main/libxvmc: fix CVE-2013-1990,CVE-2013-1999

ref #1931

7 files changed, 413 insertions, 7 deletions

diff --git a/main/libxvmc/0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch b/main/libxvmc/0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch
new file mode 100644
index 0000000000..bba7803645
--- /dev/null
+++ b/main/libxvmc/0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch
@@ -0,0 +1,111 @@
+From cf1a1dc1b9ca34a29d0471da9389f8eae70ddbd9 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 13 Apr 2013 00:47:57 -0700
+Subject: [PATCH 1/6] Use _XEatDataWords to avoid overflow of rep.length
+ shifting
+
+rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ configure.ac |  6 ++++++
+ src/XvMC.c   | 24 ++++++++++++++++++------
+ 2 files changed, 24 insertions(+), 6 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index b44f80d..f9d59a1 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -42,6 +42,12 @@ XORG_CHECK_MALLOC_ZERO
+ # Obtain compiler/linker options for depedencies
+ PKG_CHECK_MODULES(XVMC, x11 xext xv xextproto videoproto)
+ 
++# Check for _XEatDataWords function that may be patched into older Xlib release
++SAVE_LIBS="$LIBS"
++LIBS="$XVMC_LIBS"
++AC_CHECK_FUNCS([_XEatDataWords])
++LIBS="$SAVE_LIBS"
++
+ # Checks for library functions.
+ AC_CHECK_FUNCS([shmat])
+ 
+diff --git a/src/XvMC.c b/src/XvMC.c
+index 5a4cf0d..b3e97ec 100644
+--- a/src/XvMC.c
++++ b/src/XvMC.c
+@@ -16,6 +16,18 @@
+ #include <sys/time.h>
+ #include <X11/extensions/Xext.h>
+ #include <X11/extensions/extutil.h>
++#include <limits.h>
++
++#ifndef HAVE__XEATDATAWORDS
++static inline void _XEatDataWords(Display *dpy, unsigned long n)
++{
++# ifndef LONG64
++    if (n >= (ULONG_MAX >> 2))
++        _XIOError(dpy);
++# endif
++    _XEatData (dpy, n << 2);
++}
++#endif
+ 
+ static XExtensionInfo _xvmc_info_data;
+ static XExtensionInfo *xvmc_info = &_xvmc_info_data;
+@@ -134,7 +146,7 @@ XvMCSurfaceInfo * XvMCListSurfaceTypes(Display *dpy, XvPortID port, int *num)
+ 	       surface_info[i].flags = sinfo.flags;
+ 	    }
+ 	} else
+-	   _XEatData(dpy, rep.length << 2);
++	   _XEatDataWords(dpy, rep.length);
+     }
+ 
+     UnlockDisplay (dpy);
+@@ -207,7 +219,7 @@ XvImageFormatValues * XvMCListSubpictureTypes (
+               ret[i].scanline_order = Info.scanline_order;
+             }
+         } else
+-	   _XEatData(dpy, rep.length << 2);
++	   _XEatDataWords(dpy, rep.length);
+     }
+ 
+     UnlockDisplay (dpy);
+@@ -278,7 +290,7 @@ Status _xvmc_create_context (
+             _XRead(dpy, (char*)(*priv_data), rep.length << 2);
+ 	    *priv_count = rep.length;
+ 	} else
+-	    _XEatData(dpy, rep.length << 2);
++	    _XEatDataWords(dpy, rep.length);
+     }
+ 
+     UnlockDisplay (dpy);
+@@ -359,7 +371,7 @@ Status _xvmc_create_surface (
+             _XRead(dpy, (char*)(*priv_data), rep.length << 2);
+             *priv_count = rep.length;
+         } else
+-            _XEatData(dpy, rep.length << 2);
++            _XEatDataWords(dpy, rep.length);
+     }
+ 
+     UnlockDisplay (dpy);
+@@ -449,7 +461,7 @@ Status _xvmc_create_subpicture (
+             _XRead(dpy, (char*)(*priv_data), rep.length << 2);
+             *priv_count = rep.length;
