Release 2.10-3 (macOS preloader fixes).

For wine64-preloader we already do that, but apparently there are also kernel
versions which enforce a PAGEZERO section for 32-bit executables.

(cherry picked from commit 907dc4eae6)

CONTRIBUTING.md

@@ -1,30 +0,0 @@
-Contributing to Wine Staging
-----------------------------
-
-First of all, thank you for taking the time to contribute to this project.
-
-### Reporting bugs
-
-Since WineConf 2015 Wine Staging is an official part of WineHQ, which means you
-can report problems directly at [bugs.winehq.org](https://bugs.winehq.org/).
-Most of the time bugs found in Wine Staging also turn out to be present in the
-development branch, so its recommended to open your bug in the "Wine" product,
-unless you are sure its really "Wine Staging" specific. For bugs related to our
-binary packages, please open a bug report in the "Packaging" product.
-
-### Submitting patches
-
-**IMPORTANT:** Please use [dev.wine-staging.com](https://dev.wine-staging.com/patches)
-for patch submissions, we currently do not accept Pull requests on GitHub.
-
-Wine Staging mainly concentrates on experimental features and patches which are
-difficult to get into the development branch. If you have a very simple bug fix
-including tests, there is usually no need to send it to Wine Staging. You can
-directly contribute it to the
-[development branch](http://wiki.winehq.org/SubmittingPatches). However, if you
-already tried that without success, or are working on such a complex area that
-you do not really think its ready for inclusion, you might want to submit it to
-our Staging tree. Please open a patch submission request on
-[dev.wine-staging.com](https://dev.wine-staging.com/patches) including the patch.
-More information is also available in our
-[Wiki](https://wiki.winehq.org/Wine-Staging_Patches).

README.md

@@ -24,6 +24,16 @@ other wine-specific programs like `winecfg`. To learn more about how to use
 Wine Staging, please take a look at the
 [usage instructions](https://github.com/wine-compholio/wine-staging/wiki/Usage).
 
+Reporting bugs
+--------------
+
+Since WineConf 2015 Wine Staging is an official part of WineHQ, which means you
+can report problems directly at https://bugs.winehq.org/. Most of the time bugs
+found in Wine Staging also turn out to be present in the development branch, so
+its recommended to open your bug in the "Wine" product, unless you are sure its
+really "Wine Staging" specific. For problems with our binary packages, please
+also open a bug report there.
+
 Building
 --------
 
@@ -78,5 +88,14 @@ in our [Wiki](https://github.com/wine-compholio/wine-staging/wiki/Packaging).
 Contributing
 ------------
 
-Please see CONTRIBUTING.md for more information about contributing to Wine
-Staging.
+Wine Staging mainly concentrates on experimental features and patches which are
+difficult to get into the development branch. If you have a very simple bug fix
+including tests, there is usually no need to send it to Wine Staging. You can
+directly contribute it to the
+[development branch](http://wiki.winehq.org/SubmittingPatches). However, if you
+already tried that without success, or are working on such a complex area that
+you do not really think its ready for inclusion, you might want to submit it to
+our Staging tree. Please open a patch submission request on
+[bugs.wine-staging.com](https://bugs.wine-staging.com/) including the patch.
+More information is also available in our
+[Wiki](https://github.com/wine-compholio/wine-staging/wiki/Contributing).

patches/Compiler_Warnings/0001-ole32-Fix-compilation-with-recent-versions-of-gcc.patch

@@ -0,0 +1,26 @@
+From 43628d9b1905396ff6442e4f1e07c9dd48739b19 Mon Sep 17 00:00:00 2001
+From: Sebastian Lackner <sebastian@fds-team.de>
+Date: Fri, 14 Apr 2017 15:57:18 +0200
+Subject: ole32: Fix compilation with recent versions of gcc.
+
+---
+ dlls/ole32/storage32.h | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/dlls/ole32/storage32.h b/dlls/ole32/storage32.h
+index 4fcfd9c362..2b23ab8eb8 100644
+--- a/dlls/ole32/storage32.h
++++ b/dlls/ole32/storage32.h
+@@ -526,6 +526,9 @@ StgStreamImpl* StgStreamImpl_Construct(
+ /******************************************************************************
+  * Endian conversion macros
+  */
++#undef htole32
++#undef htole16
++
+ #ifdef WORDS_BIGENDIAN
+ 
+ #define htole32(x) RtlUlongByteSwap(x)
+-- 
+2.12.2
+

patches/Compiler_Warnings/0003-shell32-Fix-length-parameter-for-ZeroMemory.patch

@@ -0,0 +1,25 @@
+From 33717bde9e702520e23ae014c398bd7076902d43 Mon Sep 17 00:00:00 2001
+From: Sebastian Lackner <sebastian@fds-team.de>
+Date: Sun, 4 Jun 2017 12:56:47 +0200
+Subject: shell32: Fix length parameter for ZeroMemory.
+
+---
+ dlls/shell32/shfldr_fs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/dlls/shell32/shfldr_fs.c b/dlls/shell32/shfldr_fs.c
+index c7259276d1d..10653f92b52 100644
+--- a/dlls/shell32/shfldr_fs.c
++++ b/dlls/shell32/shfldr_fs.c
+@@ -1315,7 +1315,7 @@ ISFHelper_fnCopyItems (ISFHelper * iface, IShellFolder * pSFFrom, UINT cidl,
+ 
+         if (SUCCEEDED (IPersistFolder2_GetCurFolder (ppf2, &pidl))) {
+             SHGetPathFromIDListW (pidl, wszSrcPathRoot);
+-            ZeroMemory(wszDstPath, MAX_PATH+1);
++            ZeroMemory(wszDstPath, sizeof(wszDstPath));
+             if (This->sPathTarget)
+                 lstrcpynW(wszDstPath, This->sPathTarget, MAX_PATH);
+             PathAddBackslashW(wszSrcPathRoot);
+-- 
+2.13.0
+

patches/Compiler_Warnings/0004-fusion-Fix-length-parameter-for-ZeroMemory.patch

@@ -0,0 +1,25 @@
+From 2b5e9f330770221eee2eda2aab251eba8d370a60 Mon Sep 17 00:00:00 2001
+From: Sebastian Lackner <sebastian@fds-team.de>
+Date: Sun, 4 Jun 2017 13:17:54 +0200
+Subject: fusion: Fix length parameter for ZeroMemory.
+
+---
+ dlls/fusion/tests/asmname.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/dlls/fusion/tests/asmname.c b/dlls/fusion/tests/asmname.c
+index 5fb14a48291..21cd4874edc 100644
+--- a/dlls/fusion/tests/asmname.c
++++ b/dlls/fusion/tests/asmname.c
+@@ -358,7 +358,7 @@ static void test_assembly_name_props_line(IAssemblyName *name,
+         to_widechar(expect, vals[i].val);
+ 
+         size = MAX_PATH;
+-        ZeroMemory(str, MAX_PATH);
++        ZeroMemory(str, sizeof(str));
+         hr = IAssemblyName_GetProperty(name, i, str, &size);
+         to_multibyte(val, str);
+ 
+-- 
+2.13.0
+

patches/Compiler_Warnings/0005-fusion-tests-Avoid-compiler-warnings-with-GCC-7.patch

