7 files changed, 82 insertions, 23 deletions

diff --git a/.hgsigs b/.hgsigs
index 4a6a1294f..528d1e655 100644
--- a/.hgsigs
+++ b/.hgsigs
@@ -1,3 +1,4 @@
 5e6d0656ac4efdc1a89ed0fc32f11050f4a22970 0 iD8DBQBGZ207sBKtjPGfWZ8RAhdEAKCrkwiBT6bTof7ro5QQwewRfF/dMACffsvfK42+ahQrjpSfQxEp6k7RpCI=
 42358e16442fe54fa554006e0b0bafd51e065c32 0 iD8DBQBG0xz0zbwfTn7RbcARAoD3AJ4012pabmpQvCKKDokZNyZzfPIbWgCfRk5FRly/Eei/xXnSaT54XHAT5KM=
 1dbf784bebc791266fcca02e917ee63034ac2e0b 0 iD8DBQBHgQ2mzbwfTn7RbcARArl9AKCslqZDrrm0GiU3IbBvcQVbOdSXlwCgyEMuHY2y/+T6WEeB2CXvCTs5ulI=
+b591d00fcd386cdd3779378c34b2d42b7504afc4 0 iD8DBQBHh5UfsBKtjPGfWZ8RAgvMAJ9xwnDNifmaobFYe2nR7+rJlLTkEQCgguGMqwqRZY68HWQXhEx918hp4Yg=
diff --git a/.hgtags b/.hgtags
index b483eab8c..8b9b6199b 100644
--- a/.hgtags
+++ b/.hgtags
@@ -63,3 +63,4 @@ fd12068ebd3fab2438f77b06e312c4244e97950a DXR3_095
 ab1531337553ad5eac24a69ac665eae33916b423 xine-lib-1_1_7-release
 e0a332b9d3e8bb3fad4d7feac1e519292b062056 xine-lib-1_1_8-release
 b6be674453e922114b55d4613cb197c77d19f094 xine-lib-1_1_9-release
+9438947f88ad2bed1832385301c6b4e62709625a xine-lib-1_1_9_1-release
diff --git a/ChangeLog b/ChangeLog
index 34696653e..aa626d700 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -53,9 +53,13 @@ xine-lib (1.1.90) (Unreleased)
   * Check for supported extensions before opening the plugin and remove
     redundant core from plugins.
 
-xine-lib (1.1.9.1) (unreleased)
+xine-lib (1.1.9.1)
+  * Security fixes:
+    - Fix a buffer overflow in RTSP header-handling code. (CVE-2008-0225)
+      (Fix ported from mplayer changeset 22821)
   * Fix a read-past-end bug in xine-lib's internal strtok_r replacement.
     (Only affects systems without strtok_r.) [Bug #19]
+  * Fix a bug which causes video playback display errors on PPC/Darwin.
 
 xine-lib (1.1.9)
   * Fix dvd://.../title[.chapter] handling (somewhat broken in 1.1.8).
@@ -1673,3 +1677,4 @@ xine (0.3.0+older) unstable; urgency=low
   
  -- Siggi Langauf <siggi@users.sourceforge.net>  Sun,  7 Jan 2001 23:59:12 +0100
 
+
diff --git a/src/input/libreal/rmff.c b/src/input/libreal/rmff.c
index c12fff1d6..0e803e4d4 100644
--- a/src/input/libreal/rmff.c
+++ b/src/input/libreal/rmff.c
@@ -35,9 +35,13 @@
  * writes header data to a buffer
  */
 
-static void rmff_dump_fileheader(rmff_fileheader_t *fileheader, uint8_t *buffer) {
+static int rmff_dump_fileheader(rmff_fileheader_t *fileheader, uint8_t *buffer, int bufsize) {
+
+  if (!fileheader) return 0;
+
+  if (bufsize < RMFF_FILEHEADER_SIZE)
+    return -1;
 
-  if (!fileheader) return;
   fileheader->object_id=_X_BE_32(&fileheader->object_id);
   fileheader->size=_X_BE_32(&fileheader->size);
   fileheader->object_version=_X_BE_16(&fileheader->object_version);
@@ -53,11 +57,17 @@ static void rmff_dump_fileheader(rmff_fileheader_t *fileheader, uint8_t *buffer)
   fileheader->file_version=_X_BE_32(&fileheader->file_version);
   fileheader->num_headers=_X_BE_32(&fileheader->num_headers);
   fileheader->object_id=_X_BE_32(&fileheader->object_id);
+
+  return RMFF_FILEHEADER_SIZE;
 }
 
