justdan96 / tsMuxer

tsMuxer is a transport stream muxer for remuxing/muxing elementary streams, EVO/VOB/MPG, MKV/MKA, MP4/MOV, TS, M2TS to TS to M2TS. Supported video codecs H.264/AVC, H.265/HEVC, VC-1, MPEG2. Supported audio codecs AAC, AC3 / E-AC3(DD+), DTS/ DTS-HD.
Apache License 2.0

negative size param is found in programStreamDemuxer::simpleDemuxBlock #857

Closed iwashiira closed 2 months ago

iwashiira commented 3 months ago

Our fuzzer found a negative size param in programStreamDemuxer in the current master (75c9cb3). PoC is here.

#include "bufferedReaderManager.h"
#include "vod_common.h"
#include "abstractDemuxer.h"
#include "programStreamDemuxer.h"
#include <cstdint>
#include <map>
#include <string>
#include <fs/systemlog.h>

using namespace std;

BufferedReaderManager readManager(2, DEFAULT_FILE_BLOCK_SIZE, DEFAULT_FILE_BLOCK_SIZE + MAX_AV_PACKET_SIZE,
                                  DEFAULT_FILE_BLOCK_SIZE / 2);

int main(int argc, char* argv[]) {
    // The input file to demux is passed as the only argument.
    if (argc < 2)
        return 1;

    string fileName = argv[1];
    AbstractDemuxer* demuxer = new ProgramStreamDemuxer(readManager);

    uint32_t fileBlockSize = demuxer->getFileBlockSize();
    demuxer->openFile(fileName);
    int64_t discardedSize = 0;
    DemuxedData demuxedData;
    map<int32_t, TrackInfo> acceptedPidMap;
    demuxer->getTrackList(acceptedPidMap);

    // Accept every track the demuxer reports.
    PIDSet acceptedPidSet;
    for (const auto& itr : acceptedPidMap) acceptedPidSet.insert(itr.first);

    // With the PoC input, ASAN aborts inside this call.
    demuxer->simpleDemuxBlock(demuxedData, acceptedPidSet, discardedSize);

    return 0;
}

Following is the output of ASAN. vuln18.vob is in poc18.zip

$ tsmuxer ./crash/vuln18.vob
=================================================================
==3510==ERROR: AddressSanitizer: negative-size-param: (size=-85)
    #0 0x7f874a27e3ff in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827
    #1 0x555d825313b3 in MemoryBlock::append(unsigned char const*, unsigned long) (/home/neto/tsmuxer/for_build/build/tsMuxer/tsmuxer+0x2913b3)
    #2 0x555d82724db6 in ProgramStreamDemuxer::simpleDemuxBlock(std::map<int, MemoryBlock, std::less<int>, std::allocator<std::pair<int const, MemoryBlock> > >&, std::set<int, std::less<int>, std::allocator<int> > const&, long&) (/home/neto/tsmuxer/for_build/build/tsMuxer/tsmuxer+0x484db6)
    #3 0x555d8260317b in main (/home/neto/tsmuxer/for_build/build/tsMuxer/tsmuxer+0x36317b)
    #4 0x7f8749bf0d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #5 0x7f8749bf0e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #6 0x555d825180d4 in _start (/home/neto/tsmuxer/for_build/build/tsMuxer/tsmuxer+0x2780d4)

0x7f8745e0488c is located 57484 bytes inside of 2129920-byte region [0x7f8745df6800,0x7f8745ffe800)
allocated by thread T0 here:
    #0 0x7f874a2fa357 in operator new[](unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:102
    #1 0x555d825680d5 in ReaderData::init() (/home/neto/tsmuxer/for_build/build/tsMuxer/tsmuxer+0x2c80d5)
    #2 0x555d8256821f in ReaderData::openStream() (/home/neto/tsmuxer/for_build/build/tsMuxer/tsmuxer+0x2c821f)
    #3 0x555d82567530 in FileReaderData::openStream() (/home/neto/tsmuxer/for_build/build/tsMuxer/tsmuxer+0x2c7530)
    #4 0x555d8256775c in BufferedFileReader::openStream(int, char const*, int, CodecInfo const*) (/home/neto/tsmuxer/for_build/build/tsMuxer/tsmuxer+0x2c775c)
    #5 0x555d827220e7 in ProgramStreamDemuxer::openFile(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) (/home/neto/tsmuxer/for_build/build/tsMuxer/tsmuxer+0x4820e7)
    #6 0x555d82602ea3 in main (/home/neto/tsmuxer/for_build/build/tsMuxer/tsmuxer+0x362ea3)
    #7 0x7f8749bf0d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: negative-size-param ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827 in __interceptor_memcpy
==3510==ABORTING

It is caused by these lines. https://github.com/justdan96/tsMuxer/blob/5f43ab2a45482ad448524dc61a1ab7204ca8849d/tsMuxer/programStreamDemuxer.cpp#L289-L291

Ricerca Security, Inc.
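
The class of bug behind the ASAN report above, as an added example that is not part of the original issue and is not tsMuxer code: a payload length derived from untrusted stream fields goes negative in signed arithmetic and turns into a huge `size_t` at the copy call. The packet layout, function names and sample bytes are constructed assumptions (the bad sample is built to yield the same -85 as the report); the page does not show the lines it links to.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Constructed toy layout (an assumption, not the MPEG program stream format):
//   [len_hi][len_lo][hdr_len][hdr_len header bytes][payload ...]
// `len` counts every byte that follows the two length bytes.
enum class Demux { Ok, Truncated, BadHeaderLength };

// Constructed samples: kGood carries 2 payload bytes; kBad declares a header
// (0x58 = 88 bytes) longer than the whole packet (4 bytes).
const uint8_t kGood[] = {0x00, 0x05, 0x02, 0xAA, 0xBB, 0x11, 0x22};
const uint8_t kBad[] = {0x00, 0x04, 0x58, 0x00, 0x00, 0x00};

// Payload length as an unchecked parser would compute it, in signed arithmetic.
int64_t rawPayloadLen(const uint8_t* pkt) {
    const int64_t len = (pkt[0] << 8) | pkt[1];
    return len - 1 - pkt[2];  // minus the hdr_len byte and the header itself
}

// What that value becomes at a size_t parameter such as memcpy's third argument.
size_t asSizeT(int64_t len) { return static_cast<size_t>(len); }

// Hardened version: every length is validated before any byte is copied.
Demux demuxPayload(const uint8_t* pkt, size_t avail, std::vector<uint8_t>& out) {
    if (avail < 3) return Demux::Truncated;
    const size_t len = (static_cast<size_t>(pkt[0]) << 8) | pkt[1];
    if (len > avail - 2) return Demux::Truncated;  // packet runs past the buffer
    const size_t hdrLen = pkt[2];
    if (len < 1 || hdrLen > len - 1) return Demux::BadHeaderLength;  // size would go negative
    const uint8_t* payload = pkt + 3 + hdrLen;
    out.insert(out.end(), payload, payload + (len - 1 - hdrLen));
    return Demux::Ok;
}

int main() {
    std::vector<uint8_t> out;
    const Demux good = demuxPayload(kGood, sizeof kGood, out);
    std::printf("good: status=%d, payload bytes=%zu\n", static_cast<int>(good), out.size());
    const int64_t raw = rawPayloadLen(kBad);
    const Demux bad = demuxPayload(kBad, sizeof kBad, out);
    std::printf("bad:  raw length=%lld, as size_t=%zu, status=%d\n",
                static_cast<long long>(raw), asSizeT(raw), static_cast<int>(bad));
    return 0;
}
```

Doing the length arithmetic in unsigned types and comparing before subtracting means the rejected packet never reaches the copy, so nothing depends on a sanitizer catching it at run time.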