+         } else
+-            _XEatData(dpy, rep.length << 2);
++            _XEatDataWords(dpy, rep.length);
+     }
+ 
+     UnlockDisplay (dpy);
+@@ -579,7 +591,7 @@ Status XvMCGetDRInfo(Display *dpy, XvPortID port,
+ 
+ 	} else {
+ 
+-	    _XEatData(dpy, realSize);
++	    _XEatDataWords(dpy, rep.length);
+ 	    UnlockDisplay (dpy);
+ 	    SyncHandle ();
+ 	    return -1;
+-- 
+1.8.2.3
+
diff --git a/main/libxvmc/0002-integer-overflow-in-XvMCListSurfaceTypes-CVE-2013-19.patch b/main/libxvmc/0002-integer-overflow-in-XvMCListSurfaceTypes-CVE-2013-19.patch
new file mode 100644
index 0000000000..7cc7d0631e
--- /dev/null
+++ b/main/libxvmc/0002-integer-overflow-in-XvMCListSurfaceTypes-CVE-2013-19.patch
@@ -0,0 +1,35 @@
+From 2712383813b26475dc6713888414d842be57f8ca Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 13 Apr 2013 00:50:02 -0700
+Subject: [PATCH 2/6] integer overflow in XvMCListSurfaceTypes() [CVE-2013-1990
+ 1/2]
+
+rep.num is a CARD32 and needs to be bounds checked before multiplying
+by sizeof(XvMCSurfaceInfo) to come up with the total size to allocate,
+to avoid integer overflow leading to underallocation and writing data from
+the network past the end of the allocated buffer.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/XvMC.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/XvMC.c b/src/XvMC.c
+index b3e97ec..5d8c2cf 100644
+--- a/src/XvMC.c
++++ b/src/XvMC.c
+@@ -123,8 +123,8 @@ XvMCSurfaceInfo * XvMCListSurfaceTypes(Display *dpy, XvPortID port, int *num)
+     }
+ 
+     if(rep.num > 0) {
+-	surface_info =
+-	    (XvMCSurfaceInfo*)Xmalloc(rep.num * sizeof(XvMCSurfaceInfo));
++        if (rep.num < (INT_MAX / sizeof(XvMCSurfaceInfo)))
++            surface_info = Xmalloc(rep.num * sizeof(XvMCSurfaceInfo));
+ 
+         if(surface_info) {
+ 	    xvmcSurfaceInfo sinfo;
+-- 
+1.8.2.3
+
diff --git a/main/libxvmc/0003-integer-overflow-in-XvMCListSubpictureTypes-CVE-2013.patch b/main/libxvmc/0003-integer-overflow-in-XvMCListSubpictureTypes-CVE-2013.patch
new file mode 100644
index 0000000000..e6ffa44ecb
--- /dev/null
+++ b/main/libxvmc/0003-integer-overflow-in-XvMCListSubpictureTypes-CVE-2013.patch
@@ -0,0 +1,35 @@
+From 478d4e5873eeee2ebdce6673e4e3469816ab63b8 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 13 Apr 2013 00:50:02 -0700
+Subject: [PATCH 3/6] integer overflow in XvMCListSubpictureTypes()
+ [CVE-2013-1990 2/2]
+
+rep.num is a CARD32 and needs to be bounds checked before multiplying by
+sizeof(XvImageFormatValues) to come up with the total size to allocate,
+to avoid integer overflow leading to underallocation and writing data from
+the network past the end of the allocated buffer.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/XvMC.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/XvMC.c b/src/XvMC.c
+index 5d8c2cf..8d602ec 100644
+--- a/src/XvMC.c
++++ b/src/XvMC.c
+@@ -184,8 +184,8 @@ XvImageFormatValues * XvMCListSubpictureTypes (
+     }
+ 
+     if(rep.num > 0) {
+-        ret =
+-	   (XvImageFormatValues*)Xmalloc(rep.num * sizeof(XvImageFormatValues));
++        if (rep.num < (INT_MAX / sizeof(XvImageFormatValues)))
++            ret = Xmalloc(rep.num * sizeof(XvImageFormatValues));
