JDK-8216965 : crash in freetypeScaler.c CopyBW2Grey8
  • Type: Bug
  • Component: client-libs
  • Sub-Component: 2d
  • Affected Version: openjdk8u232,12,13
  • Priority: P2
  • Status: Resolved
  • Resolution: Fixed
  • OS: generic
  • CPU: generic
  • Submitted: 2019-01-14
  • Updated: 2022-06-27
  • Resolved: 2019-01-23
Version table
  • JDK 11: 11.0.3-oracle (Fixed)
  • JDK 12: 12 b29 (Fixed)
  • JDK 13: 13 (Fixed)
  • Other: openjdk7u (Fixed)
Description
The jck13 test api/javax_swing/SwingUtilities/other.html crashes on linuxaarch64.
It seems that for some reason a buffer overrun occurs in CopyBW2Grey8 (src/java.desktop/share/native/libfontmanager/freetypeScaler.c).

I added output to the code of CopyBW2Grey8 in freetypeScaler.c, which shows why the crash occurs: the pointer src8 goes over the allowed src image size.

Crash is at:
# C  [libfontmanager.so+0xb86c]  CopyBW2Grey8+0x164

We notice the crash on linuxaarch64 (but similar crashes can be seen on Solaris SPARC).

Further investigation shows that the linuxaarch64 crash was seen on a SLES15 (SUSE Linux 15) machine. But with linux ppc64le and linux x86_64 on SLES15 the crash occurs too, so it seems to be a SLES15-related issue.
A small standalone java program is attached that shows the issue.
Comments
Fix Request (8u) [critical] This patch is needed after JDK-8214002 backport to 8u. Patch applies cleanly after the usual reshufflings (for reference: http://cr.openjdk.java.net/~shade/8216965/webrev.8u.01/). New test passes both before and after the patch on my system, but we have suspicious failures on other systems with current 8u. Risk is low-ish, as it handles the error code that was not handled before.
10-09-2019

Now that JDK-8214002 is backported to 8u, this bug affects 8u as well? Provisionally putting the relevant affected version.
09-09-2019

Fix Request: Let's backport this patch to 11u, so that the codebase is in sync (I see 11.0.3-oracle). Patch applies cleanly to 11u. The new regression test passes with and without the actual fix because, as Philip mentions above, this code path is not used on 11u. It might become used with future backports.
15-02-2019

URL: http://hg.openjdk.java.net/jdk/jdk12/rev/ba547b9b4996 User: prr Date: 2019-01-23 01:32:58 +0000
23-01-2019

Fix Request
This fix prevents a crash on freetype errors.
Webrev: http://cr.openjdk.java.net/~prr/8216965/
Reviewers: serb, mbaesken
22-01-2019

The root cause appears to be a failure to check the return value of a call to freetype, specifically FT_Render_Glyph(..). The call isn't new, but in JDK 11 it was not used at all. In JDK 12 b24, as a result of https://bugs.openjdk.java.net/browse/JDK-8214002, it started to be used.
17-01-2019
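As an added illustration in C (not JDK code and not the actual patch), here are the two defensive checks the root-cause comment above implies: the render status is tested before the bitmap is touched, and the 1-bpp to 8-bit grey expansion that CopyBW2Grey8 performs verifies that every source byte it will read lies inside the buffer, so an inconsistent bitmap is rejected instead of overrun. bw_bitmap, buffer_len, copy_bw_to_grey8_checked, convert_glyph and the render_error parameter are constructed stand-ins, not FreeType or JDK identifiers.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for the FreeType glyph bitmap (FT_Bitmap in the real
 * API); buffer_len records how many bytes actually back the pixel data. */
typedef struct {
    const uint8_t *buffer;   /* 1 bit per pixel, MSB first, rows padded to pitch */
    size_t buffer_len;
    int pitch;               /* bytes per source row */
    int width, rows;         /* pixel dimensions */
} bw_bitmap;

/* Expand 1-bpp pixels to 8-bit grey (0x00 / 0xFF), the job CopyBW2Grey8 does.
 * Every read is checked against buffer_len first, so an inconsistent bitmap
 * is rejected (-1) instead of letting the source pointer run off the end. */
int copy_bw_to_grey8_checked(const bw_bitmap *src, uint8_t *dst,
                             size_t dst_len, int dst_row_bytes)
{
    if (src->buffer == NULL || src->width < 0 || src->rows < 0 ||
        src->pitch < 0 || dst_row_bytes < src->width)
        return -1;
    size_t used_per_row = ((size_t)src->width + 7) >> 3;
    if (used_per_row > (size_t)src->pitch)
        return -1;
    if (src->rows > 0 &&
        (size_t)(src->rows - 1) * (size_t)src->pitch + used_per_row > src->buffer_len)
        return -1;                      /* last row would read past the buffer */
    if ((size_t)src->rows * (size_t)dst_row_bytes > dst_len)
        return -1;                      /* destination too small */

    for (int y = 0; y < src->rows; y++) {
        const uint8_t *src8 = src->buffer + (size_t)y * (size_t)src->pitch;
        uint8_t *out = dst + (size_t)y * (size_t)dst_row_bytes;
        for (int x = 0; x < src->width; x++)
            out[x] = ((src8[x >> 3] >> (7 - (x & 7))) & 1u) ? 0xFF : 0x00;
    }
    return 0;
}

/* Caller pattern the fix relies on: render_error stands in for the FT_Error
 * that FT_Render_Glyph returns. A non-zero code means the bitmap was never
 * produced, so it must not be copied at all. */
int convert_glyph(int render_error, const bw_bitmap *bm,
                  uint8_t *dst, size_t dst_len)
{
    if (render_error != 0)
        return -1;
    return copy_bw_to_grey8_checked(bm, dst, dst_len, bm->width);
}
```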

With the attached program FontCrash.java I can reproduce the issue. Seems the Bitstream Charter,name=Bitstream Charter,style=plain,size=1 of SLES 15 triggers the issue. addr2line always points me to libfontmanager/freetypeScaler.c:611 where the overrun seems to happen. getGlyphImageNative is shown below in the crash; this might be caused by inlining (with slowdebug on linux aarch I saw CopyBW2Grey8).

/linuxx86_64/last_known_good/output-jdk12-fastdebug/images/jdk/bin/java FontCrash
Looking at font java.awt.Font[family=Bitstream Charter,name=Bitstream Charter,style=plain,size=1]
getting the advance widths of the first 256 characters in the Font
#
# A fatal error has been detected by the Java Runtime Environment:
#
#  SIGSEGV (0xb) at pc=0x00007f1c2338272c, pid=4525, tid=4526
#
# JRE version: OpenJDK Runtime Environment (12.0.1) (fastdebug build 12.0.0.1-internal+0-adhoc.openjdk.jdk12)
# Java VM: OpenJDK 64-Bit Server VM (fastdebug 12.0.0.1-internal+0-adhoc.openjdk.jdk12, mixed mode, sharing, tiered, compressed oops, g1 gc, linux-amd64)
# Problematic frame:
# C  [libfontmanager.so+0x972c]  Java_sun_font_FreetypeFontScaler_getGlyphImageNative+0x56c
#
.....

addr2line -e /linuxx86_64/last_known_good/output-jdk12-fastdebug/images/jdk/lib/libfontmanager.so 972c
/linuxx86_64/nightly/jdk12/src/java.desktop/share/native/libfontmanager/freetypeScaler.c:611

more /etc/os-release
NAME="SLES"
VERSION="15"
....
14-01-2019