authorNatanael Copa <ncopa@alpinelinux.org>2013-05-24 09:28:38 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2013-05-27 14:06:58 +0000
commit4b84d993c5872e6577785940b18f56b9b44b8c1a (patch)
treedc406685a689bba4e1f40d428119b22b85478a99
parent5085262d55a50ebb9f793b40d891cb5727f3ad43 (diff)
ref #1931 fixes #1975 (cherry picked from commit a04d1c8ff925273f3caf3a46393cf73ac2b96ab5) (cherry picked from commit 116a8d9ca2f4a57fd5c27dc32f9d393d7ed3b48e) Conflicts: main/libxv/APKBUILD
-rw-r--r--main/libxv/0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch93
-rw-r--r--main/libxv/0002-integer-overflow-in-XvQueryPortAttributes-CVE-2013-1.patch43
-rw-r--r--main/libxv/0003-buffer-overflow-in-XvQueryPortAttributes-CVE-2013-20.patch47
-rw-r--r--main/libxv/0004-integer-overflow-in-XvListImageFormats-CVE-2013-1989.patch37
-rw-r--r--main/libxv/0005-integer-overflow-in-XvCreateImage-CVE-2013-1989-3-3.patch35
-rw-r--r--main/libxv/APKBUILD36
6 files changed, 284 insertions, 7 deletions
diff --git a/main/libxv/0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch b/main/libxv/0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch
new file mode 100644
index 0000000000..0e33952a60
--- /dev/null
+++ b/main/libxv/0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch
@@ -0,0 +1,93 @@
+From 79362c764a6df7e7fbe5247756bdbf60f3a58baf Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 13 Apr 2013 00:28:34 -0700
+Subject: [PATCH 1/5] Use _XEatDataWords to avoid overflow of rep.length
+ shifting
+
+rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ configure.ac | 6 ++++++
+ src/Xv.c | 22 +++++++++++++++++++---
+ 2 files changed, 25 insertions(+), 3 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 5494b5d..6a335db 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -43,6 +43,12 @@ XORG_CHECK_MALLOC_ZERO
+ # Obtain compiler/linker options for depedencies
+ PKG_CHECK_MODULES(XV, x11 xext xextproto videoproto)
+
++# Check for _XEatDataWords function that may be patched into older Xlib release
++SAVE_LIBS="$LIBS"
++LIBS="$XV_LIBS"
++AC_CHECK_FUNCS([_XEatDataWords])
++LIBS="$SAVE_LIBS"
++
+ # Allow checking code with lint, sparse, etc.
+ XORG_WITH_LINT
+ XORG_LINT_LIBRARY([Xv])
+diff --git a/src/Xv.c b/src/Xv.c
+index b081e8a..5be1d95 100644
+--- a/src/Xv.c
++++ b/src/Xv.c
+@@ -49,11 +49,27 @@ SOFTWARE.
+ **
+ */
+
++#ifdef HAVE_CONFIG_H
++# include "config.h"
++#endif
++
+ #include <stdio.h>
+ #include "Xvlibint.h"
+ #include <X11/extensions/Xext.h>
+ #include <X11/extensions/extutil.h>
+ #include <X11/extensions/XShm.h>
++#include <limits.h>
++
++#ifndef HAVE__XEATDATAWORDS
++static inline void _XEatDataWords(Display *dpy, unsigned long n)
++{
++# ifndef LONG64
++ if (n >= (ULONG_MAX >> 2))
++ _XIOError(dpy);
++# endif
++ _XEatData (dpy, n << 2);
++}
++#endif
+
+ static XExtensionInfo _xv_info_data;
+ static XExtensionInfo *xv_info = &_xv_info_data;
+@@ -853,7 +869,7 @@ XvQueryPortAttributes(Display *dpy, XvPortID port, int *num)
+ (*num)++;
+ }
+ } else
+- _XEatData(dpy, rep.length << 2);
++ _XEatDataWords(dpy, rep.length);
+ }
+
+ UnlockDisplay(dpy);
+@@ -923,7 +939,7 @@ XvImageFormatValues * XvListImageFormats (
+ (*num)++;
+ }
+ } else
+- _XEatData(dpy, rep.length << 2);
++ _XEatDataWords(dpy, rep.length);
+ }
+
+ UnlockDisplay(dpy);
+@@ -976,7 +992,7 @@ XvImage * XvCreateImage (
+ _XRead(dpy, (char*)(ret->pitches), rep.num_planes << 2);
+ _XRead(dpy, (char*)(ret->offsets), rep.num_planes << 2);
+ } else
+- _XEatData(dpy, rep.length << 2);
++ _XEatDataWords(dpy, rep.length);
+
+ UnlockDisplay(dpy);
+ SyncHandle();
+--
+1.8.2.3
+
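Review bot: The fallback `_XEatDataWords` is only safe if `_XIOError()` never returns, because otherwise control falls through to `_XEatData (dpy, n << 2)` with the wrapped value; nothing in this hunk shows that guarantee. Making the early exit explicit removes the dependency: `if (n >= (ULONG_MAX >> 2)) { _XIOError(dpy); return; }`. If the non-returning behaviour is intended to be relied on, a comment such as `/* _XIOError() does not return; the shift below is reached only when n << 2 cannot wrap */` would record it. It is also worth confirming that `config.h` is regenerated in the package build, since `HAVE__XEATDATAWORDS` selects between this fallback and the Xlib symbol.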
diff --git a/main/libxv/0002-integer-overflow-in-XvQueryPortAttributes-CVE-2013-1.patch b/main/libxv/0002-integer-overflow-in-XvQueryPortAttributes-CVE-2013-1.patch
new file mode 100644
index 0000000000..707f99b02b
--- /dev/null
+++ b/main/libxv/0002-integer-overflow-in-XvQueryPortAttributes-CVE-2013-1.patch
@@ -0,0 +1,43 @@
+From 6e1b743a276651195be3cd68dff41e38426bf3ab Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 13 Apr 2013 00:03:03 -0700
+Subject: [PATCH 2/5] integer overflow in XvQueryPortAttributes()
+ [CVE-2013-1989 1/3]
+
+The num_attributes & text_size members of the reply are both CARD32s
+and need to be bounds checked before multiplying & adding them together
+to come up with the total size to allocate, to avoid integer overflow
+leading to underallocation and writing data from the network past the
+end of the allocated buffer.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/Xv.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/src/Xv.c b/src/Xv.c
+index 5be1d95..3cbad35 100644
+--- a/src/Xv.c
++++ b/src/Xv.c
+@@ -851,9 +851,15 @@ XvQueryPortAttributes(Display *dpy, XvPortID port, int *num)
+ }
+
+ if(rep.num_attributes) {
+- int size = (rep.num_attributes * sizeof(XvAttribute)) + rep.text_size;
++ unsigned long size;
++ /* limit each part to no more than one half the max size */
++ if ((rep.num_attributes < ((INT_MAX / 2) / sizeof(XvAttribute))) &&
++ (rep.text_size < (INT_MAX / 2))) {
++ size = (rep.num_attributes * sizeof(XvAttribute)) + rep.text_size;
++ ret = Xmalloc(size);
++ }
+
+- if((ret = Xmalloc(size))) {
++ if (ret != NULL) {
+ char* marker = (char*)(&ret[rep.num_attributes]);
+ xvAttributeInfo Info;
+ int i;
+--
+1.8.2.3
+
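Review bot: `ret` is now assigned only when the bounds test passes, so the following `if (ret != NULL)` is correct only if `ret` was initialised to NULL at its declaration, which lies outside this hunk. The same conditional-allocation pattern is used in the XvListImageFormats and XvCreateImage patches (0004 and 0005), so the initialisers should be confirmed in all three functions. Making it explicit costs one line after the guarded `Xmalloc`, for example `else ret = NULL;`. A comment such as `/* ret stays NULL when the counts are rejected; the reply is then drained by the else branch */` would also document why an oversized reply ends up in the `_XEatDataWords` path.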
diff --git a/main/libxv/0003-buffer-overflow-in-XvQueryPortAttributes-CVE-2013-20.patch b/main/libxv/0003-buffer-overflow-in-XvQueryPortAttributes-CVE-2013-20.patch
new file mode 100644
index 0000000000..24e1c1b8b3
--- /dev/null
+++ b/main/libxv/0003-buffer-overflow-in-XvQueryPortAttributes-CVE-2013-20.patch
@@ -0,0 +1,47 @@
+From 15ab7dec17d686c38f2c82ac23a17cac5622322a Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 13 Apr 2013 00:16:14 -0700
+Subject: [PATCH 3/5] buffer overflow in XvQueryPortAttributes()
+ [CVE-2013-2066]
+
+Each attribute returned in the reply includes the number of bytes
+to read for its marker. We had been always trusting it, and never
+validating that it wouldn't cause us to write past the end of the
+buffer we allocated based on the reported text_size.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/Xv.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/src/Xv.c b/src/Xv.c
+index 3cbad35..f9813eb 100644
+--- a/src/Xv.c
++++ b/src/Xv.c
+@@ -864,14 +864,20 @@ XvQueryPortAttributes(Display *dpy, XvPortID port, int *num)
+ xvAttributeInfo Info;
+ int i;
+
++ /* keep track of remaining room for text strings */
++ size = rep.text_size;
++
+ for(i = 0; i < rep.num_attributes; i++) {
+ _XRead(dpy, (char*)(&Info), sz_xvAttributeInfo);
+ ret[i].flags = (int)Info.flags;
+ ret[i].min_value = Info.min;
+ ret[i].max_value = Info.max;
+ ret[i].name = marker;
+- _XRead(dpy, marker, Info.size);
+- marker += Info.size;
++ if (Info.size <= size) {
++ _XRead(dpy, marker, Info.size);
++ marker += Info.size;
++ size -= Info.size;
++ }
+ (*num)++;
+ }
+ } else
+--
+1.8.2.3
+
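Review bot: When `Info.size` is larger than the remaining `size`, the new guard skips the `_XRead` but leaves the name bytes unread on the connection, so the next iteration's `_XRead(dpy, (char*)(&Info), sz_xvAttributeInfo)` would interpret string data as an attribute header. The entry is still counted by `(*num)++`, with `ret[i].name = marker` pointing at bytes that were never written. Consider discarding the oversized name and marking the entry, for example `else { ret[i].name = NULL; _XEatData(dpy, Info.size); }`, or stopping the loop and draining the rest of the reply. Nothing visible here ensures the copied name is NUL-terminated either, so callers treating `name` as a C string depend on the server's data. The function body continues outside the hunk.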
diff --git a/main/libxv/0004-integer-overflow-in-XvListImageFormats-CVE-2013-1989.patch b/main/libxv/0004-integer-overflow-in-XvListImageFormats-CVE-2013-1989.patch
new file mode 100644
index 0000000000..b80f47a1d7
--- /dev/null
+++ b/main/libxv/0004-integer-overflow-in-XvListImageFormats-CVE-2013-1989.patch
@@ -0,0 +1,37 @@
+From 59301c1b5095f7dc6359d5b396dbbcdee7038270 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 13 Apr 2013 00:03:03 -0700
+Subject: [PATCH 4/5] integer overflow in XvListImageFormats() [CVE-2013-1989
+ 2/3]
+
+num_formats is a CARD32 and needs to be bounds checked before multiplying
+by sizeof(XvImageFormatValues) to come up with the total size to allocate,
+to avoid integer overflow leading to underallocation and writing data from
+the network past the end of the allocated buffer.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/Xv.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/Xv.c b/src/Xv.c
+index f9813eb..0a07d9d 100644
+--- a/src/Xv.c
++++ b/src/Xv.c
+@@ -918,9 +918,10 @@ XvImageFormatValues * XvListImageFormats (
+ }
+
+ if(rep.num_formats) {
+- int size = (rep.num_formats * sizeof(XvImageFormatValues));
++ if (rep.num_formats < (INT_MAX / sizeof(XvImageFormatValues)))
++ ret = Xmalloc(rep.num_formats * sizeof(XvImageFormatValues));
+
+- if((ret = Xmalloc(size))) {
++ if (ret != NULL) {
+ xvImageFormatInfo Info;
+ int i;
+
+--
+1.8.2.3
+
diff --git a/main/libxv/0005-integer-overflow-in-XvCreateImage-CVE-2013-1989-3-3.patch b/main/libxv/0005-integer-overflow-in-XvCreateImage-CVE-2013-1989-3-3.patch
new file mode 100644
index 0000000000..2be6900c33
--- /dev/null
+++ b/main/libxv/0005-integer-overflow-in-XvCreateImage-CVE-2013-1989-3-3.patch
@@ -0,0 +1,35 @@
+From 50fc4cb18069cb9450a02c13f80223ef23511409 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 13 Apr 2013 00:03:03 -0700
+Subject: [PATCH 5/5] integer overflow in XvCreateImage() [CVE-2013-1989 3/3]
+
+num_planes is a CARD32 and needs to be bounds checked before bit shifting
+and adding to sizeof(XvImage) to come up with the total size to allocate,
+to avoid integer overflow leading to underallocation and writing data from
+the network past the end of the allocated buffer.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/Xv.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/Xv.c b/src/Xv.c
+index 0a07d9d..f268f8e 100644
+--- a/src/Xv.c
++++ b/src/Xv.c
+@@ -992,7 +992,10 @@ XvImage * XvCreateImage (
+ return NULL;
+ }
+
+- if((ret = (XvImage*)Xmalloc(sizeof(XvImage) + (rep.num_planes << 3)))) {
++ if (rep.num_planes < ((INT_MAX >> 3) - sizeof(XvImage)))
++ ret = Xmalloc(sizeof(XvImage) + (rep.num_planes << 3));
++
++ if (ret != NULL) {
+ ret->id = id;
+ ret->width = rep.width;
+ ret->height = rep.height;
+--
+1.8.2.3
+
diff --git a/main/libxv/APKBUILD b/main/libxv/APKBUILD
index a75f8d7cb1..c7911a9287 100644
--- a/main/libxv/APKBUILD
+++ b/main/libxv/APKBUILD
@@ -1,6 +1,6 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libxv
-pkgver=1.0.6
+pkgver=1.0.7
pkgrel=1
pkgdesc="X11 Video extension library"
url="http://xorg.freedesktop.org/"
@@ -8,21 +8,43 @@ arch="all"
license="custom"
subpackages="$pkgname-dev $pkgname-doc"
depends=
-makedepends="pkgconfig libxext-dev libx11-dev videoproto"
-source="http://xorg.freedesktop.org/releases/individual/lib/libXv-$pkgver.tar.bz2"
-
depends_dev="xproto videoproto libx11-dev libxext-dev"
+makedepends="$depends_dev libtool autoconf automake util-macros"
+source="http://xorg.freedesktop.org/releases/individual/lib/libXv-$pkgver.tar.bz2
+ 0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch
+ 0002-integer-overflow-in-XvQueryPortAttributes-CVE-2013-1.patch
+ 0003-buffer-overflow-in-XvQueryPortAttributes-CVE-2013-20.patch
+ 0004-integer-overflow-in-XvListImageFormats-CVE-2013-1989.patch
+ 0005-integer-overflow-in-XvCreateImage-CVE-2013-1989-3-3.patch
+ "
+
+_builddir="$srcdir"/libXv-$pkgver
+prepare() {
+ cd "$_builddir"
+ for i in $source; do
+ case $i in
+ *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
+ esac
+ done
+ libtoolize --force && aclocal && autoheader && autoconf \
+ && automake --add-missing
+}
build() {
- cd "$srcdir"/libXv-$pkgver
+ cd "$_builddir"
./configure --prefix=/usr
make || return 1
}
package() {
- cd "$srcdir"/libXv-$pkgver
+ cd "$_builddir"
make DESTDIR="$pkgdir" install || return 1
rm "$pkgdir"/usr/lib/*.la || return 1
install -D -m644 COPYING "$pkgdir"/usr/share/licenses/$pkgname/COPYING
}
-md5sums="e292445a64b63e918bbc8b6aae6391dd libXv-1.0.6.tar.bz2"
+md5sums="5e1ac203ccd3ce3e89755ed1fbe75b0b libXv-1.0.7.tar.bz2
+cbd5367f2b5717cab78b819aaaacd7d9 0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch
+ff8da08c2883bdc98cbac78e448e81e6 0002-integer-overflow-in-XvQueryPortAttributes-CVE-2013-1.patch
+108ba64a9d7d5f3763cfbb00ffe53eb2 0003-buffer-overflow-in-XvQueryPortAttributes-CVE-2013-20.patch
+53dbcb31cb08325b3a5329f16ddab3dd 0004-integer-overflow-in-XvListImageFormats-CVE-2013-1989.patch
+0844dd0e117d36a70f603019af580f13 0005-integer-overflow-in-XvCreateImage-CVE-2013-1989-3-3.patch"
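Review bot: The `md5sums` list is the only integrity check visible for the `http://` tarball and the five security patches, and MD5 no longer provides collision resistance. If the abuild version on this branch supports a stronger checksum variable such as `sha256sums` or `sha512sums`, add it alongside the MD5 entries. Separately, `cd "$_builddir"` in `prepare()` is unchecked; `cd "$_builddir" || return 1` would match the error handling already used for `patch` and `make`.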