Pullup ticket #4775 - requested by sevan

graphics/libwmf: security patch Revisions pulled up: - graphics/libwmf/Makefile 1.77 - graphics/libwmf/distinfo 1.20 - graphics/libwmf/patches/patch-aa 1.8 - graphics/libwmf/patches/patch-src_extra_gd_gd.c 1.1 - graphics/libwmf/patches/patch-src_extra_gd_gd_gd.c 1.1 - graphics/libwmf/patches/patch-src_extra_gd_gd_png.c 1.1 - graphics/libwmf/patches/patch-src_extra_gd_gdft.c 1.1 - graphics/libwmf/patches/patch-src_extra_gd_gdhelpers.c 1.1 - graphics/libwmf/patches/patch-src_extra_gd_gdhelpers.h 1.1 - graphics/libwmf/patches/patch-src_ipa_ipa.h 1.1 - graphics/libwmf/patches/patch-src_player_meta.h 1.1 --- Module Name: pkgsrc Committed By: sevan Date: Fri Jul 17 12:33:47 UTC 2015 Modified Files: pkgsrc/graphics/libwmf: Makefile distinfo pkgsrc/graphics/libwmf/patches: patch-aa Added Files: pkgsrc/graphics/libwmf/patches: patch-src_extra_gd_gd.c patch-src_extra_gd_gd_gd.c patch-src_extra_gd_gd_png.c patch-src_extra_gd_gdft.c patch-src_extra_gd_gdhelpers.c patch-src_extra_gd_gdhelpers.h patch-src_ipa_ipa.h patch-src_player_meta.h Log Message: Patch the following CVEs CVE-2004-0941 CVE-2007-0455 CVE-2007-2756 CVE-2007-3472 CVE-2007-3473 CVE-2007-3477 CVE-2009-3546 CVE-2015-0848 CVE-2015-4588 CVE-2015-4695 CVE-2015-4696 Obtained from: CentOS libwmf RPM git Debian Bug 784205 Debian Bug 784192 Red Hat Bug 1227243 via Jason Unovitch in FreeBSD bug 201513 Reviewed by bsiegert@
author: tron <tron> 2015-07-26 19:49:47 +0000
committer: tron <tron> 2015-07-26 19:49:47 +0000
commit: c74786ee32749df061ef5237a494cdf489de12ed (patch)
tree: 693c1fae094282597c8e9c1a9bce306a340aafd9
parent: 8a1f3b60c01a4f628047f9c9d481c6a8bd71d7e8 (diff)
download: pkgsrc-c74786ee32749df061ef5237a494cdf489de12ed.tar.gz
11 files changed, 429 insertions, 6 deletions
diff --git a/graphics/libwmf/Makefile b/graphics/libwmf/Makefile
index f2b1e490595..18b3e781a79 100644
--- a/graphics/libwmf/Makefile
+++ b/graphics/libwmf/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.76 2014/10/09 14:06:36 wiz Exp $
+# $NetBSD: Makefile,v 1.76.6.1 2015/07/26 19:49:47 tron Exp $
 
 DISTNAME=	libwmf-0.2.8.4
-PKGREVISION=	15
+PKGREVISION=	16
 CATEGORIES=	graphics devel
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE:=wvware/}
 
diff --git a/graphics/libwmf/distinfo b/graphics/libwmf/distinfo
index e589720441d..e522576344a 100644
--- a/graphics/libwmf/distinfo
+++ b/graphics/libwmf/distinfo
@@ -1,8 +1,16 @@
-$NetBSD: distinfo,v 1.19 2011/01/24 13:55:18 wiz Exp $
+$NetBSD: distinfo,v 1.19.36.1 2015/07/26 19:49:47 tron Exp $
 
 SHA1 (libwmf-0.2.8.4.tar.gz) = 822ab3bd0f5e8f39ad732f2774a8e9f18fc91e89
 RMD160 (libwmf-0.2.8.4.tar.gz) = 98cd631adb5bb332d9224d04bc8a265c105435f2
 Size (libwmf-0.2.8.4.tar.gz) = 2169375 bytes
-SHA1 (patch-aa) = ba51d096404b6234f52032f0acc337226d823411
