[tex-live] xdvipdfm seg faults when using some TTF fonts (Was xelatex on OpenBSD sparc64 - Bus Error)

Jonathan Kew jonathan_kew at sil.org
Sun Jun 24 23:18:02 CEST 2007 

On 24 Jun 2007, at 9:03 pm, Edd Barrett wrote:

> (gdb) run -no-pdf test
[snip]
> Program received signal SIGBUS, Bus error.
> icu_3_4::KernTable::process(icu_3_4::LEGlyphStorage&)
> (this=0xfffffffffffdc030, storage=@0x4d631400)
>    at /usr/ports/print/texlive/base/w-texlive_base-2007/ 
> texlive_base-2007/libs/icu-xetex/layout/KernTable.cpp:155
> 155           if (key > SWAPL(tp->key)) {
> Current language:  auto; currently c++

Aha - interesting that this occurs where ICU is processing the kern  
table. One of the things Apple's validator tool reports about the  
font is a kern table error:

> $ ftxvalidator ~/Library/Fonts/SQUATT__.TTF
>
> ====== /Users/jonathan/Library/Fonts/SQUATT__.TTF  
> ============================================
> ------ sfnt: , sfnt ID: -12914 ------
>     Error: 'cmap':  Format 4 idRangeOffset[40] == 0x0000FFFF an  
> unexpeced value for the last segment
>     Error: bad entry count in cmap format 6(index 257)
>     Error: 'cmap':  Format 4 idRangeOffset[40] == 0x0000FFFF an  
> unexpeced value for the last segment
>     Error: missing sentinal kerning pair
>     Error: Postscript name (index 6) has non-ASCII character(s)
>     Error: Postscript name (index 20) has non-ASCII character(s)
>     Error: multiple postscript names: 3
>     Error: OS/2: bad embedding flags (0x0001)
>     Error:  name index isn't unique for glyph # 16 (=2 matches that  
> of glyph # 2)

That may well explain this crash. The TrueType/OpenType spec requires  
a special terminator value at the end of a list of kern pairs, and if  
this is missing it could easily lead to a program looking at invalid  
data or memory locations.

I dumped the 'kern' table and compared the data with Microsoft's spec  
at http://www.microsoft.com/typography/otspec/kern.htm, and it looks  
to me like the binary search header fields for the kern pairs has bad  
data:

Beginning of 'kern' table:
	0000 version
	0001 nTables

	0000 subtable version
	1F82 length
	0001 coverage (horizontal kerning)

	053E nPairs (1342 decimal)
	003C searchRange .... should be 1800 = 0400 * 6
	000A entrySelector .. correct
	1F38 rangeShift  .... should be 0774 = (053E - 0400) * 6
	
	0004 000F 0056   1st kern pair
	0004 0012 FF68   2nd kern pair
	0004 0066 FFC7   etc

Unless I'm misinterpreting things, the data here looks badly broken,  
and that probably explains this crash. But it doesn't explain the  
xdvipdfmx crash, as that program doesn't read the 'kern' data.

Of course, even if the font is broken, it would be nice if xetex  
didn't crash. I'll see if there's an easy way to make the ICU library  
more robust here.

JK

More information about the tex-live mailing list