43 lines
1.4 KiB
Diff
43 lines
1.4 KiB
Diff
Fix CVE-2016-7953:
|
|
|
|
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7953
|
|
|
|
Patch copied from upstream source repository:
|
|
|
|
https://cgit.freedesktop.org/xorg/lib/libXvMC/commit/?id=2cd95e7da8367cccdcdd5c9b160012d1dec5cbdb
|
|
|
|
From 2cd95e7da8367cccdcdd5c9b160012d1dec5cbdb Mon Sep 17 00:00:00 2001
|
|
From: Tobias Stoeckmann <tobias@stoeckmann.org>
|
|
Date: Sun, 25 Sep 2016 22:34:27 +0200
|
|
Subject: [PATCH] Avoid buffer underflow on empty strings.
|
|
|
|
If an empty string is received from an x-server, do not underrun the
|
|
buffer by accessing "rep.nameLen - 1" unconditionally, which could end
|
|
up being -1.
|
|
|
|
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
|
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
|
|
---
|
|
src/XvMC.c | 4 ++--
|
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/src/XvMC.c b/src/XvMC.c
|
|
index 7336760..3ee4212 100644
|
|
--- a/src/XvMC.c
|
|
+++ b/src/XvMC.c
|
|
@@ -576,9 +576,9 @@ Status XvMCGetDRInfo(Display *dpy, XvPortID port,
|
|
if (*name && *busID && tmpBuf) {
|
|
_XRead(dpy, tmpBuf, realSize);
|
|
strncpy(*name,tmpBuf,rep.nameLen);
|
|
- (*name)[rep.nameLen - 1] = '\0';
|
|
+ (*name)[rep.nameLen == 0 ? 0 : rep.nameLen - 1] = '\0';
|
|
strncpy(*busID,tmpBuf+rep.nameLen,rep.busIDLen);
|
|
- (*busID)[rep.busIDLen - 1] = '\0';
|
|
+ (*busID)[rep.busIDLen == 0 ? 0 : rep.busIDLen - 1] = '\0';
|
|
XFree(tmpBuf);
|
|
} else {
|
|
XFree(*name);
|
|
--
|
|
2.10.1
|
|
|