+SHA1 (patch-aa) = e687f9f8c20e7a9b1ed4718c8d37b7407658c52c
 SHA1 (patch-ad) = b74be16c5da490394b86403009f5f35d80ba4bfa
 SHA1 (patch-ae) = f5cbb60757261aaf6084e9fcf16f9074b3013538
+SHA1 (patch-src_extra_gd_gd.c) = 4c00b5625cd054313c8780ed0fc4fb65520258a2
+SHA1 (patch-src_extra_gd_gd_gd.c) = 8678d62d2b1bbb5ee5d71c8e12e5f865ace98fdb
+SHA1 (patch-src_extra_gd_gd_png.c) = 4cde34078cb5c79f526493cac578301eb7cfb849
+SHA1 (patch-src_extra_gd_gdft.c) = 157ec6a4be6a0d7a3651227165d7a0c4e5ec82c6
+SHA1 (patch-src_extra_gd_gdhelpers.c) = 9fe826eaca3560a9dc5bbbaafc074f565fd6d4bd
+SHA1 (patch-src_extra_gd_gdhelpers.h) = f8d06383430f81cbe754966ef27f7c3505a5f916
+SHA1 (patch-src_ipa_ipa.h) = 84dd4084e62a1ab9820282e4587ef312eee1c770
+SHA1 (patch-src_player_meta.h) = 1681ef8272efb01de4e340a3347493dcc37473f2
diff --git a/graphics/libwmf/patches/patch-aa b/graphics/libwmf/patches/patch-aa
index 9215c544068..c86418b703f 100644
--- a/graphics/libwmf/patches/patch-aa
+++ b/graphics/libwmf/patches/patch-aa
@@ -1,9 +1,17 @@
-$NetBSD: patch-aa,v 1.7 2011/01/24 13:55:18 wiz Exp $
+$NetBSD: patch-aa,v 1.7.36.1 2015/07/26 19:49:47 tron Exp $
 
 Fix build with png-1.5.
 https://sourceforge.net/tracker/?func=detail&aid=3164737&group_id=10501&atid=110501
 
---- src/ipa/ipa/bmp.h.orig	2001-10-23 11:24:12.000000000 +0000
+CVE-2015-4588 - Heap-based buffer overflow in the DecodeImage function in libwmf
+0.2.8.4 allows remote attackers to cause a denial of service (crash) or possibly
+execute arbitrary code via a crafted "run-length count" in an image in a WMF
+file.
+CVE-2015-0848 - Heap-based buffer overflow in libwmf 0.2.8.4 allows remote
+attackers to cause a denial of service (crash) or possibly execute arbitrary
+code via a crafted BMP image.
+
+--- src/ipa/ipa/bmp.h.orig	2015-07-17 11:09:09.000000000 +0000
 +++ src/ipa/ipa/bmp.h
 @@ -66,7 +66,7 @@ static void ldr_bmp_png (wmfAPI* API,wmf
  		return;
@@ -14,3 +22,110 @@ https://sourceforge.net/tracker/?func=detail&aid=3164737&group_id=10501&atid=110
  	{	WMF_DEBUG (API,"Failed to write bitmap as PNG! (setjmp failed)");
  		png_destroy_write_struct (&png_ptr,&info_ptr);
  		wmf_free (API,buffer);
+@@ -859,7 +859,7 @@ static long TellBlob (BMPSource* src)
+ %
+ %
+ */
+-static void DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels)
++static int DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels)
+ {	int byte;
+ 	int count;
+ 	int i;
+@@ -870,12 +870,14 @@ static void DecodeImage (wmfAPI* API,wmf
+ 	U32 u;
+ 
+ 	unsigned char* q;
++	unsigned char* end;
+ 
+ 	for (u = 0; u < ((U32) bmp->width * (U32) bmp->height); u++) pixels[u] = 0;
+ 
+ 	byte = 0;
+ 	x = 0;
+ 	q = pixels;
++	end = pixels + bmp->width * bmp->height;
+ 
+ 	for (y = 0; y < bmp->height; )
+ 	{	count = ReadBlobByte (src);
+@@ -884,7 +886,10 @@ static void DecodeImage (wmfAPI* API,wmf
+ 		{	/* Encoded mode. */
+ 			byte = ReadBlobByte (src);
+ 			for (i = 0; i < count; i++)
+-			{	if (compression == 1)
++			{	
++				if (q == end)
++					return 0;
++			 	if (compression == 1)
+ 				{	(*(q++)) = (unsigned char) byte;
+ 				}
+ 				else
+@@ -896,13 +901,15 @@ static void DecodeImage (wmfAPI* API,wmf
+ 		else
+ 		{	/* Escape mode. */
+ 			count = ReadBlobByte (src);
+-			if (count == 0x01) return;
++			if (count == 0x01) return 1;
+ 			switch (count)
+ 			{
+ 			case 0x00:
+ 			 {	/* End of line. */
+ 				x = 0;
+ 				y++;
++				if (y >= bmp->height)
++					return 0;
+ 				q = pixels + y * bmp->width;
+ 				break;
+ 			 }
+@@ -910,13 +917,20 @@ static void DecodeImage (wmfAPI* API,wmf
+ 			 {	/* Delta mode. */
+ 				x += ReadBlobByte (src);
+ 				y += ReadBlobByte (src);
++				if (y >= bmp->height)
++					return 0;
++				if (x >= bmp->width)
++					return 0;
+ 				q = pixels + y * bmp->width + x;
+ 				break;
+ 			 }
+ 			default:
+ 			 {	/* Absolute mode. */
+ 				for (i = 0; i < count; i++)
+-				{	if (compression == 1)
++				{
++					if (q == end)
++						return 0;
++					if (compression == 1)
+ 					{	(*(q++)) = ReadBlobByte (src);
+ 					}
+ 					else
+@@ -943,7 +957,7 @@ static void DecodeImage (wmfAPI* API,wmf
+ 	byte = ReadBlobByte (src);  /* end of line */
+ 	byte = ReadBlobByte (src);
+ 
+-	return;
++	return 1;
+ }
+ 
+ /*
+@@ -1143,8 +1157,20 @@ static void ReadBMPImage (wmfAPI* API,wm
+ 		}
+ 	}
+ 	else
+-	{	/* Convert run-length encoded raster pixels. */
+-		DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image);
++	{
++		if (bmp_info.bits_per_pixel == 8)	/* Convert run-length encoded raster pixels. */
++		{
++			if (!DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image))	
++			{
++				WMF_ERROR (API,"corrupt bmp");
++				API->err = wmf_E_BadFormat;
++			}
++		}
++		else
++		{
++			WMF_ERROR (API,"Unexpected pixel depth");
++			API->err = wmf_E_BadFormat;
++		}
+ 	}
+ 
+ 	if (ERR (API))
diff --git a/graphics/libwmf/patches/patch-src_extra_gd_gd.c b/graphics/libwmf/patches/patch-src_extra_gd_gd.c
new file mode 100644
index 00000000000..0774e78fdbb
--- /dev/null
+++ b/graphics/libwmf/patches/patch-src_extra_gd_gd.c
@@ -0,0 +1,78 @@
+$NetBSD: patch-src_extra_gd_gd.c,v 1.1.2.2 2015/07/26 19:49:47 tron Exp $
+
+CVE-2007-3472 - Integer overflow in gdImageCreateTrueColor function.
+CVE-2007-3473 - The gdImageCreateXbm function in the GD Graphics Library (libgd)
+before 2.0.35 allows user-assisted remote attackers to cause a denial of service
+(crash) via unspecified vectors involving a gdImageCreate failure.
+CVE-2007-3477 - The (a) imagearc and (b) imagefilledarc functions in GD Graphics
+Library (libgd) before 2.0.35 allow attackers to cause a denial of service (CPU
+consumption) via a large (1) start or (2) end angle degree value.
