diff -Nru spice-0.14.0/debian/changelog spice-0.14.0/debian/changelog
--- spice-0.14.0/debian/changelog 2019-01-24 14:00:10.000000000 +0000
+++ spice-0.14.0/debian/changelog 2020-10-01 11:12:53.000000000 +0000
@@ -1,3 +1,18 @@
+spice (0.14.0-1ubuntu2.5) bionic-security; urgency=medium
+
+ * SECURITY UPDATE: multiple buffer overflows in QUIC image decoding
+ - debian/patches/CVE-2020-14355-1.patch: check we have some data to
+ start decoding quic image in spice-common/common/quic.c.
+ - debian/patches/CVE-2020-14355-2.patch: check image size in
+ quic_decode_begin in spice-common/common/quic.c.
+ - debian/patches/CVE-2020-14355-3.patch: check RLE lengths in
+ spice-common/common/quic_tmpl.c.
+ - debian/patches/CVE-2020-14355-4.patch: avoid possible buffer overflow
+ in find_bucket in spice-common/common/quic_family_tmpl.c.
+ - CVE-2020-14355
+
+ -- Marc Deslauriers Thu, 01 Oct 2020 07:12:53 -0400
+
 spice (0.14.0-1ubuntu2.4) bionic-security; urgency=medium
 
 * SECURITY UPDATE: off-by-one error in memslot_get_virt
diff -Nru spice-0.14.0/debian/patches/CVE-2020-14355-1.patch spice-0.14.0/debian/patches/CVE-2020-14355-1.patch
--- spice-0.14.0/debian/patches/CVE-2020-14355-1.patch 1970-01-01 00:00:00.000000000 +0000
+++ spice-0.14.0/debian/patches/CVE-2020-14355-1.patch 2020-10-01 11:04:45.000000000 +0000
@@ -0,0 +1,29 @@
+From 762e0abae36033ccde658fd52d3235887b60862d Mon Sep 17 00:00:00 2001
+From: Frediano Ziglio
+Date: Wed, 29 Apr 2020 15:09:13 +0100
+Subject: [PATCH spice-common 1/4] quic: Check we have some data to start
+ decoding quic image
+
+All paths already pass some data to quic_decode_begin but for the
+test check it, it's not that expensive test.
+Checking for not 0 is enough, all other words will potentially be
+read calling more_io_words but we need one to avoid a potential
+initial buffer overflow or deferencing an invalid pointer.
+
+Signed-off-by: Frediano Ziglio
+Acked-by: Uri Lublin
+---
+ common/quic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/spice-common/common/quic.c
++++ b/spice-common/common/quic.c
+@@ -1350,7 +1350,7 @@ int quic_decode_begin(QuicContext *quic,
+ int channels;
+ int bpc;
+
+- if (!encoder_reset(encoder, io_ptr, io_ptr_end)) {
++ if (!num_io_words || !encoder_reset(encoder, io_ptr, io_ptr_end)) {
+ return QUIC_ERROR;
+ }
+
diff -Nru spice-0.14.0/debian/patches/CVE-2020-14355-2.patch spice-0.14.0/debian/patches/CVE-2020-14355-2.patch
--- spice-0.14.0/debian/patches/CVE-2020-14355-2.patch 1970-01-01 00:00:00.000000000 +0000
+++ spice-0.14.0/debian/patches/CVE-2020-14355-2.patch 2020-10-01 11:05:03.000000000 +0000
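Review bot: The new `!num_io_words` guard in quic_decode_begin rejects only an empty buffer, and nothing at the call site records why a single word is enough; that rationale lives only in the commit message (later words are fetched through more_io_words). A comment on the changed line, `/* need at least one word for encoder_reset to read; further words arrive via more_io_words */`, keeps the contract visible where the check is. The type of num_io_words is not visible here; if it is signed, a negative count would also pass this test, so confirm against the prototype that it is unsigned. quic_decode_begin's signature and the rest of its body lie outside the hunk.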
@@ -0,0 +1,43 @@
+From 404d74782c8b5e57d146c5bf3118bb41bf3378e4 Mon Sep 17 00:00:00 2001
+From: Frediano Ziglio
+Date: Wed, 29 Apr 2020 15:10:24 +0100
+Subject: [PATCH spice-common 2/4] quic: Check image size in quic_decode_begin
+
+Avoid some overflow in code due to images too big or
+negative numbers.
+
+Signed-off-by: Frediano Ziglio
+Acked-by: Uri Lublin
+---
+ common/quic.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/spice-common/common/quic.c
++++ b/spice-common/common/quic.c
+@@ -68,6 +68,9 @@ typedef uint8_t BYTE;
+ #define MINwminext 1
+ #define MAXwminext 100000000
+
++/* Maximum image size in pixels, mainly to avoid possible integer overflows */
++#define SPICE_MAX_IMAGE_SIZE (512 * 1024 * 1024 - 1)
++
+ typedef struct QuicFamily {
+ unsigned int nGRcodewords[MAXNUMCODES]; /* indexed by code number, contains number of
+ unmodified GR codewords in the code */
+@@ -1379,6 +1382,16 @@ int quic_decode_begin(QuicContext *quic,
+ height = encoder->io_word;
+ decode_eat32bits(encoder);
+
++ if (width <= 0 || height <= 0) {
++ encoder->usr->warn(encoder->usr, "invalid size\n");
++ return QUIC_ERROR;
++ }
++
++ /* avoid too big images */
++ if ((uint64_t) width * height > SPICE_MAX_IMAGE_SIZE) {
++ encoder->usr->error(encoder->usr, "image too large\n");
++ }
++
+ quic_image_params(encoder, type, &channels, &bpc);
+
+ if (!encoder_reset_channels(encoder, channels, width, bpc)) {
diff -Nru spice-0.14.0/debian/patches/CVE-2020-14355-3.patch spice-0.14.0/debian/patches/CVE-2020-14355-3.patch
--- spice-0.14.0/debian/patches/CVE-2020-14355-3.patch 1970-01-01 00:00:00.000000000 +0000
+++ spice-0.14.0/debian/patches/CVE-2020-14355-3.patch 2020-10-01 11:10:57.000000000 +0000
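Review bot: The `image too large` branch in the second hunk calls encoder->usr->error and then falls through to quic_image_params and encoder_reset_channels, whereas the `invalid size` branch directly above it returns QUIC_ERROR; the guard therefore only holds if the usr->error callback is guaranteed never to return, which nothing in this hunk shows. Adding `return QUIC_ERROR;` after the error call makes the size cap independent of that callback contract; if the non-returning behaviour is in fact the documented contract, a one-line comment at the call site, `/* usr->error does not return */`, would spare the next reader the same question. The same pattern appears in the `wrong RLE` check of CVE-2020-14355-3.patch (quic_tmpl.c), where `run_end += i` and the copy loop run straight after the error call. quic_decode_begin's body continues outside the hunk.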
@@ -0,0 +1,38 @@
+Backport of:
+
+From ef1b6ff7b82e15d759e5415b8e35b92bb1a4c206 Mon Sep 17 00:00:00 2001
+From: Frediano Ziglio
+Date: Wed, 29 Apr 2020 15:11:38 +0100
+Subject: [PATCH spice-common 3/4] quic: Check RLE lengths
+
+Avoid buffer overflows decoding images. On compression we compute
+lengths till end of line so it won't cause regressions.
+Proved by fuzzing the code.
+
+Signed-off-by: Frediano Ziglio
+Acked-by: Uri Lublin
+---
+ common/quic_tmpl.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/spice-common/common/quic_tmpl.c
++++ b/spice-common/common/quic_tmpl.c
+@@ -563,11 +563,16 @@ do_run:
+ channel->state.waitcnt = stopidx - i;
+ run_index = i;
+ #ifdef RLE_STAT
+- run_end = i + decode_channel_run(encoder, channel);
++ run_end = decode_channel_run(encoder, channel);
+ #else
+- run_end = i + decode_run(encoder);
++ run_end = decode_run(encoder);
+ #endif
+
++ if (run_end < 0 || run_end > (end - i)) {
++ encoder->usr->error(encoder->usr, "wrong RLE\n");
++ }
++ run_end += i;
++
+ for (; i < run_end; i++) {
+ cur_row[i].a = cur_row[i - 1].a;
+ }
diff -Nru spice-0.14.0/debian/patches/CVE-2020-14355-4.patch spice-0.14.0/debian/patches/CVE-2020-14355-4.patch
--- spice-0.14.0/debian/patches/CVE-2020-14355-4.patch 1970-01-01 00:00:00.000000000 +0000
+++ spice-0.14.0/debian/patches/CVE-2020-14355-4.patch 2020-10-01 11:12:20.000000000 +0000
@@ -0,0 +1,30 @@
+From b24fe6b66b86e601c725d30f00c37e684b6395b6 Mon Sep 17 00:00:00 2001
+From: Frediano Ziglio
+Date: Thu, 30 Apr 2020 10:19:09 +0100
+Subject: [PATCH spice-common 4/4] quic: Avoid possible buffer overflow in
+ find_bucket
+
+Proved by fuzzing the code.
+
+Signed-off-by: Frediano Ziglio
+Acked-by: Uri Lublin
+---
+ common/quic_family_tmpl.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/spice-common/common/quic_family_tmpl.c
++++ b/spice-common/common/quic_family_tmpl.c
+@@ -107,7 +107,12 @@ static s_bucket *FNAME(find_bucket)(Chan
+ {
+ spice_assert(val < (0x1U << BPC));
+
+- return channel->_buckets_ptrs[val];
++ /* The and (&) here is to avoid buffer overflows in case of garbage or malicious
++ * attempts. Is much faster then using comparisons and save us from such situations.
++ * Note that on normal build the check above won't be compiled as this code path
++ * is pretty hot and would cause speed regressions.
++ */
++ return channel->_buckets_ptrs[val & ((1U << BPC) - 1)];
+ }
+
+ #undef FNAME
diff -Nru spice-0.14.0/debian/patches/series spice-0.14.0/debian/patches/series
--- spice-0.14.0/debian/patches/series 2019-01-24 14:00:07.000000000 +0000
+++ spice-0.14.0/debian/patches/series 2020-10-01 11:11:57.000000000 +0000
@@ -3,3 +3,7 @@
 CVE-2017-12194-3.patch
 CVE-2018-10873.patch
 CVE-2019-3813.patch
+CVE-2020-14355-1.patch
+CVE-2020-14355-2.patch
+CVE-2020-14355-3.patch
+CVE-2020-14355-4.patch
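Review bot: The mask in find_bucket (`val & ((1U << BPC) - 1)`) keeps the table lookup in bounds, but it silently folds an out-of-range `val` onto some other bucket, so a malformed stream keeps decoding with the wrong model instead of being rejected; the new comment explains the speed trade-off but not this consequence. One added sentence would make that explicit, e.g. `Out-of-range values are folded onto a valid bucket rather than rejected: the image decodes to garbage, but the read stays inside _buckets_ptrs.` While the comment is being touched, `then` should read `than` and `save us` should read `saves us`. The spice_assert above and the mask both derive their range from BPC, which is what keeps the debug check and the release-build guard from drifting apart; worth keeping them adjacent. find_bucket's signature is in the hunk header, outside the hunk.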