+ 
+         if(ret) {
+             xvImageFormatInfo Info;
+-- 
+1.8.2.3
+
diff --git a/main/libxvmc/0004-integer-overflow-in-_xvmc_create_.patch b/main/libxvmc/0004-integer-overflow-in-_xvmc_create_.patch
new file mode 100644
index 0000000000..70298e45a4
--- /dev/null
+++ b/main/libxvmc/0004-integer-overflow-in-_xvmc_create_.patch
@@ -0,0 +1,54 @@
+From 5fd871e5f878810f8f8837725d548e07e89577ab Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 13 Apr 2013 00:50:02 -0700
+Subject: [PATCH 4/6] integer overflow in _xvmc_create_*()
+
+rep.length is a CARD32 and should be bounds checked before left-shifting
+by 2 bits to come up with the total size to allocate, though in these
+cases, no buffer overflow should occur here, since the XRead call is passed
+the same rep.length << 2 length argument, but the *priv_count returned to
+the caller could be interpreted or used to calculate a larger buffer size
+than was actually allocated, leading them to go out of bounds.
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/XvMC.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/src/XvMC.c b/src/XvMC.c
+index 8d602ec..d8bc59d 100644
+--- a/src/XvMC.c
++++ b/src/XvMC.c
+@@ -285,7 +285,8 @@ Status _xvmc_create_context (
+     context->flags = rep.flags_return;
+ 
+     if(rep.length) {
+-	*priv_data = Xmalloc(rep.length << 2);
++	if (rep.length < (INT_MAX >> 2))
++	    *priv_data = Xmalloc(rep.length << 2);
+ 	if(*priv_data) {
+             _XRead(dpy, (char*)(*priv_data), rep.length << 2);
+ 	    *priv_count = rep.length;
+@@ -366,7 +367,8 @@ Status _xvmc_create_surface (
+     }
+ 
+     if(rep.length) {
+-        *priv_data = Xmalloc(rep.length << 2);
++        if (rep.length < (INT_MAX >> 2))
++            *priv_data = Xmalloc(rep.length << 2);
+         if(*priv_data) {
+             _XRead(dpy, (char*)(*priv_data), rep.length << 2);
+             *priv_count = rep.length;
+@@ -456,7 +458,8 @@ Status _xvmc_create_subpicture (
+     subpicture->component_order[3] = rep.component_order[3];
+ 
+     if(rep.length) {
+-        *priv_data = Xmalloc(rep.length << 2);
++        if (rep.length < (INT_MAX >> 2))
++            *priv_data = Xmalloc(rep.length << 2);
+         if(*priv_data) {
+             _XRead(dpy, (char*)(*priv_data), rep.length << 2);
+             *priv_count = rep.length;
+-- 
+1.8.2.3
+
diff --git a/main/libxvmc/0005-Multiple-unvalidated-assumptions-in-XvMCGetDRInfo-CV.patch b/main/libxvmc/0005-Multiple-unvalidated-assumptions-in-XvMCGetDRInfo-CV.patch
new file mode 100644
index 0000000000..fcefc106ee
--- /dev/null
+++ b/main/libxvmc/0005-Multiple-unvalidated-assumptions-in-XvMCGetDRInfo-CV.patch
@@ -0,0 +1,94 @@
+From e9415ddef2ac81d4139bd32d5e9cda9394a60051 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 13 Apr 2013 01:20:08 -0700
+Subject: [PATCH 5/6] Multiple unvalidated assumptions in XvMCGetDRInfo()
+ [CVE-2013-1999]
+
+The individual string sizes is assumed to not be more than the amount of
+data read from the network, and could cause buffer overflow if they are.
+
+The strings returned from the X server are assumed to be null terminated,
+and could cause callers to read past the end of the buffer if they are not.
