Processed: Re: Bug#852961: jessie-pu: package libxv/2:1.0.10-1+deb8u1

2017-11-16 Thread Debian Bug Tracking System 
Processing control commands:

> tags -1 + pending
Bug #852961 [release.debian.org] jessie-pu: package libxv/2:1.0.10-1+deb8u1
Added tag(s) pending.

-- 
852961: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=852961
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#852961: jessie-pu: package libxv/2:1.0.10-1+deb8u1

2017-11-16 Thread Adam D. Barratt 
Control: tags -1 + pending

On Sat, 2017-01-28 at 15:22 +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Sat, 2017-01-28 at 16:05 +0100, Julien Cristau wrote:
> > We're getting used to this by now aren't we.
> 
> Heh.
> 
> > +libxv (2:1.0.10-1+deb8u1) jessie; urgency=high
> > +
> > +  * Protocol handling issues in libXv (CVE-2016-5407)
> 
> Please go ahead.
> 

Uploaded and flagged for acceptance.

Regards,

Adam

Bug#852961: jessie-pu: package libxv/2:1.0.10-1+deb8u1

2017-01-28 Thread Adam D. Barratt 
Control: tags -1 + confirmed

On Sat, 2017-01-28 at 16:05 +0100, Julien Cristau wrote:
> We're getting used to this by now aren't we.

Heh.

> +libxv (2:1.0.10-1+deb8u1) jessie; urgency=high
> +
> +  * Protocol handling issues in libXv (CVE-2016-5407)

Please go ahead.

Regards,

Adam

Processed: Re: Bug#852961: jessie-pu: package libxv/2:1.0.10-1+deb8u1

2017-01-28 Thread Debian Bug Tracking System 
Processing control commands:

> tags -1 + confirmed
Bug #852961 [release.debian.org] jessie-pu: package libxv/2:1.0.10-1+deb8u1
Added tag(s) confirmed.

-- 
852961: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=852961
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#852961: jessie-pu: package libxv/2:1.0.10-1+deb8u1

2017-01-28 Thread Julien Cristau 
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

We're getting used to this by now aren't we.

Cheers,
Julien

diff -u libxv-1.0.10/debian/changelog libxv-1.0.10/debian/changelog
--- libxv-1.0.10/debian/changelog
+++ libxv-1.0.10/debian/changelog
@@ -1,3 +1,9 @@
+libxv (2:1.0.10-1+deb8u1) jessie; urgency=high
+
+  * Protocol handling issues in libXv (CVE-2016-5407)
+
+ -- Julien Cristau   Sat, 07 Jan 2017 16:38:45 +0100
+
 libxv (2:1.0.10-1) unstable; urgency=medium
 
   * New upstream release.
only in patch2:
unchanged:
--- libxv-1.0.10.orig/src/Xv.c
+++ libxv-1.0.10/src/Xv.c
@@ -158,6 +158,7 @@
 size_t size;
 unsigned int ii, jj;
 char *name;
+char *end;
 XvAdaptorInfo *pas = NULL, *pa;
 XvFormat *pfs, *pf;
 char *buffer = NULL;
@@ -197,17 +198,13 @@
 /* GET INPUT ADAPTORS */
 
 if (rep.num_adaptors == 0) {
-/* If there's no adaptors, there's nothing more to do. */
+/* If there are no adaptors, there's nothing more to do. */
 status = Success;
 goto out;
 }
 
-if (size < (rep.num_adaptors * sz_xvAdaptorInfo)) {
-/* If there's not enough data for the number of adaptors,
-   then we have a problem. */
-status = XvBadReply;
-goto out;
-}
+u.buffer = buffer;
+end = buffer + size;
 
 size = rep.num_adaptors * sizeof(XvAdaptorInfo);
 if ((pas = Xmalloc(size)) == NULL) {
@@ -225,9 +222,12 @@
 pa++;
 }
 
-u.buffer = buffer;
 pa = pas;
 for (ii = 0; ii < rep.num_adaptors; ii++) {
+if (u.buffer + sz_xvAdaptorInfo > end) {
+status = XvBadReply;
+goto out;
+}
 pa->type = u.pa->type;
 pa->base_id = u.pa->base_id;
 pa->num_ports = u.pa->num_ports;
@@ -239,6 +239,10 @@
 size = u.pa->name_size;
 u.buffer += pad_to_int32(sz_xvAdaptorInfo);
 
+if (u.buffer + size > end) {
+status = XvBadReply;
+goto out;
+}
 if ((name = Xmalloc(size + 1)) == NULL) {
 status = XvBadAlloc;
 goto out;
@@ -259,6 +263,11 @@
 
 pf = pfs;
 for (jj = 0; jj < pa->num_formats; jj++) {
+if (u.buffer + sz_xvFormat > end) {
+Xfree(pfs);
+status = XvBadReply;
+goto out;
+}
 pf->depth = u.pf->depth;
 pf->visual_id = u.pf->visual;
 pf++;
@@ -327,6 +336,7 @@
 size_t size;
 unsigned int jj;
 char *name;
+char *end;
 XvEncodingInfo *pes = NULL, *pe;
 char *buffer = NULL;
 union {
@@ -364,17 +374,13 @@
 /* GET ENCODINGS */
 
 if (rep.num_encodings == 0) {
-/* If there's no encodings, there's nothing more to do. */
+/* If there are no encodings, there's nothing more to do. */
 status = Success;
 goto out;
 }
 
-if (size < (rep.num_encodings * sz_xvEncodingInfo)) {
-/* If there's not enough data for the number of adaptors,
-   then we have a problem. */
-status = XvBadReply;
-goto out;
-}
+u.buffer = buffer;
+end = buffer + size;
 
 size = rep.num_encodings * sizeof(XvEncodingInfo);
 if ((pes = Xmalloc(size)) == NULL) {
@@ -391,10 +397,12 @@
 pe++;
 }
 
-u.buffer = buffer;
-
 pe = pes;
 for (jj = 0; jj < rep.num_encodings; jj++) {
+if (u.buffer + sz_xvEncodingInfo > end) {
+status = XvBadReply;
+goto out;
+}
 pe->encoding_id = u.pe->encoding;
 pe->width = u.pe->width;
 pe->height = u.pe->height;
@@ -405,6 +413,10 @@
 size = u.pe->name_size;
 u.buffer += pad_to_int32(sz_xvEncodingInfo);
 
+if (u.buffer + size > end) {
+status = XvBadReply;
+goto out;
+}
 if ((name = Xmalloc(size + 1)) == NULL) {
 status = XvBadAlloc;
 goto out;


signature.asc
Description: PGP signature