milkytracker / MilkyTracker

An FT2 compatible music tracker
http://milkytracker.github.io/

Heap-based buffer overflow in ModuleEditor::convertInstrument() #182

Closed fcambus closed 5 years ago

fcambus commented 5 years ago

Hi,

While fuzzing milkytracker with American Fuzzy Lop, I found a heap-based buffer overflow in ModuleEditor::convertInstrument(), in ModuleEditor.cpp L250.

Attaching a reproducer (gzipped so GitHub accepts it): test01.xm.gz

Issue can be reproduced by running:

milkytracker test01.xm
=================================================================
==5552==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62f00001a340 at pc 0x0000005ad03a bp 0x7fff381b4270 sp 0x7fff381b4268
WRITE of size 8 at 0x62f00001a340 thread T0
    #0 0x5ad039 in ModuleEditor::convertInstrument(int) /home/fcambus/milkytracker/src/tracker/ModuleEditor.cpp:250:28
    #1 0x5b15e6 in ModuleEditor::buildInstrumentTable() /home/fcambus/milkytracker/src/tracker/ModuleEditor.cpp:520:3
    #2 0x5b33bc in ModuleEditor::openSong(char const*, char const*) /home/fcambus/milkytracker/src/tracker/ModuleEditor.cpp:739:3
    #3 0x7a7226 in Tracker::loadTypeFromFile(FileTypes, PPString const&, bool, bool, bool) /home/fcambus/milkytracker/src/tracker/Tracker.cpp:2694:43
    #4 0x79f10f in Tracker::loadGenericFileType(PPString const&) /home/fcambus/milkytracker/src/tracker/Tracker.cpp:2570:11
    #5 0x7978f8 in Tracker::handleEvent(PPObject*, PPEvent*) /home/fcambus/milkytracker/src/tracker/Tracker.cpp:533:3
    #6 0xa8fdc3 in PPScreen::raiseEvent(PPEvent*) /home/fcambus/milkytracker/src/ppui/Screen.cpp:97:17
    #7 0x815967 in RaiseEventSerialized(PPEvent*) /home/fcambus/milkytracker/src/tracker/sdl/SDL_Main.cpp:150:20
    #8 0x81be7b in SendFile(char*) /home/fcambus/milkytracker/src/tracker/sdl/SDL_Main.cpp:872:2
    #9 0x81c91a in main /home/fcambus/milkytracker/src/tracker/sdl/SDL_Main.cpp:974:3
    #10 0x7fd445015b6a in __libc_start_main /build/glibc-KRRWSm/glibc-2.29/csu/../csu/libc-start.c:308:16
    #11 0x47b5f9 in _start (/home/fcambus/milkytracker/milkytracker+0x47b5f9)

0x62f00001a340 is located 0 bytes to the right of 48960-byte region [0x62f00000e400,0x62f00001a340)
allocated by thread T0 here:
    #0 0x556652 in operator new[](unsigned long) (/home/fcambus/milkytracker/milkytracker+0x556652)
    #1 0x5a9f92 in ModuleEditor::ModuleEditor() /home/fcambus/milkytracker/src/tracker/ModuleEditor.cpp:119:16
    #2 0x78b706 in TabManager::createModuleEditor() /home/fcambus/milkytracker/src/tracker/TabManager.cpp:81:35
    #3 0x7944f3 in Tracker::Tracker() /home/fcambus/milkytracker/src/tracker/Tracker.cpp:160:29
    #4 0x81aaa3 in initTracker(unsigned int, PPDisplayDevice::Orientations, bool, bool) /home/fcambus/milkytracker/src/tracker/sdl/SDL_Main.cpp:805:18
    #5 0x81c8a7 in main /home/fcambus/milkytracker/src/tracker/sdl/SDL_Main.cpp:960:2
    #6 0x7fd445015b6a in __libc_start_main /build/glibc-KRRWSm/glibc-2.29/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/fcambus/milkytracker/src/tracker/ModuleEditor.cpp:250:28 in ModuleEditor::convertInstrument(int)
Shadow bytes around the buggy address:
  0x0c5e7fffb410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5e7fffb420: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5e7fffb430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5e7fffb440: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5e7fffb450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c5e7fffb460: 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa
  0x0c5e7fffb470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5e7fffb480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5e7fffb490: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5e7fffb4a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5e7fffb4b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==5552==ABORTING
Deltafire commented 5 years ago

Thanks for submitting these :)

fcambus commented 5 years ago

This issue got assigned CVE-2019-14497.
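The report above pins the bug class down fairly precisely: an 8-byte write landing 0 bytes past the end of a 48960-byte `new[]` region that was allocated once in the ModuleEditor constructor, reached through openSong -> buildInstrumentTable -> convertInstrument(int). That is the signature of a fixed-capacity table indexed by a count taken from the file with nothing relating the two. The C sketch below is an added illustration of that pattern and its fix, not MilkyTracker's code; the record layout, MAX_INSTRUMENTS (chosen because 48960 = 255 x 192, which only suggests a 255-entry table), the XM header offset used for the instrument count, and every function name are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ASSUMPTIONS (not taken from MilkyTracker's source): a fixed table capacity,
 * and the 16-bit little-endian instrument count at offset 72 of an XM header. */
#define MAX_INSTRUMENTS  255
#define XM_INSNUM_OFFSET 72
#define XM_HEADER_MIN    80   /* bytes needed to hold the fields used here */

/* Hypothetical editor-side record. Its first field is pointer-sized, so the
 * store into table[MAX_INSTRUMENTS] is an 8-byte write at exactly 0 bytes past
 * the end of the allocation, the shape ASan printed in the report above. */
typedef struct {
    const uint8_t *module_ins;  /* module-side instrument this entry mirrors */
    unsigned       index;
    char           name[24];
    int            default_volume;
} editor_instrument_t;

/* Pull the instrument count out of an XM-style header. */
static int xm_read_insnum(const uint8_t *buf, size_t len, uint16_t *out)
{
    if (len < XM_HEADER_MIN)
        return -1;
    *out = (uint16_t)(buf[XM_INSNUM_OFFSET] | (buf[XM_INSNUM_OFFSET + 1] << 8));
    return 0;
}

/* One conversion step; with i == MAX_INSTRUMENTS the first line writes past
 * the end of table, which is where the reported WRITE of size 8 comes from. */
static void convert_instrument(editor_instrument_t *table,
                               const uint8_t *module_ins, unsigned i)
{
    table[i].module_ins = module_ins;
    table[i].index = i;
    snprintf(table[i].name, sizeof table[i].name, "ins%u", i);
    table[i].default_volume = 64;
}

/* VULNERABLE pattern: loop bound straight from the file, capacity fixed, no
 * check relating the two. Shown for contrast only; never called below. */
void build_table_unchecked(editor_instrument_t *table,
                           const uint8_t *module_ins, uint16_t insnum)
{
    for (unsigned i = 0; i < insnum; i++)       /* overflows once insnum > MAX_INSTRUMENTS */
        convert_instrument(table, module_ins, i);
}

/* HARDENED: reject a count the table cannot hold before any write happens. */
int build_table_checked(editor_instrument_t *table,
                        const uint8_t *module_ins, uint16_t insnum)
{
    if (insnum > MAX_INSTRUMENTS)
        return -1;
    for (unsigned i = 0; i < insnum; i++)
        convert_instrument(table, module_ins, i);
    return (int)insnum;
}

/* Mirrors the call chain in the trace: fixed table allocated up front, count
 * parsed from the header, entries converted. Returns the number of instruments
 * converted, or -1 when the file is rejected. */
int load_module_header(const uint8_t *buf, size_t len)
{
    uint16_t insnum;
    if (xm_read_insnum(buf, len, &insnum) != 0)
        return -1;
    editor_instrument_t *table = calloc(MAX_INSTRUMENTS, sizeof *table);
    if (!table)
        return -1;
    int n = build_table_checked(table, buf, insnum);  /* buf stands in for module data */
    free(table);
    return n;
}

/* Constructed input: a zeroed header with only the magic and count filled in. */
int load_with_count(uint16_t insnum)
{
    uint8_t hdr[XM_HEADER_MIN];
    memset(hdr, 0, sizeof hdr);
    memcpy(hdr, "Extended Module: ", 17);
    hdr[XM_INSNUM_OFFSET]     = (uint8_t)(insnum & 0xff);
    hdr[XM_INSNUM_OFFSET + 1] = (uint8_t)(insnum >> 8);
    return load_module_header(hdr, sizeof hdr);
}

int main(void)
{
    printf("insnum=128   -> %d\n", load_with_count(128));    /* 128 */
    printf("insnum=255   -> %d\n", load_with_count(255));    /* 255 */
    printf("insnum=256   -> %d\n", load_with_count(256));    /* -1  */
    printf("insnum=65535 -> %d\n", load_with_count(65535));  /* -1  */
    return 0;
}
```

Built with `-fsanitize=address` and driven through `build_table_unchecked` with a count of 256 or more, this should produce the same report shape as the issue (WRITE of size 8, 0 bytes to the right of the region allocated before parsing began); the checked path rejects the file instead. Clamping the count to MAX_INSTRUMENTS is the other common fix, but rejecting makes the malformed file visible rather than silently dropping instruments, and the check belongs at the parse boundary so every later consumer of the count inherits it.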