heap buffer over-read is found in ParsedH264TrackData::extractData()

[JP3BGY]

Our fuzzer found heap buffer over-read in ParsedH264TrackData::extractData() in the current main(7f8667d).
PoC is here.

#include "bufferedReaderManager.h"
#include "vod_common.h"
#include "abstractDemuxer.h"
#include "matroskaDemuxer.h"
#include <cstdint>
#include <fs/systemlog.h>

using namespace std;

BufferedReaderManager readManager(2, DEFAULT_FILE_BLOCK_SIZE, DEFAULT_FILE_BLOCK_SIZE + MAX_AV_PACKET_SIZE,
                                  DEFAULT_FILE_BLOCK_SIZE / 2);

int main(int argc, char* argv[]) {
    string fileName = argv[1];
    AbstractDemuxer* demuxer = new MatroskaDemuxer(readManager);

    uint32_t fileBlockSize = demuxer->getFileBlockSize();
    demuxer->openFile(fileName);
    int64_t discardedSize = 0;
    DemuxedData demuxedData;
    map<int32_t, TrackInfo> acceptedPidMap;
    demuxer->getTrackList(acceptedPidMap);

    PIDSet acceptedPidSet;

    for (unsigned i = 0; i < DETECT_STREAM_BUFFER_SIZE / fileBlockSize; i++)
        demuxer->simpleDemuxBlock(demuxedData, acceptedPidSet, discardedSize);

  return 0;
}

Following is an output of ASAN. poc.mkv is in poc.zip.

[!] [ForkServer] Failed to get executor id: Bad file descriptor
        Tips: Is this forkserver attached to client?
        Just executing program...
=================================================================
==15==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000001140 at pc 0x55c834cecd20 bp 0x7ffed92415d0 sp 0x7ffed92415c8
READ of size 1 at 0x603000001140 thread T0
    #0 0x55c834cecd1f in ParsedH264TrackData::extractData(AVPacket*, unsigned char*, int) /src/tsMuxer/tsMuxer/matroskaParser.cpp:171:9
    #1 0x55c834ce3e9a in MatroskaDemuxer::matroska_parse_block(unsigned char*, int, long, long, long, int, int) /src/tsMuxer/tsMuxer/matroskaDemuxer.cpp:711:54
    #2 0x55c834cc3730 in MatroskaDemuxer::matroska_parse_cluster() /src/tsMuxer/tsMuxer/matroskaDemuxer.cpp:993:23
    #3 0x55c834cc0d1b in MatroskaDemuxer::readPacket(AVPacket&) /src/tsMuxer/tsMuxer/matroskaDemuxer.cpp:1164:28
    #4 0x55c834cb40fc in MatroskaDemuxer::simpleDemuxBlock(std::map<int, MemoryBlock, std::less<int>, std::allocator<std::pair<int const, MemoryBlock>>>&, std::set<int, std::less<int>, std::allocator<int>> const&, long&) /src/tsMuxer/tsMuxer/matroskaDemuxer.cpp:2416:29
    #5 0x55c834cb18e3 in main /src/tsMuxer/tsMuxer/main.cpp:27:18
    #6 0x7f8f452b2d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #7 0x7f8f452b2e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #8 0x55c8349eab14 in _start (/out/tsmuxer-mkv2+0x119b14) (BuildId: 7f8bb041632fd1ac)

0x603000001140 is located 0 bytes to the right of 32-byte region [0x603000001120,0x603000001140)
allocated by thread T0 here:
    #0 0x55c834aaa8ad in operator new[](unsigned long) (/out/tsmuxer-mkv2+0x1d98ad) (BuildId: 7f8bb041632fd1ac)
    #1 0x55c834cdd113 in MatroskaDemuxer::ebml_read_binary(unsigned int*, unsigned char**, int*) /src/tsMuxer/tsMuxer/matroskaDemuxer.cpp:935:15
    #2 0x55c834cc36ac in MatroskaDemuxer::matroska_parse_cluster() /src/tsMuxer/tsMuxer/matroskaDemuxer.cpp:991:19
    #3 0x55c834cc0d1b in MatroskaDemuxer::readPacket(AVPacket&) /src/tsMuxer/tsMuxer/matroskaDemuxer.cpp:1164:28
    #4 0x55c834cb40fc in MatroskaDemuxer::simpleDemuxBlock(std::map<int, MemoryBlock, std::less<int>, std::allocator<std::pair<int const, MemoryBlock>>>&, std::set<int, std::less<int>, std::allocator<int>> const&, long&) /src/tsMuxer/tsMuxer/matroskaDemuxer.cpp:2416:29
    #5 0x55c834cb18e3 in main /src/tsMuxer/tsMuxer/main.cpp:27:18
    #6 0x7f8f452b2d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /src/tsMuxer/tsMuxer/matroskaParser.cpp:171:9 in ParsedH264TrackData::extractData(AVPacket*, unsigned char*, int)
Shadow bytes around the buggy address:
  0x0c067fff81d0: fd fd fd fa fa fa 00 00 00 07 fa fa fd fd fd fa
  0x0c067fff81e0: fa fa 00 00 00 00 fa fa fd fd fd fa fa fa 00 00
  0x0c067fff81f0: 03 fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
  0x0c067fff8200: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa
  0x0c067fff8210: fa fa 00 00 00 07 fa fa fd fd fd fa fa fa 00 00
=>0x0c067fff8220: 00 06 fa fa 00 00 00 00[fa]fa 00 00 00 04 fa fa
  0x0c067fff8230: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==15==ABORTING

It is caused because curPos <= end - m_nalSize in following lines means curPos has at least m_nalSize bytes but m_nalSize+1-th byte is read in line 171.

tsMuxer/tsMuxer/matroskaParser.cpp

Lines 156 to 175 in 7f8667d

	while (curPos <= end - m_nalSize)
	{
	uint32_t elSize = 0;
	if (m_nalSize == 4)
	{
	const auto cur32 = reinterpret_cast<uint32_t*>(curPos);
	elSize = my_ntohl(*cur32);
	}
	else if (m_nalSize == 3)
	elSize = (curPos[0] << 16l) + (curPos[1] << 8l) + curPos[2];
	else if (m_nalSize == 2)
	elSize = (curPos[0] << 8l) + curPos[1];
	else
	THROW(ERR_COMMON, "Unsupported nal unit size " << elSize)
	writeNalHeader(dst);
	assert((curPos[m_nalSize] & 0x80) == 0);
	memcpy(dst, curPos + m_nalSize, FFMIN(elSize, (uint32_t)(end - curPos)));
	curPos += elSize + m_nalSize;
	dst += elSize;
	}