+
+Also be sure to set the returned pointers to NULL, so callers don't try
+accessing bad pointers on failure cases.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/XvMC.c | 36 +++++++++++++++++++-----------------
+ 1 file changed, 19 insertions(+), 17 deletions(-)
+
+diff --git a/src/XvMC.c b/src/XvMC.c
+index d8bc59d..cb42487 100644
+--- a/src/XvMC.c
++++ b/src/XvMC.c
+@@ -499,7 +499,6 @@ Status XvMCGetDRInfo(Display *dpy, XvPortID port,
+     XExtDisplayInfo *info = xvmc_find_display(dpy);
+     xvmcGetDRInfoReply rep;
+     xvmcGetDRInfoReq  *req;
+-    char *tmpBuf = NULL;
+     CARD32 magic;
+ 
+ #ifdef HAVE_SHMAT
+@@ -510,6 +509,9 @@ Status XvMCGetDRInfo(Display *dpy, XvPortID port,
+     here.tz_dsttime = 0;
+ #endif
+ 
++    *name = NULL;
++    *busID = NULL;
++
+     XvMCCheckExtension (dpy, info, BadImplementation);
+ 
+     LockDisplay (dpy);
+@@ -568,31 +570,31 @@ Status XvMCGetDRInfo(Display *dpy, XvPortID port,
+ #endif
+ 
+     if (rep.length > 0) {
+-
+-        int realSize = rep.length << 2;
+-
+-	tmpBuf = (char *) Xmalloc(realSize);
+-	if (tmpBuf) {
+-	    *name = (char *) Xmalloc(rep.nameLen);
+-	    if (*name) {
+-		*busID = (char *) Xmalloc(rep.busIDLen);
+-		if (! *busID) {
+-		    XFree(*name);
+-		    XFree(tmpBuf);
+-		}
+-	    } else {
+-		XFree(tmpBuf);
++	unsigned long realSize = 0;
++	char *tmpBuf = NULL;
++
++	if (rep.length < (INT_MAX >> 2)) {
++	    realSize = rep.length << 2;
++	    if (realSize >= (rep.nameLen + rep.busIDLen)) {
++		tmpBuf = Xmalloc(realSize);
++		*name = Xmalloc(rep.nameLen);
++		*busID = Xmalloc(rep.busIDLen);
+ 	    }
+ 	}
+ 
+ 	if (*name && *busID && tmpBuf) {
+-
+ 	    _XRead(dpy, tmpBuf, realSize);
+ 	    strncpy(*name,tmpBuf,rep.nameLen);
++	    name[rep.nameLen - 1] = '\0';
+ 	    strncpy(*busID,tmpBuf+rep.nameLen,rep.busIDLen);
++	    busID[rep.busIDLen - 1] = '\0';
+ 	    XFree(tmpBuf);
+-
+ 	} else {
++	    XFree(*name);
++	    *name = NULL;
++	    XFree(*busID);
++	    *name = NULL;
++	    XFree(tmpBuf);
+ 
+ 	    _XEatDataWords(dpy, rep.length);
+ 	    UnlockDisplay (dpy);
+-- 
+1.8.2.3
+
diff --git a/main/libxvmc/0006-Multiple-unvalidated-patches-in-CVE-2013-1999.patch b/main/libxvmc/0006-Multiple-unvalidated-patches-in-CVE-2013-1999.patch
new file mode 100644
index 0000000000..725c99339d
--- /dev/null
+++ b/main/libxvmc/0006-Multiple-unvalidated-patches-in-CVE-2013-1999.patch
@@ -0,0 +1,39 @@
+From 8c164524d229adb6141fdac8336b3823e7fe1a5d Mon Sep 17 00:00:00 2001
+From: Dave Airlie <airlied@redhat.com>
+Date: Fri, 24 May 2013 14:47:30 +1000
+Subject: [PATCH 6/6] Multiple unvalidated patches in CVE-2013-1999
+
+Al Viro pointed out that Debian started segfaulting in Xine for him,
+
