
heap-buffer-overflow error in pcmreframe_process() #2425

Closed
rbouqueau opened this issue Mar 23, 2023 · 0 comments

LINK: https://drive.google.com/file/d/1kRcfKGIAySBhMLzQhbNhfDeHt6gJI6wC/view?usp=share_link
POC: ./MP4Box -dash 1000 POC9

Discovered another heap overflow issue in the code, as highlighted by the AddressSanitizer report. This time, the heap-buffer-overflow error occurs during a READ operation within the __interceptor_memcpy function, involving the pcmreframe_process function.

==2451562==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62200000c374 at pc 0x7f71a09b4397 bp 0x7fff7f7ebda0 sp 0x7fff7f7eb548
READ of size 2048 at 0x62200000c374 thread T0
#0 0x7f71a09b4396 in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827
#1 0x7f719e154f00 in pcmreframe_process (/root/gpac2/gpac/bin/gcc/libgpac.so.12+0x2fb8f00)
#2 0x7f719dcda97c in gf_filter_process_task (/root/gpac2/gpac/bin/gcc/libgpac.so.12+0x2b3e97c)
#3 0x7f719dc9600a in gf_fs_thread_proc (/root/gpac2/gpac/bin/gcc/libgpac.so.12+0x2afa00a)
#4 0x7f719dca392e in gf_fs_run (/root/gpac2/gpac/bin/gcc/libgpac.so.12+0x2b0792e)
#5 0x7f719d5140ce in gf_dasher_process (/root/gpac2/gpac/bin/gcc/libgpac.so.12+0x23780ce)
#6 0x55bf76c63338 in do_dash /root/gpac2/gpac/applications/mp4box/mp4box.c:4807
#7 0x55bf76c63338 in mp4box_main /root/gpac2/gpac/applications/mp4box/mp4box.c:6184
#8 0x7f719a968d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#9 0x7f719a968e3f in __libc_start_main_impl ../csu/libc-start.c:392
#10 0x55bf76c39cb4 in _start (/root/gpac2/gpac/bin/gcc/MP4Box+0xabcb4)

Address 0x62200000c374 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827 in __interceptor_memcpy
Shadow bytes around the buggy address:
==2451562==ABORTING
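The report above does not show the source of pcmreframe_process, so the following is an added illustration, not GPAC's code: a constructed model of a reframer's frame-copy loop, with the unchecked shape that produces the kind of memcpy over-read ASan flags next to a hardened form that verifies the remaining input before every copy. FRAME_SIZE (2048, the READ size in the report), the function names and the 5000-byte sample input are all assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of a PCM reframer that cuts an input packet into
 * fixed-size frames (2048 bytes, the READ size in the ASan report) with
 * memcpy. Not GPAC's pcmreframe_process; names and layout are assumed. */
#define FRAME_SIZE 2048u

/* Hardened form: every memcpy is preceded by a check that a full frame
 * remains in src and that dst has room, so the copy never reads past src.
 * Returns the number of frames emitted; *leftover gets the unconsumed bytes. */
size_t reframe_pcm_checked(const uint8_t *src, size_t src_len,
                           uint8_t *dst, size_t dst_cap, size_t *leftover)
{
    size_t nb_frames = 0, pos = 0;
    if (!src || !dst) { if (leftover) *leftover = src_len; return 0; }
    while (src_len - pos >= FRAME_SIZE) {
        if (dst_cap - nb_frames * FRAME_SIZE < FRAME_SIZE) break; /* dst full */
        memcpy(dst + nb_frames * FRAME_SIZE, src + pos, FRAME_SIZE);
        pos += FRAME_SIZE;
        nb_frames++;
    }
    if (leftover) *leftover = src_len - pos;
    return nb_frames;
}

/* Defective shape that yields a heap-buffer-overflow READ of FRAME_SIZE bytes:
 * the frame count is rounded up, so a short final packet makes the last
 * memcpy read past the end of src. Shown for comparison, never called here. */
size_t reframe_pcm_unchecked(const uint8_t *src, size_t src_len, uint8_t *dst)
{
    size_t nb_frames = (src_len + FRAME_SIZE - 1) / FRAME_SIZE;
    for (size_t i = 0; i < nb_frames; i++)
        memcpy(dst + i * FRAME_SIZE, src + i * FRAME_SIZE, FRAME_SIZE); /* over-read */
    return nb_frames;
}

/* Self-check on constructed input: 5000 bytes = 2 full frames + 904 left. */
int reframe_selftest(void)
{
    static uint8_t src[5000], dst[8192];
    size_t left = 0;
    for (size_t i = 0; i < sizeof src; i++) src[i] = (uint8_t)i;
    if (reframe_pcm_checked(src, sizeof src, dst, sizeof dst, &left) != 2 || left != 904) return 0;
    if (memcmp(dst, src, 2 * FRAME_SIZE) != 0) return 0;           /* frames intact */
    if (reframe_pcm_checked(src, 100, dst, sizeof dst, &left) != 0 || left != 100) return 0;
    if (reframe_pcm_checked(src, sizeof src, dst, FRAME_SIZE, &left) != 1 || left != 2952) return 0;
    return 1;
}
```

Building the checked variant with -fsanitize=address and feeding it the same partial-frame input produces no report, while the unchecked shape triggers a READ of FRAME_SIZE bytes past the allocation.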
@jeanlf jeanlf closed this as completed in e7f96c2 Mar 27, 2023
rbouqueau pushed a commit to rbouqueau/gpac that referenced this issue Apr 16, 2023