@@ -0,0 +1,34 @@
+From 3e59710a3091a4a61b7cce00606ed23b7b66dfda Mon Sep 17 00:00:00 2001
+From: Sebastian Lackner <sebastian@fds-team.de>
+Date: Sun, 4 Jun 2017 12:55:31 +0200
+Subject: fusion/tests: Avoid compiler warnings with GCC 7.
+
+---
+ dlls/fusion/tests/asmenum.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/dlls/fusion/tests/asmenum.c b/dlls/fusion/tests/asmenum.c
+index 1dc34a286e5..8b95f2a6bd5 100644
+--- a/dlls/fusion/tests/asmenum.c
++++ b/dlls/fusion/tests/asmenum.c
+@@ -223,7 +223,7 @@ typedef struct _tagASMNAME
+ static BOOL enum_gac_assemblies(struct list *assemblies, int depth, LPSTR path)
+ {
+     WIN32_FIND_DATAA ffd;
+-    CHAR buf[MAX_PATH];
++    CHAR buf[MAX_PATH + 37];
+     CHAR disp[MAX_PATH];
+     ASMNAME *name;
+     HANDLE hfind;
+@@ -248,7 +248,7 @@ static BOOL enum_gac_assemblies(struct list *assemblies, int depth, LPSTR path)
+         else if (depth == 1)
+         {
+             char culture[MAX_PATH];
+-            char dll[MAX_PATH], exe[MAX_PATH];
++            char dll[MAX_PATH + 6], exe[MAX_PATH + 6];
+ 
+             /* Directories with no dll or exe will not be enumerated */
+             sprintf(dll, "%s\\%s\\%s.dll", path, ffd.cFileName, parent);
+-- 
+2.13.0
+

patches/Compiler_Warnings/0006-kernel32-tests-Avoid-compiler-warnings-with-GCC-7.patch

@@ -0,0 +1,34 @@
+From d1eafd34d4c0619f956afd365ddbde79680a18dc Mon Sep 17 00:00:00 2001
+From: Sebastian Lackner <sebastian@fds-team.de>
+Date: Sun, 4 Jun 2017 12:56:10 +0200
+Subject: kernel32/tests: Avoid compiler warnings with GCC 7.
+
+---
+ dlls/kernel32/tests/heap.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/dlls/kernel32/tests/heap.c b/dlls/kernel32/tests/heap.c
+index 0acf109dff0..70ba674bc91 100644
+--- a/dlls/kernel32/tests/heap.c
++++ b/dlls/kernel32/tests/heap.c
+@@ -109,6 +109,9 @@ static void test_heap(void)
+     }
+ 
+     /* test some border cases of HeapAlloc and HeapReAlloc */
++#pragma GCC diagnostic push
++#pragma GCC diagnostic ignored "-Wpragmas"
++#pragma GCC diagnostic ignored "-Walloc-size-larger-than="
+     mem = HeapAlloc(GetProcessHeap(), 0, 0);
+     ok(mem != NULL, "memory not allocated for size 0\n");
+     msecond = HeapReAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, mem, ~(SIZE_T)0 - 7);
+@@ -125,6 +128,7 @@ static void test_heap(void)
+     ok(size == 0 || broken(size == 1) /* some vista and win7 */,
+        "HeapSize should have returned 0 instead of %lu\n", size);
+     HeapFree(GetProcessHeap(), 0, msecond);
++#pragma GCC diagnostic pop
+ 
+     /* large blocks must be 16-byte aligned */
+     mem = HeapAlloc(GetProcessHeap(), 0, 512 * 1024);
+-- 
+2.13.1
+

patches/Compiler_Warnings/0007-rsaenh-tests-Avoid-compiler-warnings-with-GCC-7.patch

@@ -0,0 +1,25 @@
+From 61ceddca38f26c2df2acc6361c35ced52fe9b098 Mon Sep 17 00:00:00 2001
+From: Sebastian Lackner <sebastian@fds-team.de>
+Date: Sun, 4 Jun 2017 12:58:31 +0200
+Subject: rsaenh/tests: Avoid compiler warnings with GCC 7.
+
+---
+ dlls/rsaenh/rsaenh.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/dlls/rsaenh/rsaenh.c b/dlls/rsaenh/rsaenh.c
+index 9af770dfc6e..6978c860278 100644
+--- a/dlls/rsaenh/rsaenh.c
++++ b/dlls/rsaenh/rsaenh.c
+@@ -1097,7 +1097,7 @@ static void store_key_permissions(HCRYPTKEY hCryptKey, HKEY hKey, DWORD dwKeySpe
+  */
+ static BOOL create_container_key(KEYCONTAINER *pKeyContainer, REGSAM sam, HKEY *phKey)
+ {
+-    CHAR szRSABase[MAX_PATH];
++    CHAR szRSABase[MAX_PATH + 25];
+     HKEY hRootKey;
+ 
+     sprintf(szRSABase, RSAENH_REGKEY, pKeyContainer->szName);
+-- 
+2.13.0
+

patches/Compiler_Warnings/0008-kernel32-Avoid-compiler-warnings-with-GCC-7.patch

@@ -0,0 +1,46 @@
+From 67ed53ca67214d7dbdea7f342b9f2ff0356a220b Mon Sep 17 00:00:00 2001
+From: Sebastian Lackner <sebastian@fds-team.de>
+Date: Sun, 4 Jun 2017 12:59:10 +0200
+Subject: kernel32: Avoid compiler warnings with GCC 7.
+
+---
+ dlls/kernel32/oldconfig.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/dlls/kernel32/oldconfig.c b/dlls/kernel32/oldconfig.c
+index 6c80dc614f0..3e628757283 100644
+--- a/dlls/kernel32/oldconfig.c
++++ b/dlls/kernel32/oldconfig.c
+@@ -290,7 +290,8 @@ static void create_hardware_branch(void)
+         {
+             if (strncmp(dent->d_name, "hd", 2) == 0)
+             {
+-                sprintf(cStr, procname_ide_media, dent->d_name);
++                result = snprintf(cStr, sizeof(cStr), procname_ide_media, dent->d_name);
++                if (result < 0 || result >= sizeof(cStr)) continue;
+                 procfile = fopen(cStr, "r");
+                 if (!procfile)
+                 {
+@@ -306,7 +307,8 @@ static void create_hardware_branch(void)
+                     if (nType == DRIVE_UNKNOWN) continue;
+                 }
+ 
+-                sprintf(cStr, procname_ide_model, dent->d_name);
++                result = snprintf(cStr, sizeof(cStr), procname_ide_model, dent->d_name);
++                if (result < 0 || result >= sizeof(cStr)) continue;
+                 procfile = fopen(cStr, "r");
+                 if (!procfile)
+                 {
+@@ -322,7 +324,8 @@ static void create_hardware_branch(void)
+                     cDevModel[strlen(cDevModel) - 1] = 0;
+                 }
+ 
+-                sprintf(cUnixDeviceName, "/dev/%s", dent->d_name);
++                result = snprintf(cUnixDeviceName, sizeof(cUnixDeviceName), "/dev/%s", dent->d_name);
++                if (result < 0 || result >= sizeof(cUnixDeviceName)) continue;
+                 scsi_addr.PortNumber = (dent->d_name[2] - 'a') / 2;
+                 scsi_addr.PathId = 0;
+                 scsi_addr.TargetId = (dent->d_name[2] - 'a') % 2;
+-- 
+2.13.0
+

patches/Compiler_Warnings/0010-oleaut32-typelib.c-fix-cursor2-having-the-wrong-type.patch

