diff --git a/src/dll/posix.c b/src/dll/posix.c
index 1da8822b..76507b50 100644
--- a/src/dll/posix.c
+++ b/src/dll/posix.c
@@ -432,15 +432,15 @@ FSP_API NTSTATUS FspPosixMapPermissionsToSecurityDescriptor(
 *PSecurityDescriptor = 0;
- Result = FspPosixMapUidToSid(Uid, OwnerSid);
+ Result = FspPosixMapUidToSid(Uid, &OwnerSid);
 if (!NT_SUCCESS(Result))
 goto exit;
- Result = FspPosixMapUidToSid(Gid, GroupSid);
+ Result = FspPosixMapUidToSid(Gid, &GroupSid);
 if (!NT_SUCCESS(Result))
 goto exit;
- Result = FspPosixMapUidToSid(0x10100, WorldSid);
+ Result = FspPosixMapUidToSid(0x10100, &WorldSid);
 if (!NT_SUCCESS(Result))
 goto exit;
@@ -488,7 +488,7 @@ FSP_API NTSTATUS FspPosixMapPermissionsToSecurityDescriptor(
 if (GroupDeny)
 Size += GetLengthSid(GroupSid) - sizeof(DWORD);
 Size += sizeof(DWORD) - 1;
- Size &= ~sizeof(DWORD);
+ Size &= ~(sizeof(DWORD) - 1);
 Acl = MemAlloc(Size);
 if (0 == Acl)
@@ -636,11 +636,11 @@ FSP_API NTSTATUS FspPosixMapSecurityDescriptorToPermissions(
 if (0 != Acl)
 {
- Result = FspPosixMapUidToSid(0x10100, WorldSid);
+ Result = FspPosixMapUidToSid(0x10100, &WorldSid);
 if (!NT_SUCCESS(Result))
 goto exit;
- Result = FspPosixMapUidToSid(11, AuthUsersSid);
+ Result = FspPosixMapUidToSid(11, &AuthUsersSid);
 if (!NT_SUCCESS(Result))
 goto exit;
@@ -690,15 +690,15 @@ FSP_API NTSTATUS FspPosixMapSecurityDescriptorToPermissions(
 */
 if (ACCESS_ALLOWED_ACE_TYPE == Ace->AceType)
 {
- WorldAllow |= AceAccessMask & WorldDeny;
- GroupAllow |= AceAccessMask & GroupDeny;
- OwnerAllow |= AceAccessMask & OwnerDeny;
+ WorldAllow |= AceAccessMask & ~WorldDeny;
+ GroupAllow |= AceAccessMask & ~GroupDeny;
+ OwnerAllow |= AceAccessMask & ~OwnerDeny;
 }
 else //if (ACCESS_DENIED_ACE_TYPE == Ace->AceType)
 {
- WorldDeny |= AceAccessMask & WorldAllow;
- GroupDeny |= AceAccessMask & GroupAllow;
- OwnerDeny |= AceAccessMask & OwnerAllow;
+ WorldDeny |= AceAccessMask & ~WorldAllow;
+ GroupDeny |= AceAccessMask & ~GroupAllow;
+ OwnerDeny |= AceAccessMask & ~OwnerAllow;
 }
 }
 else
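Review bot: The well-known principals are still passed as bare literals: `0x10100` for WorldSid in the hunk at -432 and again at -636, where `11` is also used for AuthUsersSid. These numbers decide which Windows principal receives the POSIX "other" bits, so a mistyped digit would silently map permissions onto a different SID without any compile-time signal. I would name each value once and document the SID it is expected to produce, for example `/* 0x10100 -> World (Everyone), 11 -> Authenticated Users; confirm against FspPosixMapUidToSid */`. Both function bodies continue outside these hunks, so whether the SID variables are initialised before the first `goto exit` cannot be checked from here.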
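Review bot: The DWORD round-up of `Size` in the hunk at -488 is split over two statements and carries no comment, which is how the old mask went unnoticed: `~sizeof(DWORD)` clears a single bit and could leave `Size` smaller than the computed ACL length before `MemAlloc(Size)`. Folding it into one commented statement makes the intent checkable at a glance: `Size = (Size + sizeof(DWORD) - 1) & ~(sizeof(DWORD) - 1); /* round up to a DWORD multiple */`. The size accumulation starts above the hunk, so the terms that feed it are not visible here.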
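Review bot: The first-match rule `X |= AceAccessMask & ~Opposite` is written out six times in the hunk at -690 and repeated in the hunks at -717 and -730, and the defect fixed here was the same missing `~` in every copy. Since this accumulation decides the POSIX mode reported for a security descriptor, I would single-source it in a small static helper or macro, or at least put one comment above the first use such as `/* first match wins: bits already decided by an earlier ACE are masked out */`. The `else` branch keeps its type test commented out, so it treats every ACE that is not ACCESS_ALLOWED as a deny. That is only safe if other ACE types are skipped before this point, presumably in the loop header outside the hunk; worth confirming or stating in a comment.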
@@ -717,9 +717,9 @@ FSP_API NTSTATUS FspPosixMapSecurityDescriptorToPermissions(
 if (EqualSid(GroupSid, AceSid))
 {
 if (ACCESS_ALLOWED_ACE_TYPE == Ace->AceType)
- GroupAllow |= AceAccessMask & GroupDeny;
+ GroupAllow |= AceAccessMask & ~GroupDeny;
 else //if (ACCESS_DENIED_ACE_TYPE == Ace->AceType)
- GroupDeny |= AceAccessMask & GroupAllow;
+ GroupDeny |= AceAccessMask & ~GroupAllow;
 }
 /* [PERMS]
@@ -730,9 +730,9 @@ FSP_API NTSTATUS FspPosixMapSecurityDescriptorToPermissions(
 if (EqualSid(OwnerSid, AceSid))
 {
 if (ACCESS_ALLOWED_ACE_TYPE == Ace->AceType)
- OwnerAllow |= AceAccessMask & OwnerDeny;
+ OwnerAllow |= AceAccessMask & ~OwnerDeny;
 else //if (ACCESS_DENIED_ACE_TYPE == Ace->AceType)
- OwnerDeny |= AceAccessMask & OwnerAllow;
+ OwnerDeny |= AceAccessMask & ~OwnerAllow;
 }
 }
 }
diff --git a/tst/winfsp-tests/posix-test.c b/tst/winfsp-tests/posix-test.c
index 2067f4c1..44df830d 100644
--- a/tst/winfsp-tests/posix-test.c
+++ b/tst/winfsp-tests/posix-test.c
@@ -147,7 +147,50 @@ void posix_map_sid_test(void)
 LocalFree(map[sizeof map / sizeof map[0] - 1].SidStr);
 }
+void posix_map_sd_test(void)
+{
+ struct
+ {
+ PWSTR Sddl;
+ UINT32 Uid, Gid, Mode;
+ } map[] =
+ {
+ { L"O:SYG:BAD:P(A;;0x1f0199;;;SY)(A;;0x120088;;;BA)(A;;0x120088;;;WD)", 18, 544, 00400 },
+ };
+ NTSTATUS Result;
+ BOOL Success;
+ PSECURITY_DESCRIPTOR SecurityDescriptor;
+ PWSTR Sddl;
+ UINT32 Uid, Gid, Mode;
+
+ for (size_t i = 0; sizeof map / sizeof map[0] > i; i++)
+ {
+ Result = FspPosixMapPermissionsToSecurityDescriptor(
+ map[i].Uid, map[i].Gid, map[i].Mode, &SecurityDescriptor);
+ ASSERT(NT_SUCCESS(Result));
+
+ Success = ConvertSecurityDescriptorToStringSecurityDescriptorW(
+ SecurityDescriptor, SDDL_REVISION_1,
+ OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION,
+ &Sddl, 0);
+ ASSERT(Success);
+ ASSERT(0 == wcscmp(map[i].Sddl, Sddl));
+ LocalFree(Sddl);
+
+ Result = FspPosixMapSecurityDescriptorToPermissions(
+ SecurityDescriptor, &Uid, &Gid, &Mode);
+ ASSERT(NT_SUCCESS(Result));
+ ASSERT(map[i].Uid == Uid);
+ ASSERT(map[i].Gid == Gid);
+ ASSERT((map[i].Mode & 01777) == Mode);
+
+ FspDeleteSecurityDescriptor(SecurityDescriptor,
+ FspPosixMapPermissionsToSecurityDescriptor);
+ }
+}
+
 void posix_tests(void)
 {
 TEST(posix_map_sid_test);
+ TEST(posix_map_sd_test);
 }
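Review bot: The `map[]` table in posix_map_sd_test has a single entry, mode `00400`, and its expected SDDL contains only allow ACEs, so the round trip never reaches the deny-side code this commit fixes in posix.c (`WorldDeny |= ...`, `GroupDeny |= ...`, `OwnerDeny |= ...`) or the `if (GroupDeny)` size term ahead of the alignment fix. I would add entries for modes where group or other holds a bit the owner lacks, so that the generated descriptor carries `D;` ACEs, each with its expected SDDL taken from a reviewed run. A short comment on the table such as `/* 18 = SYSTEM, 544 = Administrators; each row: SDDL expected for (Uid, Gid, Mode) */` would also help readers check the fixture against the SID mapping.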