From a4ba1bf284e2819217245986792e226e284c4956 Mon Sep 17 00:00:00 2001
From: Filip Navara
Date: Mon, 1 Aug 2005 08:55:22 +0000
Subject: [PATCH] Fix paramater validation and pointer manipulation in RtlAddAce.

svn path=/trunk/; revision=16933
---
 reactos/lib/rtl/acl.c | 28 +++++++++++-----------------
 1 file changed, 11 insertions(+), 17 deletions(-)

diff --git a/reactos/lib/rtl/acl.c b/reactos/lib/rtl/acl.c
index 56dabbff54d..6465aa7cdfe 100644
--- a/reactos/lib/rtl/acl.c
+++ b/reactos/lib/rtl/acl.c
@@ -266,9 +266,9 @@ RtlAddAce(PACL Acl,
 ULONG AceListLength)
 {
 PACE Ace;
- ULONG i;
 PACE Current;
- ULONG j;
+ ULONG NewAceCount;
+ ULONG Index;

 PAGED_CODE_RTL();

@@ -289,41 +289,35 @@ RtlAddAce(PACL Acl,
 return(STATUS_INVALID_PARAMETER);
 }

- i = 0;
- Current = (PACE)(Acl + 1);
- while ((ULONG_PTR)Current < ((ULONG_PTR)AceList + AceListLength))
+ for (Current = AceList, NewAceCount = 0;
+ (ULONG_PTR)Current < ((ULONG_PTR)AceList + AceListLength);
+ Current = (PACE)((ULONG_PTR)Current + Current->Header.AceSize),
+ ++NewAceCount)
 {
 if (AceList->Header.AceType == ACCESS_ALLOWED_COMPOUND_ACE_TYPE &&
 AclRevision < ACL_REVISION3)
 {
 return(STATUS_INVALID_PARAMETER);
 }
- Current = (PACE)((ULONG_PTR)Current + Current->Header.AceSize);
 }

 if (Ace == NULL ||
- ((ULONG_PTR)Ace + AceListLength) >= ((ULONG_PTR)Acl + Acl->AclSize))
+ ((ULONG_PTR)Ace + AceListLength) > ((ULONG_PTR)Acl + Acl->AclSize))
 {
 return(STATUS_BUFFER_TOO_SMALL);
 }

- if (StartingIndex != 0)
+ Current = (PACE)(Acl + 1);
+ for (Index = 0; Index < StartingIndex && Index < Acl->AceCount; Index++)
 {
- if (Acl->AceCount > 0)
- {
- Current = (PACE)(Acl + 1);
- for (j = 0; j < StartingIndex; j++)
- {
- Current = (PACE)((ULONG_PTR)Current + Current->Header.AceSize);
- }
- }
+ Current = (PACE)((ULONG_PTR)Current + Current->Header.AceSize);
 }

 RtlpAddData(AceList,
 AceListLength,
 Current,
 (ULONG)((ULONG_PTR)Ace - (ULONG_PTR)Current));
- Acl->AceCount = Acl->AceCount + i;
+ Acl->AceCount = Acl->AceCount + NewAceCount;
 Acl->AclRevision = AclRevision;

 return(STATUS_SUCCESS);
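Review bot: The new validation loop advances by `Current->Header.AceSize` without checking that value, so an entry in the caller-supplied list with `AceSize == 0` keeps the loop from terminating. An entry whose size runs past `AceList + AceListLength` is still counted in `NewAceCount`, leaving `Acl->AceCount` describing an ACE that is only partly present. The loop body also still tests `AceList->Header.AceType`, which is the first ACE on every iteration, where `Current->Header.AceType` looks intended, so a compound ACE later in the list is not rejected below `ACL_REVISION3`. I would return `STATUS_INVALID_PARAMETER` when the remaining length cannot hold an ACE header, or when `AceSize` is smaller than the header or larger than what remains, as sketched below. The function begins above this hunk, so how `Ace` is obtained and what is validated earlier is not visible here.

```c
   /* ... unchanged: for (Current = AceList, NewAceCount = 0; ...) loop header ... */
   {
      ULONG Remaining = AceListLength -
                        (ULONG)((ULONG_PTR)Current - (ULONG_PTR)AceList);

      /* Each ACE must fit in what is left of the list and must advance the cursor. */
      if (Remaining < sizeof(Current->Header) ||
          Current->Header.AceSize < sizeof(Current->Header) ||
          Current->Header.AceSize > Remaining)
      {
         return(STATUS_INVALID_PARAMETER);
      }

      if (Current->Header.AceType == ACCESS_ALLOWED_COMPOUND_ACE_TYPE &&
          AclRevision < ACL_REVISION3)
      /* ... unchanged: return(STATUS_INVALID_PARAMETER) and end of loop ... */
```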