Added patch to fix possible integer overflow in VarR4FromDec.

README.md

@@ -39,11 +39,12 @@ Wine. All those differences are also documented on the
 Included bug fixes and improvements
 -----------------------------------
 
-**Bug fixes and features included in the next upcoming release [6]:**
+**Bug fixes and features included in the next upcoming release [7]:**
 
 * Add stub dlls required for MSVC 2015 runtime library (Windows 10)
 * Add stubs for additional wininet options in InternetSetOption
 * Fake success in IViewObject::Draw stub ([Wine Bug #30611](https://bugs.winehq.org/show_bug.cgi?id=30611))
+* Fix possible integer overflow in VarR4FromDec ([Wine Bug #38988](https://bugs.winehq.org/show_bug.cgi?id=38988))
 * Implement stub for vcomp._vcomp_flush ([Wine Bug #39058](https://bugs.winehq.org/show_bug.cgi?id=39058))
 * Improve stubs for dxgi MakeWindowAssociation and GetWindowAssociation
 * Move cookie initialization code from memory management to loader ([Wine Bug #39040](https://bugs.winehq.org/show_bug.cgi?id=39040))

debian/changelog

@@ -10,6 +10,7 @@ wine-staging (1.7.49) UNRELEASED; urgency=low
   * Added patch to move cookie initialization code from memory management to
     loader.
   * Added patch to fake success in IViewObject::Draw stub.
+  * Added patch to fix possible integer overflow in VarR4FromDec.
   * Removed patch to avoid race-conditions with long running threadpool tasks
     (accepted upstream).
   * Removed patch to add support for ThreadQuerySetWin32StartAddress info class

patches/oleaut32-VarR4FromDec/0001-oleaut32-Fix-possible-integer-overflow-in-VarR4FromD.patch

@@ -0,0 +1,64 @@
+From eb9b31d9ea9b15d16e3e8bafa33592ae79789672 Mon Sep 17 00:00:00 2001
+From: Sebastian Lackner <sebastian@fds-team.de>
+Date: Sat, 8 Aug 2015 21:42:25 +0200
+Subject: oleaut32: Fix possible integer overflow in VarR4FromDec.
+
+---
+ dlls/oleaut32/tests/vartype.c | 3 ++-
+ dlls/oleaut32/vartype.c       | 8 ++++----
+ 2 files changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/dlls/oleaut32/tests/vartype.c b/dlls/oleaut32/tests/vartype.c
+index 4dd77a0..7cbb059 100644
+--- a/dlls/oleaut32/tests/vartype.c
++++ b/dlls/oleaut32/tests/vartype.c
+@@ -2890,7 +2890,8 @@ static void test_VarR4FromDec(void)
+ 
+   CONVERT_DEC(VarR4FromDec,2,0x80,0,3276800); EXPECT(-32768.0f);
+   CONVERT_DEC(VarR4FromDec,2,0,0,3276700);    EXPECT(32767.0f);
+-  
++  CONVERT_DEC(VarR4FromDec,10,0,0,3276700);   EXPECT(0.00032767f);
++
+   CONVERT_DEC(VarR4FromDec,0,0,1,0);        EXPECT(18446744073709551616.0f);
+ }
+ 
+diff --git a/dlls/oleaut32/vartype.c b/dlls/oleaut32/vartype.c
+index 607d1a2..bf7ebc6 100644
+--- a/dlls/oleaut32/vartype.c
++++ b/dlls/oleaut32/vartype.c
+@@ -2948,28 +2948,28 @@ HRESULT WINAPI VarR4FromUI4(ULONG ulIn, float *pFltOut)
+ HRESULT WINAPI VarR4FromDec(DECIMAL* pDecIn, float *pFltOut)
+ {
+   BYTE scale = DEC_SCALE(pDecIn);
+-  int divisor = 1;
++  double divisor = 1.0;
+   double highPart;
+ 
+   if (scale > DEC_MAX_SCALE || DEC_SIGN(pDecIn) & ~DECIMAL_NEG)
+     return E_INVALIDARG;
+ 
+   while (scale--)
+-    divisor *= 10;
++    divisor *= 10.0;
+ 
+   if (DEC_SIGN(pDecIn))
+     divisor = -divisor;
+ 
+   if (DEC_HI32(pDecIn))
+   {
+-    highPart = (double)DEC_HI32(pDecIn) / (double)divisor;
++    highPart = (double)DEC_HI32(pDecIn) / divisor;
+     highPart *= 4294967296.0F;
+     highPart *= 4294967296.0F;
+   }
+   else
+     highPart = 0.0;
+ 
+-  *pFltOut = (double)DEC_LO64(pDecIn) / (double)divisor + highPart;
++  *pFltOut = (double)DEC_LO64(pDecIn) / divisor + highPart;
+   return S_OK;
+ }
+ 
+-- 
+2.5.0
+

