Fix a bunch of potential segmentation faults:

 - out of bound read initially uncovered by sam,
 - also malloc() can really return NULL for arbitrary large alloc,
   return value MUST be checked.

diff --git a/modules/demux/asf/libasf.c b/modules/demux/asf/libasf.c
index c1e5bde5f2d7b71cd6cfea9174f6944add5c563d..5a0ad888ffdfff63622e9cc6f03d76adece229e1 100644 (file)
--- a/modules/demux/asf/libasf.c
+++ b/modules/demux/asf/libasf.c
@@ -491,13 +491,14 @@ static int ASF_ReadObject_stream_properties( stream_t *s, asf_object_t *p_obj )
 {
     asf_object_stream_properties_t *p_sp =
                     (asf_object_stream_properties_t*)p_obj;
-    int     i_peek;
+    size_t   i_peek;
     uint8_t *p_peek;
 
-    if( ( i_peek = stream_Peek( s, &p_peek,  p_sp->i_object_size ) ) < 74 )
+    if( ( i_peek = stream_Peek( s, &p_peek,  p_sp->i_object_size ) ) < 78 )
     {
        return VLC_EGENERIC;
     }
+
     ASF_GetGUID( &p_sp->i_stream_type, p_peek + 24 );
     ASF_GetGUID( &p_sp->i_error_correction_type, p_peek + 40 );
     p_sp->i_time_offset = GetQWLE( p_peek + 56 );
@@ -506,21 +507,42 @@ static int ASF_ReadObject_stream_properties( stream_t *s, asf_object_t *p_obj )
     p_sp->i_flags = GetWLE( p_peek + 72 );
         p_sp->i_stream_number = p_sp->i_flags&0x07f;
     p_sp->i_reserved = GetDWLE( p_peek + 74 );
+    i_peek -= 78;
+
     if( p_sp->i_type_specific_data_length )
     {
+        if( i_peek < p_sp->i_type_specific_data_length )
+            return VLC_EGENERIC;
+
         p_sp->p_type_specific_data =
             malloc( p_sp->i_type_specific_data_length );
+        if( p_sp->p_type_specific_data == NULL )
+            return VLC_ENOMEM;
+
         memcpy( p_sp->p_type_specific_data, p_peek + 78,
                 p_sp->i_type_specific_data_length );
+        i_peek -= p_sp->i_type_specific_data_length;
     }
     else
     {
         p_sp->p_type_specific_data = NULL;
     }
+
     if( p_sp->i_error_correction_data_length )
     {
+        if( i_peek < p_sp->i_error_correction_data_length )
+        {
+            free( p_sp->p_type_specific_data );
+            return VLC_EGENERIC;
+        }
+
         p_sp->p_error_correction_data =
             malloc( p_sp->i_error_correction_data_length );
+        if( p_sp->p_error_correction_data == NULL )
+        {
+            free( p_sp->p_type_specific_data );
+            return VLC_ENOMEM;
+        }
         memcpy( p_sp->p_error_correction_data,
                 p_peek + 78 + p_sp->i_type_specific_data_length,
                 p_sp->i_error_correction_data_length );