From 951a2d2210c86dedc928ccad7830ed33570f7be7 Mon Sep 17 00:00:00 2001 From: Martin Haimberger Date: Fri, 29 May 2015 04:46:50 -0700 Subject: [PATCH] stream: check stream_new in winpr and libfreerdp also fixed a few things --- libfreerdp/codec/interleaved.c | 16 +++ libfreerdp/core/certificate.c | 9 ++ libfreerdp/core/connection.c | 8 ++ libfreerdp/core/gateway/tsg.c | 9 ++ libfreerdp/core/info.c | 9 ++ libfreerdp/core/mcs.c | 116 ++++++++++++++++++--- libfreerdp/core/mcs.h | 4 +- libfreerdp/core/nego.c | 16 +++ libfreerdp/core/nla.c | 86 +++++++++++++-- libfreerdp/core/server.c | 38 +++++-- winpr/libwinpr/utils/test/TestBitStream.c | 2 + winpr/libwinpr/utils/wlog/BinaryAppender.c | 4 + winpr/libwinpr/utils/wlog/PacketMessage.c | 8 ++ 13 files changed, 295 insertions(+), 30 deletions(-) diff --git a/libfreerdp/codec/interleaved.c b/libfreerdp/codec/interleaved.c index e6ecab8bd..1da63498e 100644 --- a/libfreerdp/codec/interleaved.c +++ b/libfreerdp/codec/interleaved.c @@ -3,6 +3,8 @@ * Interleaved RLE Bitmap Codec * * Copyright 2014 Marc-Andre Moreau + * Copyright 2015 Thincast Technologies GmbH + * Copyright 2015 DI (FH) Martin Haimberger * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -426,7 +428,21 @@ BITMAP_INTERLEAVED_CONTEXT* bitmap_interleaved_context_new(BOOL Compressor) { interleaved->TempSize = 64 * 64 * 4; interleaved->TempBuffer = _aligned_malloc(interleaved->TempSize, 16); + if (!interleaved->TempBuffer) + { + free(interleaved); + WLog_ERR(TAG, "_aligned_malloc failed!"); + return NULL; + } interleaved->bts = Stream_New(NULL, interleaved->TempSize); + + if (!interleaved->bts) + { + _aligned_free(interleaved->TempBuffer); + free(interleaved); + WLog_ERR(TAG, "Stream_New failed!"); + return NULL; + } } return interleaved; diff --git a/libfreerdp/core/certificate.c b/libfreerdp/core/certificate.c index 40091adec..da5b8991c 100644 --- a/libfreerdp/core/certificate.c 
+++ b/libfreerdp/core/certificate.c @@ -4,6 +4,8 @@ * * Copyright 2011 Jiten Pathy * Copyright 2011 Marc-Andre Moreau + * Copyright 2015 Thincast Technologies GmbH + * Copyright 2015 DI (FH) Martin Haimberger * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -630,6 +632,13 @@ BOOL certificate_read_server_certificate(rdpCertificate* certificate, BYTE* serv return TRUE; s = Stream_New(server_cert, length); + + if (!s) + { + WLog_ERR(TAG, "Stream_New failed!"); + return FALSE; + } + Stream_Read_UINT32(s, dwVersion); /* dwVersion (4 bytes) */ switch (dwVersion & CERT_CHAIN_VERSION_MASK) diff --git a/libfreerdp/core/connection.c b/libfreerdp/core/connection.c index 6ab91691f..ffd0be899 100644 --- a/libfreerdp/core/connection.c +++ b/libfreerdp/core/connection.c @@ -3,6 +3,8 @@ * Connection Sequence * * Copyright 2011 Marc-Andre Moreau + * Copyright 2015 Thincast Technologies GmbH + * Copyright 2015 DI (FH) Martin Haimberger * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -443,6 +445,12 @@ static BOOL rdp_client_establish_keys(rdpRdp* rdp) length = RDP_PACKET_HEADER_MAX_LENGTH + RDP_SECURITY_HEADER_LENGTH + 4 + key_len + 8; s = Stream_New(NULL, length); + if (!s) + { + WLog_ERR(TAG, "Stream_New failed!"); + goto end; + } + rdp_write_header(rdp, s, length, MCS_GLOBAL_CHANNEL_ID); rdp_write_security_header(s, SEC_EXCHANGE_PKT | SEC_LICENSE_ENCRYPT_SC); length = key_len + 8; diff --git a/libfreerdp/core/gateway/tsg.c b/libfreerdp/core/gateway/tsg.c index 6cc5948b9..db1f763d0 100644 --- a/libfreerdp/core/gateway/tsg.c +++ b/libfreerdp/core/gateway/tsg.c 
@@ -4,6 +4,8 @@ * * Copyright 2012 Fujitsu Technology Solutions GmbH * Copyright 2012 Dmitrij Jasnov + * Copyright 2015 Thincast Technologies GmbH + * Copyright 2015 DI (FH) Martin Haimberger * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -122,6 +124,13 @@ DWORD TsProxySendToServer(handle_t IDL_handle, byte pRpcMessage[], UINT32 count, return -1; s = Stream_New(buffer, length); + + if (!s) + { + free(buffer); + WLog_ERR(TAG, "Stream_New failed!"); + return -1; + } /* PCHANNEL_CONTEXT_HANDLE_NOSERIALIZE_NR (20 bytes) */ Stream_Write(s, &tsg->ChannelContext.ContextType, 4); /* ContextType (4 bytes) */ Stream_Write(s, tsg->ChannelContext.ContextUuid, 16); /* ContextUuid (16 bytes) */ diff --git a/libfreerdp/core/info.c b/libfreerdp/core/info.c index 5d2cec013..85c1d175b 100644 --- a/libfreerdp/core/info.c +++ b/libfreerdp/core/info.c @@ -3,6 +3,8 @@ * RDP Client Info * * Copyright 2011 Marc-Andre Moreau + * Copyright 2015 Thincast Technologies GmbH + * Copyright 2015 DI (FH) Martin Haimberger * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -640,6 +642,13 @@ BOOL rdp_send_client_info(rdpRdp* rdp) rdp->sec_flags |= SEC_INFO_PKT; s = Stream_New(NULL, 2048); + + if (!s) + { + WLog_ERR(TAG, "Stream_New failed!"); + return FALSE; + } + rdp_init_stream(rdp, s); rdp_write_info_packet(rdp, s); diff --git a/libfreerdp/core/mcs.c b/libfreerdp/core/mcs.c index 1916469ae..8d082b155 100644 --- a/libfreerdp/core/mcs.c +++ b/libfreerdp/core/mcs.c @@ -3,6 +3,8 @@ * T.125 Multipoint Communication Service (MCS) Protocol * * Copyright 2011 Marc-Andre Moreau + * Copyright 2015 Thincast Technologies GmbH + * Copyright 2015 DI (FH) Martin Haimberger * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -304,12 +306,17 @@ BOOL mcs_read_domain_parameters(wStream* s, DomainParameters* domainParameters) * @param domainParameters domain parameters */ -void mcs_write_domain_parameters(wStream* s, DomainParameters* domainParameters) +BOOL mcs_write_domain_parameters(wStream* s, DomainParameters* domainParameters) { int length; wStream* tmps; tmps = Stream_New(NULL, Stream_Capacity(s)); + if (!tmps) + { + WLog_ERR(TAG, "Stream_New failed!"); + return FALSE; + } ber_write_integer(tmps, domainParameters->maxChannelIds); ber_write_integer(tmps, domainParameters->maxUserIds); ber_write_integer(tmps, domainParameters->maxTokenIds); @@ -323,6 +330,8 @@ void mcs_write_domain_parameters(wStream* s, DomainParameters* domainParameters) ber_write_sequence_tag(s, length); Stream_Write(s, Stream_Buffer(tmps), length); Stream_Free(tmps, TRUE); + + return TRUE; } /** @@ -527,13 +536,19 @@ BOOL mcs_recv_connect_initial(rdpMcs* mcs, wStream* s) * @param user_data GCC Conference Create Request */ -void mcs_write_connect_initial(wStream* s, rdpMcs* mcs, wStream* userData) +BOOL mcs_write_connect_initial(wStream* s, rdpMcs* mcs, wStream* userData) { int length; wStream* tmps; + BOOL ret = FALSE; tmps = Stream_New(NULL, Stream_Capacity(s)); + if (!tmps) { + WLog_ERR(TAG, "Stream_New failed!"); + return FALSE; + } + /* callingDomainSelector (OCTET_STRING) */ ber_write_octet_string(tmps, callingDomainSelector, sizeof(callingDomainSelector)); 
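Review bot: In mcs_write_connect_initial the new allocation check is written as `if (!tmps) {` with the brace on the same line, while every other check this patch adds (including the one in mcs_write_domain_parameters just above) puts the brace on its own line. Keep one style so the added error paths read uniformly. The doc comments above mcs_write_domain_parameters and mcs_write_connect_initial should also gain a `@return` line now that both return BOOL, for example `@return TRUE on success, FALSE if the temporary stream could not be allocated`.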
@@ -544,13 +559,16 @@ void mcs_write_connect_initial(wStream* s, rdpMcs* mcs, wStream* userData) ber_write_BOOL(tmps, TRUE); /* targetParameters (DomainParameters) */ - mcs_write_domain_parameters(tmps, &mcs->targetParameters); + if (!mcs_write_domain_parameters(tmps, &mcs->targetParameters)) + goto out; /* minimumParameters (DomainParameters) */ - mcs_write_domain_parameters(tmps, &mcs->minimumParameters); + if (!mcs_write_domain_parameters(tmps, &mcs->minimumParameters)) + goto out; /* maximumParameters (DomainParameters) */ - mcs_write_domain_parameters(tmps, &mcs->maximumParameters); + if (!mcs_write_domain_parameters(tmps, &mcs->maximumParameters)) + goto out; /* userData (OCTET_STRING) */ ber_write_octet_string(tmps, userData->buffer, Stream_GetPosition(userData)); @@ -559,7 +577,10 @@ void mcs_write_connect_initial(wStream* s, rdpMcs* mcs, wStream* userData) /* Connect-Initial (APPLICATION 101, IMPLICIT SEQUENCE) */ ber_write_application_tag(s, MCS_TYPE_CONNECT_INITIAL, length); Stream_Write(s, Stream_Buffer(tmps), length); + ret = TRUE; +out: Stream_Free(tmps, TRUE); + return ret; } /** @@ -574,21 +595,28 @@ BOOL mcs_write_connect_response(wStream* s, rdpMcs* mcs, wStream* userData) { int length; wStream* tmps; + BOOL ret = FALSE; tmps = Stream_New(NULL, Stream_Capacity(s)); if (!tmps) + { + WLog_ERR(TAG, "Stream_New failed!"); return FALSE; + } ber_write_enumerated(tmps, 0, MCS_Result_enum_length); ber_write_integer(tmps, 0); /* calledConnectId */ - mcs_write_domain_parameters(tmps, &(mcs->domainParameters)); + if (!mcs_write_domain_parameters(tmps, &(mcs->domainParameters))) + goto out; /* userData (OCTET_STRING) */ ber_write_octet_string(tmps, userData->buffer, Stream_GetPosition(userData)); length = Stream_GetPosition(tmps); ber_write_application_tag(s, MCS_TYPE_CONNECT_RESPONSE, length); Stream_Write(s, Stream_Buffer(tmps), length); + ret = TRUE; +out: Stream_Free(tmps, TRUE); - return TRUE; + return ret; } /** 
@@ -599,28 +627,48 @@ BOOL mcs_write_connect_response(wStream* s, rdpMcs* mcs, wStream* userData) BOOL mcs_send_connect_initial(rdpMcs* mcs) { - int status; + int status = -1; int length; - wStream* s; + wStream* s = NULL; int bm, em; - wStream* gcc_CCrq; - wStream* client_data; + wStream* gcc_CCrq = NULL; + wStream* client_data = NULL; mcs_initialize_client_channels(mcs, mcs->settings); client_data = Stream_New(NULL, 512); + if (!client_data) + { + WLog_ERR(TAG, "Stream_New failed!"); + return FALSE; + } gcc_write_client_data_blocks(client_data, mcs); gcc_CCrq = Stream_New(NULL, 1024); + if (!gcc_CCrq) + { + WLog_ERR(TAG, "Stream_New failed!"); + goto out; + } gcc_write_conference_create_request(gcc_CCrq, client_data); length = Stream_GetPosition(gcc_CCrq) + 7; s = Stream_New(NULL, 1024 + length); + if (!s) + { + WLog_ERR(TAG, "Stream_New failed!"); + goto out; + } bm = Stream_GetPosition(s); Stream_Seek(s, 7); - mcs_write_connect_initial(s, mcs, gcc_CCrq); + if (!mcs_write_connect_initial(s, mcs, gcc_CCrq)) + { + WLog_ERR(TAG, "mcs_write_connect_initial failed!"); + goto out; + } + em = Stream_GetPosition(s); length = (em - bm); Stream_SetPosition(s, bm); @@ -632,6 +680,7 @@ BOOL mcs_send_connect_initial(rdpMcs* mcs) status = transport_write(mcs->transport, s); +out: Stream_Free(s, TRUE); Stream_Free(gcc_CCrq, TRUE); Stream_Free(client_data, TRUE); 
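Review bot: The new `out:` label in mcs_send_connect_initial is reached with `s` (and, on the first `goto out`, `gcc_CCrq`) still NULL, so the cleanup depends on Stream_Free() accepting a NULL stream. The patch initialises both pointers to NULL for this purpose, but Stream_Free's behaviour is not visible here. Confirm it is NULL-safe and say so at the label, for example `/* Stream_Free() tolerates NULL, so partially built state is fine here */`. The function's final return statement is outside the hunk.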
@@ -691,19 +740,31 @@ BOOL mcs_send_connect_response(rdpMcs* mcs) wStream* server_data; server_data = Stream_New(NULL, 512); + if (!server_data) + { + WLog_ERR(TAG, "Stream_New failed!"); + return FALSE; + } + if (!gcc_write_server_data_blocks(server_data, mcs)) goto error_data_blocks; gcc_CCrsp = Stream_New(NULL, 512 + Stream_Capacity(server_data)); if (!gcc_CCrsp) + { + WLog_ERR(TAG, "Stream_New failed!"); goto error_data_blocks; + } gcc_write_conference_create_response(gcc_CCrsp, server_data); length = Stream_GetPosition(gcc_CCrsp) + 7; s = Stream_New(NULL, length + 1024); if (!s) + { + WLog_ERR(TAG, "Stream_New failed!"); goto error_stream_s; + } bm = Stream_GetPosition(s); Stream_Seek(s, 7); @@ -777,6 +838,11 @@ BOOL mcs_send_erect_domain_request(rdpMcs* mcs) UINT16 length = 12; s = Stream_New(NULL, length); + if (!s) + { + WLog_ERR(TAG, "Stream_New failed!"); + return FALSE; + } mcs_write_domain_mcspdu_header(s, DomainMCSPDU_ErectDomainRequest, length, 0); @@ -822,6 +888,11 @@ BOOL mcs_send_attach_user_request(rdpMcs* mcs) UINT16 length = 8; s = Stream_New(NULL, length); + if (!s) + { + WLog_ERR(TAG, "Stream_New failed!"); + return FALSE; + } mcs_write_domain_mcspdu_header(s, DomainMCSPDU_AttachUserRequest, length, 0); @@ -870,6 +941,12 @@ BOOL mcs_send_attach_user_confirm(rdpMcs* mcs) rdpSettings* settings; s = Stream_New(NULL, length); + if (!s) + { + WLog_ERR(TAG, "Stream_New failed!"); + return FALSE; + } + settings = mcs->transport->settings; mcs->userId = mcs->baseChannelId++; @@ -924,6 +1001,11 @@ BOOL mcs_send_channel_join_request(rdpMcs* mcs, UINT16 channelId) UINT16 length = 12; s = Stream_New(NULL, length); + if (!s) + { + WLog_ERR(TAG, "Stream_New failed!"); + return FALSE; + } mcs_write_domain_mcspdu_header(s, DomainMCSPDU_ChannelJoinRequest, length, 0); 
@@ -979,6 +1061,11 @@ BOOL mcs_send_channel_join_confirm(rdpMcs* mcs, UINT16 channelId) UINT16 length = 15; s = Stream_New(NULL, length); + if (!s) + { + WLog_ERR(TAG, "Stream_New failed!"); + return FALSE; + } mcs_write_domain_mcspdu_header(s, DomainMCSPDU_ChannelJoinConfirm, length, 2); @@ -1056,6 +1143,11 @@ BOOL mcs_send_disconnect_provider_ultimatum(rdpMcs* mcs) UINT16 length = 9; s = Stream_New(NULL, length); + if (!s) + { + WLog_ERR(TAG, "Stream_New failed!"); + return FALSE; + } mcs_write_domain_mcspdu_header(s, DomainMCSPDU_DisconnectProviderUltimatum, length, 1); diff --git a/libfreerdp/core/mcs.h b/libfreerdp/core/mcs.h index e4602501b..f47589196 100644 --- a/libfreerdp/core/mcs.h +++ b/libfreerdp/core/mcs.h @@ -3,6 +3,8 @@ * T.125 Multipoint Communication Service (MCS) Protocol * * Copyright 2011 Marc-Andre Moreau + * Copyright 2015 Thincast Technologies GmbH + * Copyright 2015 DI (FH) Martin Haimberger * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -164,7 +166,7 @@ struct rdp_mcs BOOL mcs_merge_domain_parameters(DomainParameters* targetParameters, DomainParameters* minimumParameters, DomainParameters* maximumParameters, DomainParameters* pOutParameters); -void mcs_write_connect_initial(wStream* s, rdpMcs* mcs, wStream* userData); +BOOL mcs_write_connect_initial(wStream* s, rdpMcs* mcs, wStream* userData); BOOL mcs_write_connect_response(wStream* s, rdpMcs* mcs, wStream* userData); BOOL mcs_recv_connect_initial(rdpMcs* mcs, wStream* s); diff --git a/libfreerdp/core/nego.c b/libfreerdp/core/nego.c index 4341cd49c..df3fb70bd 100644 --- a/libfreerdp/core/nego.c +++ b/libfreerdp/core/nego.c 
@@ -4,6 +4,8 @@ * * Copyright 2011 Marc-Andre Moreau * Copyright 2014 Norbert Federa + * Copyright 2015 Thincast Technologies GmbH + * Copyright 2015 DI (FH) Martin Haimberger * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -328,7 +330,10 @@ BOOL nego_send_preconnection_pdu(rdpNego* nego) s = Stream_New(NULL, cbSize); if (!s) + { + WLog_ERR(TAG, "Stream_New failed!"); return FALSE; + } Stream_Write_UINT32(s, cbSize); /* cbSize */ Stream_Write_UINT32(s, 0); /* Flags */ @@ -528,7 +533,10 @@ BOOL nego_recv_response(rdpNego* nego) s = Stream_New(NULL, 1024); if (!s) + { + WLog_ERR(TAG, "Stream_New failed!"); return FALSE; + } status = transport_read_pdu(nego->transport, s); @@ -798,6 +806,11 @@ BOOL nego_send_negotiation_request(rdpNego* nego) int cookie_length; s = Stream_New(NULL, 512); + if (!s) + { + WLog_ERR(TAG, "Stream_New failed!"); + return FALSE; + } length = TPDU_CONNECTION_REQUEST_LENGTH; bm = Stream_GetPosition(s); @@ -988,7 +1001,10 @@ BOOL nego_send_negotiation_response(rdpNego* nego) s = Stream_New(NULL, 512); if (!s) + { + WLog_ERR(TAG, "Stream_New failed!"); return FALSE; + } length = TPDU_CONNECTION_CONFIRM_LENGTH; bm = Stream_GetPosition(s); diff --git a/libfreerdp/core/nla.c b/libfreerdp/core/nla.c index 74473bc95..d2d78da03 100644 --- a/libfreerdp/core/nla.c +++ b/libfreerdp/core/nla.c @@ -3,6 +3,8 @@ * Network Level Authentication (NLA) * * Copyright 2010-2012 Marc-Andre Moreau + * Copyright 2015 Thincast Technologies GmbH + * Copyright 2015 DI (FH) Martin Haimberger * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -88,7 +90,7 @@ #define TERMSRV_SPN_PREFIX "TERMSRV/" -void nla_send(rdpNla* nla); +BOOL nla_send(rdpNla* nla); int nla_recv(rdpNla* nla); void nla_buffer_print(rdpNla* nla); void nla_buffer_free(rdpNla* nla); 
@@ -293,7 +295,12 @@ int nla_client_begin(rdpNla* nla) WLog_DBG(TAG, "Sending Authentication Token"); winpr_HexDump(TAG, WLOG_DEBUG, nla->negoToken.pvBuffer, nla->negoToken.cbBuffer); - nla_send(nla); + if (!nla_send(nla)) + { + nla_buffer_free(nla); + return -1; + } + nla_buffer_free(nla); nla->state = NLA_STATE_NEGO_TOKEN; @@ -365,7 +372,11 @@ int nla_client_recv(rdpNla* nla) WLog_DBG(TAG, "Sending Authentication Token"); winpr_HexDump(TAG, WLOG_DEBUG, nla->negoToken.pvBuffer, nla->negoToken.cbBuffer); - nla_send(nla); + if (!nla_send(nla)) + { + nla_buffer_free(nla); + return -1; + } nla_buffer_free(nla); nla->state = NLA_STATE_PUB_KEY_AUTH; @@ -392,7 +403,11 @@ int nla_client_recv(rdpNla* nla) return -1; } - nla_send(nla); + if (!nla_send(nla)) + { + nla_buffer_free(nla); + return -1; + } nla_buffer_free(nla); nla->table->FreeCredentialsHandle(&nla->credentials); @@ -412,6 +427,12 @@ int nla_client_authenticate(rdpNla* nla) s = Stream_New(NULL, 4096); + if (!s) + { + WLog_ERR(TAG, "Stream_New failed!"); + return -1; + } + if (nla_client_begin(nla) < 1) return -1; @@ -621,7 +642,11 @@ int nla_server_authenticate(rdpNla* nla) WLog_DBG(TAG, "Sending Authentication Token"); nla_buffer_print(nla); - nla_send(nla); + if (!nla_send(nla)) + { + nla_buffer_free(nla); + return -1; + } nla_buffer_free(nla); if (nla->status != SEC_I_CONTINUE_NEEDED) @@ -895,7 +920,7 @@ int nla_sizeof_ts_credentials(rdpNla* nla) return size; } -void nla_read_ts_credentials(rdpNla* nla, PSecBuffer ts_credentials) +BOOL nla_read_ts_credentials(rdpNla* nla, PSecBuffer ts_credentials) { wStream* s; int length; @@ -903,6 +928,13 @@ void nla_read_ts_credentials(rdpNla* nla, PSecBuffer ts_credentials) s = Stream_New(ts_credentials->pvBuffer, ts_credentials->cbBuffer); + if (!s) + { + WLog_ERR(TAG, "Stream_New failed!"); + return FALSE; + } + + /* TSCredentials (SEQUENCE) */ ber_read_sequence_tag(s, &length); 
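Review bot: In nla_client_authenticate the stream allocated by `Stream_New(NULL, 4096)` is now checked, but the next statement, `if (nla_client_begin(nla) < 1) return -1;`, still returns without releasing it. That leaks 4 KiB on every failed NLA start, and with this patch nla_client_begin can newly fail when nla_send returns FALSE. Free the stream on that path, for example `if (nla_client_begin(nla) < 1) { Stream_Free(s, TRUE); return -1; }`. The rest of the function is outside the hunk, so later early returns should be checked for the same leak.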
@@ -917,6 +949,7 @@ void nla_read_ts_credentials(rdpNla* nla, PSecBuffer ts_credentials) nla_read_ts_password_creds(nla, s); Stream_Free(s, FALSE); + return TRUE; } int nla_write_ts_credentials(rdpNla* nla, wStream* s) @@ -946,7 +979,7 @@ int nla_write_ts_credentials(rdpNla* nla, wStream* s) * @param credssp */ -void nla_encode_ts_credentials(rdpNla* nla) +BOOL nla_encode_ts_credentials(rdpNla* nla) { wStream* s; int length; @@ -967,8 +1000,19 @@ void nla_encode_ts_credentials(rdpNla* nla) length = ber_sizeof_sequence(nla_sizeof_ts_credentials(nla)); if (!sspi_SecBufferAlloc(&nla->tsCredentials, length)) - return; + { + WLog_ERR(TAG, "sspi_SecBufferAlloc failed!"); + return FALSE; + } s = Stream_New((BYTE*) nla->tsCredentials.pvBuffer, length); + + if (!s) + { + sspi_SecBufferFree(&nla->tsCredentials); + WLog_ERR(TAG, "Stream_New failed!"); + return FALSE; + } + nla_write_ts_credentials(nla, s); if (nla->settings->DisableCredentialsDelegation) @@ -979,6 +1023,7 @@ void nla_encode_ts_credentials(rdpNla* nla) } Stream_Free(s, FALSE); + return TRUE; } SECURITY_STATUS nla_encrypt_ts_credentials(rdpNla* nla) @@ -987,7 +1032,8 @@ SECURITY_STATUS nla_encrypt_ts_credentials(rdpNla* nla) SecBufferDesc Message; SECURITY_STATUS status; - nla_encode_ts_credentials(nla); + if (!nla_encode_ts_credentials(nla)) + return SEC_E_INSUFFICIENT_MEMORY; if (!sspi_SecBufferAlloc(&nla->authInfo, nla->ContextSizes.cbMaxSignature + nla->tsCredentials.cbBuffer)) return SEC_E_INSUFFICIENT_MEMORY; @@ -1048,7 +1094,11 @@ SECURITY_STATUS nla_decrypt_ts_credentials(rdpNla* nla) if (status != SEC_E_OK) return status; - nla_read_ts_credentials(nla, &Buffers[1]); + if(!nla_read_ts_credentials(nla, &Buffers[1])) + { + free(buffer); + return SEC_E_INSUFFICIENT_MEMORY; + } free(buffer); return SEC_E_OK; @@ -1096,7 +1146,7 @@ int nla_sizeof_ts_request(int length) * @param credssp */ -void nla_send(rdpNla* nla) +BOOL nla_send(rdpNla* nla) { wStream* s; int length; 
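Review bot: nla_read_ts_credentials now returns BOOL, but the only FALSE path is the Stream_New failure; the visible `ber_read_sequence_tag(s, &length);` and `nla_read_ts_password_creds(nla, s);` calls are still unchecked before the unconditional `return TRUE;`. This buffer holds credentials received from the peer, so a malformed or truncated TSCredentials structure should fail the call instead of being reported as success. If the ber_read_* helpers return a status, propagate it, for example `if (!ber_read_sequence_tag(s, &length)) { Stream_Free(s, FALSE); return FALSE; }`. The caller in nla_decrypt_ts_credentials maps every FALSE to `SEC_E_INSUFFICIENT_MEMORY`, which would then mislabel a parse error, and its `if(!nla_read_ts_credentials` is missing the space after `if`.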
@@ -1113,6 +1163,13 @@ void nla_send(rdpNla* nla) s = Stream_New(NULL, ber_sizeof_sequence(ts_request_length)); + if (!s) + { + WLog_ERR(TAG, "Stream_New failed!"); + return FALSE; + } + + /* TSRequest */ ber_write_sequence_tag(s, ts_request_length); /* SEQUENCE */ /* [0] version */ @@ -1146,6 +1203,7 @@ void nla_send(rdpNla* nla) Stream_SealLength(s); transport_write(nla->transport, s); Stream_Free(s, TRUE); + return TRUE; } int nla_decode_ts_request(rdpNla* nla, wStream* s) @@ -1243,6 +1301,12 @@ int nla_recv(rdpNla* nla) s = Stream_New(NULL, 4096); + if (!s) + { + WLog_ERR(TAG, "Stream_New failed!"); + return -1; + } + status = transport_read_pdu(nla->transport, s); if (status < 0) diff --git a/libfreerdp/core/server.c b/libfreerdp/core/server.c index e58b016b1..8f9072287 100644 --- a/libfreerdp/core/server.c +++ b/libfreerdp/core/server.c @@ -3,7 +3,8 @@ * Server Channels * * Copyright 2014 Marc-Andre Moreau - * Copyright 2015 Copyright 2015 Thincast Technologies GmbH + * Copyright 2015 Thincast Technologies GmbH + * Copyright 2015 DI (FH) Martin Haimberger * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -446,7 +447,8 @@ BOOL WTSVirtualChannelManagerCheckFileDescriptor(HANDLE hServer) vcm->drdynvc_channel = channel; dynvc_caps = 0x00010050; /* DYNVC_CAPS_VERSION1 (4 bytes) */ - WTSVirtualChannelWrite(channel, (PCHAR) &dynvc_caps, sizeof(dynvc_caps), &written); + if (!WTSVirtualChannelWrite(channel, (PCHAR) &dynvc_caps, sizeof(dynvc_caps), &written)) + return FALSE; } } 
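Review bot: nla_send still discards the result of `transport_write(nla->transport, s);` and returns TRUE whenever the stream could be allocated. The new `if (!nla_send(nla))` checks in nla_client_begin, nla_client_recv and nla_server_authenticate therefore detect only out-of-memory, and the NLA state machine advances even when the token never left the host. Assuming transport_write reports failure with a negative status, as its use in mcs_send_connect_initial suggests, return that too: `if (transport_write(nla->transport, s) < 0) { Stream_Free(s, TRUE); return FALSE; }`. The function body starts outside this hunk.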
@@ -960,7 +962,11 @@ HANDLE WINAPI FreeRDP_WTSVirtualChannelOpen(HANDLE hServer, DWORD SessionId, LPS channel->channelType = RDP_PEER_CHANNEL_TYPE_SVC; channel->receiveData = Stream_New(NULL, client->settings->VirtualChannelChunkSize); if (!channel->receiveData) + { + WLog_ERR(TAG, "Stream_New failed!"); goto error_receiveData; + } + channel->queue = MessageQueue_New(NULL); channel->queue = MessageQueue_New(NULL); if (!channel->queue) goto error_queue; @@ -1039,8 +1045,13 @@ HANDLE WINAPI FreeRDP_WTSVirtualChannelOpenEx(DWORD SessionId, LPSTR pVirtualNam channel->client = client; channel->channelType = RDP_PEER_CHANNEL_TYPE_DVC; channel->receiveData = Stream_New(NULL, client->settings->VirtualChannelChunkSize); + if (!channel->receiveData) + { + WLog_ERR(TAG, "Stream_New failed!"); goto error_receiveData; + } + channel->queue = MessageQueue_New(NULL); if (!channel->queue) goto error_queue; @@ -1080,6 +1091,7 @@ BOOL WINAPI FreeRDP_WTSVirtualChannelClose(HANDLE hChannelHandle) rdpMcs* mcs; WTSVirtualChannelManager* vcm; rdpPeerChannel* channel = (rdpPeerChannel*) hChannelHandle; + BOOL ret = TRUE; if (channel) { @@ -1100,9 +1112,18 @@ BOOL WINAPI FreeRDP_WTSVirtualChannelClose(HANDLE hChannelHandle) ULONG written; s = Stream_New(NULL, 8); - wts_write_drdynvc_header(s, CLOSE_REQUEST_PDU, channel->channelId); - WTSVirtualChannelWrite(vcm->drdynvc_channel, (PCHAR) Stream_Buffer(s), Stream_GetPosition(s), &written); - Stream_Free(s, TRUE); + if (!s) + { + WLog_ERR(TAG, "Stream_New failed!"); + ret = FALSE; + } + else + { + wts_write_drdynvc_header(s, CLOSE_REQUEST_PDU, channel->channelId); + ret = WTSVirtualChannelWrite(vcm->drdynvc_channel, (PCHAR) Stream_Buffer(s), Stream_GetPosition(s), &written); + Stream_Free(s, TRUE); + } + } } 
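Review bot: In FreeRDP_WTSVirtualChannelOpen the patch adds a second `channel->queue = MessageQueue_New(NULL);` directly in front of the existing one; the 7-to-11 line count of the hunk leaves room for exactly this extra added line. The first queue is overwritten and leaked on every static channel open, and only the second allocation reaches the `if (!channel->queue)` check. Drop the added line. The parallel hunk in FreeRDP_WTSVirtualChannelOpenEx has a single call and a blank line instead.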
@@ -1118,7 +1139,7 @@ BOOL WINAPI FreeRDP_WTSVirtualChannelClose(HANDLE hChannelHandle) free(channel); } - return TRUE; + return ret; } BOOL WINAPI FreeRDP_WTSVirtualChannelRead(HANDLE hChannelHandle, ULONG TimeOut, PCHAR Buffer, ULONG BufferSize, PULONG pBytesRead) @@ -1194,6 +1215,11 @@ BOOL WINAPI FreeRDP_WTSVirtualChannelWrite(HANDLE hChannelHandle, PCHAR Buffer, while (Length > 0) { s = Stream_New(NULL, channel->client->settings->VirtualChannelChunkSize); + if (!s) + { + WLog_ERR(TAG, "Stream_New failed!"); + return FALSE; + } buffer = Stream_Buffer(s); Stream_Seek_UINT8(s); diff --git a/winpr/libwinpr/utils/test/TestBitStream.c b/winpr/libwinpr/utils/test/TestBitStream.c index 456da8e93..7df24a02f 100644 --- a/winpr/libwinpr/utils/test/TestBitStream.c +++ b/winpr/libwinpr/utils/test/TestBitStream.c @@ -56,6 +56,8 @@ int TestBitStream(int argc, char* argv[]) BYTE buffer[1024]; ZeroMemory(buffer, sizeof(buffer)); bs = BitStream_New(); + if (!bs) + return 1; BitStream_Attach(bs, buffer, sizeof(buffer)); BitStream_Write_Bits(bs, 0xAF, 8); /* 11110101 */ BitStream_Write_Bits(bs, 0xF, 4); /* 1111 */ diff --git a/winpr/libwinpr/utils/wlog/BinaryAppender.c b/winpr/libwinpr/utils/wlog/BinaryAppender.c index 15fc290fe..6f8257274 100644 --- a/winpr/libwinpr/utils/wlog/BinaryAppender.c +++ b/winpr/libwinpr/utils/wlog/BinaryAppender.c @@ -3,6 +3,8 @@ * WinPR Logger * * Copyright 2013 Marc-Andre Moreau + * Copyright 2015 Thincast Technologies GmbH + * Copyright 2015 DI (FH) Martin Haimberger * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -148,6 +150,8 @@ int WLog_BinaryAppender_WriteMessage(wLog* log, wLogBinaryAppender* appender, wL (4 + TextStringLength + 1); s = Stream_New(NULL, MessageLength); + if (!s) + return -1; Stream_Write_UINT32(s, MessageLength); 
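Review bot: The new `return FALSE` in FreeRDP_WTSVirtualChannelWrite sits inside the `while (Length > 0)` chunk loop, so an allocation failure on a later iteration abandons a message whose earlier chunks may already have been handed to the transport. Whether `*pBytesWritten` is set on this path is not visible in the hunk. At minimum document the partial-write behaviour next to the check, for example `/* earlier chunks may already be queued; caller must treat the channel data as truncated */`. Consider also reporting the bytes sent so far, so the caller can tell a clean failure from a truncated message. The loop body continues outside the hunk.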
diff --git a/winpr/libwinpr/utils/wlog/PacketMessage.c b/winpr/libwinpr/utils/wlog/PacketMessage.c index 3ec18806d..c816660a9 100644 --- a/winpr/libwinpr/utils/wlog/PacketMessage.c +++ b/winpr/libwinpr/utils/wlog/PacketMessage.c @@ -3,6 +3,8 @@ * WinPR Logger * * Copyright 2013 Marc-Andre Moreau + * Copyright 2015 Thincast Technologies GmbH + * Copyright 2015 DI (FH) Martin Haimberger * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -245,6 +247,8 @@ int WLog_PacketMessage_Write_EthernetHeader(wPcap* pcap, wEthernetHeader* ethern return -1; s = Stream_New(buffer, 14); + if (!s) + return -1; Stream_Write(s, ethernet->Destination, 6); Stream_Write(s, ethernet->Source, 6); Stream_Write_UINT16_BE(s, ethernet->Type); @@ -284,6 +288,8 @@ int WLog_PacketMessage_Write_IPv4Header(wPcap* pcap, wIPv4Header* ipv4) return -1; s = Stream_New(buffer, 20); + if (!s) + return -1; Stream_Write_UINT8(s, (ipv4->Version << 4) | ipv4->InternetHeaderLength); Stream_Write_UINT8(s, ipv4->TypeOfService); Stream_Write_UINT16_BE(s, ipv4->TotalLength); @@ -312,6 +318,8 @@ int WLog_PacketMessage_Write_TcpHeader(wPcap* pcap, wTcpHeader* tcp) return -1; s = Stream_New(buffer, 20); + if (!s) + return -1; Stream_Write_UINT16_BE(s, tcp->SourcePort); Stream_Write_UINT16_BE(s, tcp->DestinationPort); Stream_Write_UINT32_BE(s, tcp->SequenceNumber);
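Review bot: In WLog_PacketMessage_Write_EthernetHeader the added `if (!s) return -1;` returns without releasing `buffer`, which is passed to `Stream_New(buffer, 14)` and appears to be heap-allocated just above the hunk (the preceding `return -1;` looks like its allocation check). The same pattern is added in WLog_PacketMessage_Write_IPv4Header and WLog_PacketMessage_Write_TcpHeader. The tsg.c hunk in this patch frees its buffer in the equivalent situation; do the same here with `if (!s) { free(buffer); return -1; }`, after confirming how `buffer` is allocated in each function.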