Module: wine Branch: refs/heads/master Commit: 0154704f9f8a2f13d2e654c074391ab008c7573f URL: http://source.winehq.org/git/?p=wine.git;a=commit;h=0154704f9f8a2f13d2e654c0...
Author: Mike Hearn mike@plan99.net Date: Mon May 1 09:08:58 2006 +0100
ntdll: Fix heap corruption in RtlDeleteAce.
---
dlls/ntdll/sec.c | 9 +++++++-- 1 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/dlls/ntdll/sec.c b/dlls/ntdll/sec.c
index 8fd21f7..620588b 100644
--- a/dlls/ntdll/sec.c
+++ b/dlls/ntdll/sec.c
@@ -1132,15 +1132,20 @@ NTSTATUS WINAPI RtlDeleteAce(PACL pAcl,
 PACE_HEADER pcAce;
 DWORD len = 0;
+ /* skip over the ACE we are deleting */
 pcAce = (PACE_HEADER)(((BYTE*)pAce)+pAce->AceSize);
+ dwAceIndex++;
+
+ /* calculate the length of the rest */
 for (; dwAceIndex < pAcl->AceCount; dwAceIndex++)
 {
 len += pcAce->AceSize;
 pcAce = (PACE_HEADER)(((BYTE*)pcAce) + pcAce->AceSize);
 }
- memcpy(pAce, ((BYTE*)pAce)+pAce->AceSize, len);
- pAcl->AceCount--;
+ /* slide them all backwards */
+ memmove(pAce, ((BYTE*)pAce)+pAce->AceSize, len);
+ pAcl->AceCount--;
 }
TRACE("pAcl=%p dwAceIndex=%ld status=0x%08lx\n", pAcl, dwAceIndex, status);
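Review bot: The length loop still trusts every `AceSize` it reads, so an ACL whose ACE sizes or `AceCount` do not match the buffer lets the `pcAce` walk and `len` run past the end of the ACL, and the new `memmove` then copies out of bounds. Unless the part of RtlDeleteAce before this hunk already validates the whole ACL (not visible here), I would bound each step against the ACL's declared size, e.g. reject when `pcAce->AceSize < sizeof(ACE_HEADER) || (BYTE*)pcAce + pcAce->AceSize > (BYTE*)pAcl + pAcl->AclSize`, set an error status, and skip both the `memmove` and `pAcl->AceCount--`. Separately, `dwAceIndex` is advanced by the skip and the loop, so the trailing `TRACE` prints the last index walked rather than the index the caller passed; copying it to a local before the loop would keep the trace useful when debugging ACL edits. The function starts before and continues after this hunk.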