`memcpy` called with null pointer from MatroskaParser

[filip-hejsek]

This indirect call

Aegisub/src/MatroskaParser.c

Line 2253 in 4f267dc

mf->cache->read(mf->cache,v,NULL,0); // touch page

calls this function

Aegisub/src/mkv_wrap.cpp

Lines 63 to 81 in 4f267dc

	static int Read(InputStream *st, uint64_t pos, void *buffer, int count) {
	auto *self = static_cast<MkvStdIO*>(st);
	if (pos >= self->file.size())
	return 0;
	auto remaining = self->file.size() - pos;
	if (remaining < INT_MAX)
	count = std::min(static_cast<int>(remaining), count);
	try {
	memcpy(buffer, self->file.read(pos, count), count);
	}
	catch (agi::Exception const& e) {
	self->error = e.GetMessage();
	return -1;
	}
	return count;
	}

which passes the null buffer to memcpy, which is UB.

UBSan report

../src/mkv_wrap.cpp:73:11: runtime error: null pointer passed as argument 1, which is declared to never be null
/usr/include/string.h:48:28: note: nonnull attribute specified here
    #0 0x5555563d4551 in MkvStdIO::Read(InputStream*, unsigned long, void*, int) /home/filiph/git/Aegisub/build/../src/mkv_wrap.cpp:73:4
    #1 0x555555d22981 in parseBlockGroup /home/filiph/git/Aegisub/build/../src/MatroskaParser.c:2253:2
    #2 0x555555d1fb76 in readMoreBlocks /home/filiph/git/Aegisub/build/../src/MatroskaParser.c
    #3 0x555555d013a7 in fillQueues /home/filiph/git/Aegisub/build/../src/MatroskaParser.c:2487:16
    #4 0x555555cf1501 in findLastTimecode /home/filiph/git/Aegisub/build/../src/MatroskaParser.c:2664:10
    #5 0x555555cf1501 in parseFile /home/filiph/git/Aegisub/build/../src/MatroskaParser.c:2751:18
    #6 0x555555cf1501 in mkv_OpenEx /home/filiph/git/Aegisub/build/../src/MatroskaParser.c:2803:5
    #7 0x5555563d19a7 in MatroskaWrapper::HasSubtitles(agi::fs::path const&) /home/filiph/git/Aegisub/build/../src/mkv_wrap.cpp:298:64
    #8 0x5555564462d1 in Project::DoLoadVideo(agi::fs::path const&) /home/filiph/git/Aegisub/build/../src/project.cpp:322:25
    #9 0x55555644b9a8 in Project::LoadUnloadFiles(ProjectProperties) /home/filiph/git/Aegisub/build/../src/project.cpp:213:28
    #10 0x555556449646 in Project::LoadSubtitles(agi::fs::path, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, bool) /home/filiph/git/Aegisub/build/../src/project.cpp:162:3
    #11 0x55555608dd75 in (anonymous namespace)::recent_subtitle_entry::operator()(agi::Context*, int) /home/filiph/git/Aegisub/build/../src/command/recent.cpp:82:15
    #12 0x55555608dd75 in (anonymous namespace)::mru_wrapper<(anonymous namespace)::recent_subtitle_entry>::operator()(agi::Context*) /home/filiph/git/Aegisub/build/../src/command/recent.cpp:116:6
    #13 0x7ffff6f64170 in wxEvtHandler::ProcessEventIfMatchesId(wxEventTableEntryBase const&, wxEvtHandler*, wxEvent&) /usr/src/debug/wxwidgets/wxWidgets/src/common/event.cpp:1482:39
    #14 0x7ffff6f66aa8 in wxEvtHandler::SearchDynamicEventTable(wxEvent&) /usr/src/debug/wxwidgets/wxWidgets/src/common/event.cpp:1952:41
    #15 0x7ffff6f66dfd in wxEvtHandler::TryHereOnly(wxEvent&) /usr/src/debug/wxwidgets/wxWidgets/src/common/event.cpp:1675:52
    #16 0x7ffff6f66eaf in wxEvtHandler::TryBeforeAndHere(wxEvent&) /usr/src/debug/wxwidgets/wxWidgets/include/wx/event.h:4013:47
    #17 0x7ffff6f66eaf in wxEvtHandler::ProcessEventLocally(wxEvent&) /usr/src/debug/wxwidgets/wxWidgets/src/common/event.cpp:1612:28
    #18 0x7ffff6f66fd9 in wxEvtHandler::ProcessEvent(wxEvent&) /usr/src/debug/wxwidgets/wxWidgets/src/common/event.cpp:1585:29
    #19 0x7ffff75db8ff in wxWindowBase::TryAfter(wxEvent&) /usr/src/debug/wxwidgets/wxWidgets/src/common/wincmn.cpp:3537:63
    #20 0x7ffff6f673e2 in wxEvtHandler::SafelyProcessEvent(wxEvent&) /usr/src/debug/wxwidgets/wxWidgets/src/common/event.cpp:1701:28
    #21 0x7ffff7582f5d in wxMenuBase::DoProcessEvent(wxMenuBase*, wxEvent&, wxWindow*) /usr/src/debug/wxwidgets/wxWidgets/src/common/menucmn.cpp:720:35
    #22 0x7ffff7583075 in wxMenuBase::SendEvent(int, int) /usr/src/debug/wxwidgets/wxWidgets/src/common/menucmn.cpp:683:26
