[NTOS]

Fix buffer overrun in ExFreePoolWithTag when dealing with a PoolType other than NonPagedPool and PagedPool. Spotted by Amine Khaldi.

svn path=/trunk/; revision=45134

diff --git a/reactos/ntoskrnl/mm/ARM3/expool.c b/reactos/ntoskrnl/mm/ARM3/expool.c
index 4c5f46b..c10d8c8 100644 (file)
--- a/reactos/ntoskrnl/mm/ARM3/expool.c
+++ b/reactos/ntoskrnl/mm/ARM3/expool.c
@@ -520,7 +520,7 @@ ExFreePoolWithTag(IN PVOID P,
     // for this pool type
     //
     BlockSize = Entry->BlockSize;
-    PoolType = (Entry->PoolType & 3) - 1;
+    PoolType = (Entry->PoolType - 1) & BASE_POOL_TYPE_MASK;
     PoolDesc = PoolVector[PoolType];
 
     //