author | sevan <sevan@pkgsrc.org> | 2015-07-17 12:33:47 +0000 |
---|---|---|
committer | sevan <sevan@pkgsrc.org> | 2015-07-17 12:33:47 +0000 |
commit | edf78568940469cb956163452745c1ebbacb062e (patch) | |
tree | 152f4e2f12c17a2d0d77f4902240278bcbdeba56 /graphics/libwmf | |
parent | c81df5e0f2cf11a2b2d95b3ca9e9621db77dbccf (diff) | |
Patch the following CVEs
CVE-2004-0941
CVE-2007-0455
CVE-2007-2756
CVE-2007-3472
CVE-2007-3473
CVE-2007-3477
CVE-2009-3546
CVE-2015-0848
CVE-2015-4588
CVE-2015-4695
CVE-2015-4696
Obtained from:
CentOS libwmf RPM git
Debian Bug 784205
Debian Bug 784192
Red Hat Bug 1227243
via Jason Unovitch in FreeBSD bug 201513
Reviewed by bsiegert@
Diffstat (limited to 'graphics/libwmf')
-rw-r--r-- | graphics/libwmf/Makefile | 4 | ||||
-rw-r--r-- | graphics/libwmf/distinfo | 12 | ||||
-rw-r--r-- | graphics/libwmf/patches/patch-aa | 119 | ||||
-rw-r--r-- | graphics/libwmf/patches/patch-src_extra_gd_gd.c | 78 | ||||
-rw-r--r-- | graphics/libwmf/patches/patch-src_extra_gd_gd_gd.c | 20 | ||||
-rw-r--r-- | graphics/libwmf/patches/patch-src_extra_gd_gd_png.c | 37 | ||||
-rw-r--r-- | graphics/libwmf/patches/patch-src_extra_gd_gdft.c | 15 | ||||
-rw-r--r-- | graphics/libwmf/patches/patch-src_extra_gd_gdhelpers.c | 33 | ||||
-rw-r--r-- | graphics/libwmf/patches/patch-src_extra_gd_gdhelpers.h | 14 | ||||
-rw-r--r-- | graphics/libwmf/patches/patch-src_ipa_ipa.h | 18 | ||||
-rw-r--r-- | graphics/libwmf/patches/patch-src_player_meta.h | 85 |
11 files changed, 429 insertions, 6 deletions
diff --git a/graphics/libwmf/Makefile b/graphics/libwmf/Makefile index f2b1e490595..951a5040048 100644 --- a/graphics/libwmf/Makefile +++ b/graphics/libwmf/Makefile @@ -1,7 +1,7 @@ -# $NetBSD: Makefile,v 1.76 2014/10/09 14:06:36 wiz Exp $ +# $NetBSD: Makefile,v 1.77 2015/07/17 12:33:47 sevan Exp $ DISTNAME= libwmf-0.2.8.4 -PKGREVISION= 15 +PKGREVISION= 16 CATEGORIES= graphics devel MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=wvware/} diff --git a/graphics/libwmf/distinfo b/graphics/libwmf/distinfo index e589720441d..3945008d696 100644 --- a/graphics/libwmf/distinfo +++ b/graphics/libwmf/distinfo @@ -1,8 +1,16 @@ -$NetBSD: distinfo,v 1.19 2011/01/24 13:55:18 wiz Exp $ +$NetBSD: distinfo,v 1.20 2015/07/17 12:33:47 sevan Exp $ SHA1 (libwmf-0.2.8.4.tar.gz) = 822ab3bd0f5e8f39ad732f2774a8e9f18fc91e89 RMD160 (libwmf-0.2.8.4.tar.gz) = 98cd631adb5bb332d9224d04bc8a265c105435f2 Size (libwmf-0.2.8.4.tar.gz) = 2169375 bytes -SHA1 (patch-aa) = ba51d096404b6234f52032f0acc337226d823411 +SHA1 (patch-aa) = e687f9f8c20e7a9b1ed4718c8d37b7407658c52c SHA1 (patch-ad) = b74be16c5da490394b86403009f5f35d80ba4bfa SHA1 (patch-ae) = f5cbb60757261aaf6084e9fcf16f9074b3013538 +SHA1 (patch-src_extra_gd_gd.c) = 4c00b5625cd054313c8780ed0fc4fb65520258a2 +SHA1 (patch-src_extra_gd_gd_gd.c) = 8678d62d2b1bbb5ee5d71c8e12e5f865ace98fdb +SHA1 (patch-src_extra_gd_gd_png.c) = 4cde34078cb5c79f526493cac578301eb7cfb849 +SHA1 (patch-src_extra_gd_gdft.c) = 157ec6a4be6a0d7a3651227165d7a0c4e5ec82c6 +SHA1 (patch-src_extra_gd_gdhelpers.c) = 9fe826eaca3560a9dc5bbbaafc074f565fd6d4bd +SHA1 (patch-src_extra_gd_gdhelpers.h) = f8d06383430f81cbe754966ef27f7c3505a5f916 +SHA1 (patch-src_ipa_ipa.h) = 84dd4084e62a1ab9820282e4587ef312eee1c770 +SHA1 (patch-src_player_meta.h) = 1681ef8272efb01de4e340a3347493dcc37473f2 diff --git a/graphics/libwmf/patches/patch-aa b/graphics/libwmf/patches/patch-aa index 9215c544068..3a194d58537 100644 --- a/graphics/libwmf/patches/patch-aa +++ b/graphics/libwmf/patches/patch-aa 
@@ -1,9 +1,17 @@ -$NetBSD: patch-aa,v 1.7 2011/01/24 13:55:18 wiz Exp $ +$NetBSD: patch-aa,v 1.8 2015/07/17 12:33:47 sevan Exp $ Fix build with png-1.5. https://sourceforge.net/tracker/?func=detail&aid=3164737&group_id=10501&atid=110501 ---- src/ipa/ipa/bmp.h.orig 2001-10-23 11:24:12.000000000 +0000 +CVE-2015-4588 - Heap-based buffer overflow in the DecodeImage function in libwmf +0.2.8.4 allows remote attackers to cause a denial of service (crash) or possibly +execute arbitrary code via a crafted "run-length count" in an image in a WMF +file. +CVE-2015-0848 - Heap-based buffer overflow in libwmf 0.2.8.4 allows remote +attackers to cause a denial of service (crash) or possibly execute arbitrary +code via a crafted BMP image. + +--- src/ipa/ipa/bmp.h.orig 2015-07-17 11:09:09.000000000 +0000 +++ src/ipa/ipa/bmp.h @@ -66,7 +66,7 @@ static void ldr_bmp_png (wmfAPI* API,wmf return; 
@@ -14,3 +22,110 @@ https://sourceforge.net/tracker/?func=detail&aid=3164737&group_id=10501&atid=110 { WMF_DEBUG (API,"Failed to write bitmap as PNG! (setjmp failed)"); png_destroy_write_struct (&png_ptr,&info_ptr); wmf_free (API,buffer); +@@ -859,7 +859,7 @@ static long TellBlob (BMPSource* src) + % + % + */ +-static void DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels) ++static int DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels) + { int byte; + int count; + int i; +@@ -870,12 +870,14 @@ static void DecodeImage (wmfAPI* API,wmf + U32 u; + + unsigned char* q; ++ unsigned char* end; + + for (u = 0; u < ((U32) bmp->width * (U32) bmp->height); u++) pixels[u] = 0; + + byte = 0; + x = 0; + q = pixels; ++ end = pixels + bmp->width * bmp->height; + + for (y = 0; y < bmp->height; ) + { count = ReadBlobByte (src); +@@ -884,7 +886,10 @@ static void DecodeImage (wmfAPI* API,wmf + { /* Encoded mode. */ + byte = ReadBlobByte (src); + for (i = 0; i < count; i++) +- { if (compression == 1) ++ { ++ if (q == end) ++ return 0; ++ if (compression == 1) + { (*(q++)) = (unsigned char) byte; + } + else +@@ -896,13 +901,15 @@ static void DecodeImage (wmfAPI* API,wmf + else + { /* Escape mode. */ + count = ReadBlobByte (src); +- if (count == 0x01) return; ++ if (count == 0x01) return 1; + switch (count) + { + case 0x00: + { /* End of line. */ + x = 0; + y++; ++ if (y >= bmp->height) ++ return 0; + q = pixels + y * bmp->width; + break; + } +@@ -910,13 +917,20 @@ static void DecodeImage (wmfAPI* API,wmf + { /* Delta mode. */ + x += ReadBlobByte (src); + y += ReadBlobByte (src); ++ if (y >= bmp->height) ++ return 0; ++ if (x >= bmp->width) ++ return 0; + q = pixels + y * bmp->width + x; + break; + } + default: + { /* Absolute mode. 
*/ + for (i = 0; i < count; i++) +- { if (compression == 1) ++ { ++ if (q == end) ++ return 0; ++ if (compression == 1) + { (*(q++)) = ReadBlobByte (src); + } + else +@@ -943,7 +957,7 @@ static void DecodeImage (wmfAPI* API,wmf + byte = ReadBlobByte (src); /* end of line */ + byte = ReadBlobByte (src); + +- return; ++ return 1; + } + + /* +@@ -1143,8 +1157,20 @@ static void ReadBMPImage (wmfAPI* API,wm + } + } + else +- { /* Convert run-length encoded raster pixels. */ +- DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image); ++ { ++ if (bmp_info.bits_per_pixel == 8) /* Convert run-length encoded raster pixels. */ ++ { ++ if (!DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image)) ++ { ++ WMF_ERROR (API,"corrupt bmp"); ++ API->err = wmf_E_BadFormat; ++ } ++ } ++ else ++ { ++ WMF_ERROR (API,"Unexpected pixel depth"); ++ API->err = wmf_E_BadFormat; ++ } + } + + if (ERR (API)) diff --git a/graphics/libwmf/patches/patch-src_extra_gd_gd.c b/graphics/libwmf/patches/patch-src_extra_gd_gd.c new file mode 100644 index 00000000000..2b31cea73de --- /dev/null +++ b/graphics/libwmf/patches/patch-src_extra_gd_gd.c 
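Review bot: In the DecodeImage hunks for src/ipa/ipa/bmp.h, the new bound `end = pixels + bmp->width * bmp->height;` multiplies without the `(U32)` casts that the zeroing loop just above it uses, so the two can disagree about the buffer size for large dimensions; `end = pixels + (U32) bmp->width * (U32) bmp->height;` keeps them consistent. The write guards test `q == end` only, which holds as long as q advances one byte at a time; the non-`compression == 1` branches are outside the hunks, so confirm they cannot step past `end`. In delta mode only the upper bounds of x and y are checked; ReadBlobByte returns int, so if it can return a negative value at end of data and x/y are signed, a lower bound is needed as well, e.g. `if (x < 0 || y < 0 || x >= bmp->width || y >= bmp->height) return 0;`.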
@@ -0,0 +1,78 @@
+$NetBSD: patch-src_extra_gd_gd.c,v 1.1 2015/07/17 12:33:47 sevan Exp $
+
+CVE-2007-3472 - Integer overflow in gdImageCreateTrueColor function.
+CVE-2007-3473 - The gdImageCreateXbm function in the GD Graphics Library (libgd)
+before 2.0.35 allows user-assisted remote attackers to cause a denial of service
+(crash) via unspecified vectors involving a gdImageCreate failure.
+CVE-2007-3477 - The (a) imagearc and (b) imagefilledarc functions in GD Graphics
+Library (libgd) before 2.0.35 allow attackers to cause a denial of service (CPU
+consumption) via a large (1) start or (2) end angle degree value.
+
+--- src/extra/gd/gd.c.orig 2005-07-27 20:35:05.000000000 +0000
++++ src/extra/gd/gd.c
+@@ -106,6 +106,18 @@ gdImageCreateTrueColor (int sx, int sy)
+ gdImagePtr im;
+ unsigned long cpa_size;
+
++ if (overflow2(sx, sy)) {
++ return NULL;
++ }
++
++ if (overflow2(sizeof (int *), sy)) {
++ return NULL;
++ }
++
++ if (overflow2(sizeof(int), sx)) {
++ return NULL;
++ }
++
+ im = (gdImage *) gdMalloc (sizeof (gdImage));
+ if (im == 0) return 0;
+ memset (im, 0, sizeof (gdImage));
+@@ -1321,10 +1333,31 @@ gdImageFilledArc (gdImagePtr im, int cx,
+ int w2, h2;
+ w2 = w / 2;
+ h2 = h / 2;
+- while (e < s)
+- {
+- e += 360;
+- }
++
++ if ((s % 360) == (e % 360)) {
++ s = 0; e = 360;
++ } else {
++ if (s > 360) {
++ s = s % 360;
++ }
++
++ if (e > 360) {
++ e = e % 360;
++ }
++
++ while (s < 0) {
++ s += 360;
++ }
++
++ while (e < s) {
++ e += 360;
++ }
++
++ if (s == e) {
++ s = 0; e = 360;
++ }
++ }
++
+ for (i = s; (i <= e); i++)
+ {
+ int x, y;
+@@ -2169,6 +2202,10 @@ gdImageCreateFromXbm (FILE * fd)
+ }
+ bytes = (w * h / 8) + 1;
+ im = gdImageCreate (w, h);
++ if (!im) {
++ return 0;
++ }
++
+ gdImageColorAllocate (im, 255, 255, 255);
+ gdImageColorAllocate (im, 0, 0, 0);
+ x = 0;
diff --git a/graphics/libwmf/patches/patch-src_extra_gd_gd_gd.c b/graphics/libwmf/patches/patch-src_extra_gd_gd_gd.c
new file mode 100644
index 00000000000..a5a85bfeb94
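Review bot: In the gdImageCreateFromXbm hunk the added NULL check comes after `bytes = (w * h / 8) + 1;`, and that signed multiplication of the two dimensions is still unguarded; adding `if (overflow2(w, h)) return 0;` before it would match the checks this patch puts into gdImageCreateTrueColor. gdImageCreate itself is not touched by this patch, so whether it rejects oversized sx/sy cannot be seen from here and should be confirmed. In gdImageFilledArc, `while (s < 0) s += 360;` still loops in proportion to the magnitude of a large negative start angle; `s = s % 360; if (s < 0) s += 360;` normalises it in constant time. All three functions continue outside their hunks.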
--- /dev/null
+++ b/graphics/libwmf/patches/patch-src_extra_gd_gd_gd.c
@@ -0,0 +1,20 @@
+$NetBSD: patch-src_extra_gd_gd_gd.c,v 1.1 2015/07/17 12:33:47 sevan Exp $
+
+CVE-2009-3546 - The _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.x
+before 5.3.1, and the GD Graphics Library 2.x, does not properly verify a
+certain colorsTotal structure member, which might allow remote attackers to
+conduct buffer overflow or buffer over-read attacks via a crafted GD file.
+
+--- src/extra/gd/gd_gd.c.orig 2005-07-27 20:35:05.000000000 +0000
++++ src/extra/gd/gd_gd.c
+@@ -37,6 +37,10 @@ _gdGetColors (gdIOCtx * in, gdImagePtr i
+ {
+ goto fail1;
+ }
++ if (&im->colorsTotal > gdMaxColors)
++ {
++ goto fail1;
++ }
+ }
+ /* Int to accommodate truecolor single-color transparency */
+ if (!gdGetInt (&im->transparent, in))
diff --git a/graphics/libwmf/patches/patch-src_extra_gd_gd_png.c b/graphics/libwmf/patches/patch-src_extra_gd_gd_png.c
new file mode 100644
index 00000000000..68fe100457c
--- /dev/null
+++ b/graphics/libwmf/patches/patch-src_extra_gd_gd_png.c
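Review bot: The check added to _gdGetColors, `if (&im->colorsTotal > gdMaxColors)`, compares the address of the field with the limit instead of the value read from the file, so colorsTotal is not validated at all. An object address is practically always larger than gdMaxColors, so every file that reaches this branch would likely be sent to fail1, and compilers will warn about the pointer/integer comparison. The intended test is `if (im->colorsTotal > gdMaxColors)`; if colorsTotal is a signed int, a negative count from the file should be rejected too: `if (im->colorsTotal < 0 || im->colorsTotal > gdMaxColors)`. The enclosing function starts and ends outside the hunk.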
@@ -0,0 +1,37 @@
+$NetBSD: patch-src_extra_gd_gd_png.c,v 1.1 2015/07/17 12:33:47 sevan Exp $
+
+CVE-2004-0941 - Multiple buffer overflows in the gd graphics library
+CVE-2007-2756 - Denial of service (CPU consumption) via a crafted PNG image with
+truncated data
+
+--- src/extra/gd/gd_png.c.orig 2015-07-16 23:29:21.000000000 +0000
++++ src/extra/gd/gd_png.c
+@@ -78,8 +78,11 @@ static void
+ gdPngReadData (png_structp png_ptr,
+ png_bytep data, png_size_t length)
+ {
+- gdGetBuf (data, length, (gdIOCtx *)
+- png_get_io_ptr (png_ptr));
++ int check;
++ check = gdGetBuf (data, length, (gdIOCtx *) png_get_io_ptr (png_ptr));
++ if (check != length) {
++ png_error(png_ptr, "Read Error: truncated data");
++ }
+ }
+
+ static void
+@@ -181,6 +184,14 @@ gdImageCreateFromPngCtx (gdIOCtx * infil
+
+ png_get_IHDR (png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
+ &interlace_type, NULL, NULL);
++ if (overflow2(sizeof (int), width))
++ {
++ return NULL;
++ }
++ if (overflow2(sizeof (int) * width, height))
++ {
++ return NULL;
++ }
+ if ((color_type == PNG_COLOR_TYPE_RGB) ||
+ (color_type == PNG_COLOR_TYPE_RGB_ALPHA))
+ {
diff --git a/graphics/libwmf/patches/patch-src_extra_gd_gdft.c b/graphics/libwmf/patches/patch-src_extra_gd_gdft.c
new file mode 100644
index 00000000000..19b7f1796ce
--- /dev/null
+++ b/graphics/libwmf/patches/patch-src_extra_gd_gdft.c
@@ -0,0 +1,15 @@
+$NetBSD: patch-src_extra_gd_gdft.c,v 1.1 2015/07/17 12:33:47 sevan Exp $
+
+CVE-2007-0455 - Buffer overflow in the gdImageStringFTEx
+
+--- src/extra/gd/gdft.c.orig 2005-07-27 20:35:05.000000000 +0000
++++ src/extra/gd/gdft.c
+@@ -809,7 +809,7 @@ gdImageStringFT (gdImage * im, int *brec
+ {
+ ch = c & 0xFF; /* don't extend sign */
+ }
+- next++;
++ if (*next) next++;
+ }
+ else
+ {
diff --git a/graphics/libwmf/patches/patch-src_extra_gd_gdhelpers.c b/graphics/libwmf/patches/patch-src_extra_gd_gdhelpers.c
new file mode 100644
index 00000000000..c6d56834dc4
--- /dev/null
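Review bot: The two new `return NULL;` paths in gdImageCreateFromPngCtx (gd_png.c) exit after png_ptr and info_ptr have already been used by png_get_IHDR, and nothing in the hunk releases them, so each rejected image appears to leak the libpng read structures. Calling `png_destroy_read_struct (&png_ptr, &info_ptr, NULL);` before each return would avoid that. In gdPngReadData, `check` is an int compared with the png_size_t `length`; writing `if (check < 0 || (png_size_t) check != length)` makes the signed/unsigned comparison explicit. Both functions extend beyond their hunks, so any cleanup done elsewhere is not visible here.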
+++ b/graphics/libwmf/patches/patch-src_extra_gd_gdhelpers.c
@@ -0,0 +1,33 @@
+$NetBSD: patch-src_extra_gd_gdhelpers.c,v 1.1 2015/07/17 12:33:47 sevan Exp $
+
+CVE-2007-3472 - Integer overflow in gdImageCreateTrueColor function.
+
+--- src/extra/gd/gdhelpers.c.orig 2015-07-16 23:34:21.000000000 +0000
++++ src/extra/gd/gdhelpers.c
+@@ -2,6 +2,7 @@
+ #include "gdhelpers.h"
+ #include <stdlib.h>
+ #include <string.h>
++#include <limits.h>
+
+ /* TBB: gd_strtok_r is not portable; provide an implementation */
+
+@@ -94,3 +95,18 @@ gdFree (void *ptr)
+ {
+ free (ptr);
+ }
++
++int overflow2(int a, int b)
++{
++ if(a < 0 || b < 0) {
++ fprintf(stderr, "gd warning: one parameter to a memory allocation multiplication is negative, failing operation gracefully\n");
++ return 1;
++ }
++ if(b == 0)
++ return 0;
++ if(a > INT_MAX / b) {
++ fprintf(stderr, "gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully\n");
++ return 1;
++ }
++ return 0;
++}
diff --git a/graphics/libwmf/patches/patch-src_extra_gd_gdhelpers.h b/graphics/libwmf/patches/patch-src_extra_gd_gdhelpers.h
new file mode 100644
index 00000000000..648260a3122
--- /dev/null
+++ b/graphics/libwmf/patches/patch-src_extra_gd_gdhelpers.h
@@ -0,0 +1,14 @@
+$NetBSD: patch-src_extra_gd_gdhelpers.h,v 1.1 2015/07/17 12:33:47 sevan Exp $
+
+CVE-2007-3472 - Integer overflow in gdImageCreateTrueColor function.
+
+--- src/extra/gd/gdhelpers.h.orig 2001-03-28 09:37:31.000000000 +0000
++++ src/extra/gd/gdhelpers.h
+@@ -13,5 +13,7 @@ void *gdCalloc(size_t nmemb, size_t size
+ void *gdMalloc(size_t size);
+ void *gdRealloc(void *ptr, size_t size);
+
++int overflow2(int a, int b);
++
+ #endif /* GDHELPERS_H */
+
diff --git a/graphics/libwmf/patches/patch-src_ipa_ipa.h b/graphics/libwmf/patches/patch-src_ipa_ipa.h
new file mode 100644
index 00000000000..94b14d2bad4
--- /dev/null
+++ b/graphics/libwmf/patches/patch-src_ipa_ipa.h
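Review bot: overflow2 is added to gdhelpers.c without a comment stating its contract, while callers elsewhere in this commit pass `sizeof` expressions and PNG dimensions that are converted to int on the way in. A header comment such as `/* Returns 1 if a or b is negative or a * b would exceed INT_MAX, 0 otherwise; arguments are converted to int. */` would record what a caller may rely on. The function also calls fprintf, but the hunk adds only `<limits.h>`; line 1 of the file is outside the hunk, so confirm that `<stdio.h>` is reachable from there.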
@@ -0,0 +1,18 @@
+$NetBSD: patch-src_ipa_ipa.h,v 1.1 2015/07/17 12:33:47 sevan Exp $
+
+CVE-2015-4588 - Heap-based buffer overflow in the DecodeImage function in libwmf
+0.2.8.4 allows remote attackers to cause a denial of service (crash) or possibly
+execute arbitrary code via a crafted "run-length count" in an image in a WMF
+file.
+
+--- src/ipa/ipa.h.orig 2015-07-17 00:40:28.000000000 +0000
++++ src/ipa/ipa.h
+@@ -48,7 +48,7 @@ static int ReadBlobByte (BMPS
+ static unsigned short ReadBlobLSBShort (BMPSource*);
+ static unsigned long ReadBlobLSBLong (BMPSource*);
+ static long TellBlob (BMPSource*);
+-static void DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned int,unsigned char*);
++static int DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned int,unsigned char*);
+ static void ReadBMPImage (wmfAPI*,wmfBMP*,BMPSource*);
+ static int ExtractColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned int,unsigned int);
+ static void SetColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned char,unsigned int,unsigned int);
diff --git a/graphics/libwmf/patches/patch-src_player_meta.h b/graphics/libwmf/patches/patch-src_player_meta.h
new file mode 100644
index 00000000000..9c66549bb3d
--- /dev/null
+++ b/graphics/libwmf/patches/patch-src_player_meta.h
@@ -0,0 +1,85 @@
+$NetBSD: patch-src_player_meta.h,v 1.1 2015/07/17 12:33:47 sevan Exp $
+
+CVE-2015-4695 - meta.h in libwmf 0.2.8.4 allows remote attackers to cause a
+denial of service (out-of-bounds read) via a crafted WMF file.
+CVE-2015-4696 - Use-after-free vulnerability in libwmf 0.2.8.4 allows remote
+attackers to cause a denial of service (crash) via a crafted WMF file to the (1)
+wmf2gd or (2) wmf2eps command.
+
+--- src/player/meta.h.orig 2005-07-27 20:35:06.000000000 +0000
++++ src/player/meta.h
+@@ -1565,7 +1565,7 @@ static int meta_rgn_create (wmfAPI* API,
+ objects = P->objects;
+
+ i = 0;
+- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+
+ if (i == NUM_OBJECTS (API))
+ { WMF_ERROR (API,"Object out of range!");
+@@ -2142,7 +2142,7 @@ static int meta_dib_brush (wmfAPI* API,w
+ objects = P->objects;
+
+ i = 0;
+- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+
+ if (i == NUM_OBJECTS (API))
+ { WMF_ERROR (API,"Object out of range!");
+@@ -2585,6 +2585,8 @@ static int meta_dc_restore (wmfAPI* API,
+ polyrect.BR[i] = clip->rects[i].BR;
+ }
+
++ if (FR->region_clip) FR->region_clip (API,&polyrect);
++
+ wmf_free (API,polyrect.TL);
+ wmf_free (API,polyrect.BR);
+ }
+@@ -2593,9 +2595,9 @@ static int meta_dc_restore (wmfAPI* API,
+ polyrect.BR = 0;
+
+ polyrect.count = 0;
+- }
+
+- if (FR->region_clip) FR->region_clip (API,&polyrect);
++ if (FR->region_clip) FR->region_clip (API,&polyrect);
++ }
+
+ return (changed);
+ }
+@@ -3067,7 +3069,7 @@ static int meta_pen_create (wmfAPI* API,
+ objects = P->objects;
+
+ i = 0;
+- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+
+ if (i == NUM_OBJECTS (API))
+ { WMF_ERROR (API,"Object out of range!");
+@@ -3181,7 +3183,7 @@ static int meta_brush_create (wmfAPI* AP
+ objects = P->objects;
+
+ i = 0;
+- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+
+ if (i == NUM_OBJECTS (API))
+ { WMF_ERROR (API,"Object out of range!");
+@@ -3288,7 +3290,7 @@ static int meta_font_create (wmfAPI* API
+ objects = P->objects;
+
+ i = 0;
+- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+
+ if (i == NUM_OBJECTS (API))
+ { WMF_ERROR (API,"Object out of range!");
+@@ -3396,7 +3398,7 @@ static int meta_palette_create (wmfAPI*
+ objects = P->objects;
+
+ i = 0;
+- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+
+ if (i == NUM_OBJECTS (API))
+ { WMF_ERROR (API,"Object out of range!"); |
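Review bot: The corrected scan `while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;` is patched identically in six functions of meta.h (meta_rgn_create, meta_dib_brush, meta_pen_create, meta_brush_create, meta_font_create, meta_palette_create), so the bound-before-read order now has to be kept right in six places. A single static helper that returns the first free slot would hold that ordering in one spot. In meta_dc_restore the region_clip call is now duplicated in both branches so that it runs before `wmf_free`; a short comment there, `/* call region_clip before polyrect.TL/BR are freed */`, would keep a later cleanup from merging the two calls again. All of these functions continue outside their hunks.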