+Reported-by: Al Viro
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+---
+ src/XvMC.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/XvMC.c b/src/XvMC.c
+index cb42487..74c8b85 100644
+--- a/src/XvMC.c
++++ b/src/XvMC.c
+@@ -585,15 +585,15 @@ Status XvMCGetDRInfo(Display *dpy, XvPortID port,
+ 	if (*name && *busID && tmpBuf) {
+ 	    _XRead(dpy, tmpBuf, realSize);
+ 	    strncpy(*name,tmpBuf,rep.nameLen);
+-	    name[rep.nameLen - 1] = '\0';
++	    (*name)[rep.nameLen - 1] = '\0';
+ 	    strncpy(*busID,tmpBuf+rep.nameLen,rep.busIDLen);
+-	    busID[rep.busIDLen - 1] = '\0';
++	    (*busID)[rep.busIDLen - 1] = '\0';
+ 	    XFree(tmpBuf);
+ 	} else {
+ 	    XFree(*name);
+ 	    *name = NULL;
+ 	    XFree(*busID);
+-	    *name = NULL;
++	    *busID = NULL;
+ 	    XFree(tmpBuf);
+ 
+ 	    _XEatDataWords(dpy, rep.length);
+-- 
+1.8.2.3
+
diff --git a/main/libxvmc/APKBUILD b/main/libxvmc/APKBUILD
index 22eb462ddf..61c9dc6b8e 100644
--- a/main/libxvmc/APKBUILD
+++ b/main/libxvmc/APKBUILD
@@ -1,27 +1,65 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=libxvmc
 pkgver=1.0.7
-pkgrel=0
+pkgrel=1
 pkgdesc="X11 Video Motion Compensation extension library"
 url="http://xorg.freedesktop.org/"
 arch="all"
 license="custom"
 subpackages="$pkgname-dev"
 depends=
-makedepends="pkgconfig libxv-dev libxext-dev libx11-dev"
-source="http://xorg.freedesktop.org/releases/individual/lib/libXvMC-$pkgver.tar.bz2"
-
 depends_dev="xproto videoproto libxv-dev libx11-dev libxext-dev"
+makedepends="$depends_dev libtool autoconf automake util-macros"
+source="http://xorg.freedesktop.org/releases/individual/lib/libXvMC-$pkgver.tar.bz2
+	0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch
+	0002-integer-overflow-in-XvMCListSurfaceTypes-CVE-2013-19.patch
+	0003-integer-overflow-in-XvMCListSubpictureTypes-CVE-2013.patch
+	0004-integer-overflow-in-_xvmc_create_.patch
+	0005-Multiple-unvalidated-assumptions-in-XvMCGetDRInfo-CV.patch
+	0006-Multiple-unvalidated-patches-in-CVE-2013-1999.patch
+	"
+
+_builddir="$srcdir"/libXvMC-$pkgver
+prepare() {
+	cd "$_builddir"
+	for i in $source; do
+		case $i in
+		*.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
+		esac
+	done
+	libtoolize --force && aclocal && autoheader && autoconf \
+		&& automake --add-missing
+}
 
 build() {
-	cd "$srcdir"/libXvMC-$pkgver
+	cd "$_builddir"
 	./configure --prefix=/usr --sysconfdir=/etc
 	make || return 1
 }
 
 package() {
-	cd "$srcdir"/libXvMC-$pkgver
+	cd "$_builddir"
 	make DESTDIR="$pkgdir" install || return 1
 	rm "$pkgdir"/usr/lib/*.la
 }
-md5sums="3340c99ff556ea2457b4be47f5cb96fa  libXvMC-1.0.7.tar.bz2"
+md5sums="3340c99ff556ea2457b4be47f5cb96fa  libXvMC-1.0.7.tar.bz2
