Package: libftgl2
Version: 2.1.3~rc5-4+nmu1
Severity: normal
Tags: patch

Dear Maintainer,

using FTTextureFont can lead to a crash with a "Floating Point Exception".
the problem only appears with very large font-sizes.

my system:
  integrated intel gfx card (Ivybridge Mobile)
  mesa
  maximum texture size: 8192

how to reproduce:
 - create a FTTextureFont from
    /usr/share/fonts/truetype/ttf-dejavu/DejaVuSans.ttf (as found in the
    ttf-dejavu-core package)
      font=new FTGLTextureFont("/usr/share/fonts/truetype/ttf-dejavu/DejaVuSans.ttf")
 - set the fontsize to something large
      font->FaceSize(3033);
 - render the font
      font->Render("foo");

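this will eventually hit the boundaries of the maximum texture size, leading to
a division by zero in src/FTFont/FTTextureFont.cpp:186.
the divisor is an integer (the number of glyphs that fit into one texture row,
which rounds down to 0 once a single glyph is wider than the texture), and on
Linux an integer division by zero is delivered as SIGFPE - hence the
"Floating Point Exception" message although no floating point math fails.
this in turn crashes the host application; since SIGFPE is a signal and not a
C++ exception, the application cannot catch it with try/catch.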

i'm attaching a short demo program (crasher.cpp; based on FTGL's simple.cpp)
that increases the fontsize, until it crashes.
compile with:
  $ g++ -o crasher crasher.cpp $(pkg-config --cflags --libs ftgl) -lglut -lGLU -lGL


i'm also attaching a fix for the problem, that clamps the divisor to be >=1,
thus making a division by zero impossible.


fmgdsar
IOhannes



-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.13-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libftgl2 depends on:
ii  libc6                     2.18-4
ii  libfreetype6              2.5.2-1
ii  libgcc1                   1:4.8.2-19
ii  libgl1-mesa-glx [libgl1]  10.1.0-5
ii  libglu1-mesa [libglu1]    9.0.0-2
ii  libpng12-0                1.2.50-1
ii  libstdc++6                4.8.2-19
ii  multiarch-support         2.18-4
ii  zlib1g                    1:1.2.8.dfsg-1

libftgl2 recommends no packages.

libftgl2 suggests no packages.

-- no debconf information
#define FONT_FILE "/usr/share/fonts/truetype/ttf-dejavu/DejaVuSans.ttf"

#include <stdio.h>  // fprintf(), snprintf()
#include <stdlib.h> // exit()

#include <GL/glut.h>
#include <FTGL/ftgl.h>

// Font under test: assigned in main(), used by RenderScene().
static FTFont *font = NULL;
// Face size applied on the next frame; RenderScene() adds 10 after each use.
static int fontsize = 1024;

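// GLUT display/idle callback. Applies the current face size to the font, logs
// that size together with the dimensions GL reports for level 0 of the bound
// 2D texture, draws the size as text, and raises fontsize by 10 for the next
// call. Repeated calls therefore keep growing the face size.
static void RenderScene(void)
{
    char str[10];
    // Zero-initialised: when a GL query raises an error the output argument is
    // left unmodified, and the fprintf below must not read indeterminate values.
    GLint w = 0;
    GLint h = 0;
    float scale=72./(float)fontsize;

    // NOTE(review): queried before FaceSize(), so the logged size presumably
    // describes whatever texture the previous Render() left bound - confirm.
    glGetTexLevelParameteriv(GL_TEXTURE_2D, 0, GL_TEXTURE_WIDTH, &w);
    glGetTexLevelParameteriv(GL_TEXTURE_2D, 0, GL_TEXTURE_HEIGHT, &h);

    // Bound the write by the real buffer size; snprintf always NUL-terminates
    // when the size is non-zero, so no manual terminator is needed.
    snprintf(str, sizeof(str), "%d", fontsize);

    font->FaceSize(fontsize);
    fprintf(stderr, "facesize=%d\ttexture=%dx%d\n", fontsize, w, h);
    fontsize+=10;

    glClear(GL_COLOR_BUFFER_BIT | GL_DEPTH_BUFFER_BIT);

    glEnable(GL_DEPTH_TEST);

    glPushMatrix();
        glTranslatef(-260.0, -0.2, 20.0);
        glColor3f(1.0, 1.0, 1.0);
        // Scale by 72/fontsize so the text keeps a similar on-screen size
        // while the face size grows.
        glScalef(scale, scale, scale);
        font->Render(str);
    glPopMatrix();

    glutSwapBuffers();
}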

//
//  Program entry point. Chooses the font file (argv[1] when given, otherwise
//  FONT_FILE), creates the GLUT window and projection, loads the font as an
//  FTTextureFont and enters the GLUT loop, which calls RenderScene for both
//  display and idle events.
//
int main(int argc, char **argv)
{
    const int windowWidth = 640;
    const int windowHeight = 480;

    // A path on the command line overrides the built-in default. It is read
    // before glutInit() gets the chance to process the argument list.
    char const *file = (argc > 1) ? argv[1] : FONT_FILE;

    // Window and callbacks
    glutInit(&argc, argv);
    glutInitDisplayMode(GLUT_DEPTH | GLUT_DOUBLE | GLUT_RGBA);
    glutInitWindowPosition(100, 100);
    glutInitWindowSize(windowWidth, windowHeight);
    glutCreateWindow("simple FTGL C++ demo");

    glutDisplayFunc(RenderScene);
    glutIdleFunc(RenderScene);

    // Projection: 90 degree field of view at the window's aspect ratio
    const float aspect = (float)windowWidth / (float)windowHeight;
    glMatrixMode(GL_PROJECTION);
    glLoadIdentity();
    gluPerspective(90, aspect, 1, 1000);

    // Camera on the z axis, half a window width away, looking at the origin
    const float eyeZ = (float)windowWidth / 2.0f;
    glMatrixMode(GL_MODELVIEW);
    glLoadIdentity();
    gluLookAt(0.0, 0.0, eyeZ, 0.0, 0.0, 0.0, 0.0, 1.0, 0.0);

    // Font setup; stop early when the file cannot be loaded
    font = new FTTextureFont(file);

    const bool loadFailed = font->Error();
    if(loadFailed)
    {
        fprintf(stderr, "%s: could not load font `%s'\n", argv[0], file);
        return EXIT_FAILURE;
    }

    font->FaceSize(10);
    font->Depth(10);
    font->Outset(0, 3);
    font->CharMap(ft_encoding_unicode);

    // Hand control to GLUT
    glutMainLoop();

    return EXIT_SUCCESS;
}

>From eee58e1a78af5439398cc0014809c0e994191d08 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?IOhannes=20m=20zm=C3=B6lnig?=
 <zmoel...@umlautq.umlaeute.mur.at>
Date: Mon, 14 Apr 2014 13:41:52 +0200
Subject: [PATCH] fix floating point exception

clamp minimum height of texture to 1, so we don't get a division-by-zero on very large texture sizes
---
 src/FTFont/FTTextureFont.cpp | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/FTFont/FTTextureFont.cpp b/src/FTFont/FTTextureFont.cpp
index 4e385ea..4c93598 100644
--- a/src/FTFont/FTTextureFont.cpp
+++ b/src/FTFont/FTTextureFont.cpp
@@ -181,6 +181,7 @@ void FTTextureFontImpl::CalculateTextureSize()
     textureWidth = textureWidth > maximumGLTextureSize ? maximumGLTextureSize : textureWidth;
 
     int h = static_cast<int>((textureWidth - (padding * 2)) / glyphWidth + 0.5);
+    if(h<1)h=1;
 
     textureHeight = NextPowerOf2(((numGlyphs / h) + 1) * glyphHeight);
     textureHeight = textureHeight > maximumGLTextureSize ? maximumGLTextureSize : textureHeight;
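Review bot: The added `if(h<1)h=1;` stops the crash but silently hides the condition behind it: `h` only reaches 0 when one glyph cell is wider than the usable texture row (`textureWidth - (padding * 2)`, already capped at `maximumGLTextureSize`), and after the clamp the function continues as if one glyph fits per row. The code that places glyph bitmaps into the texture lies outside this hunk, so it is worth confirming that it never writes a glyph wider than `textureWidth`; if it can, this case should set an error on the font instead of continuing. At minimum I would state the reason on the line, e.g. `if(h < 1) h = 1; // glyph wider than texture row: keep the divisor in numGlyphs / h non-zero`. The line that computes `h` also divides by `glyphWidth`, which looks worth a guard if it is an integer that can be 0 for a degenerate face. `CalculateTextureSize` begins and ends outside the hunk.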
-- 
1.9.1