@@ -0,0 +1,37 @@
+From 9d0f651d9cb5c3ae68810e37dd6030373c7aeab6 Mon Sep 17 00:00:00 2001
+From: Nils Kuhnhenn <kuhnhenn.nils@gmail.com>
+Date: Wed, 24 Aug 2016 19:56:00 +0200
+Subject: oleaut32: Use variable with the correct type in LIST_FOR_EACH_ENTRY_SAFE macro.
+
+---
+ dlls/oleaut32/typelib.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/dlls/oleaut32/typelib.c b/dlls/oleaut32/typelib.c
+index b9318fba423..5a6dad496ed 100644
+--- a/dlls/oleaut32/typelib.c
++++ b/dlls/oleaut32/typelib.c
+@@ -4830,10 +4830,9 @@ static ULONG WINAPI ITypeLib2_fnRelease( ITypeLib2 *iface)
+     if (!ref)
+     {
+       TLBImpLib *pImpLib, *pImpLibNext;
+-      TLBRefType *ref_type;
++      TLBRefType *ref_type, *ref_type_next;
+       TLBString *tlbstr, *tlbstr_next;
+       TLBGuid *tlbguid, *tlbguid_next;
+-      void *cursor2;
+       int i;
+ 
+       /* remove cache entry */
+@@ -4883,7 +4882,7 @@ static ULONG WINAPI ITypeLib2_fnRelease( ITypeLib2 *iface)
+           heap_free(pImpLib);
+       }
+ 
+-      LIST_FOR_EACH_ENTRY_SAFE(ref_type, cursor2, &This->ref_list, TLBRefType, entry)
++      LIST_FOR_EACH_ENTRY_SAFE(ref_type, ref_type_next, &This->ref_list, TLBRefType, entry)
+       {
+           list_remove(&ref_type->entry);
+           heap_free(ref_type);
+-- 
+2.13.1
+

patches/Compiler_Warnings/0011-gdiplus-Initialize-containers-list-in-GdipCloneImage.patch

@@ -0,0 +1,24 @@
+From 380543910f8912374a13b9773738e018bd638341 Mon Sep 17 00:00:00 2001
+From: Sebastian Lackner <sebastian@fds-team.de>
+Date: Sun, 11 Jun 2017 02:42:47 +0200
+Subject: gdiplus: Initialize containers list in GdipCloneImage.
+
+---
+ dlls/gdiplus/image.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/dlls/gdiplus/image.c b/dlls/gdiplus/image.c
+index ce2194317ff..b28606e916c 100644
+--- a/dlls/gdiplus/image.c
++++ b/dlls/gdiplus/image.c
+@@ -1339,6 +1339,7 @@ GpStatus WINGDIPAPI GdipCloneImage(GpImage *image, GpImage **cloneImage)
+         result->unit = metafile->unit;
+         result->metafile_type = metafile->metafile_type;
+         result->hemf = CopyEnhMetaFileW(metafile->hemf, NULL);
++        list_init(&result->containers);
+ 
+         if (!result->hemf)
+         {
+-- 
+2.13.1
+

patches/Compiler_Warnings/0018-Appease-the-blessed-version-of-gcc-4.5-when-Werror-i.patch

@@ -1,14 +1,15 @@
-From cd34de81164087b3593d0ec9416e2f157a5df40d Mon Sep 17 00:00:00 2001
+From b6b1e5da04ed867251253410e37d412109a4cec2 Mon Sep 17 00:00:00 2001
 From: "Erich E. Hoover" <erich.e.hoover@gmail.com>
 Date: Fri, 8 Aug 2014 19:33:14 -0600
 Subject: Appease the blessed version of gcc (4.5) when -Werror is enabled.
 
 ---
- dlls/d3d9/tests/visual.c   | 2 +-
- dlls/netapi32/netapi32.c   | 2 +-
- dlls/wined3d/glsl_shader.c | 2 +-
- tools/makedep.c            | 2 +-
- 4 files changed, 4 insertions(+), 4 deletions(-)
+ dlls/d3d9/tests/visual.c     | 2 +-
+ dlls/netapi32/netapi32.c     | 2 +-
+ dlls/winealsa.drv/mmdevdrv.c | 2 +-
+ dlls/wined3d/glsl_shader.c   | 2 +-
+ tools/makedep.c              | 2 +-
+ 5 files changed, 5 insertions(+), 5 deletions(-)
 
 diff --git a/dlls/d3d9/tests/visual.c b/dlls/d3d9/tests/visual.c
 index c8a6a1fa5a8..0261d3708e6 100644
@@ -36,11 +37,24 @@ index 278d4528b01..1c5f110b828 100644
      NET_API_STATUS status;
  
      if (servername && !(server = strdup_unixcp( servername ))) return ERROR_OUTOFMEMORY;
+diff --git a/dlls/winealsa.drv/mmdevdrv.c b/dlls/winealsa.drv/mmdevdrv.c
+index 2ecb111e218..b285705509c 100644
+--- a/dlls/winealsa.drv/mmdevdrv.c
++++ b/dlls/winealsa.drv/mmdevdrv.c
+@@ -359,7 +359,7 @@ static WCHAR *construct_device_id(EDataFlow flow, const WCHAR *chunk1, const cha
+ {
+     WCHAR *ret;
+     const WCHAR *prefix;
+-    DWORD len_wchars = 0, chunk1_len, copied = 0, prefix_len;
++    DWORD len_wchars = 0, chunk1_len = 0, copied = 0, prefix_len;
+ 
+     static const WCHAR dashW[] = {' ','-',' ',0};
+     static const size_t dashW_len = (sizeof(dashW) / sizeof(*dashW)) - 1;
 diff --git a/dlls/wined3d/glsl_shader.c b/dlls/wined3d/glsl_shader.c
-index f96f48d97d1..8fe3318cd78 100644
+index ce960853362..f4275d8dd48 100644
 --- a/dlls/wined3d/glsl_shader.c
 +++ b/dlls/wined3d/glsl_shader.c
-@@ -9721,7 +9721,7 @@ static void set_glsl_shader_program(const struct wined3d_context *context, const
+@@ -9316,7 +9316,7 @@ static void set_glsl_shader_program(const struct wined3d_context *context, const
      GLuint ds_id = 0;
      GLuint gs_id = 0;
      GLuint ps_id = 0;
@@ -50,7 +64,7 @@ index f96f48d97d1..8fe3318cd78 100644
      struct wined3d_string_buffer *tmp_name;
  
 diff --git a/tools/makedep.c b/tools/makedep.c
-index 296356b0a57..5a2873b56f1 100644
+index add722f80a9..24b06bbfcb2 100644
 --- a/tools/makedep.c
 +++ b/tools/makedep.c
 @@ -1608,7 +1608,7 @@ static const char *get_make_variable( const struct makefile *make, const char *n
@@ -63,5 +77,5 @@ index 296356b0a57..5a2873b56f1 100644
      var = get_make_variable( make, name );
      if (!var) return NULL;
 -- 
-2.13.1
+2.12.2
 

patches/Compiler_Warnings/0021-d2d1-Avoid-implicit-cast-of-interface-pointer.patch

