diff -u vlc-1.0.6/debian/changelog vlc-1.0.6/debian/changelog
--- vlc-1.0.6/debian/changelog
+++ vlc-1.0.6/debian/changelog
@@ -1,3 +1,14 @@
+vlc (1.0.6-1ubuntu1.4) lucid-security; urgency=low
+
+ * SECURITY UPDATE: heap overflow in CDG decoder (LP: #707154)
+ - debian/patches/cdg-heap-overflow.diff: Fix heap overflow in CDG
+ decoder, thanks to Dan Rosenberg
+ * SECURITY UPDATE: heap corruption in some XML based subtitles decoder
+ - debian/patches/xml-heap-corruption.diff: Handle early termination
+ properly in StripTags, thanks to Harry Sintonen
+
+ -- Benjamin Drung Mon, 24 Jan 2011 22:59:31 +0100
+
 vlc (1.0.6-1ubuntu1.3) lucid-security; urgency=low
 * SECURITY UPDATE: Buffer overflow in Real demuxer (LP: #690173)
diff -u vlc-1.0.6/debian/patches/series vlc-1.0.6/debian/patches/series
--- vlc-1.0.6/debian/patches/series
+++ vlc-1.0.6/debian/patches/series
@@ -19,0 +20,2 @@
+cdg-heap-overflow.diff
+xml-heap-corruption.diff
only in patch2:
unchanged:
--- vlc-1.0.6.orig/debian/patches/cdg-heap-overflow.diff
+++ vlc-1.0.6/debian/patches/cdg-heap-overflow.diff
@@ -0,0 +1,42 @@
+Author: Dan Rosenberg
+Subject: Fix heap overflows in CDG decoder
+ This patch resolves two heap corruption vulnerabilities in the CDG
+ decoder for VLC media player. In both cases, a failure to properly
+ validate indexes into statically-sized arrays on the heap could allow a
+ maliciously crafted CDG video to corrupt the heap in a controlled
+ manner, potentially leading to code execution.
+ .
+ The patch is against v1.1.5 from vlc git, but this decoder hasn't been
+ touched in awhile, so I'd expect it to cleanly apply to older versions.
+ I've tested it and confirmed it resolves the heap corruption issues and
+ does not break functionality.
+Origin: upstream, http://git.videolan.org/gitweb.cgi?p=vlc/vlc-1.1.git;a=commit;h=d11fca8bf9dc058bcdf67d81c04f84f8905ad8b4
+
+--- a/modules/codec/cdg.c
++++ b/modules/codec/cdg.c
+@@ -255,7 +255,13 @@
+ for( x = 0; x < 6; x++ )
+ {
+ const int idx = ( p_data[4+y] >> (5-x) ) & 0x01;
+- uint8_t *p = &p_cdg->p_screen[(sy+y)*CDG_SCREEN_PITCH+(sx+x)];
++
++ int index = (sy+y)*CDG_SCREEN_PITCH+(sx+x);
++ if( index >= CDG_SCREEN_PITCH*CDG_SCREEN_HEIGHT )
++ return 0;
++
++ uint8_t *p = &p_cdg->p_screen[index];
++
+ if( doXor )
+ *p ^= p_color[idx];
+ else
+@@ -320,8 +326,8 @@
+
+ if( b_copy )
+ {
+- dy = ( dy + CDG_SCREEN_HEIGHT ) % CDG_SCREEN_HEIGHT;
+- dy = ( dy + CDG_SCREEN_WIDTH ) % CDG_SCREEN_WIDTH;
++ dy %= CDG_SCREEN_HEIGHT;
++ dx %= CDG_SCREEN_WIDTH;
+ }
+ else
+ {
only in patch2:
unchanged:
--- vlc-1.0.6.orig/debian/patches/xml-heap-corruption.diff
+++ vlc-1.0.6/debian/patches/xml-heap-corruption.diff
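Review bot: The second inner hunk replaces `( dy + CDG_SCREEN_HEIGHT ) % CDG_SCREEN_HEIGHT` with `dy %= CDG_SCREEN_HEIGHT;`, and in C99 `%` on a signed int keeps the sign of the dividend, so a negative dy or dx (their derivation from p_data lies above the hunk) is no longer folded into [0, HEIGHT) / [0, WIDTH) the way the old form was for values down to -HEIGHT; whether that is harmful depends on how the loop below the hunk uses the two values, but if it indexes p_screen or the screen copy with them directly it reintroduces a negative offset. The old lines at least showed the wrap-around intent, so the safer replacement is `dy = ( dy % CDG_SCREEN_HEIGHT + CDG_SCREEN_HEIGHT ) % CDG_SCREEN_HEIGHT;` and the same for dx with WIDTH, which still fixes the dy/dx typo the commit corrects. In the first inner hunk `if( index >= CDG_SCREEN_PITCH*CDG_SCREEN_HEIGHT )` compares a signed int with no lower bound, so it only protects the buffer if sx and sy can never be negative; `if( index < 0 || index >= CDG_SCREEN_PITCH*CDG_SCREEN_HEIGHT )` costs nothing and does not depend on that. Both enclosing functions start and end outside the hunk.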
@@ -0,0 +1,28 @@
+Author: Harry Sintonen
+Subject: Handle early termination properly in StripTags
+Origin: upstream, http://git.videolan.org/gitweb.cgi?p=vlc/vlc-1.1.git;a=commit;h=dc14617f39c03bbe80c3cc4f92799dca840966eb
+
+--- a/modules/codec/subtitles/subsdec.c
++++ b/modules/codec/subtitles/subsdec.c
+@@ -618,6 +618,9 @@
+ *psz_text++ = *psz_subtitle;
+ }
+
++ /* Security fix: Account for the case where input ends early */
++ if( *psz_subtitle == '\0' ) break;
+
+ psz_subtitle++;
+ }
+ *psz_text = '\0';
+--- a/modules/codec/subtitles/subsusf.c
++++ b/modules/codec/subtitles/subsusf.c
+@@ -1084,6 +1084,9 @@
+ *psz_text++ = *psz_subtitle;
+ }
+
++ /* Security fix: Account for the case where input ends early */
++ if( *psz_subtitle == '\0' ) break;
+
+ psz_subtitle++;
+ }
+ *psz_text = '\0';
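Review bot: The added `if( *psz_subtitle == '\0' ) break;` only guards the trailing `psz_subtitle++`, so it is a complete fix only if every tag- or entity-skipping branch above the hunk stops on the terminator rather than past it (a `strcspn`-style skip does, a `while( *p != '>' ) p++` does not); those branches are outside the hunk and are worth confirming in both files. The comment `/* Security fix: ... */` records the commit rather than the invariant; `/* A skip above may have landed on the terminator: never advance past it */` tells the next reader why the break sits after the branch chain. What looks like the same StripTags loop is now patched identically in subsdec.c and subsusf.c, so a shared helper would keep the next fix from needing two hunks. The loop header and the enclosing function are outside the hunk in both files.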