From a04d1c8ff925273f3caf3a46393cf73ac2b96ab5 Mon Sep 17 00:00:00 2001
From: Natanael Copa <ncopa@alpinelinux.org>
Date: Fri, 24 May 2013 09:28:38 +0000
Subject: main/libxv: fix CVE-2013-1989,CVE-2013-2066

ref #1931
---
 ...taWords-to-avoid-overflow-of-rep.length-s.patch | 93 ++++++++++++++++++++++
 1 file changed, 93 insertions(+)
 create mode 100644 main/libxv/0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch

(limited to 'main/libxv/0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch')

diff --git a/main/libxv/0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch b/main/libxv/0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch
new file mode 100644
index 000000000..0e33952a6
--- /dev/null
+++ b/main/libxv/0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch
@@ -0,0 +1,93 @@
+From 79362c764a6df7e7fbe5247756bdbf60f3a58baf Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 13 Apr 2013 00:28:34 -0700
+Subject: [PATCH 1/5] Use _XEatDataWords to avoid overflow of rep.length
+ shifting
+
+rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ configure.ac |  6 ++++++
+ src/Xv.c     | 22 +++++++++++++++++++---
+ 2 files changed, 25 insertions(+), 3 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 5494b5d..6a335db 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -43,6 +43,12 @@ XORG_CHECK_MALLOC_ZERO
+ # Obtain compiler/linker options for depedencies
+ PKG_CHECK_MODULES(XV, x11 xext xextproto videoproto)
+ 
++# Check for _XEatDataWords function that may be patched into older Xlib release
++SAVE_LIBS="$LIBS"
++LIBS="$XV_LIBS"
++AC_CHECK_FUNCS([_XEatDataWords])
++LIBS="$SAVE_LIBS"
++
+ # Allow checking code with lint, sparse, etc.
+ XORG_WITH_LINT
+ XORG_LINT_LIBRARY([Xv])
+diff --git a/src/Xv.c b/src/Xv.c
+index b081e8a..5be1d95 100644
+--- a/src/Xv.c
++++ b/src/Xv.c
+@@ -49,11 +49,27 @@ SOFTWARE.
+ **
+ */
+ 
++#ifdef HAVE_CONFIG_H
++# include "config.h"
++#endif
++
+ #include <stdio.h>
+ #include "Xvlibint.h"
+ #include <X11/extensions/Xext.h>
+ #include <X11/extensions/extutil.h>
+ #include <X11/extensions/XShm.h>
++#include <limits.h>
++
++#ifndef HAVE__XEATDATAWORDS
++static inline void _XEatDataWords(Display *dpy, unsigned long n)
++{
++# ifndef LONG64
++    if (n >= (ULONG_MAX >> 2))
++        _XIOError(dpy);
++# endif
++    _XEatData (dpy, n << 2);
++}
++#endif
+ 
+ static XExtensionInfo _xv_info_data;
+ static XExtensionInfo *xv_info = &_xv_info_data;
+@@ -853,7 +869,7 @@ XvQueryPortAttributes(Display *dpy, XvPortID port, int *num)
+ 	      (*num)++;
+ 	  }
+       } else
+-	_XEatData(dpy, rep.length << 2);
++	  _XEatDataWords(dpy, rep.length);
+   }
+ 
+   UnlockDisplay(dpy);
+@@ -923,7 +939,7 @@ XvImageFormatValues * XvListImageFormats (
+ 	      (*num)++;
+ 	  }
+       } else
+-	_XEatData(dpy, rep.length << 2);
++	  _XEatDataWords(dpy, rep.length);
+   }
+ 
+   UnlockDisplay(dpy);
+@@ -976,7 +992,7 @@ XvImage * XvCreateImage (
+   	_XRead(dpy, (char*)(ret->pitches), rep.num_planes << 2);
+ 	_XRead(dpy, (char*)(ret->offsets), rep.num_planes << 2);
+    } else
+-	_XEatData(dpy, rep.length << 2);
++       _XEatDataWords(dpy, rep.length);
+ 
+    UnlockDisplay(dpy);
+    SyncHandle();
+-- 
+1.8.2.3
+
-- 
cgit v1.2.3