Backport [18573:18578] various leaks and crashes

modules/demux/asf/asf.c

@@ -123,6 +123,7 @@ static int Open( vlc_object_t * p_this )
     /* Load the headers */
     if( DemuxInit( p_demux ) )
     {
+        free( p_sys );
         return VLC_EGENERIC;
     }
     return VLC_SUCCESS;

modules/demux/asf/libasf.c

@@ -492,13 +492,14 @@ static int ASF_ReadObject_stream_properties( stream_t *s, asf_object_t *p_obj )
 {
     asf_object_stream_properties_t *p_sp =
                     (asf_object_stream_properties_t*)p_obj;
-    int     i_peek;
+    size_t   i_peek;
     uint8_t *p_peek;
 
-    if( ( i_peek = stream_Peek( s, &p_peek,  p_sp->i_object_size ) ) < 74 )
+    if( ( i_peek = stream_Peek( s, &p_peek,  p_sp->i_object_size ) ) < 78 )
     {
        return VLC_EGENERIC;
     }
+
     ASF_GetGUID( &p_sp->i_stream_type, p_peek + 24 );
     ASF_GetGUID( &p_sp->i_error_correction_type, p_peek + 40 );
     p_sp->i_time_offset = GetQWLE( p_peek + 56 );
@@ -507,21 +508,42 @@ static int ASF_ReadObject_stream_properties( stream_t *s, asf_object_t *p_obj )
     p_sp->i_flags = GetWLE( p_peek + 72 );
         p_sp->i_stream_number = p_sp->i_flags&0x07f;
     p_sp->i_reserved = GetDWLE( p_peek + 74 );
+    i_peek -= 78;
+
     if( p_sp->i_type_specific_data_length )
     {
+        if( i_peek < p_sp->i_type_specific_data_length )
+            return VLC_EGENERIC;
+
         p_sp->p_type_specific_data =
             malloc( p_sp->i_type_specific_data_length );
+        if( p_sp->p_type_specific_data == NULL )
+            return VLC_ENOMEM;
+
         memcpy( p_sp->p_type_specific_data, p_peek + 78,
                 p_sp->i_type_specific_data_length );
+        i_peek -= p_sp->i_type_specific_data_length;
     }
     else
     {
         p_sp->p_type_specific_data = NULL;
     }
+
     if( p_sp->i_error_correction_data_length )
     {
+        if( i_peek < p_sp->i_error_correction_data_length )
+        {
+            free( p_sp->p_type_specific_data );
+            return VLC_EGENERIC;
+        }
+
         p_sp->p_error_correction_data =
             malloc( p_sp->i_error_correction_data_length );
+        if( p_sp->p_error_correction_data == NULL )
+        {
+            free( p_sp->p_type_specific_data );
+            return VLC_ENOMEM;
+        }
         memcpy( p_sp->p_error_correction_data,
                 p_peek + 78 + p_sp->i_type_specific_data_length,
                 p_sp->i_error_correction_data_length );

modules/demux/avi/libavi.c

@@ -207,43 +207,44 @@ static int AVI_ChunkRead_list( stream_t *s, avi_chunk_t *p_container )
     i_read = stream_Read( s, p_read, i_read ); \
     if( i_read < (int64_t)__EVEN(p_chk->common.i_chunk_size ) + 8 ) \
     { \
+        free( p_buff ); \
         return VLC_EGENERIC; \
     }\
     p_read += 8; \
     i_read -= 8
 
+#define AVI_READ( res, func, size ) \
+    if( i_read < size ) { \
+        free( p_buff); \
+        return VLC_EGENERIC; \
+    } \
+    i_read -= size; \
+    res = func( p_read ); \
+    p_read += size \
+
 #define AVI_READCHUNK_EXIT( code ) \
     free( p_buff ); \
-    if( i_read < 0 ) \
-    { \
-        msg_Warn( (vlc_object_t*)s, "not enough data" ); \
-    } \
     return code
 
+static inline uint8_t GetB( uint8_t *ptr )
+{
+    return *ptr;
+}
+
 #define AVI_READ1BYTE( i_byte ) \
-    i_byte = *p_read; \
-    p_read++; \
-    i_read--
+    AVI_READ( i_byte, GetB, 1 )
 
 #define AVI_READ2BYTES( i_word ) \
-    i_word = GetWLE( p_read ); \
-    p_read += 2; \
-    i_read -= 2
+    AVI_READ( i_word, GetWLE, 2 )
 
 #define AVI_READ4BYTES( i_dword ) \
-    i_dword = GetDWLE( p_read ); \
-    p_read += 4; \
-    i_read -= 4
+    AVI_READ( i_dword, GetDWLE, 4 )
 
-#define AVI_READ8BYTES( i_dword ) \
-    i_dword = GetQWLE( p_read ); \
-    p_read += 8; \
-    i_read -= 8
+#define AVI_READ8BYTES( i_qword ) \
+    AVI_READ( i_qword, GetQWLE, 8 )
 
 #define AVI_READFOURCC( i_dword ) \
-    i_dword = GetFOURCC( p_read ); \
-    p_read += 4; \
-    i_read -= 4
+    AVI_READ( i_dword, GetFOURCC, 4 )
 
 static int AVI_ChunkRead_avih( stream_t *s, avi_chunk_t *p_chk )
 {