+
+--- src/extra/gd/gd.c.orig	2005-07-27 20:35:05.000000000 +0000
++++ src/extra/gd/gd.c
+@@ -106,6 +106,18 @@ gdImageCreateTrueColor (int sx, int sy)
+   gdImagePtr im;
+   unsigned long cpa_size;
+ 
++  if (overflow2(sx, sy)) {
++    return NULL;
++  }
++
++  if (overflow2(sizeof (int *), sy)) {
++    return NULL;
++  }
++
++  if (overflow2(sizeof(int), sx)) {
++    return NULL;
++  }
++
+   im = (gdImage *) gdMalloc (sizeof (gdImage));
+   if (im == 0) return 0;
+   memset (im, 0, sizeof (gdImage));
+@@ -1321,10 +1333,31 @@ gdImageFilledArc (gdImagePtr im, int cx,
+   int w2, h2;
+   w2 = w / 2;
+   h2 = h / 2;
+-  while (e < s)
+-    {
+-      e += 360;
+-    }
++
++  if ((s % 360)  == (e % 360)) {
++         s = 0; e = 360;
++  } else {
++         if (s > 360) {
++                 s = s % 360;
++         }
++
++         if (e > 360) {
++                 e = e % 360;
++         }
++
++         while (s < 0) {
++                 s += 360;
++         }
++
++         while (e < s) {
++                 e += 360;
++         }
++
++         if (s == e) {
++                 s = 0; e = 360;
++         }
++  }
++
+   for (i = s; (i <= e); i++)
+     {
+       int x, y;
+@@ -2169,6 +2202,10 @@ gdImageCreateFromXbm (FILE * fd)
+     }
+   bytes = (w * h / 8) + 1;
+   im = gdImageCreate (w, h);
++  if (!im) {
++    return 0;
++  }
++
+   gdImageColorAllocate (im, 255, 255, 255);
+   gdImageColorAllocate (im, 0, 0, 0);
+   x = 0;
diff --git a/graphics/libwmf/patches/patch-src_extra_gd_gd_gd.c b/graphics/libwmf/patches/patch-src_extra_gd_gd_gd.c
new file mode 100644
index 00000000000..7125872f3d6
--- /dev/null
+++ b/graphics/libwmf/patches/patch-src_extra_gd_gd_gd.c
@@ -0,0 +1,20 @@
+$NetBSD: patch-src_extra_gd_gd_gd.c,v 1.1.2.2 2015/07/26 19:49:47 tron Exp $
+
+CVE-2009-3546 - The _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.x
+before 5.3.1, and the GD Graphics Library 2.x, does not properly verify a
+certain colorsTotal structure member, which might allow remote attackers to
+conduct buffer overflow or buffer over-read attacks via a crafted GD file.
+
+--- src/extra/gd/gd_gd.c.orig	2005-07-27 20:35:05.000000000 +0000
++++ src/extra/gd/gd_gd.c
+@@ -37,6 +37,10 @@ _gdGetColors (gdIOCtx * in, gdImagePtr i
+ 	    {
+ 	      goto fail1;
+ 	    }
++	  if (&im->colorsTotal > gdMaxColors)
++	    {
++	      goto fail1;
++	    }
+ 	}
+       /* Int to accommodate truecolor single-color transparency */
+       if (!gdGetInt (&im->transparent, in))
diff --git a/graphics/libwmf/patches/patch-src_extra_gd_gd_png.c b/graphics/libwmf/patches/patch-src_extra_gd_gd_png.c
new file mode 100644
index 00000000000..9b0d6c28d4a
--- /dev/null
+++ b/graphics/libwmf/patches/patch-src_extra_gd_gd_png.c
@@ -0,0 +1,37 @@
+$NetBSD: patch-src_extra_gd_gd_png.c,v 1.1.2.2 2015/07/26 19:49:47 tron Exp $
+
+CVE-2004-0941 - Multiple buffer overflows in the gd graphics library
+CVE-2007-2756 - Denial of service (CPU consumption) via a crafted PNG image with
+truncated data
+
+--- src/extra/gd/gd_png.c.orig	2015-07-16 23:29:21.000000000 +0000
++++ src/extra/gd/gd_png.c
+@@ -78,8 +78,11 @@ static void
+ gdPngReadData (png_structp png_ptr,
+ 	       png_bytep data, png_size_t length)
+ {
+-  gdGetBuf (data, length, (gdIOCtx *)
+-	    png_get_io_ptr (png_ptr));
++  int check;
++  check = gdGetBuf (data, length, (gdIOCtx *) png_get_io_ptr (png_ptr));
++  if (check != length) {
++    png_error(png_ptr, "Read Error: truncated data");
++  }
+ }
+ 
+ static void
+@@ -181,6 +184,14 @@ gdImageCreateFromPngCtx (gdIOCtx * infil
+ 
+   png_get_IHDR (png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
+ 		&interlace_type, NULL, NULL);
++  if (overflow2(sizeof (int), width)) 
++    {
++      return NULL;
++    }
++  if (overflow2(sizeof (int) * width, height)) 
++    {
++      return NULL;
++    }  
+   if ((color_type == PNG_COLOR_TYPE_RGB) ||
+       (color_type == PNG_COLOR_TYPE_RGB_ALPHA))
+     {
diff --git a/graphics/libwmf/patches/patch-src_extra_gd_gdft.c b/graphics/libwmf/patches/patch-src_extra_gd_gdft.c
new file mode 100644
index 00000000000..462e10d7fcf
--- /dev/null
+++ b/graphics/libwmf/patches/patch-src_extra_gd_gdft.c
@@ -0,0 +1,15 @@
+$NetBSD: patch-src_extra_gd_gdft.c,v 1.1.2.2 2015/07/26 19:49:47 tron Exp $
+
+CVE-2007-0455 - Buffer overflow in the gdImageStringFTEx
+
+--- src/extra/gd/gdft.c.orig	2005-07-27 20:35:05.000000000 +0000
++++ src/extra/gd/gdft.c
+@@ -809,7 +809,7 @@ gdImageStringFT (gdImage * im, int *brec
+ 	    {
+ 	      ch = c & 0xFF;	/* don't extend sign */
+ 	    }
+-	  next++;
++	  if (*next) next++;
+ 	}
+       else
+ 	{
diff --git a/graphics/libwmf/patches/patch-src_extra_gd_gdhelpers.c b/graphics/libwmf/patches/patch-src_extra_gd_gdhelpers.c
new file mode 100644
index 00000000000..18e7cd10e86
--- /dev/null
+++ b/graphics/libwmf/patches/patch-src_extra_gd_gdhelpers.c
@@ -0,0 +1,33 @@
+$NetBSD: patch-src_extra_gd_gdhelpers.c,v 1.1.2.2 2015/07/26 19:49:47 tron Exp $
+
+CVE-2007-3472 - Integer overflow in gdImageCreateTrueColor function.
