When running avcinfo, a heap-buffer-overflow occur in function AP4_BitStream::WriteBytes in Ap4BitStream.cpp

[wcventure]

Hi, there.

A Heap-buffer-overflow problem was discovered in function AP4_BitStream::WriteBytes(unsigned char const*, unsigned int) in Ap4BitStream.cpp. A crafted input can cause segment faults and I have confirmed them with address sanitizer too.

Here are the POC files. Please use "./avcinfo $POC" to reproduce the error.
POC.zip

=================================================================
==5498==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eff4 at pc 0x0000004a817d bp 0x7ffddfab9910 sp 0x7ffddfab90c0
READ of size 8 at 0x60200000eff4 thread T0
    #0 0x4a817c in __asan_memcpy (/Bento4/Build/avcinfo+0x4a817c)
    #1 0x4f90ab in AP4_BitStream::WriteBytes(unsigned char const*, unsigned int) /Bento4/Source/C++/Codecs/Ap4BitStream.cpp:133:9
    #2 0x4f4829 in PrintSliceInfo(unsigned char const*) /Bento4/Source/C++/Apps/AvcInfo/AvcInfo.cpp:84:5
    #3 0x4f40a3 in main /Bento4/Source/C++/Apps/AvcInfo/AvcInfo.cpp:171:21
    #4 0x7f9e01e3982f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #5 0x41e318 in _start (/Bento4/Build/avcinfo+0x41e318)

0x60200000eff4 is located 0 bytes to the right of 4-byte region [0x60200000eff0,0x60200000eff4)
allocated by thread T0 here:
    #0 0x4efb90 in operator new[](unsigned long) (/Bento4/Build/avcinfo+0x4efb90)
    #1 0x51b622 in AP4_DataBuffer::ReallocateBuffer(unsigned int) /Bento4/Source/C++/Core/Ap4DataBuffer.cpp:210:28
    #2 0x51bb39 in AP4_DataBuffer::SetDataSize(unsigned int) /Bento4/Source/C++/Core/Ap4DataBuffer.cpp:151:33
    #3 0x4f786b in AP4_NalParser::Feed(void const*, unsigned int, unsigned int&, AP4_DataBuffer const*&, bool) /Bento4/Source/C++/Codecs/Ap4NalParser.cpp:188:9
    #4 0x4f39f5 in main /Bento4/Source/C++/Apps/AvcInfo/AvcInfo.cpp:150:22
    #5 0x7f9e01e3982f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-buffer-overflow (/Bento4/Build/avcinfo+0x4a817c) in __asan_memcpy
Shadow bytes around the buggy address:
  0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9df0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa[04]fa
  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==5498==ABORTING
Aborted

$ git log

commit 5a0ce8023ea312a2d87c194049106e893ed57767
Merge: 91d2bc6 bab5bb9
Author: Gilles Boccon-Gibod <bok@bok.net>
Date:   Fri Dec 28 22:42:38 2018 -0800

    Merge pull request #347 from orivej/apps

    Let Scons and CMake build all apps