@@ -1,18 +1,18 @@
-From 79ff79dba6d5c8008c53e4bcf5e38c3a54271091 Mon Sep 17 00:00:00 2001
+From 929eaf5dcdca040cd82141ad5ddfdcbc6c5f4a03 Mon Sep 17 00:00:00 2001
 From: Sebastian Lackner <sebastian@fds-team.de>
 Date: Tue, 22 Mar 2016 21:54:26 +0100
 Subject: d2d1: Avoid implicit cast of interface pointer.
 
 ---
- dlls/d2d1/brush.c    | 8 ++++----
+ dlls/d2d1/brush.c    | 6 +++---
  dlls/d2d1/geometry.c | 6 +++---
- 2 files changed, 7 insertions(+), 7 deletions(-)
+ 2 files changed, 6 insertions(+), 6 deletions(-)
 
 diff --git a/dlls/d2d1/brush.c b/dlls/d2d1/brush.c
-index 7f4c7bbb763..30d25fec4b4 100644
+index aa92318..19b0993 100644
 --- a/dlls/d2d1/brush.c
 +++ b/dlls/d2d1/brush.c
-@@ -251,7 +251,7 @@ static void d2d_brush_init(struct d2d_brush *brush, ID2D1Factory *factory,
+@@ -181,7 +181,7 @@ static void d2d_brush_init(struct d2d_brush *brush, ID2D1Factory *factory,
  
  static inline struct d2d_brush *impl_from_ID2D1SolidColorBrush(ID2D1SolidColorBrush *iface)
  {
@@ -21,7 +21,7 @@ index 7f4c7bbb763..30d25fec4b4 100644
  }
  
  static HRESULT STDMETHODCALLTYPE d2d_solid_color_brush_QueryInterface(ID2D1SolidColorBrush *iface,
-@@ -394,7 +394,7 @@ HRESULT d2d_solid_color_brush_create(ID2D1Factory *factory, const D2D1_COLOR_F *
+@@ -318,7 +318,7 @@ void d2d_solid_color_brush_init(struct d2d_brush *brush, ID2D1Factory *factory,
  
  static inline struct d2d_brush *impl_from_ID2D1LinearGradientBrush(ID2D1LinearGradientBrush *iface)
  {
@@ -30,16 +30,7 @@ index 7f4c7bbb763..30d25fec4b4 100644
  }
  
  static HRESULT STDMETHODCALLTYPE d2d_linear_gradient_brush_QueryInterface(ID2D1LinearGradientBrush *iface,
-@@ -580,7 +580,7 @@ HRESULT d2d_linear_gradient_brush_create(ID2D1Factory *factory, const D2D1_LINEA
- 
- static inline struct d2d_brush *impl_from_ID2D1RadialGradientBrush(ID2D1RadialGradientBrush *iface)
- {
--    return CONTAINING_RECORD(iface, struct d2d_brush, ID2D1Brush_iface);
-+    return CONTAINING_RECORD((ID2D1Brush *)iface, struct d2d_brush, ID2D1Brush_iface);
- }
- 
- static HRESULT STDMETHODCALLTYPE d2d_radial_gradient_brush_QueryInterface(ID2D1RadialGradientBrush *iface,
-@@ -776,7 +776,7 @@ HRESULT d2d_radial_gradient_brush_create(ID2D1Factory *factory, const D2D1_BRUSH
+@@ -476,7 +476,7 @@ void d2d_linear_gradient_brush_init(struct d2d_brush *brush, ID2D1Factory *facto
  
  static inline struct d2d_brush *impl_from_ID2D1BitmapBrush(ID2D1BitmapBrush *iface)
  {
@@ -49,10 +40,10 @@ index 7f4c7bbb763..30d25fec4b4 100644
  
  static HRESULT STDMETHODCALLTYPE d2d_bitmap_brush_QueryInterface(ID2D1BitmapBrush *iface,
 diff --git a/dlls/d2d1/geometry.c b/dlls/d2d1/geometry.c
-index a9588985642..b8457a9e1ea 100644
+index 9fa1783..125c610 100644
 --- a/dlls/d2d1/geometry.c
 +++ b/dlls/d2d1/geometry.c
-@@ -3024,7 +3024,7 @@ static const struct ID2D1GeometrySinkVtbl d2d_geometry_sink_vtbl =
+@@ -2022,7 +2022,7 @@ static const struct ID2D1GeometrySinkVtbl d2d_geometry_sink_vtbl =
  
  static inline struct d2d_geometry *impl_from_ID2D1PathGeometry(ID2D1PathGeometry *iface)
  {
@@ -61,7 +52,7 @@ index a9588985642..b8457a9e1ea 100644
  }
  
  static HRESULT STDMETHODCALLTYPE d2d_path_geometry_QueryInterface(ID2D1PathGeometry *iface, REFIID iid, void **out)
-@@ -3540,7 +3540,7 @@ void d2d_path_geometry_init(struct d2d_geometry *geometry, ID2D1Factory *factory
+@@ -2283,7 +2283,7 @@ void d2d_path_geometry_init(struct d2d_geometry *geometry, ID2D1Factory *factory
  
  static inline struct d2d_geometry *impl_from_ID2D1RectangleGeometry(ID2D1RectangleGeometry *iface)
  {
@@ -70,7 +61,7 @@ index a9588985642..b8457a9e1ea 100644
  }
  
  static HRESULT STDMETHODCALLTYPE d2d_rectangle_geometry_QueryInterface(ID2D1RectangleGeometry *iface,
-@@ -3876,7 +3876,7 @@ fail:
+@@ -2531,7 +2531,7 @@ HRESULT d2d_rectangle_geometry_init(struct d2d_geometry *geometry, ID2D1Factory
  
  static inline struct d2d_geometry *impl_from_ID2D1TransformedGeometry(ID2D1TransformedGeometry *iface)
  {
@@ -80,5 +71,5 @@ index a9588985642..b8457a9e1ea 100644
  
  static HRESULT STDMETHODCALLTYPE d2d_transformed_geometry_QueryInterface(ID2D1TransformedGeometry *iface,
 -- 
-2.14.1
+2.7.1
 

patches/Compiler_Warnings/0032-wsdapi-Avoid-implicit-cast-of-interface-pointer.patch

