From 59245c6725a26452b9d5aba79387b539c66dfdc2 Mon Sep 17 00:00:00 2001
From: Gregor Schneider <grschneider@gmail.com>
Date: Tue, 20 Oct 2009 18:34:22 +0000
Subject: [PATCH] [gdi32] Prevent possible buffer overrun in
 TranslateCharsetInfo, see wine bug 19819 for more info

svn path=/trunk/; revision=43655
---
 reactos/dll/win32/gdi32/objects/font.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/reactos/dll/win32/gdi32/objects/font.c b/reactos/dll/win32/gdi32/objects/font.c
index a1533f78642..9bdbcd63158 100644
--- a/reactos/dll/win32/gdi32/objects/font.c
+++ b/reactos/dll/win32/gdi32/objects/font.c
@@ -1724,13 +1724,13 @@ TranslateCharsetInfo(
     int index = 0;
     switch (flags) {
     case TCI_SRCFONTSIG:
-	while (!(*lpSrc>>index & 0x0001) && index<MAXTCIINDEX) index++;
+      while (index < MAXTCIINDEX && !(*lpSrc>>index & 0x0001)) index++;
       break;
     case TCI_SRCCODEPAGE:
-      while (PtrToUlong(lpSrc) != FONT_tci[index].ciACP && index < MAXTCIINDEX) index++;
+      while (index < MAXTCIINDEX && PtrToUlong(lpSrc) != FONT_tci[index].ciACP) index++;
       break;
     case TCI_SRCCHARSET:
-      while (PtrToUlong(lpSrc) != FONT_tci[index].ciCharset && index < MAXTCIINDEX) index++;
+      while (index < MAXTCIINDEX && PtrToUlong(lpSrc) != FONT_tci[index].ciCharset) index++;
       break;
     default:
       return FALSE;