1 files changed, 37 insertions, 0 deletions

diff --git a/main/libxv/0004-integer-overflow-in-XvListImageFormats-CVE-2013-1989.patch b/main/libxv/0004-integer-overflow-in-XvListImageFormats-CVE-2013-1989.patch
new file mode 100644
index 0000000000..b80f47a1d7
--- /dev/null
+++ b/main/libxv/0004-integer-overflow-in-XvListImageFormats-CVE-2013-1989.patch
@@ -0,0 +1,37 @@
+From 59301c1b5095f7dc6359d5b396dbbcdee7038270 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 13 Apr 2013 00:03:03 -0700
+Subject: [PATCH 4/5] integer overflow in XvListImageFormats() [CVE-2013-1989
+ 2/3]
+
+num_formats is a CARD32 and needs to be bounds checked before multiplying
+by sizeof(XvImageFormatValues) to come up with the total size to allocate,
+to avoid integer overflow leading to underallocation and writing data from
+the network past the end of the allocated buffer.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/Xv.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/Xv.c b/src/Xv.c
+index f9813eb..0a07d9d 100644
+--- a/src/Xv.c
++++ b/src/Xv.c
+@@ -918,9 +918,10 @@ XvImageFormatValues * XvListImageFormats (
+   }
+ 
+   if(rep.num_formats) {
+-      int size = (rep.num_formats * sizeof(XvImageFormatValues));
++      if (rep.num_formats < (INT_MAX / sizeof(XvImageFormatValues)))
++	  ret = Xmalloc(rep.num_formats * sizeof(XvImageFormatValues));
+ 
+-      if((ret = Xmalloc(size))) {
++      if (ret != NULL) {
+ 	  xvImageFormatInfo Info;
+ 	  int i;
+ 
+-- 
+1.8.2.3
+