Index: dll/win32/msafd/misc/dllmain.c
===================================================================
--- dll/win32/msafd/misc/dllmain.c (revision 73197)
+++ dll/win32/msafd/misc/dllmain.c (working copy)
@@ -1050,8 +1050,8 @@
 * to be */
 HandleCount = ( readfds ? readfds->fd_count : 0 ) +
- ( writefds ? writefds->fd_count : 0 ) +
- ( exceptfds ? exceptfds->fd_count : 0 );
+ ( writefds && writefds != readfds ? writefds->fd_count : 0 ) +
+ ( exceptfds && exceptfds != readfds && exceptfds != writefds ? exceptfds->fd_count : 0 );
 if ( HandleCount == 0 )
 {
@@ -1126,6 +1126,14 @@
 if (readfds != NULL)
 {
 for (i = 0; i < readfds->fd_count; i++, j++)
 {
+ if (j > HandleCount)
+ {
+ ERR("Error while counting readfds %ld > %ld\n", j, HandleCount);
+ if (lpErrno) *lpErrno = WSAEFAULT;
+ HeapFree(GlobalHeap, 0, PollBuffer);
+ NtClose(SockEvent);
+ return SOCKET_ERROR;
+ }
 Socket = GetSocketStructure(readfds->fd_array[i]);
 if (!Socket)
 {
@@ -1145,10 +1153,18 @@
 PollInfo->Handles[j].Events |= AFD_EVENT_OOB_RECEIVE;
 }
 }
- if (writefds != NULL)
+ if (writefds != NULL && writefds != readfds)
 {
 for (i = 0; i < writefds->fd_count; i++, j++)
 {
+ if (j > HandleCount)
+ {
+ ERR("Error while counting writefds %ld > %ld\n", j, HandleCount);
+ if (lpErrno) *lpErrno = WSAEFAULT;
+ HeapFree(GlobalHeap, 0, PollBuffer);
+ NtClose(SockEvent);
+ return SOCKET_ERROR;
+ }
 Socket = GetSocketStructure(writefds->fd_array[i]);
 if (!Socket)
 {
@@ -1164,10 +1180,18 @@
 PollInfo->Handles[j].Events |= AFD_EVENT_CONNECT;
 }
 }
- if (exceptfds != NULL)
+ if (exceptfds != NULL && exceptfds != readfds && exceptfds != writefds)
 {
 for (i = 0; i < exceptfds->fd_count; i++, j++)
 {
+ if (j > HandleCount)
+ {
+ ERR("Error while counting exceptfds %ld > %ld\n", j, HandleCount);
+ if (lpErrno) *lpErrno = WSAEFAULT;
+ HeapFree(GlobalHeap, 0, PollBuffer);
+ NtClose(SockEvent);
+ return SOCKET_ERROR;
+ }
 Socket = GetSocketStructure(exceptfds->fd_array[i]);
 if (!Socket)
 {
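Review bot: The three pointer-identity tests added to the HandleCount expression carry the whole aliasing rule of this change but have no comment, so a later reader cannot tell that the fill loops and the FD_ZERO calls further down depend on each distinct set being counted exactly once. A comment above the assignment such as `/* The caller may pass the same fd_set for two or three arguments; count each distinct set once so HandleCount matches the entries the fill loops emit. */` would tie those places together. HandleCount is also still derived from the caller's fd_count values unchecked; if they are not validated against FD_SETSIZE before this point (not visible in the hunk), the later `fd_array[i]` reads can still run past the caller's set. The enclosing function starts outside the hunk.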
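Review bot: The new guard `if (j > HandleCount)` is off by one: when j equals HandleCount the write to `PollInfo->Handles[j]` a few lines below still executes, one entry past a buffer that, as far as these hunks show, was sized for HandleCount entries (the allocation is outside the hunk). The check should read `if (j >= HandleCount)`; the writefds and exceptfds hunks below carry the same off-by-one. As written the guard can only fire if a set's fd_count changes between the HandleCount computation and this loop, which is presumably the case it defends against, so a one-line comment stating that would help the next reader. The loop's enclosing function starts outside the hunk.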
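Review bot: Skipping the writefds loop when `writefds == readfds` means the write-side event bits (such as the AFD_EVENT_CONNECT OR-ed in at the top of the next hunk) are never requested for those sockets, so a caller that passes one fd_set for both read and write now gets read polling only. If that narrowing is intended it should be stated, e.g. `/* An fd_set passed more than once is polled as a read set only; its write/except events are not requested. */` above this condition. If write readiness should still be reported for an aliased set, the alternative is to OR the write events into the entries the readfds loop already created rather than skip the loop, which I cannot judge from the hunk alone. The enclosing function starts outside the hunk.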
@@ -1191,6 +1215,15 @@
 }
 }
+ if (j > HandleCount)
+ {
+ ERR("Error while counting fds %ld > %ld\n", j, HandleCount);
+ if (lpErrno) *lpErrno = WSAEFAULT;
+ HeapFree(GlobalHeap, 0, PollBuffer);
+ NtClose(SockEvent);
+ return SOCKET_ERROR;
+ }
+
 PollInfo->HandleCount = j;
 PollBufferSize = FIELD_OFFSET(AFD_POLL_INFO, Handles) + PollInfo->HandleCount * sizeof(AFD_HANDLE);
@@ -1215,12 +1248,14 @@
 Status = IOSB.Status;
 }
+ NtClose(SockEvent);
+
 /* Clear the Structures */
 if( readfds )
 FD_ZERO(readfds);
- if( writefds )
+ if( writefds && writefds != readfds )
 FD_ZERO(writefds);
- if( exceptfds )
+ if( exceptfds && exceptfds != readfds && exceptfds != writefds )
 FD_ZERO(exceptfds);
 /* Loop through return structure */
@@ -1294,7 +1329,6 @@
 }
 HeapFree( GlobalHeap, 0, PollBuffer );
- NtClose( SockEvent );
 if( lpErrno )
 {
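Review bot: This post-loop `if (j > HandleCount)` can only be reached after a per-iteration guard in the fill loops has already let j == HandleCount through and the entry at Handles[HandleCount] has been written, so it reports the overrun rather than preventing it; once the loop guards compare with `>=` it becomes unreachable and would be better expressed as an assertion. Separately, the same error exit (ERR, set lpErrno, HeapFree, NtClose, return SOCKET_ERROR) now appears four times in this function; a single cleanup label reached by `goto` would keep the release order in one place. The enclosing function starts and ends outside the hunk.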
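Review bot: Moving `NtClose(SockEvent);` up to this point is only safe if nothing between here and the former close site (the FD_ZERO calls, the result loop and the lpErrno path, mostly outside this hunk) still references SockEvent; that is not verifiable from the hunk and deserves a comment such as `/* SockEvent is not needed once the poll has completed. */` so the ordering is not undone later. It is also worth confirming that the pre-existing early exits inside the fill loops (the `if (!Socket)` branches, outside these hunks) release PollBuffer and SockEvent the way the new guards do, otherwise those paths leak both. The function continues past the hunk.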