Module: wine Branch: refs/heads/master Commit: 0154704f9f8a2f13d2e654c074391ab008c7573f URL: http://source.winehq.org/git/?p=wine.git;a=commit;h=0154704f9f8a2f13d2e654c0... Author: Mike Hearn <mike(a)plan99.net> Date: Mon May 1 09:08:58 2006 +0100 ntdll: Fix heap corruption in RtlDeleteAce. --- dlls/ntdll/sec.c | 9 +++++++-- 1 files changed, 7 insertions(+), 2 deletions(-) diff --git a/dlls/ntdll/sec.c b/dlls/ntdll/sec.c index 8fd21f7..620588b 100644 --- a/dlls/ntdll/sec.c +++ b/dlls/ntdll/sec.c @@ -1132,15 +1132,20 @@ NTSTATUS WINAPI RtlDeleteAce(PACL pAcl, PACE_HEADER pcAce; DWORD len = 0; + /* skip over the ACE we are deleting */ pcAce = (PACE_HEADER)(((BYTE*)pAce)+pAce->AceSize); + dwAceIndex++; + + /* calculate the length of the rest */ for (; dwAceIndex < pAcl->AceCount; dwAceIndex++) { len += pcAce->AceSize; pcAce = (PACE_HEADER)(((BYTE*)pcAce) + pcAce->AceSize); } - memcpy(pAce, ((BYTE*)pAce)+pAce->AceSize, len); - pAcl->AceCount--; + /* slide them all backwards */ + memmove(pAce, ((BYTE*)pAce)+pAce->AceSize, len); + pAcl->AceCount--; } TRACE("pAcl=%p dwAceIndex=%ld status=0x%08lx\n", pAcl, dwAceIndex, status);