+
+--- src/extra/gd/gdhelpers.c.orig	2015-07-16 23:34:21.000000000 +0000
++++ src/extra/gd/gdhelpers.c
+@@ -2,6 +2,7 @@
+ #include "gdhelpers.h"
+ #include <stdlib.h>
+ #include <string.h>
++#include <limits.h>
+ 
+ /* TBB: gd_strtok_r is not portable; provide an implementation */
+ 
+@@ -94,3 +95,18 @@ gdFree (void *ptr)
+ {
+   free (ptr);
+ }
++
++int overflow2(int a, int b)
++{
++	if(a < 0 || b < 0) {
++		fprintf(stderr, "gd warning: one parameter to a memory allocation multiplication is negative, failing operation gracefully\n");
++		return 1;
++	}
++	if(b == 0)
++		return 0;
++	if(a > INT_MAX / b) {
++		fprintf(stderr, "gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully\n");
++		return 1;
++	}
++	return 0;
++}
diff --git a/graphics/libwmf/patches/patch-src_extra_gd_gdhelpers.h b/graphics/libwmf/patches/patch-src_extra_gd_gdhelpers.h
new file mode 100644
index 00000000000..21d58882a06
--- /dev/null
+++ b/graphics/libwmf/patches/patch-src_extra_gd_gdhelpers.h
@@ -0,0 +1,14 @@
+$NetBSD: patch-src_extra_gd_gdhelpers.h,v 1.1.2.2 2015/07/26 19:49:47 tron Exp $
+
+CVE-2007-3472 - Integer overflow in gdImageCreateTrueColor function.
+
+--- src/extra/gd/gdhelpers.h.orig	2001-03-28 09:37:31.000000000 +0000
++++ src/extra/gd/gdhelpers.h
+@@ -13,5 +13,7 @@ void *gdCalloc(size_t nmemb, size_t size
+ void *gdMalloc(size_t size);
+ void *gdRealloc(void *ptr, size_t size);
+ 
++int overflow2(int a, int b);
++
+ #endif /* GDHELPERS_H */
+ 
diff --git a/graphics/libwmf/patches/patch-src_ipa_ipa.h b/graphics/libwmf/patches/patch-src_ipa_ipa.h
new file mode 100644
index 00000000000..1d6785147b8
--- /dev/null
+++ b/graphics/libwmf/patches/patch-src_ipa_ipa.h
@@ -0,0 +1,18 @@
+$NetBSD: patch-src_ipa_ipa.h,v 1.1.2.2 2015/07/26 19:49:47 tron Exp $
+
+CVE-2015-4588 - Heap-based buffer overflow in the DecodeImage function in libwmf
+0.2.8.4 allows remote attackers to cause a denial of service (crash) or possibly
+execute arbitrary code via a crafted "run-length count" in an image in a WMF
+file.
