rpcrt4: Fix ARM64 stack corruption in call_server_func.

calls with stack_size > 16 pop argument values into x3, overwriting
the number of 16-byte stack octwords. This breaks the checks for popping
x4..x7 and potentially unbalances sp (based on the vaue of args[16..23]).

Use a scratch register (x9) for this count so its lifetime does not
conflict with preparing the parameter/result registers.

Signed-off-by: Kevin Puetz <PuetzKevinA@JohnDeere.com>
Signed-off-by: Alexandre Julliard <julliard@winehq.org>

dlls/rpcrt4/ndr_stubless.c

@@ -1180,24 +1180,24 @@ LONG_PTR __cdecl call_server_func(SERVER_ROUTINE func, unsigned char *args, unsi
 __ASM_GLOBAL_FUNC( call_server_func,
                    "stp x29, x30, [sp, #-16]!\n\t"
                    "mov x29, sp\n\t"
-                   "add x3, x2, #15\n\t"
+                   "add x9, x2, #15\n\t"
-                   "lsr x3, x3, #4\n\t"
+                   "lsr x9, x9, #4\n\t"
-                   "sub sp, sp, x3, lsl #4\n\t"
+                   "sub sp, sp, x9, lsl #4\n\t"
                    "cbz x2, 2f\n"
                    "1:\tsub x2, x2, #8\n\t"
                    "ldr x4, [x1, x2]\n\t"
                    "str x4, [sp, x2]\n\t"
                    "cbnz x2, 1b\n"
                    "2:\tmov x8, x0\n\t"
-                   "cbz x3, 3f\n\t"
+                   "cbz x9, 3f\n\t"
                    "ldp x0, x1, [sp], #16\n\t"
-                   "cmp x3, #1\n\t"
+                   "cmp x9, #1\n\t"
                    "b.le 3f\n\t"
                    "ldp x2, x3, [sp], #16\n\t"
-                   "cmp x3, #2\n\t"
+                   "cmp x9, #2\n\t"
                    "b.le 3f\n\t"
                    "ldp x4, x5, [sp], #16\n\t"
-                   "cmp x3, #3\n\t"
+                   "cmp x9, #3\n\t"
                    "b.le 3f\n\t"
                    "ldp x6, x7, [sp], #16\n"
                    "3:\tblr x8\n\t"