patches/oleaut32-VarR4FromDec/definition

@@ -0,0 +1 @@
+Fixes: [38988] Fix possible integer overflow in VarR4FromDec

patches/patchinstall.sh

@@ -190,6 +190,7 @@ patch_enable_all ()
 	enable_nvcuda_CUDA_Support="$1"
 	enable_nvcuvid_CUDA_Video_Support="$1"
 	enable_nvencodeapi_Video_Encoder="$1"
+	enable_oleaut32_VarR4FromDec="$1"
 	enable_openal32_EFX_Extension="$1"
 	enable_opengl32_Revert_Disable_Ext="$1"
 	enable_quartz_MediaSeeking_Positions="$1"
@@ -650,6 +651,9 @@ patch_enable ()
 		nvencodeapi-Video_Encoder)
 			enable_nvencodeapi_Video_Encoder="$2"
 			;;
+		oleaut32-VarR4FromDec)
+			enable_oleaut32_VarR4FromDec="$2"
+			;;
 		openal32-EFX_Extension)
 			enable_openal32_EFX_Extension="$2"
 			;;
@@ -4038,6 +4042,21 @@ if test "$enable_nvencodeapi_Video_Encoder" -eq 1; then
 	) >> "$patchlist"
 fi
 
+# Patchset oleaut32-VarR4FromDec
+# |
+# | This patchset fixes the following Wine bugs:
+# |   *	[#38988] Fix possible integer overflow in VarR4FromDec
+# |
+# | Modified files:
+# |   *	dlls/oleaut32/tests/vartype.c, dlls/oleaut32/vartype.c
+# |
+if test "$enable_oleaut32_VarR4FromDec" -eq 1; then
+	patch_apply oleaut32-VarR4FromDec/0001-oleaut32-Fix-possible-integer-overflow-in-VarR4FromD.patch
+	(
+		echo '+    { "Sebastian Lackner", "oleaut32: Fix possible integer overflow in VarR4FromDec.", 1 },';
+	) >> "$patchlist"
+fi
+
 # Patchset openal32-EFX_Extension
 # |
 # | This patchset fixes the following Wine bugs:
@@ -4975,18 +4994,27 @@ if test "$enable_wined3d_CSMT_Helper" -eq 1; then
 	) >> "$patchlist"
 fi
 
