libxvmc: Changes to 'debian-wheezy'
New branch 'debian-wheezy' available with the following commits:
commit d0d9659ca22e2520dd959df69a5faf717006d7ff
Author: Julien Cristau <jcristau@debian.org>
Date: Tue May 14 21:58:50 2013 +0200
Upload to wheezy-security
commit 5f7118b9c5263a82b06d6dd54b70c440d9a75789
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat Apr 13 01:20:08 2013 -0700
Multiple unvalidated assumptions in XvMCGetDRInfo() [CVE-2013-1999]
The individual string sizes is assumed to not be more than the amount of
data read from the network, and could cause buffer overflow if they are.
The strings returned from the X server are assumed to be null terminated,
and could cause callers to read past the end of the buffer if they are not.
Also be sure to set the returned pointers to NULL, so callers don't try
accessing bad pointers on failure cases.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
commit b3ebaa6e6c0e20774c8ed9f393a1c1269708ca96
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat Apr 13 00:50:02 2013 -0700
integer overflow in _xvmc_create_*()
rep.length is a CARD32 and should be bounds checked before left-shifting
by 2 bits to come up with the total size to allocate, though in these
cases, no buffer overflow should occur here, since the XRead call is passed
the same rep.length << 2 length argument, but the *priv_count returned to
the caller could be interpreted or used to calculate a larger buffer size
than was actually allocated, leading them to go out of bounds.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
commit 78bf6afb1fb192b3a51dec31d213b27238a55bec
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat Apr 13 00:50:02 2013 -0700
integer overflow in XvMCListSubpictureTypes() [CVE-2013-1990 2/2]
rep.num is a CARD32 and needs to be bounds checked before multiplying by
sizeof(XvImageFormatValues) to come up with the total size to allocate,
to avoid integer overflow leading to underallocation and writing data from
the network past the end of the allocated buffer.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
commit ccbd10619d293d022c1fe731fbd904236ef127e2
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat Apr 13 00:50:02 2013 -0700
integer overflow in XvMCListSurfaceTypes() [CVE-2013-1990 1/2]
rep.num is a CARD32 and needs to be bounds checked before multiplying
by sizeof(XvMCSurfaceInfo) to come up with the total size to allocate,
to avoid integer overflow leading to underallocation and writing data from
the network past the end of the allocated buffer.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
commit eebc781613ce9c0ad7b6cd9d0d94432a4bfc7ee9
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat Apr 13 00:47:57 2013 -0700
Use _XEatDataWords to avoid overflow of rep.length shifting
rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
Reply to: