double free in ASF demux module
A double free is encountered while parsing a WMV file; the GDB backtrace from the glibc abort follows, and an AddressSanitizer report of the same crash is given below it.
#0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=139821687117376) at ./nptl/pthread_kill.c:44
#1 __pthread_kill_internal (signo=6, threadid=139821687117376) at ./nptl/pthread_kill.c:78
#2 __GI___pthread_kill (threadid=139821687117376, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3 0x00007f2b74a09476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4 0x00007f2b749ef7f3 in __GI_abort () at ./stdlib/abort.c:79
#5 0x00007f2b74a50676 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7f2b74ba2b77 "%s\n") at ../sysdeps/posix/libc_fatal.c:155
#6 0x00007f2b74a67cfc in malloc_printerr (str=str@entry=0x7f2b74ba5790 "double free or corruption (out)") at ./malloc/malloc.c:5664
#7 0x00007f2b74a69e70 in _int_free (av=0x7f2b74be1c80 <main_arena>, p=0x7f2a48003e00, have_lock=<optimized out>) at ./malloc/malloc.c:4588
#8 0x00007f2b74a6c453 in __GI___libc_free (mem=<optimized out>) at ./malloc/malloc.c:3391
#9 0x00007f2afd62da6e in ASF_FreeObject (s=0x7f2a48013a10, p_obj=0x7f2a48003e10) at ../../modules/demux/asf/libasf.c:1600
#10 0x00007f2afd62d946 in ASF_FreeObject (s=0x7f2a48013a10, p_obj=0x7f2a480162d0) at ../../modules/demux/asf/libasf.c:1582
#11 0x00007f2afd62e2ef in ASF_FreeObjectRoot (s=0x7f2a48013a10, p_root=0x7f2a48016e90) at ../../modules/demux/asf/libasf.c:1830
#12 0x00007f2afd628052 in DemuxEnd (p_demux=0x7f2a48013be0) at ../../modules/demux/asf/asf.c:1409
#13 0x00007f2afd623fae in Close (p_this=0x7f2a48013be0) at ../../modules/demux/asf/asf.c:301
#14 0x00007f2b74e39201 in module_unneed (obj=0x7f2a48013be0, module=0x5602d3bf9ff0) at ../../src/modules/modules.c:290
#15 0x00007f2b74e61f7c in demux_DestroyDemux (demux=0x7f2a48013be0) at ../../src/input/demux.c:89
#16 0x00007f2b74e9d2b9 in vlc_stream_Delete (s=0x7f2a48013be0) at ../../src/input/stream.c:150
#17 0x00007f2b74e7b7a4 in demux_Delete (demux=0x7f2a48013be0) at ../../include/vlc_demux.h:291
#18 0x00007f2b74e84753 in InputSourceDestroy (in=0x7f2af008b8f0) at ../../src/input/input.c:2807
#19 0x00007f2b74e80ac3 in End (p_input=0x7f2af007f780) at ../../src/input/input.c:1441
#20 0x00007f2b74e7dba2 in Preparse (data=0x7f2af007f780) at ../../src/input/input.c:445
#21 0x00007f2b74a5bac3 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
#22 0x00007f2b74aed850 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
ASAN report (same crash under AddressSanitizer: the read in ASF_FreeObject at libasf.c:1581 hits a region already freed by ASF_FreeObject_extended_stream_properties at libasf.c:921)
VLC media player 4.0.0-dev Otto Chriek (revision 4.0.0-dev-29540-g8e6d1b6661)
[000060600002f9c0] dummy interface: using the dummy interface module...
=================================================================
==4186875==ERROR: AddressSanitizer: heap-use-after-free on address 0x6190000339c0 at pc 0x7f36c42c6fd0 bp 0x7f36c7a2baa0 sp 0x7f36c7a2ba90
READ of size 8 at 0x6190000339c0 thread T9 (vlc-preparse)
#0 0x7f36c42c6fcf in ASF_FreeObject ../../modules/demux/asf/libasf.c:1581
#1 0x7f36c42c89f9 in ASF_FreeObjectRoot ../../modules/demux/asf/libasf.c:1830
#2 0x7f36c42b6106 in DemuxEnd ../../modules/demux/asf/asf.c:1409
#3 0x7f36c42ab48c in Close ../../modules/demux/asf/asf.c:301
#4 0x7f36dd6f7308 in module_unneed ../../src/modules/modules.c:290
#5 0x7f36dd7580ad in demux_DestroyDemux ../../src/input/demux.c:89
#6 0x7f36dd7ef066 in vlc_stream_Delete ../../src/input/stream.c:150
#7 0x7f36dd79b586 in demux_Delete ../../include/vlc_demux.h:291
#8 0x7f36dd7b1913 in InputSourceDestroy ../../src/input/input.c:2807
#9 0x7f36dd7a8003 in End ../../src/input/input.c:1441
#10 0x7f36dd7a0ab9 in Preparse ../../src/input/input.c:445
#11 0x7f36dd217ac2 in start_thread nptl/pthread_create.c:442
#12 0x7f36dd2a984f (/lib/x86_64-linux-gnu/libc.so.6+0x12684f)
0x6190000339c0 is located 64 bytes inside of 1104-byte region [0x619000033980,0x619000033dd0)
freed by thread T9 (vlc-preparse) here:
#0 0x7f36ddaa5537 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
#1 0x7f36c42c05f5 in ASF_FreeObject_extended_stream_properties ../../modules/demux/asf/libasf.c:921
#2 0x7f36c42c73bc in ASF_FreeObject ../../modules/demux/asf/libasf.c:1597
#3 0x7f36c42c6fee in ASF_FreeObject ../../modules/demux/asf/libasf.c:1582
#4 0x7f36c42c6fee in ASF_FreeObject ../../modules/demux/asf/libasf.c:1582
#5 0x7f36c42c89f9 in ASF_FreeObjectRoot ../../modules/demux/asf/libasf.c:1830
#6 0x7f36c42b6106 in DemuxEnd ../../modules/demux/asf/asf.c:1409
#7 0x7f36c42ab48c in Close ../../modules/demux/asf/asf.c:301
#8 0x7f36dd6f7308 in module_unneed ../../src/modules/modules.c:290
#9 0x7f36dd7580ad in demux_DestroyDemux ../../src/input/demux.c:89
#10 0x7f36dd7ef066 in vlc_stream_Delete ../../src/input/stream.c:150
#11 0x7f36dd79b586 in demux_Delete ../../include/vlc_demux.h:291
#12 0x7f36dd7b1913 in InputSourceDestroy ../../src/input/input.c:2807
#13 0x7f36dd7a8003 in End ../../src/input/input.c:1441
#14 0x7f36dd7a0ab9 in Preparse ../../src/input/input.c:445
#15 0x7f36dd217ac2 in start_thread nptl/pthread_create.c:442
previously allocated by thread T9 (vlc-preparse) here:
#0 0x7f36ddaa5887 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x7f36c42c1ae2 in ASF_ReadObject_extended_stream_properties ../../modules/demux/asf/libasf.c:1015
#2 0x7f36c42c6be8 in ASF_ReadObject ../../modules/demux/asf/libasf.c:1554
#3 0x7f36c42bc544 in ASF_ReadObject_header_extension ../../modules/demux/asf/libasf.c:533
#4 0x7f36c42c6be8 in ASF_ReadObject ../../modules/demux/asf/libasf.c:1554
#5 0x7f36c42b8889 in ASF_ReadObject_Header ../../modules/demux/asf/libasf.c:213
#6 0x7f36c42c6be8 in ASF_ReadObject ../../modules/demux/asf/libasf.c:1554
#7 0x7f36c42c7f71 in ASF_ReadObjectRoot ../../modules/demux/asf/libasf.c:1723
#8 0x7f36c42af734 in DemuxInit ../../modules/demux/asf/asf.c:820
#9 0x7f36c42aa2bb in Open ../../modules/demux/asf/asf.c:172
#10 0x7f36dd7583c9 in demux_Probe ../../src/input/demux.c:112
#11 0x7f36dd6f6d3b in vlc_module_load ../../src/modules/modules.c:228
#12 0x7f36dd758c7a in demux_NewAdvanced ../../src/input/demux.c:196
#13 0x7f36dd7afae5 in InputDemuxNew ../../src/input/input.c:2550
#14 0x7f36dd7b09ff in InputSourceInit ../../src/input/input.c:2678
#15 0x7f36dd7a73fe in Init ../../src/input/input.c:1326
#16 0x7f36dd7a09d1 in Preparse ../../src/input/input.c:439
#17 0x7f36dd217ac2 in start_thread nptl/pthread_create.c:442
Thread T9 (vlc-preparse) created by T2 (vlc-run-prepars) here:
#0 0x7f36dda49685 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:216
#1 0x7f36dd8f13bb in vlc_clone_attr ../../src/posix/thread.c:179
#2 0x7f36dd8f1588 in vlc_clone ../../src/posix/thread.c:190
#3 0x7f36dd79f081 in input_Start ../../src/input/input.c:134
#4 0x7f36dd7b9748 in input_item_Parse ../../src/input/parse.c:101
#5 0x7f36dd727b01 in Parse ../../src/preparser/preparser.c:224
#6 0x7f36dd7281fa in RunnableRun ../../src/preparser/preparser.c:279
#7 0x7f36dd896cc9 in ThreadRun ../../src/misc/executor.c:134
#8 0x7f36dd217ac2 in start_thread nptl/pthread_create.c:442
Thread T2 (vlc-run-prepars) created by T0 here:
#0 0x7f36dda49685 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:216
#1 0x7f36dd8f13bb in vlc_clone_attr ../../src/posix/thread.c:179
#2 0x7f36dd8f1588 in vlc_clone ../../src/posix/thread.c:190
#3 0x7f36dd896f75 in SpawnThread ../../src/misc/executor.c:164
#4 0x7f36dd8971a3 in vlc_executor_New ../../src/misc/executor.c:199
#5 0x7f36dd7287c0 in vlc_preparser_New ../../src/preparser/preparser.c:321
#6 0x7f36dd6b70be in libvlc_InternalInit ../../src/libvlc.c:237
#7 0x7f36dd9bd794 in libvlc_new ../../lib/core.c:68
#8 0x564cdff85d77 in main ../../bin/vlc.c:232
#9 0x7f36dd1acd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
SUMMARY: AddressSanitizer: heap-use-after-free ../../modules/demux/asf/libasf.c:1581 in ASF_FreeObject
Shadow bytes around the buggy address:
0x0c327fffe6e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c327fffe6f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c327fffe700: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c327fffe710: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
0x0c327fffe720: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c327fffe730: fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd
0x0c327fffe740: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c327fffe750: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c327fffe760: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c327fffe770: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c327fffe780: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==4186875==ABORTING