-# Patchset wined3d-Multisampling
-# |
-# | This patchset fixes the following Wine bugs:
-# |   *	[#12652] Allow to override number of quality levels for D3DMULTISAMPLE_NONMASKABLE.
+# Patchset wined3d-MESA_GPU_Info
 # |
 # | Modified files:
-# |   *	dlls/wined3d/directx.c, dlls/wined3d/wined3d_main.c, dlls/wined3d/wined3d_private.h
+# |   *	dlls/wined3d/directx.c, dlls/wined3d/wined3d_gl.h, dlls/winex11.drv/opengl.c, include/wine/wgl_driver.h
 # |
-if test "$enable_wined3d_Multisampling" -eq 1; then
-	patch_apply wined3d-Multisampling/0001-wined3d-Allow-to-specify-multisampling-AA-quality-le.patch
+if test "$enable_wined3d_MESA_GPU_Info" -eq 1; then
+	patch_apply wined3d-MESA_GPU_Info/0001-wined3d-Use-pci-and-memory-information-from-MESA-if-.patch
 	(
-		echo '+    { "Austin English", "wined3d: Allow to specify multisampling AA quality levels via registry.", 1 },';
+		echo '+    { "Michael Müller", "wined3d: Use pci and memory information from MESA if possible.", 2 },';
+	) >> "$patchlist"
+fi
+
+# Patchset wined3d-UnhandledBlendFactor
+# |
+# | Modified files:
+# |   *	dlls/wined3d/state.c
+# |
+if test "$enable_wined3d_UnhandledBlendFactor" -eq 1; then
+	patch_apply wined3d-UnhandledBlendFactor/0001-wined3d-Silence-repeated-Unhandled-blend-factor-0-me.patch
+	(
+		echo '+    { "Sebastian Lackner", "wined3d: Silence repeated '\''Unhandled blend factor 0'\'' messages.", 1 },';
 	) >> "$patchlist"
 fi
 
@@ -5014,6 +5042,21 @@ if test "$enable_wined3d_wined3d_swapchain_present" -eq 1; then
 	) >> "$patchlist"
 fi
 
+# Patchset wined3d-Multisampling
+# |
+# | This patchset fixes the following Wine bugs:
+# |   *	[#12652] Allow to override number of quality levels for D3DMULTISAMPLE_NONMASKABLE.
+# |
+# | Modified files:
+# |   *	dlls/wined3d/directx.c, dlls/wined3d/wined3d_main.c, dlls/wined3d/wined3d_private.h
+# |
+if test "$enable_wined3d_Multisampling" -eq 1; then
+	patch_apply wined3d-Multisampling/0001-wined3d-Allow-to-specify-multisampling-AA-quality-le.patch
+	(
+		echo '+    { "Austin English", "wined3d: Allow to specify multisampling AA quality levels via registry.", 1 },';
+	) >> "$patchlist"
+fi
+
 # Patchset wined3d-Revert_PixelFormat
 # |
 # | This patchset fixes the following Wine bugs:
@@ -5047,18 +5090,6 @@ if test "$enable_wined3d_Revert_PixelFormat" -eq 1; then
 	) >> "$patchlist"
 fi
 
-# Patchset wined3d-UnhandledBlendFactor
-# |
-# | Modified files:
-# |   *	dlls/wined3d/state.c
-# |
-if test "$enable_wined3d_UnhandledBlendFactor" -eq 1; then
-	patch_apply wined3d-UnhandledBlendFactor/0001-wined3d-Silence-repeated-Unhandled-blend-factor-0-me.patch
-	(
-		echo '+    { "Sebastian Lackner", "wined3d: Silence repeated '\''Unhandled blend factor 0'\'' messages.", 1 },';
-	) >> "$patchlist"
-fi
-
 # Patchset wined3d-Geforce_425M
 # |
 # | This patchset fixes the following Wine bugs:
@@ -5074,18 +5105,6 @@ if test "$enable_wined3d_Geforce_425M" -eq 1; then
 	) >> "$patchlist"
 fi
 
-# Patchset wined3d-MESA_GPU_Info
-# |
-# | Modified files:
-# |   *	dlls/wined3d/directx.c, dlls/wined3d/wined3d_gl.h, dlls/winex11.drv/opengl.c, include/wine/wgl_driver.h
-# |
-if test "$enable_wined3d_MESA_GPU_Info" -eq 1; then
-	patch_apply wined3d-MESA_GPU_Info/0001-wined3d-Use-pci-and-memory-information-from-MESA-if-.patch
-	(
-		echo '+    { "Michael Müller", "wined3d: Use pci and memory information from MESA if possible.", 2 },';
-	) >> "$patchlist"
-fi
-
 # Patchset wined3d-CSMT_Main
 # |
 # | This patchset fixes the following Wine bugs: