Memory Corruption in TrackCreateSamplesIndex
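The attached file causes memory corruption in the 'TrackCreateSamplesIndex' function (vlc/modules/demux/mp4/mp4.c). Below is a backtrace of the crash with the locals of each frame, followed by the register state and the faulting instruction. Note that the faulting instruction is a 4-byte load from the address in r8 (0x7fffe9c09000, which is page-aligned), so the crash as captured appears to be an out-of-bounds read running past the end of a mapped region; the trace alone does not show whether the same index is also used for a write.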
#0 0x00007fffee5750db in TrackCreateSamplesIndex (p_demux_track=0x7fffe9c08530, p_demux=0x7fffe8c04cb8) at mp4/mp4.c:1491
i_used = 0
i_rest = 0
i_entry = <optimized out>
i_sample_count = 58434037
i = <optimized out>
stsz = <optimized out>
stts = 0x7fffe8c06300
i_sample = <optimized out>
i_chunk = <optimized out>
i_index_sample_used = 0
p_sys = <optimized out>
p_box = <optimized out>
i_index = 2099620
i_next_dts = 3093143935
#1 MP4_TrackCreate (p_demux=0x7fffe8c04cb8, p_track=0x7fffe9c08530, p_box_trak=<optimized out>, b_force_enable=false) at mp4/mp4.c:2637
p_sys = 0x7fffe8c05750
p_tkhd = <optimized out>
p_elst = <optimized out>
p_mdhd = <optimized out>
p_udta = <optimized out>
p_hdlr = <optimized out>
p_vmhd = <optimized out>
p_smhd = <optimized out>
language = "und"
#2 0x00007fffee57728f in Open (p_this=0x7fffe8c04cb8) at mp4/mp4.c:589
p_demux = 0x7fffe8c04cb8
p_sys = <optimized out>
p_peek = 0x7fffe8004a10 ""
p_ftyp = <optimized out>
p_rmra = <optimized out>
p_mvhd = <optimized out>
p_trak = <optimized out>
i = <optimized out>
b_seekable = true
b_enabled_es = <optimized out>
b_smooth = <optimized out>
#3 0x00007ffff717a36d in module_load (obj=<optimized out>, m=0x6bc8b0, init=0x7ffff717a2b0 <generic_start>, args=0x7ffff3034908) at modules/modules.c:185
ap = {{gp_offset = 48, fp_offset = 48, overflow_arg_area = 0x7ffff3034a50, reg_save_area = 0x7ffff3034960}}
ret = 0
#4 0x00007ffff717a74d in vlc_module_load (obj=<optimized out>, capability=0x7ffff71ab771 "demux", name=0x7ffff71abab3 "", strict=true, probe=0x7ffff717a2b0 <generic_start>) at modules/modules.c:277
cand = 0x6bc8b0
ret = <optimized out>
i = <optimized out>
buf = "any\000\377\177\000\000`5F\367\377\177\000\000\270L\300\350\377\177\000\000\270J\300\350\377\177\000"
slen = <optimized out>
shortcut = 0x7ffff3034930 "any"
var = 0x0
mods = 0x7fffe8c04ec0
total = 63
module = 0x0
b_force_backup = false
args = {{gp_offset = 40, fp_offset = 48, overflow_arg_area = 0x7ffff3034a50, reg_save_area = 0x7ffff3034960}}
#5 0x00007ffff7141559 in demux_New (p_obj=<optimized out>, p_parent_input=<optimized out>, psz_access=0x7fffe8c04eb2 "mp4", psz_demux=0x7ffff71c3525 "", psz_location=<optimized out>, s=<optimized out>, out=0x7fffe8003fe0, b_quick=true) at input/demux.c:188
p_demux = 0x7fffe8c04cb8
psz_module = 0x7fffe8c04d70 ""
psz_ext = <optimized out>
#6 0x00007ffff714d5a3 in InputSourceInit (p_input=<optimized out>, in=<optimized out>, psz_mrl=<optimized out>, psz_forced_demux=<optimized out>, b_in_can_fail=false) at input/input.c:2535
p_access = 0x7fffe8004398
i_input_list = <optimized out>
ppsz_input_list = <optimized out>
psz_stream_filter = 0x1 <Address 0x1 out of bounds>
psz_access = 0x7fffe8004290 "file"
psz_demux = 0x7ffff71c3525 ""
psz_path = 0x7fffe8004297 "/home/fuzz/fuzzing/tmp/bff-crash-gcGvhn/sf_64ade313647f1ebd0b6c382ebf44aabc-98814.mp4"
psz_anchor = 0x7ffff71c3525 ""
psz_var_demux = <optimized out>
f_fps = <optimized out>
__PRETTY_FUNCTION__ = "InputSourceInit"
psz_dup = <optimized out>
i_pts_delay = <optimized out>
#7 0x00007ffff714e509 in Init (p_input=0x7fffe8000978) at input/input.c:1225
p_meta = <optimized out>
i = <optimized out>
i_length = <optimized out>
#8 0x00007ffff714fa30 in input_Preparse (p_parent=<optimized out>, p_item=<optimized out>) at input/input.c:200
p_input = 0x7fffe8000978
#9 0x00007ffff7133c25 in Preparse (p_item=0x6dc9c0, obj=0x6df178) at playlist/preparser.c:137
i_type = 1
#10 Thread (data=0x6f7050) at playlist/preparser.c:217
p_current = 0x6dc9c0
p_preparser = 0x6f7050
obj = 0x6df178
#11 0x00007ffff79aae9a in start_thread (arg=0x7ffff3035700) at pthread_create.c:308
__res = <optimized out>
pd = 0x7ffff3035700
now = <optimized out>
unwind_buf = {cancel_jmp_buf = {{jmp_buf = {1, -7429356966708825595, 140737488348256, 140737270471104, 0, 3, 7429383804317282821, 7429373710089269765}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
not_first_call = 0
pagesize_m1 = <optimized out>
sp = <optimized out>
freesize = <optimized out>
__PRETTY_FUNCTION__ = "start_thread"
#12 0x00007ffff74d3ccd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
No locals.
#13 0x0000000000000000 in ?? ()
No symbol table info available.
rax 0x7fffec35d010 140737156337680
rbx 0x4000ba 4194490
rcx 0x0 0
rdx 0x7fffed35e010 140737173118992
rsi 0x200997 2099607
rdi 0x7fffe9408f40 140737106710336
rbp 0xb85da17f 0xb85da17f
rsp 0x7ffff3034710 0x7ffff3034710
r8 0x7fffe9c09000 140737115099136
r9 0x0 0
r10 0x7fffe9406970 140737106700656
r11 0x7fffe8c068b0 140737098311856
r12 0x0 0
r13 0x37ba1f5 58434037
r14 0x7fffe9c08ae0 140737115097824
r15 0x2009a4 2099620
rip 0x7fffee5750db 0x7fffee5750db <MP4_TrackCreate+2523>
eflags 0x10206 [ PF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
=> 0x7fffee5750db <MP4_TrackCreate+2523>: movsxd r9,DWORD PTR [r8]