+839450035994be7232f049c3256967fd  0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch
+c02e3cc2530cd053a2ce47b0627bfdff  0002-integer-overflow-in-XvMCListSurfaceTypes-CVE-2013-19.patch
+6a87be93e8e173fb132eb2607abea6eb  0003-integer-overflow-in-XvMCListSubpictureTypes-CVE-2013.patch
+4eb70517ff9e5d14ddd676de60a72fd4  0004-integer-overflow-in-_xvmc_create_.patch
+0aedb6b617afe07376c243e401b1f417  0005-Multiple-unvalidated-assumptions-in-XvMCGetDRInfo-CV.patch
+cbd25dbf846b42f2a5ba9a60f32005f3  0006-Multiple-unvalidated-patches-in-CVE-2013-1999.patch"
+sha256sums="28f085fc8518a3dadfe355360705d50153051f09898093e69af806c0b437cea3  libXvMC-1.0.7.tar.bz2
+87f764bdb3a36c370f8f5e16ca29b9ed8ee7f57dc1f5470d3c9c2a320ec3329d  0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch
+475e39742256f1e09f0b84a640ab1a43c88ed6a05498978fdebb5d727a7ecab3  0002-integer-overflow-in-XvMCListSurfaceTypes-CVE-2013-19.patch
+dc08b02502ca6620d7db4d60868bbf0bac7537a1e2ee3007b1107071b106f82e  0003-integer-overflow-in-XvMCListSubpictureTypes-CVE-2013.patch
+98eb319ef77103b823af9ea0a33396797f2f63e0160c90efa1159d811b6496b7  0004-integer-overflow-in-_xvmc_create_.patch
+f40ac752770cf248b182c4074dde59a46b8cbab1cf48252ac4dac4d35f7a5309  0005-Multiple-unvalidated-assumptions-in-XvMCGetDRInfo-CV.patch
+e7d2d21f5ed2109f3d62e6509bb85c020ba988d32667158bb1c4a7a16e561780  0006-Multiple-unvalidated-patches-in-CVE-2013-1999.patch"
+sha512sums="c52175990062a2fb1636b7db589565e61d2e056e56a0954a8b98c1ccf8d72bf3182cd6f482762bf5ee4137fc24553a4d1b9c1e588671499b3b69b390f31c81e9  libXvMC-1.0.7.tar.bz2
+abd782276434449c2691eb4255e5b51625272191b38d7b3454c2dd3b958b24db1ac4fa1c93dfec060b9eacb3921542ee007b6848c94f299b6491f9a02dec23e8  0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch
+5cec81d9649a70eedd87ffb961030612271830cf9d45686614d54698a331a09c49fbb1a1d0d60266e5b649dcbe8d6ab766422655fe623e0d4db8b393c7912721  0002-integer-overflow-in-XvMCListSurfaceTypes-CVE-2013-19.patch
+e9f9f7bbff45f34b53b11c50a130135a594e49c1e95e2e3b75a74c951cde374a6c74542ccb3a25ff17d0b1fdf97d6ea41d59e7c56fd9565aa38ecd0e1bf0ec8b  0003-integer-overflow-in-XvMCListSubpictureTypes-CVE-2013.patch
+eda4d1a3710f6237c827485fdc93b302aa49a7293f509719f8f17a5250f20505c995323089d713ba5f9142d9deb3c158d54ed31515c416dd00b1fbbb4c77ac6a  0004-integer-overflow-in-_xvmc_create_.patch
+688efc3d0185af471e6829444f49f39204eb41c46a51cb861c78135b88b44b9a237d6e48c1524f13cc07615ada3945bf30f3374c582d496ed502bb61773c8eb1  0005-Multiple-unvalidated-assumptions-in-XvMCGetDRInfo-CV.patch
+3c390b9c804c1a2d4b3a5c38ecdaa35770bc78e4e2dcd7ce10c2bcf80db41fb9ecbe135c1136635b35062fadcb122857047f59f53529282e5379969554fe18a6  0006-Multiple-unvalidated-patches-in-CVE-2013-1999.patch"