ntdll: Fix heap corruption in RtlDeleteAce.

0154704f · Mike Hearn · Alexandre Julliard · aea0b5d0 · 0154704f
Commit 0154704f authored May 01, 2006 by Mike Hearn Committed by Alexandre Julliard May 08, 2006
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 2 deletions

sec.c dlls/ntdll/sec.c +7 -2

No files found.
--- a/dlls/ntdll/sec.c
+++ b/dlls/ntdll/sec.c
@@ -1132,15 +1132,20 @@ NTSTATUS  WINAPI RtlDeleteAce(PACL pAcl, DWORD dwAceIndex)
 		PACE_HEADER pcAce;
 		DWORD len = 0;

+		/* skip over the ACE we are deleting */
 		pcAce = (PACE_HEADER)(((BYTE*)pAce)+pAce->AceSize);
+		dwAceIndex++;
+
+		/* calculate the length of the rest */
 		for (; dwAceIndex < pAcl->AceCount; dwAceIndex++)
 		{
 			len += pcAce->AceSize;
 			pcAce = (PACE_HEADER)(((BYTE*)pcAce) + pcAce->AceSize);
 		}

-		memcpy(pAce, ((BYTE*)pAce)+pAce->AceSize, len);
-                pAcl->AceCount--;
+		/* slide them all backwards */
+		memmove(pAce, ((BYTE*)pAce)+pAce->AceSize, len);
+		pAcl->AceCount--;
 	}

 	TRACE("pAcl=%p dwAceIndex=%ld status=0x%08lx\n", pAcl, dwAceIndex, status);