Diffstat (limited to 'main/libxv/0003-buffer-overflow-in-XvQueryPortAttributes-CVE-2013-20.patch')
-rw-r--r-- | main/libxv/0003-buffer-overflow-in-XvQueryPortAttributes-CVE-2013-20.patch | 47 |
1 files changed, 0 insertions, 47 deletions
diff --git a/main/libxv/0003-buffer-overflow-in-XvQueryPortAttributes-CVE-2013-20.patch b/main/libxv/0003-buffer-overflow-in-XvQueryPortAttributes-CVE-2013-20.patch
deleted file mode 100644
index 24e1c1b8b3..0000000000
--- a/main/libxv/0003-buffer-overflow-in-XvQueryPortAttributes-CVE-2013-20.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 15ab7dec17d686c38f2c82ac23a17cac5622322a Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sat, 13 Apr 2013 00:16:14 -0700
-Subject: [PATCH 3/5] buffer overflow in XvQueryPortAttributes()
- [CVE-2013-2066]
-
-Each attribute returned in the reply includes the number of bytes
-to read for its marker. We had been always trusting it, and never
-validating that it wouldn't cause us to write past the end of the
-buffer we allocated based on the reported text_size.
-
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
----
- src/Xv.c | 10 ++++++++--
- 1 file changed, 8 insertions(+), 2 deletions(-)
-
-diff --git a/src/Xv.c b/src/Xv.c
-index 3cbad35..f9813eb 100644
---- a/src/Xv.c
-+++ b/src/Xv.c
-@@ -864,14 +864,20 @@ XvQueryPortAttributes(Display *dpy, XvPortID port, int *num)
- xvAttributeInfo Info;
- int i;
-
-+ /* keep track of remaining room for text strings */
-+ size = rep.text_size;
-+
- for(i = 0; i < rep.num_attributes; i++) {
- _XRead(dpy, (char*)(&Info), sz_xvAttributeInfo);
- ret[i].flags = (int)Info.flags;
- ret[i].min_value = Info.min;
- ret[i].max_value = Info.max;
- ret[i].name = marker;
-- _XRead(dpy, marker, Info.size);
-- marker += Info.size;
-+ if (Info.size <= size) {
-+ _XRead(dpy, marker, Info.size);
-+ marker += Info.size;
-+ size -= Info.size;
-+ }
- (*num)++;
- }
- } else
---
-1.8.2.3
-
|