@@ -1,25 +0,0 @@
-From 814a4e7a4cad942e284a4828927dd0b67938af33 Mon Sep 17 00:00:00 2001
-From: Sebastian Lackner <sebastian@fds-team.de>
-Date: Sun, 2 Jul 2017 22:32:45 +0200
-Subject: wsdapi: Avoid implicit cast of interface pointer.
-
----
- dlls/wsdapi/msgparams.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/dlls/wsdapi/msgparams.c b/dlls/wsdapi/msgparams.c
-index a7a2f0a73b3..47a77138709 100644
---- a/dlls/wsdapi/msgparams.c
-+++ b/dlls/wsdapi/msgparams.c
-@@ -45,7 +45,7 @@ static inline IWSDMessageParametersImpl *impl_from_IWSDMessageParameters(IWSDMes
- 
- static inline IWSDUdpMessageParametersImpl *impl_from_IWSDUdpMessageParameters(IWSDUdpMessageParameters *iface)
- {
--    return CONTAINING_RECORD(iface, IWSDUdpMessageParametersImpl, base.IWSDMessageParameters_iface);
-+    return CONTAINING_RECORD((IWSDMessageParameters *)iface, IWSDUdpMessageParametersImpl, base.IWSDMessageParameters_iface);
- }
- 
- /* IWSDMessageParameters implementation */
--- 
-2.13.1
-

patches/Compiler_Warnings/0033-evr-Avoid-implicit-cast-of-interface-pointer.patch

@@ -1,25 +0,0 @@
-From b4586e37df817f205c8bebe319b4765dea5c62d5 Mon Sep 17 00:00:00 2001
-From: Sebastian Lackner <sebastian@fds-team.de>
-Date: Sun, 24 Sep 2017 19:21:06 +0200
-Subject: evr: Avoid implicit cast of interface pointer.
-
----
- dlls/evr/evr.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/dlls/evr/evr.c b/dlls/evr/evr.c
-index c2d2933211e..5533f38a649 100644
---- a/dlls/evr/evr.c
-+++ b/dlls/evr/evr.c
-@@ -136,7 +136,7 @@ static const IUnknownVtbl evr_inner_vtbl =
- 
- static inline evr_filter *impl_from_IBaseFilter(IBaseFilter *iface)
- {
--    return CONTAINING_RECORD(iface, evr_filter, filter);
-+    return CONTAINING_RECORD(iface, evr_filter, filter.IBaseFilter_iface);
- }
- 
- static HRESULT WINAPI filter_QueryInterface(IBaseFilter *iface, REFIID riid, void **ppv)
--- 
-2.14.1
-

patches/advapi-LsaLookupPrivilegeName/0003-advapi32-Implement-LsaLookupPrivilegeName.patch

@@ -1,17 +1,31 @@
-From ca415799729a5330fc9def2df8fb9c4ffef80448 Mon Sep 17 00:00:00 2001
+From bee5e0baac722c66ad8c1034a65a2cecfe74716e Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Michael=20M=C3=BCller?= <michael@fds-team.de>
 Date: Sun, 5 Mar 2017 23:50:06 +0100
 Subject: advapi32: Implement LsaLookupPrivilegeName.
 
 ---
+ dlls/advapi32/advapi32.spec   |  2 +-
  dlls/advapi32/advapi32_misc.h |  2 ++
- dlls/advapi32/lsa.c           | 30 ++++++++++++++++++++++++++++--
+ dlls/advapi32/lsa.c           | 38 ++++++++++++++++++++++++++++++++++++++
  dlls/advapi32/security.c      | 27 ++++++++++++++++++---------
  include/ntsecapi.h            |  1 +
- 4 files changed, 49 insertions(+), 11 deletions(-)
+ 5 files changed, 60 insertions(+), 10 deletions(-)
 
+diff --git a/dlls/advapi32/advapi32.spec b/dlls/advapi32/advapi32.spec
+index 078bb8fc25..124f527282 100644
+--- a/dlls/advapi32/advapi32.spec
++++ b/dlls/advapi32/advapi32.spec
+@@ -469,7 +469,7 @@
+ @ stdcall LsaLookupNames(long long ptr ptr ptr)
+ @ stdcall LsaLookupNames2(ptr long long ptr ptr ptr)
+ @ stub LsaLookupPrivilegeDisplayName
+-# @ stub LsaLookupPrivilegeName
++@ stdcall LsaLookupPrivilegeName(long ptr ptr)
+ # @ stub LsaLookupPrivilegeValue
+ @ stdcall LsaLookupSids(ptr long ptr ptr ptr)
+ # @ stub LsaLookupSids2
 diff --git a/dlls/advapi32/advapi32_misc.h b/dlls/advapi32/advapi32_misc.h
-index d116ecb836e..ecb07f635a6 100644
+index d116ecb836..ecb07f635a 100644
 --- a/dlls/advapi32/advapi32_misc.h
 +++ b/dlls/advapi32/advapi32_misc.h
 @@ -68,4 +68,6 @@ static inline WCHAR *strdupAW( const char *src )
@@ -22,20 +36,28 @@ index d116ecb836e..ecb07f635a6 100644
 +
  #endif /* __WINE_ADVAPI32MISC_H */
 diff --git a/dlls/advapi32/lsa.c b/dlls/advapi32/lsa.c
-index 61c91f497eb..e6f88d2fa73 100644
+index 479201bfc1..ceb3b05c05 100644
 --- a/dlls/advapi32/lsa.c
 +++ b/dlls/advapi32/lsa.c
-@@ -983,6 +983,32 @@ NTSTATUS WINAPI LsaLookupPrivilegeName(
-     LUID *luid,
-     UNICODE_STRING **name)
- {
--    FIXME("(%p,%p,%p) stub\n", handle, luid, name);
--    return STATUS_NO_SUCH_PRIVILEGE;
+@@ -973,3 +973,41 @@ NTSTATUS WINAPI LsaUnregisterPolicyChangeNotification(
+     FIXME("(%d,%p) stub\n", class, event);
+     return STATUS_SUCCESS;
+ }
++
++/******************************************************************************
++ * LsaLookupPrivilegeName [ADVAPI32.@]
++ *
++ */
++NTSTATUS WINAPI LsaLookupPrivilegeName(
++    LSA_HANDLE handle,
++    PLUID lpLuid,
++    PUNICODE_STRING *name)
++{
 +    UNICODE_STRING *priv_unicode;
 +    size_t priv_size;
 +    WCHAR *strW;
 +
-+    TRACE("(%p, %p, %p)\n", handle, luid, name);
++    TRACE("(%p, %p, %p)\n", handle, lpLuid, name);
 +
 +    if (!handle)
 +        return STATUS_INVALID_HANDLE;
@@ -43,25 +65,24 @@ index 61c91f497eb..e6f88d2fa73 100644
 +    if (!name)
 +        return STATUS_INVALID_PARAMETER;
 +
-+    if (luid->HighPart ||
-+        (luid->LowPart < SE_MIN_WELL_KNOWN_PRIVILEGE ||
-+         luid->LowPart > SE_MAX_WELL_KNOWN_PRIVILEGE ||
-+         !WellKnownPrivNames[luid->LowPart]))
++    if (lpLuid->HighPart ||
++        (lpLuid->LowPart < SE_MIN_WELL_KNOWN_PRIVILEGE ||
++         lpLuid->LowPart > SE_MAX_WELL_KNOWN_PRIVILEGE))
 +        return STATUS_NO_SUCH_PRIVILEGE;
 +
-+    priv_size = (strlenW(WellKnownPrivNames[luid->LowPart]) + 1) * sizeof(WCHAR);
++    priv_size = (strlenW(WellKnownPrivNames[lpLuid->LowPart]) + 1) * sizeof(WCHAR);
 +    priv_unicode = heap_alloc(sizeof(*priv_unicode) + priv_size);
 +    if (!priv_unicode) return STATUS_NO_MEMORY;
 +
 +    strW = (WCHAR *)(priv_unicode + 1);
-+    strcpyW(strW, WellKnownPrivNames[luid->LowPart]);
++    strcpyW(strW, WellKnownPrivNames[lpLuid->LowPart]);
 +    RtlInitUnicodeString(priv_unicode, strW);
 +
 +    *name = priv_unicode;
 +    return STATUS_SUCCESS;
- }
++}
 diff --git a/dlls/advapi32/security.c b/dlls/advapi32/security.c
-index e36792cff4b..3bc8f48b19c 100644
+index e36792cff4..3bc8f48b19 100644
 --- a/dlls/advapi32/security.c
 +++ b/dlls/advapi32/security.c
 @@ -1840,7 +1840,7 @@ static const WCHAR SE_IMPERSONATE_NAME_W[] =
@@ -125,7 +146,7 @@ index e36792cff4b..3bc8f48b19c 100644
      }
  }
 diff --git a/include/ntsecapi.h b/include/ntsecapi.h
-index 2bb3d312e43..0bf0eca43ed 100644
+index 2bb3d312e4..0bf0eca43e 100644
 --- a/include/ntsecapi.h
 +++ b/include/ntsecapi.h
 @@ -370,6 +370,7 @@ NTSTATUS WINAPI LsaLookupNames(LSA_HANDLE,ULONG,PLSA_UNICODE_STRING,PLSA_REFEREN
@@ -137,5 +158,5 @@ index 2bb3d312e43..0bf0eca43ed 100644
  ULONG WINAPI LsaNtStatusToWinError(NTSTATUS);
  NTSTATUS WINAPI LsaOpenPolicy(PLSA_UNICODE_STRING,PLSA_OBJECT_ATTRIBUTES,ACCESS_MASK,PLSA_HANDLE);
 -- 
-2.14.1
+2.11.0
 