    #23 0x7ffff77a1b65 in menuitem_activate /usr/src/debug/wxwidgets/wxWidgets/src/gtk/menu.cpp:578:20
    #24 0x7ffff77a1b65 in menuitem_activate /usr/src/debug/wxwidgets/wxWidgets/src/gtk/menu.cpp:544:13
    #25 0x7ffff6cf397b in g_closure_invoke /usr/src/debug/glib2/build/../glib/gobject/gclosure.c:916:7
    #26 0x7ffff6d127ea in signal_emit_unlocked_R /usr/src/debug/glib2/build/../glib/gobject/gsignal.c:3903:8
    #27 0x7ffff6d1484e in signal_emit_valist_unlocked /usr/src/debug/glib2/build/../glib/gobject/gsignal.c:3535:7
    #28 0x7ffff6d14ac8 in g_signal_emit_valist /usr/src/debug/glib2/build/../glib/gobject/gsignal.c:3278:7
    #29 0x7ffff6d14b83 in g_signal_emit /usr/src/debug/glib2/build/../glib/gobject/gsignal.c:3598:3
    #30 0x7ffff5ada60c in gtk_widget_activate /usr/src/debug/gtk3/build/../gtk/gtk/gtkwidget.c:7860:7
    #31 0x7ffff5989b30 in gtk_menu_shell_activate_item /usr/src/debug/gtk3/build/../gtk/gtk/gtkmenushell.c:1375:3
    #32 0x7ffff5989feb in gtk_menu_shell_button_release /usr/src/debug/gtk3/build/../gtk/gtk/gtkmenushell.c:791:19
    #33 0x7ffff57f4ca1 in _gtk_marshal_BOOLEAN__BOXEDv /usr/src/debug/gtk3/build/gtk/gtkmarshalers.c:130:14
    #34 0x7ffff6d149b6 in _g_closure_invoke_va /usr/src/debug/glib2/build/../glib/gobject/gclosure.c:980:7
    #35 0x7ffff6d149b6 in signal_emit_valist_unlocked /usr/src/debug/glib2/build/../glib/gobject/gsignal.c:3439:8
    #36 0x7ffff6d14ac8 in g_signal_emit_valist /usr/src/debug/glib2/build/../glib/gobject/gsignal.c:3278:7
    #37 0x7ffff6d14b83 in g_signal_emit /usr/src/debug/glib2/build/../glib/gobject/gsignal.c:3598:3
    #38 0x7ffff5aef6fd in gtk_widget_event_internal.part.0.lto_priv.0 /usr/src/debug/gtk3/build/../gtk/gtk/gtkwidget.c:7827:4
    #39 0x7ffff5970794 in propagate_event_up /usr/src/debug/gtk3/build/../gtk/gtk/gtkmain.c:2591:25
    #40 0x7ffff5970794 in propagate_event /usr/src/debug/gtk3/build/../gtk/gtk/gtkmain.c:2694:5
    #41 0x7ffff597154a in gtk_main_do_event /usr/src/debug/gtk3/build/../gtk/gtk/gtkmain.c:1924:9
    #42 0x7ffff597154a in gtk_main_do_event /usr/src/debug/gtk3/build/../gtk/gtk/gtkmain.c:1694:1
    #43 0x7ffff4e1e1c6 in _gdk_event_emit /usr/src/debug/gtk3/build/../gtk/gdk/gdkevents.c:73:6
    #44 0x7ffff4e1e1c6 in _gdk_event_emit /usr/src/debug/gtk3/build/../gtk/gdk/gdkevents.c:67:1
    #45 0x7ffff4e59ccf in gdk_event_source_dispatch /usr/src/debug/gtk3/build/../gtk/gdk/wayland/gdkeventsource.c:124:7
    #46 0x7ffff6506f4c in g_main_dispatch /usr/src/debug/glib2/build/../glib/glib/gmain.c:3565:28
    #47 0x7ffff6508616 in g_main_context_dispatch_unlocked /usr/src/debug/glib2/build/../glib/glib/gmain.c:4425:7
    #48 0x7ffff6508616 in g_main_context_iterate_unlocked /usr/src/debug/glib2/build/../glib/glib/gmain.c:4490:5
    #49 0x7ffff65089d6 in g_main_loop_run /usr/src/debug/glib2/build/../glib/glib/gmain.c:4695:5
    #50 0x7ffff596bc0e in gtk_main /usr/src/debug/gtk3/build/../gtk/gtk/gtkmain.c:1332:7
    #51 0x7ffff7724205 in wxGUIEventLoop::DoRun() /usr/src/debug/wxwidgets/wxWidgets/src/gtk/evtloop.cpp:61:17
    #52 0x7ffff6eac70a in wxEventLoopBase::Run() /usr/src/debug/wxwidgets/wxWidgets/src/common/evtloopcmn.cpp:87:17
    #53 0x7ffff6e85285 in wxAppConsoleBase::MainLoop() /usr/src/debug/wxwidgets/wxWidgets/src/common/appbase.cpp:395:40
    #54 0x5555563b01e9 in AegisubApp::OnRun() /home/filiph/git/Aegisub/build/../src/main.cpp:456:10
    #55 0x7ffff6eec160 in wxEntry(int&, wchar_t**) /usr/src/debug/wxwidgets/wxWidgets/src/common/init.cpp:497:31
    #56 0x5555563a8b24 in main /home/filiph/git/Aegisub/build/../src/main.cpp:81:1
    #57 0x7ffff50366c0 in __libc_start_call_main /usr/src/debug/glibc/glibc/csu/../sysdeps/nptl/libc_start_call_main.h:59:16
    #58 0x7ffff50367f8 in __libc_start_main /usr/src/debug/glibc/glibc/csu/../csu/libc-start.c:360:3
    #59 0x555555b98fc4 in _start (/home/filiph/git/Aegisub/build/aegisub+0x644fc4) (BuildId: f18d18bac2f87236a7f25dfca1556fb5a61a1d57)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../src/mkv_wrap.cpp:73:11