From 84f5a647d01956d99073a062d40efae13ac39cb2 Mon Sep 17 00:00:00 2001 From: Sebastian Lackner Date: Sat, 8 Aug 2015 21:46:09 +0200 Subject: [PATCH] Added patch to fix possible integer overflow in VarR4FromDec. --- README.md | 3 +- debian/changelog | 1 + ...sible-integer-overflow-in-VarR4FromD.patch | 64 ++++++++++++++ patches/oleaut32-VarR4FromDec/definition | 1 + patches/patchinstall.sh | 83 ++++++++++++------- 5 files changed, 119 insertions(+), 33 deletions(-) create mode 100644 patches/oleaut32-VarR4FromDec/0001-oleaut32-Fix-possible-integer-overflow-in-VarR4FromD.patch create mode 100644 patches/oleaut32-VarR4FromDec/definition diff --git a/README.md b/README.md index 338971c3..ab463abd 100644 --- a/README.md +++ b/README.md @@ -39,11 +39,12 @@ Wine. All those differences are also documented on the Included bug fixes and improvements ----------------------------------- -**Bug fixes and features included in the next upcoming release [6]:** +**Bug fixes and features included in the next upcoming release [7]:** * Add stub dlls required for MSVC 2015 runtime library (Windows 10) * Add stubs for additional wininet options in InternetSetOption * Fake success in IViewObject::Draw stub ([Wine Bug #30611](https://bugs.winehq.org/show_bug.cgi?id=30611)) +* Fix possible integer overflow in VarR4FromDec ([Wine Bug #38988](https://bugs.winehq.org/show_bug.cgi?id=38988)) * Implement stub for vcomp._vcomp_flush ([Wine Bug #39058](https://bugs.winehq.org/show_bug.cgi?id=39058)) * Improve stubs for dxgi MakeWindowAssociation and GetWindowAssociation * Move cookie initialization code from memory management to loader ([Wine Bug #39040](https://bugs.winehq.org/show_bug.cgi?id=39040)) diff --git a/debian/changelog b/debian/changelog index 2d46312d..fc33f447 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -10,6 +10,7 @@ wine-staging (1.7.49) UNRELEASED; urgency=low * Added patch to move cookie initialization code from memory management to loader. * Added patch to fake success in IViewObject::Draw stub. + * Added patch to fix possible integer overflow in VarR4FromDec. * Removed patch to avoid race-conditions with long running threadpool tasks (accepted upstream). * Removed patch to add support for ThreadQuerySetWin32StartAddress info class diff --git a/patches/oleaut32-VarR4FromDec/0001-oleaut32-Fix-possible-integer-overflow-in-VarR4FromD.patch b/patches/oleaut32-VarR4FromDec/0001-oleaut32-Fix-possible-integer-overflow-in-VarR4FromD.patch new file mode 100644 index 00000000..f7225401 --- /dev/null +++ b/patches/oleaut32-VarR4FromDec/0001-oleaut32-Fix-possible-integer-overflow-in-VarR4FromD.patch 
@@ -0,0 +1,64 @@
+From eb9b31d9ea9b15d16e3e8bafa33592ae79789672 Mon Sep 17 00:00:00 2001
+From: Sebastian Lackner
+Date: Sat, 8 Aug 2015 21:42:25 +0200
+Subject: oleaut32: Fix possible integer overflow in VarR4FromDec.
+
+---
+ dlls/oleaut32/tests/vartype.c | 3 ++-
+ dlls/oleaut32/vartype.c | 8 ++++----
+ 2 files changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/dlls/oleaut32/tests/vartype.c b/dlls/oleaut32/tests/vartype.c
+index 4dd77a0..7cbb059 100644
+--- a/dlls/oleaut32/tests/vartype.c
++++ b/dlls/oleaut32/tests/vartype.c
+@@ -2890,7 +2890,8 @@ static void test_VarR4FromDec(void)
+
+ CONVERT_DEC(VarR4FromDec,2,0x80,0,3276800); EXPECT(-32768.0f);
+ CONVERT_DEC(VarR4FromDec,2,0,0,3276700); EXPECT(32767.0f);
+-
++ CONVERT_DEC(VarR4FromDec,10,0,0,3276700); EXPECT(0.00032767f);
++
+ CONVERT_DEC(VarR4FromDec,0,0,1,0); EXPECT(18446744073709551616.0f);
+ }
+
+diff --git a/dlls/oleaut32/vartype.c b/dlls/oleaut32/vartype.c
+index 607d1a2..bf7ebc6 100644
+--- a/dlls/oleaut32/vartype.c
++++ b/dlls/oleaut32/vartype.c
+@@ -2948,28 +2948,28 @@ HRESULT WINAPI VarR4FromUI4(ULONG ulIn, float *pFltOut)
+ HRESULT WINAPI VarR4FromDec(DECIMAL* pDecIn, float *pFltOut)
+ {
+ BYTE scale = DEC_SCALE(pDecIn);
+- int divisor = 1;
++ double divisor = 1.0;
+ double highPart;
+
+ if (scale > DEC_MAX_SCALE || DEC_SIGN(pDecIn) & ~DECIMAL_NEG)
+ return E_INVALIDARG;
+
+ while (scale--)
+- divisor *= 10;
++ divisor *= 10.0;
+
+ if (DEC_SIGN(pDecIn))
+ divisor = -divisor;
+
+ if (DEC_HI32(pDecIn))
+ {
+- highPart = (double)DEC_HI32(pDecIn) / (double)divisor;
++ highPart = (double)DEC_HI32(pDecIn) / divisor;
+ highPart *= 4294967296.0F;
+ highPart *= 4294967296.0F;
+ }
+ else
+ highPart = 0.0;
+
+- *pFltOut = (double)DEC_LO64(pDecIn) / (double)divisor + highPart;
++ *pFltOut = (double)DEC_LO64(pDecIn) / divisor + highPart;
+ return S_OK;
+ }
+
+--
+2.5.0
+
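Review bot: The new `double divisor = 1.0;` declaration in VarR4FromDec carries no comment saying why it must stay a floating-point type, and the added test only exercises scale 10, the first value past the old overflow point. With a 32-bit `int`, 10^scale stops fitting once scale exceeds 9, while the guard above the loop admits every scale up to `DEC_MAX_SCALE`, so the old loop hit signed overflow (undefined behaviour) on a caller-supplied DECIMAL. I would add `/* double: 10^scale overflows a 32-bit int once scale > 9 */` above the declaration so a later cleanup does not turn it back into an integer. The test would be stronger with one case at `DEC_MAX_SCALE` and one large-scale case with the sign byte `0x80`, which covers the `divisor = -divisor` path; the expected floats for those should be taken from native behaviour rather than computed by hand.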
diff --git a/patches/oleaut32-VarR4FromDec/definition b/patches/oleaut32-VarR4FromDec/definition new file mode 100644 index 00000000..793576c4 --- /dev/null +++ b/patches/oleaut32-VarR4FromDec/definition @@ -0,0 +1 @@ +Fixes: [38988] Fix possible integer overflow in VarR4FromDec diff --git a/patches/patchinstall.sh b/patches/patchinstall.sh index 574e166d..5f2b870d 100755 --- a/patches/patchinstall.sh +++ b/patches/patchinstall.sh @@ -190,6 +190,7 @@ patch_enable_all () enable_nvcuda_CUDA_Support="$1" enable_nvcuvid_CUDA_Video_Support="$1" enable_nvencodeapi_Video_Encoder="$1" + enable_oleaut32_VarR4FromDec="$1" enable_openal32_EFX_Extension="$1" enable_opengl32_Revert_Disable_Ext="$1" enable_quartz_MediaSeeking_Positions="$1" @@ -650,6 +651,9 @@ patch_enable () nvencodeapi-Video_Encoder) enable_nvencodeapi_Video_Encoder="$2" ;; + oleaut32-VarR4FromDec) + enable_oleaut32_VarR4FromDec="$2" + ;; openal32-EFX_Extension) enable_openal32_EFX_Extension="$2" ;; @@ -4038,6 +4042,21 @@ if test "$enable_nvencodeapi_Video_Encoder" -eq 1; then ) >> "$patchlist" fi +# Patchset oleaut32-VarR4FromDec +# | +# | This patchset fixes the following Wine bugs: +# | * [#38988] Fix possible integer overflow in VarR4FromDec +# | +# | Modified files: +# | * dlls/oleaut32/tests/vartype.c, dlls/oleaut32/vartype.c +# | +if test "$enable_oleaut32_VarR4FromDec" -eq 1; then + patch_apply oleaut32-VarR4FromDec/0001-oleaut32-Fix-possible-integer-overflow-in-VarR4FromD.patch + ( + echo '+ { "Sebastian Lackner", "oleaut32: Fix possible integer overflow in VarR4FromDec.", 1 },'; + ) >> "$patchlist" +fi + # Patchset openal32-EFX_Extension # | # | This patchset fixes the following Wine bugs: 
@@ -4975,18 +4994,27 @@ if test "$enable_wined3d_CSMT_Helper" -eq 1; then ) >> "$patchlist" fi -# Patchset wined3d-Multisampling -# | -# | This patchset fixes the following Wine bugs: -# | * [#12652] Allow to override number of quality levels for D3DMULTISAMPLE_NONMASKABLE. +# Patchset wined3d-MESA_GPU_Info # | # | Modified files: -# | * dlls/wined3d/directx.c, dlls/wined3d/wined3d_main.c, dlls/wined3d/wined3d_private.h +# | * dlls/wined3d/directx.c, dlls/wined3d/wined3d_gl.h, dlls/winex11.drv/opengl.c, include/wine/wgl_driver.h # | -if test "$enable_wined3d_Multisampling" -eq 1; then - patch_apply wined3d-Multisampling/0001-wined3d-Allow-to-specify-multisampling-AA-quality-le.patch +if test "$enable_wined3d_MESA_GPU_Info" -eq 1; then + patch_apply wined3d-MESA_GPU_Info/0001-wined3d-Use-pci-and-memory-information-from-MESA-if-.patch ( - echo '+ { "Austin English", "wined3d: Allow to specify multisampling AA quality levels via registry.", 1 },'; + echo '+ { "Michael Müller", "wined3d: Use pci and memory information from MESA if possible.", 2 },'; + ) >> "$patchlist" +fi + +# Patchset wined3d-UnhandledBlendFactor +# | +# | Modified files: +# | * dlls/wined3d/state.c +# | +if test "$enable_wined3d_UnhandledBlendFactor" -eq 1; then + patch_apply wined3d-UnhandledBlendFactor/0001-wined3d-Silence-repeated-Unhandled-blend-factor-0-me.patch + ( + echo '+ { "Sebastian Lackner", "wined3d: Silence repeated '\''Unhandled blend factor 0'\'' messages.", 1 },'; ) >> "$patchlist" fi 
@@ -5014,6 +5042,21 @@ if test "$enable_wined3d_wined3d_swapchain_present" -eq 1; then ) >> "$patchlist" fi +# Patchset wined3d-Multisampling +# | +# | This patchset fixes the following Wine bugs: +# | * [#12652] Allow to override number of quality levels for D3DMULTISAMPLE_NONMASKABLE. +# | +# | Modified files: +# | * dlls/wined3d/directx.c, dlls/wined3d/wined3d_main.c, dlls/wined3d/wined3d_private.h +# | +if test "$enable_wined3d_Multisampling" -eq 1; then + patch_apply wined3d-Multisampling/0001-wined3d-Allow-to-specify-multisampling-AA-quality-le.patch + ( + echo '+ { "Austin English", "wined3d: Allow to specify multisampling AA quality levels via registry.", 1 },'; + ) >> "$patchlist" +fi + # Patchset wined3d-Revert_PixelFormat # | # | This patchset fixes the following Wine bugs: @@ -5047,18 +5090,6 @@ if test "$enable_wined3d_Revert_PixelFormat" -eq 1; then ) >> "$patchlist" fi -# Patchset wined3d-UnhandledBlendFactor -# | -# | Modified files: -# | * dlls/wined3d/state.c -# | -if test "$enable_wined3d_UnhandledBlendFactor" -eq 1; then - patch_apply wined3d-UnhandledBlendFactor/0001-wined3d-Silence-repeated-Unhandled-blend-factor-0-me.patch - ( - echo '+ { "Sebastian Lackner", "wined3d: Silence repeated '\''Unhandled blend factor 0'\'' messages.", 1 },'; - ) >> "$patchlist" -fi - # Patchset wined3d-Geforce_425M # | # | This patchset fixes the following Wine bugs: 
@@ -5074,18 +5105,6 @@ if test "$enable_wined3d_Geforce_425M" -eq 1; then ) >> "$patchlist" fi -# Patchset wined3d-MESA_GPU_Info -# | -# | Modified files: -# | * dlls/wined3d/directx.c, dlls/wined3d/wined3d_gl.h, dlls/winex11.drv/opengl.c, include/wine/wgl_driver.h -# | -if test "$enable_wined3d_MESA_GPU_Info" -eq 1; then - patch_apply wined3d-MESA_GPU_Info/0001-wined3d-Use-pci-and-memory-information-from-MESA-if-.patch - ( - echo '+ { "Michael Müller", "wined3d: Use pci and memory information from MESA if possible.", 2 },'; - ) >> "$patchlist" -fi - # Patchset wined3d-CSMT_Main # | # | This patchset fixes the following Wine bugs: