libxv: Changes to 'debian-jessie'
New branch 'debian-jessie' available with the following commits:
commit e168a1f090cde69fe93d378abc5cebd9412c49d8
Author: Julien Cristau <jcristau@debian.org>
Date: Sat Jan 7 16:38:57 2017 +0100
Upload to jessie
commit ef38afdfe0cfc499596301667654f38881c16dd4
Author: Tobias Stoeckmann <tobias@stoeckmann.org>
Date: Sun Sep 25 21:30:03 2016 +0200
Protocol handling issues in libXv - CVE-2016-5407
The Xv query functions for adaptors and encodings suffer from out of
boundary accesses if a hostile X server sends a maliciously crafted
response.
A previous fix already checks the received length against fixed values
but ignores additional length specifications which are stored inside
the received data.
These lengths are accessed in a for-loop. The easiest way to guarantee
a correct processing is by validating all lengths against the
remaining size left before accessing referenced memory.
This makes the previously applied check obsolete, therefore I removed
it.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
(cherry picked from commit d9da580b46a28ab497de2e94fdc7b9ff953dab17)
Reply to: