diff -u libxxf86dga-1.1.2/debian/control libxxf86dga-1.1.2/debian/control
--- libxxf86dga-1.1.2/debian/control
+++ libxxf86dga-1.1.2/debian/control
@@ -1,7 +1,8 @@
 Source: libxxf86dga
 Section: x11
 Priority: optional
-Maintainer: Debian X Strike Force
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Debian X Strike Force
 Uploaders: David Nusinow , Andres Salomon , Cyril Brulebois
 Build-Depends: debhelper (>= 5.0.0),
diff -u libxxf86dga-1.1.2/debian/changelog libxxf86dga-1.1.2/debian/changelog
--- libxxf86dga-1.1.2/debian/changelog
+++ libxxf86dga-1.1.2/debian/changelog
@@ -1,3 +1,20 @@
+libxxf86dga (2:1.1.2-1ubuntu0.1) precise-security; urgency=low
+
+ * SECURITY UPDATE: denial of service and possible code execution via
+ incorrect memory size calculations
+ - 6fa471be7a005bde97bcb5ca5a17662ea8d32587
+ - f4a8dd63af518640468d82948f450aad4b2b1e6a
+ - f89cf306a60facdf102696840bc05acebd7d1772
+ - a8dc6be3213bc91dec5e25535ef4bad5a9456af0
+ - CVE-2013-1991
+ * SECURITY UPDATE: denial of service and possible code execution via
+ incorrect length and bounds checking
+ - 5dcfa6a8cf2df39828da733e5945e730518c27b3
+ - b69d6d51a82b1d1e8c68a233360acb742c879375
+ - CVE-2013-2000
+
+ -- Marc Deslauriers Wed, 29 May 2013 09:47:49 -0400
+
 libxxf86dga (2:1.1.2-1) unstable; urgency=low
 [ Julien Cristau ]
only in patch2: unchanged:
--- libxxf86dga-1.1.2.orig/configure.ac
+++ libxxf86dga-1.1.2/configure.ac
@@ -22,6 +22,12 @@
 XORG_CHECK_MALLOC_ZERO
+# Check for _XEatDataWords function that may be patched into older Xlib release
+SAVE_LIBS="$LIBS"
+LIBS="$XXF86DGA_LIBS"
+AC_CHECK_FUNCS([_XEatDataWords])
+LIBS="$SAVE_LIBS"
+
 AC_OUTPUT([Makefile src/Makefile man/Makefile
only in patch2: unchanged:
--- libxxf86dga-1.1.2.orig/src/XF86DGA2.c
+++ libxxf86dga-1.1.2/src/XF86DGA2.c
@@ -6,6 +6,9 @@
 */ /* THIS IS NOT AN X CONSORTIUM STANDARD */
+#ifdef HAVE_CONFIG_H
+#include
+#endif
 #ifdef __UNIXOS2__ /* needed here to override certain constants in X headers */
 #define INCL_DOS
@@ -20,7 +23,18 @@
 #include
 #include
 #include
+#include
+#ifndef HAVE__XEATDATAWORDS
+static inline void _XEatDataWords(Display *dpy, unsigned long n)
+{
+# ifndef LONG64
+ if (n >= (ULONG_MAX >> 2))
+ _XIOError(dpy);
+# endif
+ _XEatData (dpy, n << 2);
+}
+#endif
 /* If you change this, change the Bases[] array below as well */
 #define MAX_HEADS 16
@@ -234,9 +248,14 @@
 return False;
 }
- if(rep.length) {
- deviceName = Xmalloc(rep.length << 2);
- _XRead(dpy, deviceName, rep.length << 2);
+ if (rep.length) {
+ if (rep.length < (INT_MAX >> 2)) {
+ unsigned long size = rep.length << 2;
+ deviceName = Xmalloc(size);
+ _XRead(dpy, deviceName, size);
+ deviceName[size - 1] = '\0';
+ } else
+ _XEatDataWords(dpy, rep.length);
 }
 ret = XDGAMapFramebuffer(screen, deviceName,
@@ -296,16 +315,21 @@
 if (_XReply(dpy, (xReply *)&rep, 0, xFalse)) {
 if(rep.length) {
 xXDGAModeInfo info;
- int i, size;
+ unsigned long size = 0;
 char *offset;
- size = rep.length << 2;
- size -= rep.number * sz_xXDGAModeInfo; /* find text size */
- modes = (XDGAMode*)Xmalloc((rep.number * sizeof(XDGAMode)) + size);
- offset = (char*)(&modes[rep.number]); /* start of text */
-
+ if ((rep.length < (INT_MAX >> 2)) &&
+ (rep.number < (INT_MAX / sizeof(XDGAMode)))) {
+ size = rep.length << 2;
+ if (size > (rep.number * sz_xXDGAModeInfo)) {
+ size -= rep.number * sz_xXDGAModeInfo; /* find text size */
+ modes = Xmalloc((rep.number * sizeof(XDGAMode)) + size);
+ offset = (char*)(&modes[rep.number]); /* start of text */
+ }
+ }
- if(modes) {
+ if (modes != NULL) {
+ unsigned int i;
 for(i = 0; i < rep.number; i++) {
 _XRead(dpy, (char*)(&info), sz_xXDGAModeInfo);
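Review bot: In the hunk at `@@ -234,9 +248,14 @@`, the result of `Xmalloc(size)` is handed to `_XRead` and then indexed at `size - 1` without a NULL check, so a failed allocation for a server-chosen length becomes a NULL write rather than a clean failure. The added range test bounds the request but cannot make the allocation succeed. Wrapping the two lines as `if (deviceName != NULL) { _XRead(dpy, deviceName, size); deviceName[size - 1] = '\0'; } else _XEatDataWords(dpy, rep.length);` keeps the reply drained in the failure case. The enclosing function starts and ends outside the hunk, so how a NULL `deviceName` is treated by `XDGAMapFramebuffer` is not visible here.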
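Review bot: The guard in the hunk at `@@ -296,16 +315,21 @@` bounds `rep.number` by `INT_MAX / sizeof(XDGAMode)` but then multiplies it by `sz_xXDGAModeInfo`, and nothing in the hunk records why that second product cannot wrap. It presumably holds because the client-side struct is at least as large as the wire struct, which is an assumption about two definitions outside this file section. A comment above the inner test would pin it down, for example `/* rep.number * sz_xXDGAModeInfo cannot wrap: rep.number < INT_MAX / sizeof(XDGAMode), and sizeof(XDGAMode) >= sz_xXDGAModeInfo is assumed */`. The function body continues past the end of this hunk.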
@@ -335,13 +359,20 @@
 modes[i].reserved1 = info.reserved1;
 modes[i].reserved2 = info.reserved2;
- _XRead(dpy, offset, info.name_size);
- modes[i].name = offset;
- offset += info.name_size;
+ if (info.name_size > 0 && info.name_size <= size) {
+ _XRead(dpy, offset, info.name_size);
+ modes[i].name = offset;
+ modes[i].name[info.name_size - 1] = '\0';
+ offset += info.name_size;
+ size -= info.name_size;
+ } else {
+ _XEatData(dpy, info.name_size);
+ modes[i].name = NULL;
+ }
 }
 *num = rep.number;
 } else
- _XEatData(dpy, rep.length << 2);
+ _XEatDataWords(dpy, rep.length);
 }
 }
@@ -377,12 +408,15 @@
 if (_XReply(dpy, (xReply *)&rep, 0, xFalse)) {
 if(rep.length) {
 xXDGAModeInfo info;
- int size;
+ unsigned long size;
- size = rep.length << 2;
- size -= sz_xXDGAModeInfo; /* get text size */
+ if ((rep.length < (INT_MAX >> 2)) &&
+ (rep.length > (sz_xXDGAModeInfo >> 2))) {
+ size = rep.length << 2;
+ size -= sz_xXDGAModeInfo; /* get text size */
- dev = (XDGADevice*)Xmalloc(sizeof(XDGADevice) + size);
+ dev = Xmalloc(sizeof(XDGADevice) + size);
+ }
 if(dev) {
 _XRead(dpy, (char*)(&info), sz_xXDGAModeInfo);
@@ -413,8 +447,14 @@
 dev->mode.reserved1 = info.reserved1;
 dev->mode.reserved2 = info.reserved2;
- dev->mode.name = (char*)(&dev[1]);
- _XRead(dpy, dev->mode.name, info.name_size);
+ if (info.name_size > 0 && info.name_size <= size) {
+ dev->mode.name = (char*)(&dev[1]);
+ _XRead(dpy, dev->mode.name, info.name_size);
+ dev->mode.name[info.name_size - 1] = '\0';
+ } else {
+ dev->mode.name = NULL;
+ _XEatDataWords(dpy, rep.length);
+ }
 dev->pixmap = (rep.flags & XDGAPixmap) ? pid : 0;
 dev->data = XDGAGetMappedMemory(screen);
@@ -423,6 +463,8 @@
 dev->data += rep.offset;
 }
 /* not sure what to do if the allocation fails */
+ else
+ _XEatDataWords(dpy, rep.length);
 }
 }
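Review bot: The `else` branch in the hunk at `@@ -335,13 +359,20 @@` passes `info.name_size` to `_XEatData` in exactly the case where that value failed the `info.name_size <= size` test, so a length the code has just rejected still decides how many bytes are pulled off the connection. Discarding more than the reply holds leaves the client blocked or consuming bytes that belong to a later reply or event. The discard should be capped at the remaining budget in `size`, and the rest of the reply treated as unusable rather than parsed further; doing that cleanly probably needs a running count of unread reply bytes, which the hunk does not keep. Callers can also now see `modes[i].name == NULL`, which deserves a line in the function's documentation; the loop and function begin outside this hunk.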
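Review bot: `size` is declared without an initializer in the hunk at `@@ -377,12 +408,15 @@` and is assigned only when the `rep.length` range test passes, yet the later `info.name_size <= size` comparison depends on it. That is safe only if `dev` is NULL when the block is entered, which is decided outside the hunk. Declaring it as `unsigned long size = 0;` removes that dependency and matches the declaration used in the `@@ -296,16 +315,21 @@` hunk of the same file.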
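Review bot: The rejection path in the hunk at `@@ -413,8 +447,14 @@` calls `_XEatDataWords(dpy, rep.length)` after `sz_xXDGAModeInfo` bytes of the reply have already been consumed by the `_XRead` into `info` shown at the end of the previous hunk, so it appears to discard `sz_xXDGAModeInfo` bytes more than the reply still holds. Over-draining desynchronises the connection: the extra bytes come from whatever the server sends next, or the call blocks waiting for them. `size` already holds the unread remainder, so `_XEatData(dpy, size);` would match what is left. This assumes no other read happens in the lines between the two hunks, which are not shown.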