From 1e9c10e4a5b34b5dcfe20df236cf96e59ee48c06 Mon Sep 17 00:00:00 2001
From: Thomas Bluemel <thomas@reactsoft.com>
Date: Tue, 11 Dec 2007 17:52:30 +0000
Subject: [PATCH] Fix a buffer overflow accessing the pKeepAce array in
 AccRewriteSetEntriesInAcl

svn path=/trunk/; revision=31157
---
 reactos/dll/win32/ntmarta/ntmarta.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/reactos/dll/win32/ntmarta/ntmarta.c b/reactos/dll/win32/ntmarta/ntmarta.c
index 368524b3430..ccc7d86a2b1 100644
--- a/reactos/dll/win32/ntmarta/ntmarta.c
+++ b/reactos/dll/win32/ntmarta/ntmarta.c
@@ -1020,7 +1020,7 @@ AccRewriteSetEntriesInAcl(ULONG cCountOfExplicitEntries,
     PACL pNew;
     ACL_SIZE_INFORMATION SizeInformation;
     PACE_HEADER pAce;
-    BOOL *pKeepAce = NULL;
+    BOOLEAN *pKeepAce = NULL;
     BOOL needToClean;
     PSID pSid1, pSid2;
     ULONG i;
@@ -1042,14 +1042,14 @@ AccRewriteSetEntriesInAcl(ULONG cCountOfExplicitEntries,
             goto Cleanup;
         }
 
-        pKeepAce = (BOOL *)LocalAlloc(LMEM_FIXED, SizeInformation.AceCount);
+        pKeepAce = (BOOLEAN *)LocalAlloc(LMEM_FIXED, SizeInformation.AceCount * sizeof(*pKeepAce));
         if (!pKeepAce)
         {
             Ret = ERROR_NOT_ENOUGH_MEMORY;
             goto Cleanup;
         }
 
-        memset(pKeepAce, TRUE, SizeInformation.AceCount);
+        memset(pKeepAce, TRUE, SizeInformation.AceCount * sizeof(*pKeepAce));
     }
     else
     {