From fac8e957c53b5ffeed690c782cc0bd34e07c8438 Mon Sep 17 00:00:00 2001
From: Dylan Smith <dylan.ah.smith@gmail.com>
Date: Tue, 30 Sep 2008 17:11:29 -0400
Subject: [PATCH] richedit: Prevent font or colour buffer overflow on stream
 out.

Static sized buffers are used for storing the colours and fonts, so
there needs to be a check to prevent these buffer from overflowing.
---
 dlls/riched20/writer.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/dlls/riched20/writer.c b/dlls/riched20/writer.c
index 912cae3f48e..6a6ad540c4c 100644
--- a/dlls/riched20/writer.c
+++ b/dlls/riched20/writer.c
@@ -214,7 +214,7 @@ ME_StreamOutRTFFontAndColorTbl(ME_OutStream *pStream, ME_DisplayItem *pFirstRun,
         if (table[i].bCharSet == bCharSet
             && (table[i].szFaceName == face || !lstrcmpW(table[i].szFaceName, face)))
           break;
-      if (i == pStream->nFontTblLen) {
+      if (i == pStream->nFontTblLen && i < STREAMOUT_FONTTBL_SIZE) {
         table[i].bCharSet = bCharSet;
         table[i].szFaceName = face;
         pStream->nFontTblLen++;
@@ -226,7 +226,7 @@ ME_StreamOutRTFFontAndColorTbl(ME_OutStream *pStream, ME_DisplayItem *pFirstRun,
       for (i = 1; i < pStream->nColorTblLen; i++)
         if (pStream->colortbl[i] == crColor)
           break;
-      if (i == pStream->nColorTblLen) {
+      if (i == pStream->nColorTblLen && i < STREAMOUT_COLORTBL_SIZE) {
         pStream->colortbl[i] = crColor;
         pStream->nColorTblLen++;
       }
@@ -236,7 +236,7 @@ ME_StreamOutRTFFontAndColorTbl(ME_OutStream *pStream, ME_DisplayItem *pFirstRun,
       for (i = 1; i < pStream->nColorTblLen; i++)
         if (pStream->colortbl[i] == crColor)
           break;
-      if (i == pStream->nColorTblLen) {
+      if (i == pStream->nColorTblLen && i < STREAMOUT_COLORTBL_SIZE) {
         pStream->colortbl[i] = crColor;
         pStream->nColorTblLen++;
       }