UB in GlyphArrangement::addFittedText/SimpleShapedText::getTextRange

dave96 · December 17, 2024, 7:17am

I’ve been hitting some UB in our app deep inside the text rending stack but it’s also easy to trigger in the juce demo.

If you do the following:

In Xcode
Enable UBSan
Add a runtime exception breakpoint for UBSan
Run the JUCE DemoRunner in debug
- Go to “Demos”
- “Widgets”
- “Sliders”

You’ll see the following:

It seems like:

glyphIndex is less than glyphRange.getStart(); so indexInRun (which is an int) is negative
When this is cast to a size_t it underflows to a very large number (well defined behaviour)
This is then used to index in to the glyphRun which overflows the ptr
Adding an assertion that index < size() in there would probably catch this as well

The args to GlyphArrangement::addFittedText look fine.
The weird thing is that this isn’t causing crashes without UBSan enabled. Maybe I’m just lucky and it’s manifesting as minor text corruption?

Cheers

attila · December 17, 2024, 8:38pm

Thank you for the detailed report. There’s a fix out on develop

dave96 · December 18, 2024, 8:59am

Thanks!

Topic		Replies	Views
JUCE Demo - GlyphArrangement Break General JUCE discussion	1	264	July 18, 2012
Possible bug in GlyphArrangement::addJustifiedText General JUCE discussion	2	277	May 12, 2017
Crashes in SimpleShapedText General JUCE discussion	5	196	April 17, 2025
Juce compile failure accessing TextLayout::Run General JUCE discussion	0	40	February 17, 2026
Sporadical AU plugin issue with juce::OSXTypeface::getGlyphPositions MacOSX and iOS	6	820	November 8, 2021

UB in GlyphArrangement::addFittedText/SimpleShapedText::getTextRange

Purchase

Discover

Learn

Support

About

Events

UB in GlyphArrangement::addFittedText/SimpleShapedText::getTextRange

Related topics

Purchase

Discover

Learn

Support

About

Events