[oss-fuzz 6015292738437120] Heap-buffer-overflow cc_storage_append

Ref:
https://oss-fuzz.com/testcase-detail/6015292738437120
xeon ~/work/git/vlc-security-tools $ VLC_TARGET=h265 ASAN_OPTIONS=detect_leaks=0:halt_on_error=1:exitcode=43 \
/home/tom/work/git/vlc-3.0/build-asan-sec-fixed/test/vlc-demux-dec-run /home/tom/Downloads/clusterfuzz-testcase-minimized-vlc-demux-dec-libfuzzer-h265-6015292738437120
=================================================================
==2133296==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x5020000261d8 at pc 0x7fa498b28346 bp 0x7ffcec7885b0 sp 0x7ffcec7885a8
READ of size 1 at 0x5020000261d8 thread T0
    #0 0x7fa498b28345 in cc_Extract ../../modules/packetizer/../codec/cc.h:263
    #1 0x7fa498b28da1 in cc_storage_append ../../modules/packetizer/hxxx_common.c:72
    #2 0x7fa498b1a3ca in ParseSEICallback ../../modules/packetizer/hevc.c:990
    #3 0x7fa498b26e7c in HxxxParseSEI ../../modules/packetizer/hxxx_sei.c:131
    #4 0x7fa498b27459 in HxxxParse_AnnexB_SEI ../../modules/packetizer/hxxx_sei.c:35
    #5 0x7fa498b19851 in ParseStoredSEI ../../modules/packetizer/hevc.c:638
    #6 0x7fa498b19ccb in ParseVCL ../../modules/packetizer/hevc.c:679
    #7 0x7fa498b1b89f in ParseNALBlock ../../modules/packetizer/hevc.c:904
    #8 0x7fa498b1bc65 in PacketizeParse ../../modules/packetizer/hevc.c:935
    #9 0x7fa498b1659f in packetizer_PacketizeBlock ../../modules/packetizer/packetizer_helper.h:208
    #10 0x7fa498b16b82 in packetizer_Packetize ../../modules/packetizer/packetizer_helper.h:241
    #11 0x7fa498b16c8d in PacketizeAnnexB ../../modules/packetizer/hevc.c:316
    #12 0x7fa499451df8 in Demux ../../modules/demux/mpeg/h26x.c:430
    #13 0x55a479e3e3ac in demux_Demux ../../include/vlc_demux.h:354
    #14 0x55a479e3e3ac in demux_process_stream ../../test/src/input/demux-run.c:284
    #15 0x55a479e3e65d in vlc_demux_process_url ../../test/src/input/demux-run.c:326
    #16 0x55a479e3e6fc in vlc_demux_process_path ../../test/src/input/demux-run.c:340
    #17 0x55a479e3d549 in main ../../test/vlc-demux-run.c:50
    #18 0x7fa499a33ca7 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #19 0x7fa499a33d64 in __libc_start_main_impl ../csu/libc-start.c:360
    #20 0x55a479e3d350 in _start (/home/tom/work/git/vlc-3.0/build-asan-sec-fixed/test/vlc-demux-dec-run+0x2350) (BuildId: 865a9cbe90a5102dceb30d6f775cc7bc868c79e3)

0x5020000261d8 is located 0 bytes after 8-byte region [0x5020000261d0,0x5020000261d8)
allocated by thread T0 here:
    #0 0x7fa49a0f4c57 in malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 0x7fa498b269fe in HxxxParseSEI ../../modules/packetizer/hxxx_sei.c:110
    #2 0x7fa498b27459 in HxxxParse_AnnexB_SEI ../../modules/packetizer/hxxx_sei.c:35
    #3 0x7fa498b19851 in ParseStoredSEI ../../modules/packetizer/hevc.c:638
    #4 0x7fa498b19ccb in ParseVCL ../../modules/packetizer/hevc.c:679
    #5 0x7fa498b1b89f in ParseNALBlock ../../modules/packetizer/hevc.c:904
    #6 0x7fa498b1bc65 in PacketizeParse ../../modules/packetizer/hevc.c:935
    #7 0x7fa498b1659f in packetizer_PacketizeBlock ../../modules/packetizer/packetizer_helper.h:208
    #8 0x7fa498b16b82 in packetizer_Packetize ../../modules/packetizer/packetizer_helper.h:241
    #9 0x7fa498b16c8d in PacketizeAnnexB ../../modules/packetizer/hevc.c:316
    #10 0x7fa499451df8 in Demux ../../modules/demux/mpeg/h26x.c:430
    #11 0x55a479e3e3ac in demux_Demux ../../include/vlc_demux.h:354
    #12 0x55a479e3e3ac in demux_process_stream ../../test/src/input/demux-run.c:284
    #13 0x55a479e3e65d in vlc_demux_process_url ../../test/src/input/demux-run.c:326
    #14 0x55a479e3e6fc in vlc_demux_process_path ../../test/src/input/demux-run.c:340
    #15 0x55a479e3d549 in main ../../test/vlc-demux-run.c:50
    #16 0x7fa499a33ca7 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: heap-buffer-overflow ../../modules/packetizer/../codec/cc.h:263 in cc_Extract
Shadow bytes around the buggy address:
  0x502000025f00: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fd
  0x502000025f80: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fd
  0x502000026000: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fd
  0x502000026080: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fd
  0x502000026100: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fd
=>0x502000026180: fa fa 05 fa fa fa 05 fa fa fa 00[fa]fa fa fa fa
  0x502000026200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x502000026280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x502000026300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x502000026380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x502000026400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2133296==ABORTING
Samples:
clusterfuzz-testcase-minimized-vlc-demux-dec-libfuzzer-h265-6015292738437120
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information