+
+--- src/ipa/ipa.h.orig	2015-07-17 00:40:28.000000000 +0000
++++ src/ipa/ipa.h
+@@ -48,7 +48,7 @@ static int            ReadBlobByte (BMPS
+ static unsigned short ReadBlobLSBShort (BMPSource*);
+ static unsigned long  ReadBlobLSBLong (BMPSource*);
+ static long           TellBlob (BMPSource*);
+-static void           DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned int,unsigned char*);
++static int            DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned int,unsigned char*);
+ static void           ReadBMPImage (wmfAPI*,wmfBMP*,BMPSource*);
+ static int            ExtractColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned int,unsigned int);
+ static void           SetColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned char,unsigned int,unsigned int);
diff --git a/graphics/libwmf/patches/patch-src_player_meta.h b/graphics/libwmf/patches/patch-src_player_meta.h
new file mode 100644
index 00000000000..2c34cb29d72
--- /dev/null
+++ b/graphics/libwmf/patches/patch-src_player_meta.h
@@ -0,0 +1,85 @@
+$NetBSD: patch-src_player_meta.h,v 1.1.2.2 2015/07/26 19:49:47 tron Exp $
+
+CVE-2015-4695 - meta.h in libwmf 0.2.8.4 allows remote attackers to cause a
+denial of service (out-of-bounds read) via a crafted WMF file.
+CVE-2015-4696 - Use-after-free vulnerability in libwmf 0.2.8.4 allows remote
+attackers to cause a denial of service (crash) via a crafted WMF file to the (1)
+wmf2gd or (2) wmf2eps command.
+
+--- src/player/meta.h.orig	2005-07-27 20:35:06.000000000 +0000
++++ src/player/meta.h
+@@ -1565,7 +1565,7 @@ static int meta_rgn_create (wmfAPI* API,
+ 	objects = P->objects;
+ 
+ 	i = 0;
+-	while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++	while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+ 
+ 	if (i == NUM_OBJECTS (API))
+ 	{	WMF_ERROR (API,"Object out of range!");
+@@ -2142,7 +2142,7 @@ static int meta_dib_brush (wmfAPI* API,w
+ 	objects = P->objects;
+ 
+ 	i = 0;
+-	while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++	while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+ 
+ 	if (i == NUM_OBJECTS (API))
+ 	{	WMF_ERROR (API,"Object out of range!");
+@@ -2585,6 +2585,8 @@ static int meta_dc_restore (wmfAPI* API,
+ 			polyrect.BR[i] = clip->rects[i].BR;
+ 		}
+ 
++		if (FR->region_clip) FR->region_clip (API,&polyrect);
++
+ 		wmf_free (API,polyrect.TL);
+ 		wmf_free (API,polyrect.BR);
+ 	}
+@@ -2593,9 +2595,9 @@ static int meta_dc_restore (wmfAPI* API,
+ 		polyrect.BR = 0;
+ 
+ 		polyrect.count = 0;
+-	}
+ 
+-	if (FR->region_clip) FR->region_clip (API,&polyrect);
++		if (FR->region_clip) FR->region_clip (API,&polyrect);
++	}
+ 
+ 	return (changed);
+ }
+@@ -3067,7 +3069,7 @@ static int meta_pen_create (wmfAPI* API,
+ 	objects = P->objects;
+ 
+ 	i = 0;
+-	while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++	while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+ 
+ 	if (i == NUM_OBJECTS (API))
+ 	{	WMF_ERROR (API,"Object out of range!");
+@@ -3181,7 +3183,7 @@ static int meta_brush_create (wmfAPI* AP
+ 	objects = P->objects;
+ 
+ 	i = 0;
+-	while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++	while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+ 
+ 	if (i == NUM_OBJECTS (API))
+ 	{	WMF_ERROR (API,"Object out of range!");
+@@ -3288,7 +3290,7 @@ static int meta_font_create (wmfAPI* API
+ 	objects = P->objects;
+ 
+ 	i = 0;
+-	while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++	while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+ 
+ 	if (i == NUM_OBJECTS (API))
+ 	{	WMF_ERROR (API,"Object out of range!");
+@@ -3396,7 +3398,7 @@ static int meta_palette_create (wmfAPI* 
+ 	objects = P->objects;
+ 
+ 	i = 0;
+-	while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++	while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+ 
+ 	if (i == NUM_OBJECTS (API))
+ 	{	WMF_ERROR (API,"Object out of range!");
author	tron <tron>	2015-07-26 19:49:47 +0000
committer	tron <tron>	2015-07-26 19:49:47 +0000
commit	c74786ee32749df061ef5237a494cdf489de12ed (patch)
tree	693c1fae094282597c8e9c1a9bce306a340aafd9
parent	8a1f3b60c01a4f628047f9c9d481c6a8bd71d7e8 (diff)
download	pkgsrc-c74786ee32749df061ef5237a494cdf489de12ed.tar.gz