From 677e8e3ca75e25163bfd5c217d9d4c1de09bd242 Mon Sep 17 00:00:00 2001
From: Oleg Oshmyan <chortos@inbox.lv>
Date: Thu, 17 Jun 2021 15:45:57 +0300
Subject: fontconfig: fix misplaced overflow check

This allowed writes to one past the end of `families` and `fullnames`.
---
 libass/ass_fontconfig.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/libass/ass_fontconfig.c b/libass/ass_fontconfig.c
index e5065b5..fd6ea33 100644
--- a/libass/ass_fontconfig.c
+++ b/libass/ass_fontconfig.c
@@ -166,17 +166,17 @@ static void scan_fonts(FcConfig *config, ASS_FontProvider *provider)
 
         // read family names
         meta.n_family = 0;
-        while (FcPatternGetString(pat, FC_FAMILY, meta.n_family,
-                    (FcChar8 **)&families[meta.n_family]) == FcResultMatch
-                    && meta.n_family < MAX_NAME)
+        while (meta.n_family < MAX_NAME &&
+                FcPatternGetString(pat, FC_FAMILY, meta.n_family,
+                    (FcChar8 **)&families[meta.n_family]) == FcResultMatch)
             meta.n_family++;
         meta.families = families;
 
         // read fullnames
         meta.n_fullname = 0;
-        while (FcPatternGetString(pat, FC_FULLNAME, meta.n_fullname,
-                    (FcChar8 **)&fullnames[meta.n_fullname]) == FcResultMatch
-                    && meta.n_fullname < MAX_NAME)
+        while (meta.n_fullname < MAX_NAME &&
+                FcPatternGetString(pat, FC_FULLNAME, meta.n_fullname,
+                    (FcChar8 **)&fullnames[meta.n_fullname]) == FcResultMatch)
             meta.n_fullname++;
         meta.fullnames = fullnames;
 
-- 
cgit v1.2.3