diff -u vlc-1.0.6/debian/changelog vlc-1.0.6/debian/changelog
--- vlc-1.0.6/debian/changelog
+++ vlc-1.0.6/debian/changelog
@@ -1,3 +1,13 @@
+vlc (1.0.6-1ubuntu1.7) lucid-security; urgency=low
+
+  * SECURITY UPDATE: Integer overflow in XSPF playlist parser (LP: #795410)
+    - debian/patches/fix-xspf-integer-overflow.patch: Fix realloc() integer
+      overflow, thanks to Rémi Denis-Courmont
+    - CVE-2011-2194
+    - VideoLAN-SA-1104
+
+ -- Benjamin Drung <bdrung@ubuntu.com>  Sat, 11 Jun 2011 21:29:56 +0200
+
 vlc (1.0.6-1ubuntu1.6) lucid-security; urgency=low
 
   * SECURITY UPDATE: arbitrary code execution via crafted width
diff -u vlc-1.0.6/debian/patches/series vlc-1.0.6/debian/patches/series
--- vlc-1.0.6/debian/patches/series
+++ vlc-1.0.6/debian/patches/series
@@ -24,0 +25 @@
+fix-xspf-integer-overflow.patch
only in patch2:
unchanged:
--- vlc-1.0.6.orig/debian/patches/fix-xspf-integer-overflow.patch
+++ vlc-1.0.6/debian/patches/fix-xspf-integer-overflow.patch
@@ -0,0 +1,16 @@
+From: Rémi Denis-Courmont <remi@remlab.net>
+Subject: XSPF: fix realloc() integer overflow
+Origin: upstream, http://git.videolan.org/?p=vlc/vlc-1.1.git;a=commit;h=74d34b63fdda947c4e92f19e43cac0c51aabc4d7
+
+--- a/modules/demux/playlist/xspf.c
++++ b/modules/demux/playlist/xspf.c
+@@ -517,7 +517,8 @@
+                     }
+                     free( psz_uri );
+ 
+-                    if( p_demux->p_sys->i_track_id < 0 )
++                    if( p_demux->p_sys->i_track_id < 0
++                     || p_demux->p_sys->i_track_id >= (SIZE_MAX / sizeof(p_new_input)) )
+                     {
+                         input_item_AddSubItem( p_input_item, p_new_input );
+                         vlc_gc_decref( p_new_input );