Security fixes:

- Heap overflow in libmms (related to CVE-2006-2200)
- Buffer overrun in Real Media input plugin. [bug #1603458]
  Thanks to Roland Kay for reporting and JW for the patch.

from brad@, tested by bernd@ and me

multimedia/xine-lib/Makefile

@@ -1,10 +1,10 @@
-# $OpenBSD: Makefile,v 1.7 2006/12/02 20:24:17 pvalchev Exp $
+# $OpenBSD: Makefile,v 1.8 2006/12/07 09:21:01 steven Exp $
 
 COMMENT=		"multimedia decoding library"
 
 V=			1.1.2
 DISTNAME=		xine-lib-${V}
-PKGNAME=		${DISTNAME}p2
+PKGNAME=		${DISTNAME}p3
 EXTRACT_SUFX=		.tar.bz2
 CATEGORIES=		multimedia
 SHARED_LIBS=		xine	14.1

multimedia/xine-lib/patches/patch-src_input_libreal_asmrp_c

@@ -0,0 +1,39 @@
+$OpenBSD: patch-src_input_libreal_asmrp_c,v 1.1 2006/12/07 09:21:01 steven Exp $
+--- src/input/libreal/asmrp.c.orig	Mon Dec  4 14:27:53 2006
++++ src/input/libreal/asmrp.c	Mon Dec  4 14:30:49 2006
+@@ -604,7 +604,7 @@ static int asmrp_rule (asmrp_t *p) {
+   return ret;
+ }
+ 
+-static int asmrp_eval (asmrp_t *p, int *matches) {
++static int asmrp_eval (asmrp_t *p, int *matches, int matchsize) {
+ 
+   int rule_num, num_matches;
+ 
+@@ -613,7 +613,7 @@ static int asmrp_eval (asmrp_t *p, int *
+   asmrp_get_sym (p);
+ 
+   rule_num = 0; num_matches = 0;
+-  while (p->sym != ASMRP_SYM_EOF) {
++  while (p->sym != ASMRP_SYM_EOF && num_matches < matchsize -1) {
+ 
+     if (asmrp_rule (p)) {
+       lprintf ("rule #%d is true\n", rule_num);
+@@ -629,7 +629,7 @@ static int asmrp_eval (asmrp_t *p, int *
+   return num_matches;
+ }
+ 
+-int asmrp_match (const char *rules, int bandwidth, int *matches) {
++int asmrp_match (const char *rules, int bandwidth, int *matches, int matchsize) {
+ 
+   asmrp_t *p;
+   int      num_matches;
+@@ -641,7 +641,7 @@ int asmrp_match (const char *rules, int 
+   asmrp_set_id (p, "Bandwidth", bandwidth);
+   asmrp_set_id (p, "OldPNMPlayer", 0);
+ 
+-  num_matches = asmrp_eval (p, matches);
++  num_matches = asmrp_eval (p, matches, matchsize);
+ 
+   asmrp_dispose (p);
+ 

multimedia/xine-lib/patches/patch-src_input_libreal_asmrp_h

@@ -0,0 +1,11 @@
+$OpenBSD: patch-src_input_libreal_asmrp_h,v 1.1 2006/12/07 09:21:01 steven Exp $
+--- src/input/libreal/asmrp.h.orig	Mon Dec  4 14:28:04 2006
++++ src/input/libreal/asmrp.h	Mon Dec  4 14:31:10 2006
+@@ -37,6 +37,6 @@
+ #ifndef HAVE_ASMRP_H
+ #define HAVE_ASMRP_H
+ 
+-int asmrp_match (const char *rules, int bandwidth, int *matches) ;
++int asmrp_match (const char *rules, int bandwidth, int *matches, int matchsize) ;
+ 
+ #endif

multimedia/xine-lib/patches/patch-src_input_libreal_real_c

@@ -1,14 +1,24 @@
-$OpenBSD: patch-src_input_libreal_real_c,v 1.2 2006/10/12 04:48:14 brad Exp $
+$OpenBSD: patch-src_input_libreal_real_c,v 1.3 2006/12/07 09:21:01 steven Exp $
 --- src/input/libreal/real.c.orig	Sun Jul  9 10:37:40 2006
-+++ src/input/libreal/real.c	Fri Sep 15 17:53:21 2006
-@@ -51,8 +51,9 @@ static const unsigned char xor_table[] =
++++ src/input/libreal/real.c	Mon Dec  4 14:34:35 2006
+@@ -51,9 +51,10 @@ static const unsigned char xor_table[] =
  #define BE_32C(x,y) do { *(uint32_t *)(x) = be2me_32((y)); } while(0)
  #define LE_32C(x,y) do { *(uint32_t *)(x) = le2me_32((y)); } while(0)
  
 +#ifndef MAX
  #define MAX(x,y) ((x>y) ? x : y)
--
 +#endif
  
+-
  static void hash(char *field, char *param) {
  
+   uint32_t a, b, c, d;
+@@ -476,7 +477,7 @@ rmff_header_t *real_parse_sdp(char *data
+ 
+     lprintf("calling asmrp_match with:\n%s\n%u\n", desc->stream[i]->asm_rule_book, bandwidth);
+ 
+-    n=asmrp_match(desc->stream[i]->asm_rule_book, bandwidth, rulematches);
++    n=asmrp_match(desc->stream[i]->asm_rule_book, bandwidth, rulematches, sizeof(rulematches)/sizeof(rulematches[0]));
+     for (j=0; j<n; j++) {
+       lprintf("asmrp rule match: %u for stream %u\n", rulematches[j], desc->stream[i]->stream_id);
+       sprintf(b,"stream=%u;rule=%u,", desc->stream[i]->stream_id, rulematches[j]);

