Fix CVE-2016-7953: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7953 Patch copied from upstream source repository: https://cgit.freedesktop.org/xorg/lib/libXvMC/commit/?id=2cd95e7da8367cccdcdd5c9b160012d1dec5cbdb From 2cd95e7da8367cccdcdd5c9b160012d1dec5cbdb Mon Sep 17 00:00:00 2001 From: Tobias Stoeckmann Date: Sun, 25 Sep 2016 22:34:27 +0200 Subject: [PATCH] Avoid buffer underflow on empty strings. If an empty string is received from an x-server, do not underrun the buffer by accessing "rep.nameLen - 1" unconditionally, which could end up being -1. Signed-off-by: Tobias Stoeckmann Reviewed-by: Matthieu Herrb --- src/XvMC.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/XvMC.c b/src/XvMC.c index 7336760..3ee4212 100644 --- a/src/XvMC.c +++ b/src/XvMC.c @@ -576,9 +576,9 @@ Status XvMCGetDRInfo(Display *dpy, XvPortID port, if (*name && *busID && tmpBuf) { _XRead(dpy, tmpBuf, realSize); strncpy(*name,tmpBuf,rep.nameLen); - (*name)[rep.nameLen - 1] = '\0'; + (*name)[rep.nameLen == 0 ? 0 : rep.nameLen - 1] = '\0'; strncpy(*busID,tmpBuf+rep.nameLen,rep.busIDLen); - (*busID)[rep.busIDLen - 1] = '\0'; + (*busID)[rep.busIDLen == 0 ? 0 : rep.busIDLen - 1] = '\0'; XFree(tmpBuf); } else { XFree(*name); -- 2.10.1