-static void rmff_dump_prop(rmff_prop_t *prop, uint8_t *buffer) {
+static int rmff_dump_prop(rmff_prop_t *prop, uint8_t *buffer, int bufsize) {
+
+  if (!prop) return 0;
+
+  if (bufsize < RMFF_PROPHEADER_SIZE)
+    return -1;
 
-  if (!prop) return;
   prop->object_id=_X_BE_32(&prop->object_id);
   prop->size=_X_BE_32(&prop->size);
   prop->object_version=_X_BE_16(&prop->object_version);
@@ -93,13 +103,19 @@ static void rmff_dump_prop(rmff_prop_t *prop, uint8_t *buffer) {
   prop->num_streams=_X_BE_16(&prop->num_streams);
   prop->flags=_X_BE_16(&prop->flags);
   prop->object_id=_X_BE_32(&prop->object_id);
+
+  return RMFF_PROPHEADER_SIZE;
 }
 
-static void rmff_dump_mdpr(rmff_mdpr_t *mdpr, uint8_t *buffer) {
+static int rmff_dump_mdpr(rmff_mdpr_t *mdpr, uint8_t *buffer, int bufsize) {
 
   int s1, s2, s3;
 
-  if (!mdpr) return;
+  if (!mdpr) return 0;
+
+  if (bufsize < RMFF_MDPRHEADER_SIZE + mdpr->type_specific_len + mdpr->stream_name_size + mdpr->mime_type_size)
+    return -1;
+
   mdpr->object_id=_X_BE_32(&mdpr->object_id);
   mdpr->size=_X_BE_32(&mdpr->size);
   mdpr->object_version=_X_BE_16(&mdpr->object_version);
@@ -141,13 +157,19 @@ static void rmff_dump_mdpr(rmff_mdpr_t *mdpr, uint8_t *buffer) {
   mdpr->duration=_X_BE_32(&mdpr->duration);
   mdpr->object_id=_X_BE_32(&mdpr->object_id);
 
+  return RMFF_MDPRHEADER_SIZE + s1 + s2 + s3;
 }
 
-static void rmff_dump_cont(rmff_cont_t *cont, uint8_t *buffer) {
+static int rmff_dump_cont(rmff_cont_t *cont, uint8_t *buffer, int bufsize) {
 
   int p;
 
-  if (!cont) return;
+  if (!cont) return 0;
+
+  if (bufsize < RMFF_CONTHEADER_SIZE + cont->title_len + cont->author_len +
+      cont->copyright_len + cont->comment_len)
+    return -1;
+
   cont->object_id=_X_BE_32(&cont->object_id);
   cont->size=_X_BE_32(&cont->size);
   cont->object_version=_X_BE_16(&cont->object_version);
@@ -181,11 +203,18 @@ static void rmff_dump_cont(rmff_cont_t *cont, uint8_t *buffer) {
   cont->size=_X_BE_32(&cont->size);
   cont->object_version=_X_BE_16(&cont->object_version);
   cont->object_id=_X_BE_32(&cont->object_id);
+
+  return RMFF_CONTHEADER_SIZE + cont->title_len + cont->author_len +
+         cont->copyright_len + cont->comment_len;
 }
 
-static void rmff_dump_dataheader(rmff_data_t *data, uint8_t *buffer) {
+static int rmff_dump_dataheader(rmff_data_t *data, uint8_t *buffer, int bufsize) {
+
+  if (!data) return 0;
+
+  if (bufsize < RMFF_DATAHEADER_SIZE)
+    return -1;
 
-  if (!data) return;
   data->object_id=_X_BE_32(&data->object_id);
   data->size=_X_BE_32(&data->size);
   data->object_version=_X_BE_16(&data->object_version);
@@ -201,32 +230,43 @@ static void rmff_dump_dataheader(rmff_data_t *data, uint8_t *buffer) {
   data->size=_X_BE_32(&data->size);
   data->object_version=_X_BE_16(&data->object_version);
   data->object_id=_X_BE_32(&data->object_id);
+
+  return RMFF_DATAHEADER_SIZE;
 }
 
 int rmff_dump_header(rmff_header_t *h, void *buf_gen, int max) {
   uint8_t *buffer = buf_gen;
 
-  int written=0;
+  int written=0, size;
   rmff_mdpr_t **stream=h->streams;
 