patches/advapi-LsaLookupPrivilegeName/definition

@@ -1 +1 @@
-Fixes: [43316] Add LsaLookupPrivilege[Display]Name stubs
+Fixes: Add LsaLookupPrivilege[Display]Name stubs

patches/advapi32-BuildSecurityDescriptor/0002-advapi32-tests-Add-basic-tests-for-BuildSecurityDesc.patch

@@ -1,4 +1,4 @@
-From 09d62cfc4fa999eacc89af2ad414810e22c910a9 Mon Sep 17 00:00:00 2001
+From 63082c3863d8be466ed14f532653ddf35e40328a Mon Sep 17 00:00:00 2001
 From: Sebastian Lackner <sebastian@fds-team.de>
 Date: Fri, 5 May 2017 00:18:50 +0200
 Subject: advapi32/tests: Add basic tests for BuildSecurityDescriptor.
@@ -8,11 +8,11 @@ Subject: advapi32/tests: Add basic tests for BuildSecurityDescriptor.
  1 file changed, 39 insertions(+)
 
 diff --git a/dlls/advapi32/tests/security.c b/dlls/advapi32/tests/security.c
-index ca5edffae5..db5a0f934c 100644
+index d6ea3a19fad..c591f7b6e5f 100644
 --- a/dlls/advapi32/tests/security.c
 +++ b/dlls/advapi32/tests/security.c
-@@ -7217,6 +7217,44 @@ static void test_GetExplicitEntriesFromAclW(void)
-     HeapFree(GetProcessHeap(), 0, old_acl);
+@@ -7489,6 +7489,44 @@ static void test_child_token_sd(void)
+     HeapFree(GetProcessHeap(), 0, sd);
  }
  
 +static void test_BuildSecurityDescriptorW(void)
@@ -56,14 +56,14 @@ index ca5edffae5..db5a0f934c 100644
  START_TEST(security)
  {
      init();
-@@ -7271,6 +7309,7 @@ START_TEST(security)
+@@ -7542,6 +7580,7 @@ START_TEST(security)
+     test_pseudo_tokens();
      test_maximum_allowed();
-     test_token_label();
      test_GetExplicitEntriesFromAclW();
 +    test_BuildSecurityDescriptorW();
  
-     /* Must be the last test, modifies process token */
+     /* must be the last test, modifies process token */
      test_token_security_descriptor();
 -- 
-2.13.1
+2.12.2
 

patches/advapi32-BuildSecurityDescriptor/definition

@@ -1,2 +1,2 @@
 Fixes: Initial implementation of advapi32.BuildSecurityDescriptorW
-Depends: advapi32-GetExplicitEntriesFromAclW
+Depends: server-LABEL_SECURITY_INFORMATION

