desc:
This function should validate TrackID (it is used as `Streams[TrackID-1]` without a bounds check).
1574 │ File__Analyze* File_Gxf::ChooseParser_ChannelGrouping(int8u TrackID) 1575 │ { 1576 │ #ifdef MEDIAINFO_SMPTEST0337_YES 1577 │ File_ChannelGrouping* Parser; 1578 │ if (Audio_Count%2) 1579 │ { 1580 │ if (!Streams[TrackID-1].IsChannelGrouping)
result:
================================================================= ==95136==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6260000000a6 at pc 0x000000e6a2d9 bp 0x7ffe03efce10 sp 0x7ffe03efce08 READ of size 1 at 0x6260000000a6 thread T0 #0 0xe6a2d8 in MediaInfoLib::File_Gxf::ChooseParser_ChannelGrouping(unsigned char) /home/casper/targets/struct/mediainfo/aflllvm/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/Multiple/File_Gxf.cpp:1580:33 #1 0xe5c7b7 in MediaInfoLib::File_Gxf::map() /home/casper/targets/struct/mediainfo/aflllvm/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/Multiple/File_Gxf.cpp:1049:63 #2 0xe558f6 in MediaInfoLib::File_Gxf::Data_Parse() /home/casper/targets/struct/mediainfo/aflllvm/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/Multiple/File_Gxf.cpp:810:21 #3 0x1b1a27e in MediaInfoLib::File__Analyze::Data_Manage() /home/casper/targets/struct/mediainfo/aflllvm/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/File__Analyze.cpp:2389:9 #4 0x1b0e4ad in MediaInfoLib::File__Analyze::Buffer_Parse() /home/casper/targets/struct/mediainfo/aflllvm/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/File__Analyze.cpp:1540:10 #5 0x1b03c45 in MediaInfoLib::File__Analyze::Open_Buffer_Continue_Loop() /home/casper/targets/struct/mediainfo/aflllvm/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/File__Analyze.cpp:1107:14 #6 0x1afec2e in MediaInfoLib::File__Analyze::Open_Buffer_Continue(unsigned char const*, unsigned long) /home/casper/targets/struct/mediainfo/aflllvm/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/File__Analyze.cpp:719:16 #7 0x6b8bbb in MediaInfoLib::MediaInfo_Internal::Open_Buffer_Continue(unsigned char const*, unsigned long) /home/casper/targets/struct/mediainfo/aflllvm/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/MediaInfo_Internal.cpp:1375:11 #8 0x1747173 in MediaInfoLib::Reader_File::Format_Test_PerParser_Continue(MediaInfoLib::MediaInfo_Internal*) 
/home/casper/targets/struct/mediainfo/aflllvm/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/Reader/Reader_File.cpp:759:24 #9 0x17423d3 in MediaInfoLib::Reader_File::Format_Test_PerParser(MediaInfoLib::MediaInfo_Internal*, std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> > const&) /home/casper/targets/struct/mediainfo/aflllvm/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/Reader/Reader_File.cpp:313:12 #10 0x5c5fd1 in MediaInfoLib::MediaInfo_Internal::ListFormats(std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> > const&) /home/casper/targets/struct/mediainfo/aflllvm/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/MediaInfo_File.cpp:836:86 #11 0x173f2ef in MediaInfoLib::Reader_File::Format_Test(MediaInfoLib::MediaInfo_Internal*, std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> >) /home/casper/targets/struct/mediainfo/aflllvm/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/Reader/Reader_File.cpp:230:25 #12 0x683427 in MediaInfoLib::MediaInfo_Internal::Entry() /home/casper/targets/struct/mediainfo/aflllvm/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/MediaInfo_Internal.cpp:1121:29 #13 0x6562f6 in MediaInfoLib::MediaInfo_Internal::Open(std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> > const&) /home/casper/targets/struct/mediainfo/aflllvm/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/MediaInfo_Internal.cpp:877:9 #14 0x702f03 in MediaInfoLib::MediaInfoList_Internal::Entry() /home/casper/targets/struct/mediainfo/aflllvm/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/MediaInfoList_Internal.cpp:215:17 #15 0x6fefe4 in MediaInfoLib::MediaInfoList_Internal::Open(std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> > const&, MediaInfoLib::fileoptions_t) 
/home/casper/targets/struct/mediainfo/aflllvm/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/MediaInfoList_Internal.cpp:151:9 #16 0x4fd13d in fuzztest(int, char**) /home/casper/targets/struct/mediainfo/aflllvm/MediaInfo/Project/GNU/CLI/../../../Source/CLI/CLI_Main.cpp:154:25 #17 0x4fec3f in main /home/casper/targets/struct/mediainfo/aflllvm/MediaInfo/Project/GNU/CLI/../../../Source/CLI/CLI_Main.cpp:170:9 #18 0x7f4535ab6b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310 #19 0x426469 in _start (/home/casper/targets/struct/mediainfo/aflllvm/fuzzrun/mediainfodbg+0x426469) 0x6260000000a6 is located 90 bytes to the left of 10752-byte region [0x626000000100,0x626000002b00) allocated by thread T0 here: #0 0x4f7278 in operator new(unsigned long) /home/casper/fuzz/fuzzdeps/llvm-9.0.0.src/projects/compiler-rt/lib/asan/asan_new_delete.cc:99 #1 0xe6b274 in __gnu_cxx::new_allocator<MediaInfoLib::File_Gxf::stream>::allocate(unsigned long, void const*) /usr/lib/gcc/x86_64-linux-gnu/7.4.0/../../../../include/c++/7.4.0/ext/new_allocator.h:111:27 #2 0xe6b274 in std::allocator_traits<std::allocator<MediaInfoLib::File_Gxf::stream> >::allocate(std::allocator<MediaInfoLib::File_Gxf::stream>&, unsigned long) /usr/lib/gcc/x86_64-linux-gnu/7.4.0/../../../../include/c++/7.4.0/bits/alloc_traits.h:436:20 #3 0xe6b274 in std::_Vector_base<MediaInfoLib::File_Gxf::stream, std::allocator<MediaInfoLib::File_Gxf::stream> >::_M_allocate(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/7.4.0/../../../../include/c++/7.4.0/bits/stl_vector.h:172:20 #4 0xe6b274 in std::vector<MediaInfoLib::File_Gxf::stream, std::allocator<MediaInfoLib::File_Gxf::stream> >::_M_default_append(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/7.4.0/../../../../include/c++/7.4.0/bits/vector.tcc:571:34 SUMMARY: AddressSanitizer: heap-buffer-overflow /home/casper/targets/struct/mediainfo/aflllvm/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/Multiple/File_Gxf.cpp:1580:33 in 
MediaInfoLib::File_Gxf::ChooseParser_ChannelGrouping(unsigned char) Shadow bytes around the buggy address: 0x0c4c7fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4c7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4c7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4c7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4c7fff8000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa =>0x0c4c7fff8010: fa fa fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa 0x0c4c7fff8020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4c7fff8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4c7fff8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4c7fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4c7fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==95136==ABORTING
Diff:
Fixed.