justdan96 / tsMuxer

tsMuxer is a transport stream muxer for remuxing/muxing elementary streams, EVO/VOB/MPG, MKV/MKA, MP4/MOV, TS, M2TS to TS to M2TS. Supported video codecs H.264/AVC, H.265/HEVC, VC-1, MPEG2. Supported audio codecs AAC, AC3 / E-AC3(DD+), DTS/ DTS-HD.
Apache License 2.0

negative-size-param is found in TSDemuxer::getTrackList() #862

Closed iwashiira closed 2 months ago

iwashiira commented 3 months ago

Our fuzzer found negative-size-param in tsDemuxer in the current master (94cafe7). The PoC is here.

#include "bufferedReaderManager.h"
#include "vod_common.h"
#include "abstractDemuxer.h"
#include "tsDemuxer.h"
#include <cstdint>
#include <cstdio>
#include <map>
#include <string>
#include <fs/systemlog.h>

using namespace std;

// Same reader configuration tsMuxer itself uses for demuxing
BufferedReaderManager readManager(2, DEFAULT_FILE_BLOCK_SIZE, DEFAULT_FILE_BLOCK_SIZE + MAX_AV_PACKET_SIZE,
                                  DEFAULT_FILE_BLOCK_SIZE / 2);

int main(int argc, char* argv[]) {
    if (argc < 2) {
        fprintf(stderr, "usage: %s <file.ts>\n", argv[0]);
        return 1;
    }
    string fileName = argv[1];
    AbstractDemuxer* demuxer = new TSDemuxer(readManager, "");

    demuxer->openFile(fileName);
    map<int32_t, TrackInfo> acceptedPidMap;
    // Scanning the track list is where the negative-size memcpy is reached
    demuxer->getTrackList(acceptedPidMap);

    delete demuxer;
    return 0;
}

The following is the ASAN output; vuln20.ts is in poc20.zip.

$ tsmuxer ./crash/vuln20.ts
=================================================================
==13456==ERROR: AddressSanitizer: negative-size-param: (size=-72)
    #0 0x7f3b239483ff in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827
    #1 0x55f6b91b155b in TSDemuxer::getTrackList(std::map<int, TrackInfo, std::less<int>, std::allocator<std::pair<int const, TrackInfo> > >&) (/home/vagrant/tsmuxer/for_build/build/tsMuxer/tsmuxer+0x4ef55b)
    #2 0x55f6b9025f3d in main (/home/vagrant/tsmuxer/for_build/build/tsMuxer/tsmuxer+0x363f3d)
    #3 0x7f3b232bad8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #4 0x7f3b232bae3f in __libc_start_main_impl ../csu/libc-start.c:392
    #5 0x55f6b8f3b0b4 in _start (/home/vagrant/tsmuxer/for_build/build/tsMuxer/tsmuxer+0x2790b4)

0x7f3b1f436401 is located 261121 bytes inside of 2129920-byte region [0x7f3b1f3f6800,0x7f3b1f5fe800)
allocated by thread T0 here:
    #0 0x7f3b239c4357 in operator new[](unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:102
    #1 0x55f6b8f8b0b5 in ReaderData::init() (/home/vagrant/tsmuxer/for_build/build/tsMuxer/tsmuxer+0x2c90b5)
    #2 0x55f6b8f8b1ff in ReaderData::openStream() (/home/vagrant/tsmuxer/for_build/build/tsMuxer/tsmuxer+0x2c91ff)
    #3 0x55f6b8f8a510 in FileReaderData::openStream() (/home/vagrant/tsmuxer/for_build/build/tsMuxer/tsmuxer+0x2c8510)
    #4 0x55f6b8f8a73c in BufferedFileReader::openStream(int, char const*, int, CodecInfo const*) (/home/vagrant/tsmuxer/for_build/build/tsMuxer/tsmuxer+0x2c873c)
    #5 0x55f6b91b5bf6 in TSDemuxer::openFile(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) (/home/vagrant/tsmuxer/for_build/build/tsMuxer/tsmuxer+0x4f3bf6)
    #6 0x55f6b9025e6f in main (/home/vagrant/tsmuxer/for_build/build/tsMuxer/tsmuxer+0x363e6f)
    #7 0x7f3b232bad8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: negative-size-param ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827 in __interceptor_memcpy
==13456==ABORTING

It is caused by these lines. https://github.com/justdan96/tsMuxer/blob/94cafe7244213870aaab37035c827ef839a15929/tsMuxer/tsDemuxer.cpp#L119-L120

There is no comparison between TS_FRAME_SIZE and tsPacket->getHeaderSize(), so the memcpy size can be negative.

Since the code is similar, it could happen on the following lines. https://github.com/justdan96/tsMuxer/blob/94cafe7244213870aaab37035c827ef839a15929/tsMuxer/tsDemuxer.cpp#L295-L296
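To make the bug class concrete, here is an added, self-contained illustration of the check the report asks for; it is not tsMuxer's code and does not use its classes. It assumes TS_FRAME_SIZE is 188 (the standard MPEG-TS packet length) and derives the header size the way ISO 13818-1 defines it: 4 fixed bytes plus, when the adaptation-field flag is set, one length byte and adaptation_field_length more bytes. Because that length byte is unsigned 8-bit, a crafted packet can claim a header larger than the packet itself, and `TS_FRAME_SIZE - headerSize` goes negative; with a length of 255 the difference is 188 - 260 = -72, which is one way to reach the size the sanitizer reports above. `uncheckedPayloadSize` reproduces the unguarded arithmetic, `tsPayloadSize` and `copyPayload` show the guarded form. The sample packets are constructed in the block and are not the vuln20.ts file from the report.

```cpp
#include <cstdint>
#include <cstring>
#include <cstddef>

// Assumed: standard MPEG-TS packet length, same value tsMuxer's TS_FRAME_SIZE is expected to hold.
constexpr int TS_FRAME_SIZE = 188;

// Header size per ISO 13818-1: 4 fixed bytes, plus the adaptation field if its flag is set.
// The adaptation_field_length byte is unsigned, so this can legitimately evaluate to up to 260.
int tsHeaderSize(const uint8_t* pkt) {
    const bool hasAdaptation = (pkt[3] & 0x20) != 0;
    if (!hasAdaptation) return 4;
    return 4 + 1 + pkt[4];  // flag byte layout: 1 length byte, then adaptation_field_length bytes
}

// Unguarded arithmetic, mirroring the pattern the report describes: no comparison against
// TS_FRAME_SIZE, so the result is negative for an oversized adaptation field.
int uncheckedPayloadSize(const uint8_t* pkt) {
    return TS_FRAME_SIZE - tsHeaderSize(pkt);
}

// Guarded form: reject any packet whose header claims more bytes than a frame holds.
// Returns the payload length, or -1 when the packet is malformed.
int tsPayloadSize(const uint8_t* pkt) {
    const int hdr = tsHeaderSize(pkt);
    if (hdr > TS_FRAME_SIZE) return -1;
    return TS_FRAME_SIZE - hdr;
}

// Copy the payload into dst only after validating both the computed length and the
// destination capacity. Returns the number of bytes copied, or -1 on a rejected packet.
int copyPayload(const uint8_t* pkt, uint8_t* dst, size_t dstCap) {
    const int len = tsPayloadSize(pkt);
    if (len < 0 || static_cast<size_t>(len) > dstCap) return -1;
    memcpy(dst, pkt + (TS_FRAME_SIZE - len), static_cast<size_t>(len));
    return len;
}

// Constructed sample packet (not from the issue's PoC): sync byte, PID 0x100, optional
// adaptation field of the given declared length, payload filled with 0xAA.
void makePacket(uint8_t* pkt, bool adaptation, uint8_t afLen) {
    memset(pkt, 0xAA, TS_FRAME_SIZE);
    pkt[0] = 0x47;                         // sync byte
    pkt[1] = 0x01;                         // PID high bits
    pkt[2] = 0x00;                         // PID low bits
    pkt[3] = adaptation ? 0x30 : 0x10;     // adaptation flag + payload flag, or payload only
    if (adaptation) pkt[4] = afLen;        // adaptation_field_length
}

int main() {
    uint8_t pkt[TS_FRAME_SIZE];
    uint8_t dst[TS_FRAME_SIZE];
    makePacket(pkt, true, 255);
    // uncheckedPayloadSize(pkt) is -72 here; copyPayload refuses the packet instead of calling memcpy.
    return copyPayload(pkt, dst, sizeof dst) == -1 ? 0 : 1;
}
```

The guard belongs wherever `TS_FRAME_SIZE - headerSize` is formed, so both code paths the report links (the getTrackList() scan and the later one) get the same validation rather than each path relying on its caller.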

Ricerca Security, Inc.