justdan96 / tsMuxer

tsMuxer is a transport stream muxer for remuxing/muxing elementary streams, EVO/VOB/MPG, MKV/MKA, MP4/MOV, TS, M2TS to TS to M2TS. Supported video codecs H.264/AVC, H.265/HEVC, VC-1, MPEG2. Supported audio codecs AAC, AC3 / E-AC3(DD+), DTS/ DTS-HD.
Apache License 2.0

alloc-dealloc-mismatch is found in MatroskaDemuxer #827

Closed JP3BGY closed 4 months ago

JP3BGY commented 4 months ago

Our fuzzer found alloc-dealloc-mismatch in MatroskaDemuxer in the current main(c37b76e). PoC is here.

#include "bufferedReaderManager.h"
#include "vod_common.h"
#include "abstractDemuxer.h"
#include "matroskaDemuxer.h"
#include <cstdint>
#include <cstdio>
#include <fs/systemlog.h>

using namespace std;

BufferedReaderManager readManager(2, DEFAULT_FILE_BLOCK_SIZE, DEFAULT_FILE_BLOCK_SIZE + MAX_AV_PACKET_SIZE,
                                  DEFAULT_FILE_BLOCK_SIZE / 2);

int main(int argc, char* argv[]) {
  if (argc < 2) {
    fprintf(stderr, "usage: %s <file.mkv>\n", argv[0]);
    return 1;
  }
  string fileName = argv[1];
  AbstractDemuxer* demuxer = new MatroskaDemuxer(readManager);

  // Header parsing allocates the per-track buffers (matroska_add_stream in the ASAN trace)
  demuxer->openFile(fileName);
  int64_t discardedSize = 0;
  DemuxedData demuxedData;

  PIDSet acceptedPidSet;

  // Reading the first packet re-enters matroska_read_header, where the mismatched delete fires
  demuxer->simpleDemuxBlock(demuxedData, acceptedPidSet, discardedSize);

  delete demuxer;
  return 0;
}

Following is the output of ASAN. poc.mkv is in poc.zip.

$tsmuxer poc.mkv
[!] [ForkServer] Failed to get executor id: Bad file descriptor
        Tips: Is this forkserver attached to client?
        Just executing program...
=================================================================
==754==ERROR: AddressSanitizer: alloc-dealloc-mismatch (operator new [] vs operator delete) on 0x610000000040
    #0 0x5654dc77f96d in operator delete(void*) (/src/tsMuxer/build/tsMuxer/tsmuxer+0x1d996d) (BuildId: cc866a7d6c80960a)
    #1 0x5654dc998598 in MatroskaDemuxer::matroska_read_header() /src/tsMuxer/tsMuxer/matroskaDemuxer.cpp:1157:42
    #2 0x5654dc994f7c in MatroskaDemuxer::readPacket(AVPacket&) /src/tsMuxer/tsMuxer/matroskaDemuxer.cpp:1129:17
    #3 0x5654dc98835c in MatroskaDemuxer::simpleDemuxBlock(std::map<int, MemoryBlock, std::less<int>, std::allocator<std::pair<int const, MemoryBlock>>>&, std::set<int, std::less<int>, std::allocator<int>> const&, long&) /src/tsMuxer/tsMuxer/matroskaDemuxer.cpp:2377:29
    #4 0x5654dc985f16 in main /src/tsMuxer/tsMuxer/main.cpp:23:12
    #5 0x7fda00bb9d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #6 0x7fda00bb9e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #7 0x5654dc6bf484 in _start (/src/tsMuxer/build/tsMuxer/tsmuxer+0x119484) (BuildId: cc866a7d6c80960a)

0x610000000040 is located 0 bytes inside of 184-byte region [0x610000000040,0x6100000000f8)
allocated by thread T0 here:
    #0 0x5654dc77f21d in operator new[](unsigned long) (/src/tsMuxer/build/tsMuxer/tsmuxer+0x1d921d) (BuildId: cc866a7d6c80960a)
    #1 0x5654dc9ab5ee in MatroskaDemuxer::matroska_add_stream() /src/tsMuxer/tsMuxer/matroskaDemuxer.cpp:1893:53
    #2 0x5654dc9a0730 in MatroskaDemuxer::matroska_parse_tracks() /src/tsMuxer/tsMuxer/matroskaDemuxer.cpp:1746:19
    #3 0x5654dc9997e3 in MatroskaDemuxer::matroska_read_header() /src/tsMuxer/tsMuxer/matroskaDemuxer.cpp:1228:19
    #4 0x5654dc987006 in MatroskaDemuxer::openFile(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) /src/tsMuxer/tsMuxer/matroskaDemuxer.cpp:1027:5
    #5 0x5654dc985d1a in main /src/tsMuxer/tsMuxer/main.cpp:17:12
    #6 0x7fda00bb9d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: alloc-dealloc-mismatch (/src/tsMuxer/build/tsMuxer/tsmuxer+0x1d996d) (BuildId: cc866a7d6c80960a) in operator delete(void*)
==754==HINT: if you don't care about these errors you may set ASAN_OPTIONS=alloc_dealloc_mismatch=0
==754==ABORTING

It is caused by this line. https://github.com/justdan96/tsMuxer/blob/c37b76e503f723e905db2592caba8ba4b9f58be5/tsMuxer/matroskaDemuxer.cpp#L1157

Ricerca Security, Inc.
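The defect class in this report, reduced to a stand-alone illustration (added example, not tsMuxer code and not the reporter's PoC): a small allocation audit that replaces the global `operator new`/`new[]`/`delete`/`delete[]`, records which form each block came from, and counts deallocations that use the wrong one. That is the same check ASAN performs for `alloc-dealloc-mismatch`; here it is reduced to a few dozen lines so the failure mode and both fixes can be observed without a sanitizer build. All names (`allocaudit`, `demo_mismatched_delete`, `demo_matched_delete`, `demo_vector_owned`) are hypothetical, and the 184-byte buffer size is taken from the region size in the ASAN report above.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <cstring>
#include <new>
#include <vector>

// Hypothetical allocation audit: plain static storage only, so the table is
// usable before any constructor runs (operator new may be called at startup).
namespace allocaudit {
enum Kind : unsigned char { kNone = 0, kScalar = 1, kArray = 2 };
struct Record { void* ptr; Kind kind; };

constexpr std::size_t kMaxRecords = 1 << 16;
static Record g_records[kMaxRecords];
static std::size_t g_count = 0;
static std::size_t g_mismatches = 0;

static void track(void* p, Kind k) {
    if (p == nullptr || g_count >= kMaxRecords) return;  // table full: stop auditing
    g_records[g_count++] = Record{p, k};
}

static Kind untrack(void* p) {
    for (std::size_t i = 0; i < g_count; ++i) {
        if (g_records[i].ptr == p) {
            Kind k = g_records[i].kind;
            g_records[i] = g_records[--g_count];  // swap-remove
            return k;
        }
    }
    return kNone;  // not tracked (allocated before the last reset)
}

static void release(void* p, Kind expected) {
    if (p == nullptr) return;
    Kind actual = untrack(p);
    if (actual != kNone && actual != expected) ++g_mismatches;
    std::free(p);
}

std::size_t mismatches() { return g_mismatches; }
void reset() { g_count = 0; g_mismatches = 0; }  // start a fresh audit
}  // namespace allocaudit

// Replace the global allocation functions so every new/delete in this
// translation unit is recorded with the form that was used.
void* operator new(std::size_t n) {
    void* p = std::malloc(n ? n : 1);
    if (p == nullptr) throw std::bad_alloc();
    allocaudit::track(p, allocaudit::kScalar);
    return p;
}
void* operator new[](std::size_t n) {
    void* p = std::malloc(n ? n : 1);
    if (p == nullptr) throw std::bad_alloc();
    allocaudit::track(p, allocaudit::kArray);
    return p;
}
void operator delete(void* p) noexcept { allocaudit::release(p, allocaudit::kScalar); }
void operator delete[](void* p) noexcept { allocaudit::release(p, allocaudit::kArray); }
void operator delete(void* p, std::size_t) noexcept { allocaudit::release(p, allocaudit::kScalar); }
void operator delete[](void* p, std::size_t) noexcept { allocaudit::release(p, allocaudit::kArray); }

// Keeps the buffer pointer observable so the allocation pair is not elided.
static void* volatile g_sink = nullptr;

// Same shape as the reported defect: a 184-byte codec-private buffer
// allocated with new[] and released with scalar delete.
std::size_t demo_mismatched_delete() {
    allocaudit::reset();
    std::uint8_t* codecPrivate = new std::uint8_t[184];
    std::memset(codecPrivate, 0, 184);
    g_sink = codecPrivate;
    delete codecPrivate;  // wrong form for an array allocation
    return allocaudit::mismatches();  // 1
}

// Minimal fix: match the deallocation form to the allocation.
std::size_t demo_matched_delete() {
    allocaudit::reset();
    std::uint8_t* codecPrivate = new std::uint8_t[184];
    std::memset(codecPrivate, 0, 184);
    g_sink = codecPrivate;
    delete[] codecPrivate;
    return allocaudit::mismatches();  // 0
}

// Preferred fix: let a container own the buffer so the question never arises.
std::size_t demo_vector_owned() {
    allocaudit::reset();
    {
        std::vector<std::uint8_t> codecPrivate(184);
        g_sink = codecPrivate.data();
    }  // storage released here with the matching operator delete
    return allocaudit::mismatches();  // 0
}
```

In a real build the audit table is unnecessary: compiling with `-fsanitize=address` reports exactly this mismatch, as the trace above shows. The point of the block is the remediation order: matching `delete[]` to `new[]` removes the report, but moving ownership into `std::vector` (or `std::unique_ptr<T[]>`) removes the whole class of error from the demuxer's track-parsing code.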

jcdr428 commented 4 months ago

Thanks @JP3BGY.