From fea0ca15e526eceb7a53e6e7dd5efccd8a3a3cf9 Mon Sep 17 00:00:00 2001
From: Aleksey Bragin
Date: Wed, 24 Dec 2008 06:04:25 +0400
Subject: Don't calculate remaining bits if there are none. Fixes out-of-bounds read of a buffer.
---
 dlls/ntdll/rtlbitmap.c | 9 ++++++---
 1 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/dlls/ntdll/rtlbitmap.c b/dlls/ntdll/rtlbitmap.c
index 3656d24..26e80d8 100644
--- a/dlls/ntdll/rtlbitmap.c
+++ b/dlls/ntdll/rtlbitmap.c
@@ -554,9 +554,12 @@ ULONG WINAPI RtlNumberOfSetBits(PCRTL_BITMAP lpBits)
 lpOut++;
 }

- bMasked = *lpOut & NTDLL_maskBits[ulRemainder];
- ulSet += NTDLL_nibbleBitCount[bMasked >> 4];
- ulSet += NTDLL_nibbleBitCount[bMasked & 0xf];
+ if (ulRemainder)
+ {
+ bMasked = *lpOut & NTDLL_maskBits[ulRemainder];
+ ulSet += NTDLL_nibbleBitCount[bMasked >> 4];
+ ulSet += NTDLL_nibbleBitCount[bMasked & 0xf];
+ }
 }
 return ulSet;
 }
--
1.4.4.4
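Review bot: The new `if (ulRemainder)` guard carries no comment explaining why it is needed, so it reads like a micro-optimisation that a later cleanup could remove, reintroducing the out-of-bounds read named in the subject. After the loop `lpOut` has been advanced past every whole byte, so when no partial byte remains (presumably when the bit count is a multiple of eight; the computation of ulRemainder is outside the hunk) it points one past the bitmap buffer and `*lpOut` must not be dereferenced. I would add above the guard: `/* lpOut is past the last whole byte; read it only if a partial byte remains, otherwise this reads beyond the buffer */`. The start of RtlNumberOfSetBits, including the loop header and how ulRemainder is derived, lies outside the hunk, so the bound on the `NTDLL_maskBits[ulRemainder]` index cannot be confirmed from here.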