Author: gschneider Date: Tue Oct 20 20:34:22 2009 New Revision: 43655 URL: http://svn.reactos.org/svn/reactos?rev=43655&view=rev Log: [gdi32] Prevent possible buffer overrun in TranslateCharsetInfo, see wine bug 19819 for more info Modified: trunk/reactos/dll/win32/gdi32/objects/font.c Modified: trunk/reactos/dll/win32/gdi32/objects/font.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/gdi32/objects/fo… ============================================================================== --- trunk/reactos/dll/win32/gdi32/objects/font.c [iso-8859-1] (original) +++ trunk/reactos/dll/win32/gdi32/objects/font.c [iso-8859-1] Tue Oct 20 20:34:22 2009 @@ -1724,13 +1724,13 @@ int index = 0; switch (flags) { case TCI_SRCFONTSIG: - while (!(*lpSrc>>index & 0x0001) && index<MAXTCIINDEX) index++; + while (index < MAXTCIINDEX && !(*lpSrc>>index & 0x0001)) index++; break; case TCI_SRCCODEPAGE: - while (PtrToUlong(lpSrc) != FONT_tci[index].ciACP && index < MAXTCIINDEX) index++; + while (index < MAXTCIINDEX && PtrToUlong(lpSrc) != FONT_tci[index].ciACP) index++; break; case TCI_SRCCHARSET: - while (PtrToUlong(lpSrc) != FONT_tci[index].ciCharset && index < MAXTCIINDEX) index++; + while (index < MAXTCIINDEX && PtrToUlong(lpSrc) != FONT_tci[index].ciCharset) index++; break; default: return FALSE;