Closed
Bug 1252951
Opened 9 years ago
Closed 9 years ago
graphite2: UBSan value outside the range of representable values of type 'unsigned short' [@graphite2::GlyphFace::getMetric]
Categories
(Core :: Graphics: Text, defect)
People
(Reporter: tsmith, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: sec-audit, testcase, Whiteboard: [gfx-noted])
Attachments (1 file): application/x-font-ttf (deleted)
This was found while fuzzing the latest graphite2 revision (bc5409c573aa9ecccacd18cf713021272998cd35).
This issue was uncovered using Undefined Behavior Sanitizer (UBSan). More information can be found here: http://clang.llvm.org/docs/UndefinedBehaviorSanitizer.html.
NOTE: Bug 1252943 blocks uncovering this issue.
This is likely not a sec issue; however, I am hiding this bug because of the large number of bugs that have been found, and I would like to avoid any unwanted attention until things calm down.
To reproduce:
Build with UBSan enabled.
Run: ./gr2fonttest test_case.ttf -auto
/home/user/code/graphite/src/GlyphFace.cpp:40:58: runtime error: value -34 is outside the range of representable values of type 'unsigned short'
#0 0x7f6e61a79408 in graphite2::GlyphFace::getMetric(unsigned char) const /home/user/code/graphite/src/GlyphFace.cpp:40:58
#1 0x7f6e61a5d504 in graphite2::Face::getGlyphMetric(unsigned short, unsigned char) const /home/user/code/graphite/src/Face.cpp:242:20
#2 0x7f6e619649d7 in graphite2::Segment::getGlyphMetric(graphite2::Slot*, unsigned char, unsigned char, bool) const /home/user/code/graphite/src/inc/Segment.h:225:16
#3 0x7f6e6194ff0e in (anonymous namespace)::push_glyph_metric(unsigned char const*&, int*&, int*, regbank&) /home/user/code/graphite/src/inc/opcodes.h:464:9
#4 0x7f6e619342b0 in graphite2::vm::Machine::run(void* const*, unsigned char const*, graphite2::Slot**&) /home/user/code/graphite/src/call_machine.cpp:121:12
#5 0x7f6e619d4ff1 in graphite2::vm::Machine::Code::run(graphite2::vm::Machine&, graphite2::Slot**&) const /home/user/code/graphite/src/Code.cpp:745:13
#6 0x7f6e61b0726f in graphite2::Pass::doAction(graphite2::vm::Machine::Code const*, graphite2::Slot*&, graphite2::vm::Machine&) const /home/user/code/graphite/src/Pass.cpp:676:17
#7 0x7f6e61af90af in graphite2::Pass::findNDoRule(graphite2::Slot*&, graphite2::vm::Machine&, graphite2::FiniteStateMachine&) const /home/user/code/graphite/src/Pass.cpp:545:33
#8 0x7f6e61af3460 in graphite2::Pass::runGraphite(graphite2::vm::Machine&, graphite2::FiniteStateMachine&, bool) const /home/user/code/graphite/src/Pass.cpp:414:13
#9 0x7f6e61b641d6 in graphite2::Silf::runGraphite(graphite2::Segment*, unsigned char, unsigned char, int) const /home/user/code/graphite/src/Silf.cpp:423:21
#10 0x7f6e61a5af89 in graphite2::Face::runGraphite(graphite2::Segment*, graphite2::Silf const*) const /home/user/code/graphite/src/Face.cpp:186:16
#11 0x7f6e61990ab5 in graphite2::Segment::runGraphite() /home/user/code/graphite/src/inc/Segment.h:97:45
#12 0x7f6e6198973e in (anonymous namespace)::makeAndInitialize(graphite2::Font const*, graphite2::Face const*, unsigned int, graphite2::FeatureVal const*, gr_encform, void const*, unsigned long, int) /home/user/code/graphite/src/gr_segment.cpp:46:67
#13 0x7f6e619890fb in gr_make_seg /home/user/code/graphite/src/gr_segment.cpp:105:24
#14 0x4f98fc in Parameters::testFileFont() const /home/user/code/graphite/gr2fonttest/gr2FontTest.cpp:684:20
#15 0x4fd33b in main /home/user/code/graphite/gr2fonttest/gr2FontTest.cpp:787:9
#16 0x7f6e614c8ec4 in __libc_start_main /build/eglibc-3GlaMS/eglibc-2.19/csu/libc-start.c:287
#17 0x41b985 in _start (/home/user/Desktop/graphite/gr2fonttest+0x41b985)
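The sanitizer message above ("value -34 is outside the range of representable values of type 'unsigned short'") is the wording of UBSan's float-cast-overflow check: a floating-point value was converted to an integer type that cannot hold its truncated value, which C++ leaves undefined. In GlyphFace::getMetric that is very likely a float glyph-box coordinate being cast to the uint16 return type. The following is an added illustration, not graphite2 code and not the fix in e7deaf90c9c8ca30116340419313af527fe90d78; the names Metric, metric_modular and metric_saturating are hypothetical stand-ins, and the sample inputs are constructed. It shows the cast UBSan objects to, and two conversions that are defined for every input: wrapping (go through int32_t, then reduce modulo 2^16) and saturating (clamp into [0, 65535]).

```cpp
#include <cmath>
#include <cstdint>
#include <iostream>
#include <string>

// Added illustration, not graphite2 code. Metric, metric_modular and
// metric_saturating are hypothetical stand-ins for the uint16 metric that
// GlyphFace::getMetric derives from float glyph-box coordinates.
struct Metric {
    bool ok;         // false when the input cannot be converted at all
    uint16_t value;  // converted metric, valid only when ok is true
};

// What UBSan flagged: a float whose truncated value lies outside
// [0, 65535] converted straight to uint16_t, i.e.
//     return static_cast<uint16_t>(x);   // UB for x == -34.0f
// C++ only defines float -> integer conversion when the truncated value
// fits the destination type. Routing through int32_t keeps every step
// defined: float -> int32_t is defined while the value fits int32_t, and
// int32_t -> uint16_t is defined modular arithmetic, so -34 becomes 65502.
Metric metric_modular(float x)
{
    // NaN fails both comparisons, so it is rejected here as well.
    if (!(x >= -2147483648.0f && x < 2147483648.0f))
        return {false, 0};
    int32_t i = static_cast<int32_t>(x);      // defined: value fits int32_t
    return {true, static_cast<uint16_t>(i)};  // defined: reduced mod 2^16
}

// Saturating variant: clamp into the representable range instead of
// wrapping, which is what a consumer of glyph metrics usually wants when a
// font supplies a negative or oversized value.
Metric metric_saturating(float x)
{
    if (std::isnan(x)) return {false, 0};
    if (x < 0.0f) return {true, 0};
    if (x >= 65536.0f) return {true, 65535};
    return {true, static_cast<uint16_t>(x)};  // defined: 0 <= trunc(x) <= 65535
}

int main()
{
    const float samples[] = {-34.0f, 100.7f, 70000.0f};  // constructed inputs
    for (float x : samples) {
        Metric m = metric_modular(x), s = metric_saturating(x);
        std::cout << x << " -> modular "
                  << (m.ok ? std::to_string(m.value) : "reject")
                  << ", saturating "
                  << (s.ok ? std::to_string(s.value) : "reject") << '\n';
    }
    return 0;
}
```

Compiling the direct cast with -fsanitize=float-cast-overflow (part of -fsanitize=undefined) and feeding it -34.0f reproduces the message in the report; neither helper above triggers it, because every conversion they perform is defined for the values that reach it.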
Comment 1 • 9 years ago
Fixed? in e7deaf90c9c8ca30116340419313af527fe90d78
Comment 2 • 9 years ago (Reporter)
Verified with graphite revision 520d76818052772d614e581dacea69499b912be6
Updated • 9 years ago
Whiteboard: [gfx-noted]
Updated • 9 years ago (Reporter)
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Updated • 9 years ago
Group: gfx-core-security → core-security-release
Comment 3 • 9 years ago
Graphite2 has been updated on all affected branches including ESRs.
status-firefox45: --- → wontfix
status-firefox46: --- → fixed
status-firefox47: --- → fixed
status-firefox48: --- → fixed
status-firefox-esr38: --- → fixed
status-firefox-esr45: --- → fixed
tracking-firefox-esr38: --- → 46+
tracking-firefox-esr45: --- → 46+
Updated • 8 years ago
Group: core-security-release