-  rmff_dump_fileheader(h->fileheader, &buffer[written]);
-  written+=h->fileheader->size;
-  rmff_dump_prop(h->prop, &buffer[written]);
-  written+=h->prop->size;
-  rmff_dump_cont(h->cont, &buffer[written]);
-  written+=h->cont->size;
+  if ((size=rmff_dump_fileheader(h->fileheader, &buffer[written], max)) < 0)
+    return -1;
+  written+=size;
+  max -= size;
+  if ((size=rmff_dump_prop(h->prop, &buffer[written], max)) < 0)
+    return -1;
+  written+=size;
+  max -= size;
+  if ((size=rmff_dump_cont(h->cont, &buffer[written], max)) < 0)
+    return -1;
+  written+=size;
+  max -= size;
   if (stream)
   {
     while(*stream)
     {
-      rmff_dump_mdpr(*stream, &buffer[written]);
-      written+=(*stream)->size;
+      if ((size=rmff_dump_mdpr(*stream, &buffer[written], max)) < 0)
+        return -1;
+      written+=size;
+      max -= size;
       stream++;
     }
   }
     
-  rmff_dump_dataheader(h->data, &buffer[written]);
-  written+=18;
+  if ((size=rmff_dump_dataheader(h->data, &buffer[written], max)) < 0)
+    return -1;
+  written+=size;
 
   return written;
 }
diff --git a/src/input/libreal/rmff.h b/src/input/libreal/rmff.h
index 010ee5154..2521ebda6 100644
--- a/src/input/libreal/rmff.h
+++ b/src/input/libreal/rmff.h
@@ -39,6 +39,12 @@
 
 #define RMFF_HEADER_SIZE 0x12
 
+#define RMFF_FILEHEADER_SIZE 18
+#define RMFF_PROPHEADER_SIZE 50
+#define RMFF_MDPRHEADER_SIZE 46
+#define RMFF_CONTHEADER_SIZE 18
+#define RMFF_DATAHEADER_SIZE 18
+
 #define FOURCC_TAG( ch0, ch1, ch2, ch3 ) \
         (((long)(unsigned char)(ch3)       ) | \
         ( (long)(unsigned char)(ch2) << 8  ) | \
diff --git a/src/input/librtsp/rtsp_session.c b/src/input/librtsp/rtsp_session.c
index 5cb0dfb63..d8f7ae583 100644
--- a/src/input/librtsp/rtsp_session.c
+++ b/src/input/librtsp/rtsp_session.c
@@ -148,6 +148,11 @@ connect:
 	
 	  rtsp_session->header_left = 
     rtsp_session->header_len  = rmff_dump_header(h,rtsp_session->header,HEADER_SIZE);
+    if (rtsp_session->header_len < 0) {
+      xprintf (stream->xine, XINE_VERBOSITY_LOG,
+	       _("rtsp_session: rtsp server returned overly-large headers, session can not be established.\n"));
+      goto session_abort;
+    }
 
     xine_buffer_copyin(rtsp_session->recv, 0, rtsp_session->header, rtsp_session->header_len);
     rtsp_session->recv_size = rtsp_session->header_len;
@@ -157,6 +162,7 @@ connect:
   {
     xprintf(stream->xine, XINE_VERBOSITY_LOG,
 	    _("rtsp_session: rtsp server type '%s' not supported yet. sorry.\n"), server);
+    session_abort:
     rtsp_close(rtsp_session->s);
     free(server);
     xine_buffer_free(rtsp_session->recv);
diff --git a/src/video_out/macosx/XineOpenGLView.m b/src/video_out/macosx/XineOpenGLView.m
index 5ed515704..cad087551 100644
--- a/src/video_out/macosx/XineOpenGLView.m
+++ b/src/video_out/macosx/XineOpenGLView.m
@@ -336,7 +336,7 @@ NSColorToYUV(NSColor *color)
     // http://developer.apple.com/samplecode/Sample_Code/Graphics_3D/TextureRange/MainOpenGLView.m.htm
     glTexSubImage2D(GL_TEXTURE_RECTANGLE_EXT, 0, 0, 0,
                     videoSize.width, videoSize.height, GL_YCBCR_422_APPLE,
-#if WORDS_BIG_ENDIAN
+#if WORDS_BIGENDIAN
                     GL_UNSIGNED_SHORT_8_8_APPLE,
 #else
                     GL_UNSIGNED_SHORT_8_8_REV_APPLE,