patches/advapi32-CreateRestrictedToken/0001-ntdll-Implement-NtFilterToken.patch

@@ -1,315 +0,0 @@
-From 3f314cc8251f62f592013abe7b1c3b977de0699a Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Michael=20M=C3=BCller?= <michael@fds-team.de>
-Date: Fri, 4 Aug 2017 02:33:14 +0200
-Subject: ntdll: Implement NtFilterToken.
-
----
- dlls/ntdll/nt.c       | 59 ++++++++++++++++++++++++++++++++++++
- dlls/ntdll/ntdll.spec |  2 +-
- include/winnt.h       |  5 +++
- include/winternl.h    |  1 +
- server/process.c      |  2 +-
- server/protocol.def   | 10 ++++++
- server/security.h     |  4 ++-
- server/token.c        | 84 +++++++++++++++++++++++++++++++++++++++++++++++++--
- 8 files changed, 162 insertions(+), 5 deletions(-)
-
-diff --git a/dlls/ntdll/nt.c b/dlls/ntdll/nt.c
-index 93554e929be..5822dec9b15 100644
---- a/dlls/ntdll/nt.c
-+++ b/dlls/ntdll/nt.c
-@@ -136,6 +136,65 @@ NTSTATUS WINAPI NtDuplicateToken(
- }
- 
- /******************************************************************************
-+ *  NtFilterToken        [NTDLL.@]
-+ *  ZwFilterToken        [NTDLL.@]
-+ */
-+NTSTATUS WINAPI NtFilterToken( HANDLE token, ULONG flags, TOKEN_GROUPS *disable_sids,
-+                               TOKEN_PRIVILEGES *privileges, TOKEN_GROUPS *restrict_sids,
-+                               HANDLE *new_token )
-+{
-+    data_size_t privileges_len = 0;
-+    data_size_t sids_len = 0;
-+    SID *sids = NULL;
-+    NTSTATUS status;
-+
-+    TRACE( "(%p, 0x%08x, %p, %p, %p, %p)\n", token, flags, disable_sids, privileges,
-+           restrict_sids, new_token );
-+
-+    if (flags)
-+        FIXME( "flags %x unsupported\n", flags );
-+
-+    if (restrict_sids)
-+        FIXME( "support for restricting sids not yet implemented\n" );
-+
-+    if (privileges)
-+        privileges_len = privileges->PrivilegeCount * sizeof(LUID_AND_ATTRIBUTES);
-+
-+    if (disable_sids)
-+    {
-+        DWORD len, i;
-+        BYTE *tmp;
-+
-+        for (i = 0; i < disable_sids->GroupCount; i++)
-+            sids_len += RtlLengthSid( disable_sids->Groups[i].Sid );
-+
-+        sids = RtlAllocateHeap( GetProcessHeap(), 0, sids_len );
-+        if (!sids) return STATUS_NO_MEMORY;
-+
-+        for (i = 0, tmp = (BYTE *)sids; i < disable_sids->GroupCount; i++, tmp += len)
-+        {
-+            len = RtlLengthSid( disable_sids->Groups[i].Sid );
-+            memcpy( tmp, disable_sids->Groups[i].Sid, len );
-+        }
-+    }
-+
-+    SERVER_START_REQ( filter_token )
-+    {
-+        req->handle          = wine_server_obj_handle( token );
-+        req->flags           = flags;
-+        req->privileges_size = privileges_len;
-+        wine_server_add_data( req, privileges->Privileges, privileges_len );
-+        wine_server_add_data( req, sids, sids_len );
-+        status = wine_server_call( req );
-+        if (!status) *new_token = wine_server_ptr_handle( reply->new_handle );
-+    }
-+    SERVER_END_REQ;
-+
-+    RtlFreeHeap( GetProcessHeap(), 0, sids );
-+    return status;
-+}
-+
-+/******************************************************************************
-  *  NtOpenProcessToken		[NTDLL.@]
-  *  ZwOpenProcessToken		[NTDLL.@]
-  */
-diff --git a/dlls/ntdll/ntdll.spec b/dlls/ntdll/ntdll.spec
-index 4f7ee496437..275fda57970 100644
---- a/dlls/ntdll/ntdll.spec
-+++ b/dlls/ntdll/ntdll.spec
-@@ -179,7 +179,7 @@
- # @ stub NtEnumerateSystemEnvironmentValuesEx
- @ stdcall NtEnumerateValueKey(long long long ptr long ptr)
- @ stub NtExtendSection
--# @ stub NtFilterToken
-+@ stdcall NtFilterToken(long long ptr ptr ptr ptr)
- @ stdcall NtFindAtom(ptr long ptr)
- @ stdcall NtFlushBuffersFile(long ptr)
- @ stdcall NtFlushInstructionCache(long ptr long)
-diff --git a/include/winnt.h b/include/winnt.h
-index f91f81eb559..891c9b6d4bb 100644
---- a/include/winnt.h
-+++ b/include/winnt.h
-@@ -3844,6 +3844,11 @@ typedef enum _TOKEN_INFORMATION_CLASS {
- 					TOKEN_ADJUST_SESSIONID | \
- 					TOKEN_ADJUST_DEFAULT )
- 
-+#define DISABLE_MAX_PRIVILEGE 0x1
-+#define SANDBOX_INERT         0x2
-+#define LUA_TOKEN             0x4
-+#define WRITE_RESTRICTED      0x8
-+
- #ifndef _SECURITY_DEFINED
- #define _SECURITY_DEFINED
- 
-diff --git a/include/winternl.h b/include/winternl.h
-index 140669b0105..899e8324d67 100644
---- a/include/winternl.h
-+++ b/include/winternl.h
-@@ -2348,6 +2348,7 @@ NTSYSAPI NTSTATUS  WINAPI NtDuplicateToken(HANDLE,ACCESS_MASK,POBJECT_ATTRIBUTES
- NTSYSAPI NTSTATUS  WINAPI NtEnumerateKey(HANDLE,ULONG,KEY_INFORMATION_CLASS,void *,DWORD,DWORD *);
- NTSYSAPI NTSTATUS  WINAPI NtEnumerateValueKey(HANDLE,ULONG,KEY_VALUE_INFORMATION_CLASS,PVOID,ULONG,PULONG);
- NTSYSAPI NTSTATUS  WINAPI NtExtendSection(HANDLE,PLARGE_INTEGER);
-+NTSYSAPI NTSTATUS  WINAPI NtFilterToken(HANDLE,ULONG,TOKEN_GROUPS*,TOKEN_PRIVILEGES*,TOKEN_GROUPS*,HANDLE*);
- NTSYSAPI NTSTATUS  WINAPI NtFindAtom(const WCHAR*,ULONG,RTL_ATOM*);
- NTSYSAPI NTSTATUS  WINAPI NtFlushBuffersFile(HANDLE,IO_STATUS_BLOCK*);
- NTSYSAPI NTSTATUS  WINAPI NtFlushInstructionCache(HANDLE,LPCVOID,SIZE_T);
-diff --git a/server/process.c b/server/process.c
-index cbe726afe81..f0f60edcd3f 100644
---- a/server/process.c
-+++ b/server/process.c
-@@ -571,7 +571,7 @@ struct thread *create_process( int fd, struct thread *parent_thread, int inherit
-                                        : alloc_handle_table( process, 0 );
-         /* Note: for security reasons, starting a new process does not attempt
-          * to use the current impersonation token for the new process */
--        process->token = token_duplicate( parent->token, TRUE, 0, NULL );
-+        process->token = token_duplicate( parent->token, TRUE, 0, NULL, NULL, 0, NULL, 0 );
-         process->affinity = parent->affinity;
-     }
-     if (!process->handles || !process->token) goto error;
-diff --git a/server/protocol.def b/server/protocol.def
-index fc6e343af52..b3dce66eb9c 100644
---- a/server/protocol.def
-+++ b/server/protocol.def
-@@ -3391,6 +3391,16 @@ enum caret_state
-     obj_handle_t  new_handle; /* duplicated handle */
- @END
- 
-+@REQ(filter_token)
-+    obj_handle_t  handle;          /* handle to the token to duplicate */
-+    unsigned int  flags;           /* flags */
-+    data_size_t   privileges_size; /* size of privileges */
-+    VARARG(privileges,LUID_AND_ATTRIBUTES,privileges_size); /* privileges to remove from new token */
-+    VARARG(disable_sids,SID);      /* array of groups to remove from new token */
-+@REPLY
-+    obj_handle_t  new_handle;      /* filtered handle */
-+@END
-+
- @REQ(access_check)
-     obj_handle_t    handle; /* handle to the token */
-     unsigned int    desired_access; /* desired access to the object */
