oss-sec mailing list archives

Several reads out-of-bound in mplayer 1.1


From: Gustavo Grieco <gustavo.grieco () gmail com>
Date: Tue, 10 Nov 2015 10:29:05 -0300

Some out-of-bounds reads in the functions asf_mmst_streaming_start and
http_build_request are present in MPlayer 1.1-4.8 (tested on Ubuntu 14.04).
Other versions are probably affected. Upstream has been notified.

How to reproduce:

First, launch a dummy server:

$ true | netcat -l 127.0.0.1 5002

Then, run mplayer under valgrind:

$ valgrind mplayer mms://127.0.0.1:5002
==31830== Memcheck, a memory error detector
==31830== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==31830== Using Valgrind-3.10.0.SVN and LibVEX; rerun with -h for copyright info
==31830== Command: mplayer mms://127.0.0.1:5002
==31830==
MPlayer 1.1-4.8 (C) 2000-2012 MPlayer Team
mplayer: could not connect to socket
mplayer: No such file or directory
Failed to open LIRC support. You will not be able to use your remote control.

Playing mms://127.0.0.1:5002.
STREAM_ASF, URL: mms://127.0.0.1:5002
Resolving 127.0.0.1 for AF_INET6...

Couldn't resolve name for AF_INET6: 127.0.0.1
Connecting to server 127.0.0.1[127.0.0.1]: 5002...

Connected
==31830== Invalid read of size 4
==31830==    at 0x5A6792: asf_mmst_streaming_start (asf_mmst_streaming.c:595)
==31830==    by 0x5A8AA8: open_s (asf_streaming.c:94)
==31830==    by 0x54FD1F: open_stream_full (stream.c:186)
==31830==    by 0x54F3D0: open_stream (open.c:65)
==31830==    by 0x4321D9: main (mplayer.c:3223)
==31830==  Address 0x153e0ef0 is 0 bytes inside a block of size 1 alloc'd
==31830==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==31830==    by 0x5A65E7: asf_mmst_streaming_start (asf_mmst_streaming.c:539)
==31830==    by 0x5A8AA8: open_s (asf_streaming.c:94)
==31830==    by 0x54FD1F: open_stream_full (stream.c:186)
==31830==    by 0x54F3D0: open_stream (open.c:65)
==31830==    by 0x4321D9: main (mplayer.c:3223)
==31830==
==31830== Invalid read of size 4
==31830==    at 0x5A67E6: asf_mmst_streaming_start (asf_mmst_streaming.c:597)
==31830==    by 0x5A8AA8: open_s (asf_streaming.c:94)
==31830==    by 0x54FD1F: open_stream_full (stream.c:186)
==31830==    by 0x54F3D0: open_stream (open.c:65)
==31830==    by 0x4321D9: main (mplayer.c:3223)
==31830==  Address 0x153e0ef0 is 0 bytes inside a block of size 1 alloc'd
==31830==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==31830==    by 0x5A65E7: asf_mmst_streaming_start (asf_mmst_streaming.c:539)
==31830==    by 0x5A8AA8: open_s (asf_streaming.c:94)
==31830==    by 0x54FD1F: open_stream_full (stream.c:186)
==31830==    by 0x54F3D0: open_stream (open.c:65)
==31830==    by 0x4321D9: main (mplayer.c:3223)
==31830==

Alert! EOF
read error:: Operation now in progress
pre-header read failed
Resolving 127.0.0.1 for AF_INET6...

Couldn't resolve name for AF_INET6: 127.0.0.1
Connecting to server 127.0.0.1[127.0.0.1]: 5002...

connect error: Connection refused
Failed, exiting.
==31830== Invalid read of size 4
==31830==    at 0x5AA4BA: http_build_request (http.c:478)
==31830==    by 0x5AB409: http_send_request (network.c:261)
==31830==    by 0x5AA827: http_streaming_start (http.c:725)
==31830==    by 0x5AAF5B: open_s2 (http.c:936)
==31830==    by 0x54FD1F: open_stream_full (stream.c:186)
==31830==    by 0x54F3D0: open_stream (open.c:65)
==31830==    by 0x4321D9: main (mplayer.c:3223)
==31830==  Address 0x153ecf90 is 0 bytes inside a block of size 2 alloc'd
==31830==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==31830==    by 0x5AA492: http_build_request (http.c:468)
==31830==    by 0x5AB409: http_send_request (network.c:261)
==31830==    by 0x5AA827: http_streaming_start (http.c:725)
==31830==    by 0x5AAF5B: open_s2 (http.c:936)
==31830==    by 0x54FD1F: open_stream_full (stream.c:186)
==31830==    by 0x54F3D0: open_stream (open.c:65)
==31830==    by 0x4321D9: main (mplayer.c:3223)
==31830==
Resolving 127.0.0.1 for AF_INET6...

Couldn't resolve name for AF_INET6: 127.0.0.1
Connecting to server 127.0.0.1[127.0.0.1]: 5002...

connect error: Connection refused
No stream found to handle url mms://127.0.0.1:5002


Exiting... (End of file)

This issue was discovered using QuickFuzz and minimized manually.

Regards,
Gus.
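
The valgrind output above is the kind of record a fuzzing campaign produces by the hundreds, so the useful next step for a defender is to parse it into structured findings and group them by root cause rather than by crash site. The script below is an added triage example, not code from the post or from the MPlayer project: it parses Memcheck "Invalid read/write" records (access size, faulting frames, the "Address ... is N bytes inside a block of size M" line and the allocation stack), computes how many bytes each access overruns its block, and groups findings by the allocation site. The embedded sample log is constructed from the post's own output (abbreviated, with the mail-wrapped lines rejoined); on the real data the two reads at asf_mmst_streaming.c:595 and :597 collapse into one group because both hit the same 1-byte block allocated at line 539, and the http.c:478 read forms a second group.

```python
"""Triage helper for Valgrind Memcheck logs (added example, not part of the
oss-sec post).  Turns "Invalid read/write" records into structured findings
and groups them by allocation site so fuzzing output can be deduplicated."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample, copied from the post's valgrind output and abbreviated.
SAMPLE_LOG = """\
==31830== Invalid read of size 4
==31830==    at 0x5A6792: asf_mmst_streaming_start (asf_mmst_streaming.c:595)
==31830==    by 0x5A8AA8: open_s (asf_streaming.c:94)
==31830==    by 0x4321D9: main (mplayer.c:3223)
==31830==  Address 0x153e0ef0 is 0 bytes inside a block of size 1 alloc'd
==31830==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==31830==    by 0x5A65E7: asf_mmst_streaming_start (asf_mmst_streaming.c:539)
==31830==
==31830== Invalid read of size 4
==31830==    at 0x5A67E6: asf_mmst_streaming_start (asf_mmst_streaming.c:597)
==31830==    by 0x5A8AA8: open_s (asf_streaming.c:94)
==31830==  Address 0x153e0ef0 is 0 bytes inside a block of size 1 alloc'd
==31830==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==31830==    by 0x5A65E7: asf_mmst_streaming_start (asf_mmst_streaming.c:539)
==31830==
Alert! EOF
==31830== Invalid read of size 4
==31830==    at 0x5AA4BA: http_build_request (http.c:478)
==31830==    by 0x5AB409: http_send_request (network.c:261)
==31830==  Address 0x153ecf90 is 0 bytes inside a block of size 2 alloc'd
==31830==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==31830==    by 0x5AA492: http_build_request (http.c:468)
==31830==
"""

HEADER_RE = re.compile(r"^==\d+== Invalid (read|write) of size (\d+)$")
FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \((.+)\)$")
ADDR_RE = re.compile(r"^==\d+==\s+Address 0x[0-9A-Fa-f]+ is (\d+) bytes "
                     r"(inside|after|before) a block of size (\d+) (alloc'd|free'd)$")
BLANK_RE = re.compile(r"^==\d+==\s*$")

Frame = Tuple[str, str]  # (function, "file:line" or "in <object>")


@dataclass
class Finding:
    kind: str                      # "read" or "write"
    access_size: int               # bytes accessed
    frames: List[Frame] = field(default_factory=list)        # faulting stack
    alloc_frames: List[Frame] = field(default_factory=list)  # allocation stack
    offset: Optional[int] = None   # distance from the block boundary
    relation: Optional[str] = None # inside / after / before
    block_size: Optional[int] = None

    @property
    def site(self) -> Frame:
        return self.frames[0] if self.frames else ("<unknown>", "")

    def overrun(self) -> Optional[int]:
        """Bytes accessed beyond the end of the block, when that is computable."""
        if self.block_size is None or self.offset is None:
            return None
        if self.relation == "inside":
            return max(0, self.offset + self.access_size - self.block_size)
        if self.relation == "after":
            return self.offset + self.access_size
        return None


def parse_memcheck(text: str) -> List[Finding]:
    """Walk the log line by line; program stdout interleaved with it is ignored."""
    findings: List[Finding] = []
    cur: Optional[Finding] = None
    in_alloc = False
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = Finding(kind=m.group(1), access_size=int(m.group(2)))
            findings.append(cur)
            in_alloc = False
            continue
        if cur is None:
            continue
        if BLANK_RE.match(line):       # "==PID==" alone terminates a record
            cur = None
            continue
        m = ADDR_RE.match(line)
        if m:
            cur.offset, cur.relation, cur.block_size = int(m.group(1)), m.group(2), int(m.group(3))
            in_alloc = True
            continue
        if "Address 0x" in line:       # stack/unknown address forms: no block info
            in_alloc = True
            continue
        m = FRAME_RE.match(line)
        if m:
            (cur.alloc_frames if in_alloc else cur.frames).append((m.group(1), m.group(2)))
    return findings


def group_by_alloc_site(findings: List[Finding]) -> Dict[Frame, List[Finding]]:
    """Key each finding by the first allocation frame that is in the target's own code
    (skipping 'in <shared object>' frames such as the malloc interposer)."""
    groups: Dict[Frame, List[Finding]] = {}
    for f in findings:
        key = next((fr for fr in f.alloc_frames if not fr[1].startswith("in ")), ("<unknown>", ""))
        groups.setdefault(key, []).append(f)
    return groups


if __name__ == "__main__":
    for site, fs in group_by_alloc_site(parse_memcheck(SAMPLE_LOG)).items():
        print(f"block allocated at {site[0]} ({site[1]}):")
        for f in fs:
            print(f"  invalid {f.kind} of {f.access_size} bytes at {f.site[1]}, "
                  f"block size {f.block_size}, overrun {f.overrun()} bytes")
```

To use it on a live run, capture the reproduction from the post with `valgrind --log-file=memcheck.log mplayer mms://127.0.0.1:5002` and feed the file to `parse_memcheck`; grouping by allocation site rather than by faulting line is what tells you that the two asf_mmst_streaming reads are one bug (a 4-byte read from a 1-byte block) and the http_build_request read is another.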
