libxv: Changes to 'debian-wheezy'
New branch 'debian-wheezy' available with the following commits:
commit 772a7a1c4dc28505a60608a35bc54f0ada676dc2
Author: Julien Cristau <jcristau@debian.org>
Date: Tue May 14 23:11:35 2013 +0200
Upload to wheezy-security
commit e2a6d8ff910ac012dc7cd3b6456ec3ad658f6a1e
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat Apr 13 00:03:03 2013 -0700
integer overflow in XvCreateImage() [CVE-2013-1989 3/3]
num_planes is a CARD32 and needs to be bounds checked before bit shifting
and adding to sizeof(XvImage) to come up with the total size to allocate,
to avoid integer overflow leading to underallocation and writing data from
the network past the end of the allocated buffer.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
commit e02fba7ae99169326a48461785be9e534c9deea3
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat Apr 13 00:03:03 2013 -0700
integer overflow in XvListImageFormats() [CVE-2013-1989 2/3]
num_formats is a CARD32 and needs to be bounds checked before multiplying
by sizeof(XvImageFormatValues) to come up with the total size to allocate,
to avoid integer overflow leading to underallocation and writing data from
the network past the end of the allocated buffer.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
commit 3219a1eee1342ac34ea6363abc31499cd47cce3f
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat Apr 13 00:16:14 2013 -0700
buffer overflow in XvQueryPortAttributes() [CVE-2013-2066]
Each attribute returned in the reply includes the number of bytes
to read for its marker. We had been always trusting it, and never
validating that it wouldn't cause us to write past the end of the
buffer we allocated based on the reported text_size.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
commit 6458d0928a359d48fde4f3ef011c6fbfc7925ab7
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat Apr 13 00:03:03 2013 -0700
integer overflow in XvQueryPortAttributes() [CVE-2013-1989 1/3]
The num_attributes & text_size members of the reply are both CARD32s
and need to be bounds checked before multiplying & adding them together
to come up with the total size to allocate, to avoid integer overflow
leading to underallocation and writing data from the network past the
end of the allocated buffer.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
commit a658f6de385c910764dd778b240d44f0c4225c6d
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat Apr 13 00:28:34 2013 -0700
Use _XEatDataWords to avoid overflow of rep.length shifting
rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
Reply to: