification tools on both Windows and the Macintosh. The "prep" (PREPROGRAM) table has some indices out of range. This seems to cause failures in the Java rasterizer. It needs to be investigated if the Java rasterizer can somehow work around such incorrectly hinted fonts. The font works in Windows as the windows trutetype rasterizer is able to work around this problem. ###@###.### 2001-10-15 Upon further evaluation it seems there are some other problems in the font too. ###@###.### 2001-10-15 Crash is in fnt_MIRP. fnt_MIRP should not be called in the first place. This was caused by wrong func tion being called because the stack containing the function ID was corrupted. T his corruption was due to a call to WS with index beyond the alotted storage spa ce (maxp->maxStorage). To work around this problem, we must increase allocated space for storage. ###@###.### 2002-10-07 =================================

07-10-2002