-diff --git a/server/security.h b/server/security.h
-index 606dbb2ab2c..6c337143c3d 100644
---- a/server/security.h
-+++ b/server/security.h
-@@ -56,7 +56,9 @@ extern const PSID security_high_label_sid;
- extern struct token *token_create_admin(void);
- extern int token_assign_label( struct token *token, PSID label );
- extern struct token *token_duplicate( struct token *src_token, unsigned primary,
--                                      int impersonation_level, const struct security_descriptor *sd );
-+                                      int impersonation_level, const struct security_descriptor *sd,
-+                                      const LUID_AND_ATTRIBUTES *filter_privileges, unsigned int priv_count,
-+                                      const SID *filter_groups, unsigned int group_count );
- extern int token_check_privileges( struct token *token, int all_required,
-                                    const LUID_AND_ATTRIBUTES *reqprivs,
-                                    unsigned int count, LUID_AND_ATTRIBUTES *usedprivs);
-diff --git a/server/token.c b/server/token.c
-index 74db66e1e24..acd7a4dedb5 100644
---- a/server/token.c
-+++ b/server/token.c
-@@ -299,6 +299,19 @@ static int acl_is_valid( const ACL *acl, data_size_t size )
-     return TRUE;
- }
- 
-+static unsigned int get_sid_count( const SID *sid, data_size_t size )
-+{
-+    unsigned int count;
-+
-+    for (count = 0; size >= sizeof(SID) && security_sid_len( sid ) <= size; count++)
-+    {
-+        size -= security_sid_len( sid );
-+        sid = (const SID *)((char *)sid + security_sid_len( sid ));
-+    }
-+
-+    return count;
-+}
-+
- /* checks whether all members of a security descriptor fit inside the size
-  * of memory specified */
- int sd_is_valid( const struct security_descriptor *sd, data_size_t size )
-@@ -639,8 +652,36 @@ static struct token *create_token( unsigned primary, const SID *user,
-     return token;
- }
- 
-+static int filter_group( struct group *group, const SID *filter, unsigned int count )
-+{
-+    unsigned int i;
-+
-+    for (i = 0; i < count; i++)
-+    {
-+        if (security_equal_sid( &group->sid, filter )) return 1;
-+        filter = (const SID *)((char *)filter + security_sid_len( filter ));
-+    }
-+
-+    return 0;
-+}
-+
-+static int filter_privilege( struct privilege *privilege, const LUID_AND_ATTRIBUTES *filter, unsigned int count )
-+{
-+    unsigned int i;
-+
-+    for (i = 0; i < count; i++)
-+    {
-+        if (!memcmp( &privilege->luid, &filter[i].Luid, sizeof(LUID) ))
-+            return 1;
-+    }
-+
-+    return 0;
-+}
-+
- struct token *token_duplicate( struct token *src_token, unsigned primary,
--                               int impersonation_level, const struct security_descriptor *sd )
-+                               int impersonation_level, const struct security_descriptor *sd,
-+                               const LUID_AND_ATTRIBUTES *filter_privileges, unsigned int priv_count,
-+                               const SID *filter_groups, unsigned int group_count)
- {
-     const luid_t *modified_id =
-         primary || (impersonation_level == src_token->impersonation_level) ?
-@@ -676,6 +717,12 @@ struct token *token_duplicate( struct token *src_token, unsigned primary,
-             return NULL;
-         }
-         memcpy( newgroup, group, size );
-+        if (filter_group( group, filter_groups, group_count ))
-+        {
-+            newgroup->enabled = 0;
-+            newgroup->def = 0;
-+            newgroup->deny_only = 1;
-+        }
-         list_add_tail( &token->groups, &newgroup->entry );
-         if (src_token->primary_group == &group->sid)
-             token->primary_group = &newgroup->sid;
-@@ -684,11 +731,14 @@ struct token *token_duplicate( struct token *src_token, unsigned primary,
- 
-     /* copy privileges */
-     LIST_FOR_EACH_ENTRY( privilege, &src_token->privileges, struct privilege, entry )
-+    {
-+        if (filter_privilege( privilege, filter_privileges, priv_count )) continue;
-         if (!privilege_add( token, &privilege->luid, privilege->enabled ))
-         {
-             release_object( token );
-             return NULL;
-         }
-+    }
- 
-     if (sd) default_set_sd( &token->obj, sd, OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION |
-                             DACL_SECURITY_INFORMATION | SACL_SECURITY_INFORMATION );
-@@ -1322,7 +1372,7 @@ DECL_HANDLER(duplicate_token)
-                                                      TOKEN_DUPLICATE,
-                                                      &token_ops )))
-     {
--        struct token *token = token_duplicate( src_token, req->primary, req->impersonation_level, sd );
-+        struct token *token = token_duplicate( src_token, req->primary, req->impersonation_level, sd, NULL, 0, NULL, 0 );
-         if (token)
-         {
-             reply->new_handle = alloc_handle_no_access_check( current->process, token, req->access, objattr->attributes );
-@@ -1332,6 +1382,36 @@ DECL_HANDLER(duplicate_token)
-     }
- }
- 
-+/* creates a restricted version of a token */
-+DECL_HANDLER(filter_token)
-+{
-+    struct token *src_token;
-+
-+    if ((src_token = (struct token *)get_handle_obj( current->process, req->handle,
-+                                                     TOKEN_DUPLICATE,
-+                                                     &token_ops )))
-+    {
-+        const LUID_AND_ATTRIBUTES *filter_privileges = get_req_data();
-+        unsigned int priv_count, group_count;
-+        const SID *filter_groups;
-+        struct token *token;
-+
-+        priv_count = min( req->privileges_size, get_req_data_size() ) / sizeof(LUID_AND_ATTRIBUTES);
-+        filter_groups = (const SID *)((char *)filter_privileges + priv_count * sizeof(LUID_AND_ATTRIBUTES));
-+        group_count = get_sid_count( filter_groups, get_req_data_size() - priv_count * sizeof(LUID_AND_ATTRIBUTES) );
-+
-+        token = token_duplicate( src_token, src_token->primary, src_token->impersonation_level, NULL,
-+                                 filter_privileges, priv_count, filter_groups, group_count );
-+        if (token)
-+        {
-+            unsigned int access = get_handle_access( current->process, req->handle );
-+            reply->new_handle = alloc_handle_no_access_check( current->process, token, access, 0 );
-+            release_object( token );
-+        }
-+        release_object( src_token );
-+    }
-+}
-+
- /* checks the specified privileges are held by the token */
- DECL_HANDLER(check_token_privileges)
- {
--- 
-2.13.1
-