I think I blogged about this in the past, on my request to access Coverity scan results to be able to fix the xine defects reported by that.
I’m quite impressed that most of the issues I found were not about the actual xine-lib code, but more about the external libraries such as FFmpeg and libdvdnav. This is probably because Coverity didn’t actually scan xine-ui, that surely is full of issues, some of them most likely security issues.
Now, I’ve fixed a few of the stuff I could actually look up myself, it’s not a big deal, I didn’t find any actual security risk, although I think I found something that might be related to a bug with MPEG files, that I need to check out more throughoutfully, and possibly fix.
Most of the issues reported for FFmpeg are also already fixed in their codebase, some of them in xine itself too, and the remaining are mostly corner cases. What surprises me quite a bit is the quantity of reports out of libdvdnav (most of them actually inherited by libdvdread).
I don’t have any direct contact with those upstreams, but I’m afraid I should really try to contact them and see what I can do about those problems, some of them might be the causes for some of the DVD playback issues that are reported from time to time.
Sigh, now tell me again, why it’s 6am and I’m still awake working on fixing someone else’s code?