Diffstat (limited to 'main/libxv/0003-buffer-overflow-in-XvQueryPortAttributes-CVE-2013-20.patch')
-rw-r--r-- | main/libxv/0003-buffer-overflow-in-XvQueryPortAttributes-CVE-2013-20.patch | 47 |
1 files changed, 47 insertions, 0 deletions
diff --git a/main/libxv/0003-buffer-overflow-in-XvQueryPortAttributes-CVE-2013-20.patch b/main/libxv/0003-buffer-overflow-in-XvQueryPortAttributes-CVE-2013-20.patch
new file mode 100644
index 000000000..24e1c1b8b
--- /dev/null
+++ b/main/libxv/0003-buffer-overflow-in-XvQueryPortAttributes-CVE-2013-20.patch
@@ -0,0 +1,47 @@
+From 15ab7dec17d686c38f2c82ac23a17cac5622322a Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 13 Apr 2013 00:16:14 -0700
+Subject: [PATCH 3/5] buffer overflow in XvQueryPortAttributes()
+ [CVE-2013-2066]
+
+Each attribute returned in the reply includes the number of bytes
+to read for its marker. We had been always trusting it, and never
+validating that it wouldn't cause us to write past the end of the
+buffer we allocated based on the reported text_size.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/Xv.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/src/Xv.c b/src/Xv.c
+index 3cbad35..f9813eb 100644
+--- a/src/Xv.c
++++ b/src/Xv.c
+@@ -864,14 +864,20 @@ XvQueryPortAttributes(Display *dpy, XvPortID port, int *num)
+ xvAttributeInfo Info;
+ int i;
+
++ /* keep track of remaining room for text strings */
++ size = rep.text_size;
++
+ for(i = 0; i < rep.num_attributes; i++) {
+ _XRead(dpy, (char*)(&Info), sz_xvAttributeInfo);
+ ret[i].flags = (int)Info.flags;
+ ret[i].min_value = Info.min;
+ ret[i].max_value = Info.max;
+ ret[i].name = marker;
+- _XRead(dpy, marker, Info.size);
+- marker += Info.size;
++ if (Info.size <= size) {
++ _XRead(dpy, marker, Info.size);
++ marker += Info.size;
++ size -= Info.size;
++ }
+ (*num)++;
+ }
+ } else
+--
+1.8.2.3
+ |
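Review bot: When `Info.size` exceeds the remaining `size`, the new guard skips the `_XRead` but leaves that attribute's name bytes unread on the connection, so the next `_XRead(dpy, (char*)(&Info), sz_xvAttributeInfo)` at the top of the loop decodes name bytes as the following attribute record, and `ret[i].name` is left pointing at `marker` even though nothing was written there and no terminator is guaranteed. Unless the rest of the reply is drained after the loop, which this hunk does not show, the oversize case should still consume the wire bytes and give the caller a safe name, e.g. `} else { _XEatData(dpy, Info.size); ret[i].name = NULL; }` (documenting that a NULL name means the server sent an oversized string), or abandon the reply altogether by eating the remainder, freeing `ret` and setting `*num = 0`, since a server lying about `text_size` does not merit partial results. A comment on the guard such as `/* server claims more name bytes than text_size allows; skip, but keep the stream in sync */` would make the intent explicit. This is an Alpine packaging commit importing the upstream fix verbatim, so any change belongs upstream; `XvQueryPortAttributes`, including the `ret`/`marker` allocation sized from `rep.text_size`, begins and ends outside the hunk.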