multimedia/xine-lib/patches/patch-src_input_mms_c

@@ -1,6 +1,6 @@
-$OpenBSD: patch-src_input_mms_c,v 1.1.1.1 2006/03/24 22:43:41 jakemsr Exp $
---- src/input/mms.c.orig	Sat Dec 24 23:39:48 2005
-+++ src/input/mms.c	Sat Dec 24 23:40:23 2005
+$OpenBSD: patch-src_input_mms_c,v 1.2 2006/12/07 09:21:01 steven Exp $
+--- src/input/mms.c.orig	Sun Jul  9 10:37:35 2006
++++ src/input/mms.c	Mon Dec  4 14:44:00 2006
 @@ -50,6 +50,7 @@
  #include <iconv.h>
  #include <locale.h>
@@ -9,6 +9,15 @@ $OpenBSD: patch-src_input_mms_c,v 1.1.1.1 2006/03/24 22:43:41 jakemsr Exp $
  #endif
  
  /********** logging **********/
+@@ -138,7 +139,7 @@ struct mms_s {
+   int           num_stream_ids;
+   int           stream_ids[ASF_MAX_NUM_STREAMS];
+   int           stream_types[ASF_MAX_NUM_STREAMS];
+-  int           asf_packet_len;
++  uint32_t      asf_packet_len;
+   uint64_t      file_len;
+   char          guid[37];
+   uint32_t      bitrates[ASF_MAX_NUM_STREAMS];
 @@ -299,7 +300,7 @@ static int send_command (mms_t *this, in
  
  #ifdef USE_ICONV
@@ -18,3 +27,47 @@ $OpenBSD: patch-src_input_mms_c,v 1.1.1.1 2006/03/24 22:43:41 jakemsr Exp $
  }
  
  static void string_utf16_close(iconv_t url_conv) {
+@@ -371,13 +372,17 @@ static int get_packet_header (mms_t *thi
+       goto error;
+     
+     header->packet_len = LE_32(this->buf + 8) + 4;
++    if (header->packet_len > BUF_SIZE - 12) {
++      header->packet_len = 0;
++      goto error;
++    }
+     lprintf("mms command\n");
+     packet_type = MMS_PACKET_COMMAND;
+   } else {
+     header->packet_seq     = LE_32(this->buf);
+     header->packet_id_type = this->buf[4];
+     header->flags          = this->buf[5];
+-    header->packet_len     = LE_16(this->buf + 6) - 8;
++    header->packet_len     = (LE_16(this->buf + 6) - 8) & 0xffff;
+     if (header->packet_id_type == ASF_HEADER_PACKET_ID_TYPE) {
+       lprintf("asf header\n");
+       packet_type = MMS_PACKET_ASF_HEADER;
+@@ -497,6 +502,11 @@ static int get_asf_header (mms_t *this) 
+         break;
+       case MMS_PACKET_ASF_HEADER:
+       case MMS_PACKET_ASF_PACKET:
++        if (header.packet_len + this->asf_header_len > ASF_HEADER_LEN) {
++            xprintf (this->stream->xine, XINE_VERBOSITY_LOG,
++                     "libmms: asf packet too large\n");
++            return 0;
++        }
+         len = _x_io_tcp_read (this->stream, this->s,
+                               (char*)(this->asf_header + this->asf_header_len), header.packet_len);
+         if (len != header.packet_len) {
+@@ -542,6 +552,12 @@ static void interp_asf_header (mms_t *th
+       case GUID_ASF_FILE_PROPERTIES:
+ 
+         this->asf_packet_len = LE_32(this->asf_header + i + 92 - 24);
++        if (this->asf_packet_len > BUF_SIZE) {
++          this->asf_packet_len = 0;
++          xprintf (this->stream->xine, XINE_VERBOSITY_LOG,
++                   "libmms: asf packet len too large\n");
++          break;
++        }
+         this->file_len       = LE_64(this->asf_header + i + 40 - 24);
+         lprintf ("file object, file_length = %lld, packet length = %d",
+ 		 this->file_len, this->asf_packet_len);

multimedia/xine-lib/patches/patch-src_input_mmsh_c

@@ -0,0 +1,23 @@
+$OpenBSD: patch-src_input_mmsh_c,v 1.1 2006/12/07 09:21:01 steven Exp $
+--- src/input/mmsh.c.orig	Mon Dec  4 14:44:07 2006
++++ src/input/mmsh.c	Mon Dec  4 14:45:35 2006
+@@ -182,7 +182,7 @@ struct mmsh_s {
+   int           num_stream_ids;
+   int           stream_ids[ASF_MAX_NUM_STREAMS];
+   int           stream_types[ASF_MAX_NUM_STREAMS];
+-  int           packet_length;
++  uint32_t      packet_length;
+   int64_t       file_length;
+   char          guid[37];
+   uint32_t      bitrates[ASF_MAX_NUM_STREAMS];
+@@ -491,6 +491,10 @@ static void interp_header (mmsh_t *this)
+       case GUID_ASF_FILE_PROPERTIES:
+ 
+         this->packet_length = LE_32(this->asf_header + i + 92 - 24);
++        if (this->packet_length > CHUNK_SIZE) {
++          this->packet_length = 0;
++          break;
++        }
+         this->file_length   = LE_64(this->asf_header + i + 40 - 24);
+         /*lprintf ("file object, file_length = %lld, packet length = %d",
+ 		 this->file_length, this->packet_count);*/