It was found that when receiving a response from the server protocol data is not validated sufficiently. If an empty string is received from an x-server, the buffer might underrun by accessing "rep.nameLen - 1" unconditionally, which could end up being -1. Upstream patch: https://cgit.freedesktop.org/xorg/lib/libXvMC/commit/?id=2cd95e7da8367cccdcdd5c9b160012d1dec5cbdb External References: https://lists.x.org/archives/xorg-announce/2016-October/002720.html CVE assignment: http://seclists.org/oss-sec/2016/q4/17
Created libXvMC tracking bugs for this issue: Affects: fedora-all [bug 1381934]