diff --git a/dlls/advapi32/security.c b/dlls/advapi32/security.c
index 70e2da40e7a..5c4ddde1129 100644
--- a/dlls/advapi32/security.c
+++ b/dlls/advapi32/security.c
@@ -5964,6 +5964,48 @@ BOOL WINAPI FileEncryptionStatusA(LPCSTR lpFileName, LPDWORD lpStatus)
     return TRUE;
 }
 
+static NTSTATUS combine_dacls(ACL *parent, ACL *child, ACL **result)
+{
+    ACL *combined;
+    int i;
+
+    /* initialize a combined DACL containing both inherited and new ACEs */
+    combined = heap_alloc_zero(child->AclSize+parent->AclSize);
+    if (!combined)
+        return STATUS_NO_MEMORY;
+
+    memcpy(combined, child, child->AclSize);
+    combined->AclSize = child->AclSize+parent->AclSize;
+
+    /* copy the inherited ACEs */
+    for (i=0; i<parent->AceCount; i++)
+    {
+        ACE_HEADER *ace;
+
+        if (!GetAce(parent, i, (void*)&ace))
+            continue;
+        if (!(ace->AceFlags & (OBJECT_INHERIT_ACE|CONTAINER_INHERIT_ACE)))
+            continue;
+        if ((ace->AceFlags & (OBJECT_INHERIT_ACE|CONTAINER_INHERIT_ACE)) !=
+                (OBJECT_INHERIT_ACE|CONTAINER_INHERIT_ACE))
+        {
+            FIXME("unsupported flags: %x\n", ace->AceFlags);
+            continue;
+        }
+
+        if (ace->AceFlags & NO_PROPAGATE_INHERIT_ACE)
+            ace->AceFlags &= ~(OBJECT_INHERIT_ACE|CONTAINER_INHERIT_ACE|NO_PROPAGATE_INHERIT_ACE);
+        ace->AceFlags &= ~INHERIT_ONLY_ACE;
+        ace->AceFlags |= INHERITED_ACE;
+
+        if (!AddAce(combined, ACL_REVISION, MAXDWORD, ace, ace->AceSize))
+            WARN("error adding inherited ACE\n");
+    }
+
+    *result = combined;
+    return STATUS_SUCCESS;
+}
+
 /******************************************************************************
  * SetSecurityInfo [ADVAPI32.@]
  */
@@ -6063,41 +6105,10 @@ DWORD WINAPI SetSecurityInfo(HANDLE handle, SE_OBJECT_TYPE ObjectType,
 
                     if (!err)
                     {
-                        int i;
-
-                        dacl = heap_alloc_zero(pDacl->AclSize+parent_dacl->AclSize);
-                        if (!dacl)
-                        {
-                            LocalFree(parent_sd);
-                            return ERROR_NOT_ENOUGH_MEMORY;
-                        }
-                        memcpy(dacl, pDacl, pDacl->AclSize);
-                        dacl->AclSize = pDacl->AclSize+parent_dacl->AclSize;
-
-                        for (i=0; i<parent_dacl->AceCount; i++)
-                        {
-                            ACE_HEADER *ace;
-
-                            if (!GetAce(parent_dacl, i, (void*)&ace))
-                                continue;
-                            if (!(ace->AceFlags & (OBJECT_INHERIT_ACE|CONTAINER_INHERIT_ACE)))
-                                continue;
-                            if ((ace->AceFlags & (OBJECT_INHERIT_ACE|CONTAINER_INHERIT_ACE)) !=
-                                    (OBJECT_INHERIT_ACE|CONTAINER_INHERIT_ACE))
-                            {
-                                FIXME("unsupported flags: %x\n", ace->AceFlags);
-                                continue;
-                            }
-
-                            if (ace->AceFlags & NO_PROPAGATE_INHERIT_ACE)
-                                ace->AceFlags &= ~(OBJECT_INHERIT_ACE|CONTAINER_INHERIT_ACE|NO_PROPAGATE_INHERIT_ACE);
-                            ace->AceFlags &= ~INHERIT_ONLY_ACE;
-                            ace->AceFlags |= INHERITED_ACE;
-
-                            if(!AddAce(dacl, ACL_REVISION, MAXDWORD, ace, ace->AceSize))
-                                WARN("error adding inherited ACE\n");
-                        }
+                        status = combine_dacls(parent_dacl, pDacl, &dacl);
                         LocalFree(parent_sd);
+                        if (status != STATUS_SUCCESS)
+                            return RtlNtStatusToDosError(status);
                     }
                 }
                 else