[2019-08-06] - Found with American Fuzzy Lop - CVE-2019-14734

Multiple heap-based buffer overflows in CmtkLoader::load(), in src/mtk.cpp.

```
=================================================================
==7055==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x628000003845 at pc 0x0000004c6aaf bp 0x7fff98d6e270 sp 0x7fff98d6da20
WRITE of size 3897 at 0x628000003845 thread T0
    #0 0x4c6aae in __asan_memset (/home/fcambus/reps/adplay+0x4c6aae)
    #1 0x7f4ce0d85ad7 in CmtkLoader::load(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, CFileProvider const&) /home/fcambus/adplug/src/mtk.cpp:95:7
    #2 0x7f4ce0cc61d5 in CAdPlug::factory(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, Copl*, CPlayers const&, CFileProvider const&) /home/fcambus/adplug/src/adplug.cpp:169:10
    #3 0x4fcd62 in play(char const*, Player*, int) /home/fcambus/adplay-unix/src/adplay.cc:309:11
    #4 0x4fbaf4 in main /home/fcambus/adplay-unix/src/adplay.cc:544:5
    #5 0x7f4ce050409a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    #6 0x41f759 in _start (/home/fcambus/reps/adplay+0x41f759)

0x628000003845 is located 0 bytes to the right of 14149-byte region [0x628000000100,0x628000003845)
allocated by thread T0 here:
    #0 0x4f6972 in operator new[](unsigned long) (/home/fcambus/reps/adplay+0x4f6972)
    #1 0x7f4ce0d85223 in CmtkLoader::load(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, CFileProvider const&) /home/fcambus/adplug/src/mtk.cpp:60:9
    #2 0x7f4ce0cc61d5 in CAdPlug::factory(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, Copl*, CPlayers const&, CFileProvider const&) /home/fcambus/adplug/src/adplug.cpp:169:10
    #3 0x4fcd62 in play(char const*, Player*, int) /home/fcambus/adplay-unix/src/adplay.cc:309:11
    #4 0x4fbaf4 in main /home/fcambus/adplay-unix/src/adplay.cc:544:5
    #5 0x7f4ce050409a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/fcambus/reps/adplay+0x4c6aae) in __asan_memset
Shadow bytes around the buggy address:
  0x0c507fff86b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c507fff86c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c507fff86d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c507fff86e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c507fff86f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c507fff8700: 00 00 00 00 00 00 00 00[05]fa fa fa fa fa fa fa
  0x0c507fff8710: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c507fff8720: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c507fff8730: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c507fff8740: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c507fff8750: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==7055==ABORTING
```

```
=================================================================
==7059==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x607000000065 at pc 0x0000004c6798 bp 0x7ffc61e0a6b0 sp 0x7ffc61e09e60
WRITE of size 84 at 0x607000000065 thread T0
    #0 0x4c6797 in __asan_memcpy (/home/fcambus/reps/adplay+0x4c6797)
    #1 0x7f37d10fdd0a in CmtkLoader::load(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, CFileProvider const&) /home/fcambus/adplug/src/mtk.cpp:103:7
    #2 0x7f37d103e1d5 in CAdPlug::factory(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, Copl*, CPlayers const&, CFileProvider const&) /home/fcambus/adplug/src/adplug.cpp:169:10
    #3 0x4fcd62 in play(char const*, Player*, int) /home/fcambus/adplay-unix/src/adplay.cc:309:11
    #4 0x4fbaf4 in main /home/fcambus/adplay-unix/src/adplay.cc:544:5
    #5 0x7f37d087c09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    #6 0x41f759 in _start (/home/fcambus/reps/adplay+0x41f759)

0x607000000065 is located 0 bytes to the right of 69-byte region [0x607000000020,0x607000000065)
allocated by thread T0 here:
    #0 0x4f6972 in operator new[](unsigned long) (/home/fcambus/reps/adplay+0x4f6972)
    #1 0x7f37d10fd223 in CmtkLoader::load(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, CFileProvider const&) /home/fcambus/adplug/src/mtk.cpp:60:9
    #2 0x7f37d103e1d5 in CAdPlug::factory(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, Copl*, CPlayers const&, CFileProvider const&) /home/fcambus/adplug/src/adplug.cpp:169:10
    #3 0x4fcd62 in play(char const*, Player*, int) /home/fcambus/adplay-unix/src/adplay.cc:309:11
    #4 0x4fbaf4 in main /home/fcambus/adplay-unix/src/adplay.cc:544:5
    #5 0x7f37d087c09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/fcambus/reps/adplay+0x4c6797) in __asan_memcpy
Shadow bytes around the buggy address:
  0x0c0e7fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0e7fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0e7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0e7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0e7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c0e7fff8000: fa fa fa fa 00 00 00 00 00 00 00 00[05]fa fa fa
  0x0c0e7fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==7059==ABORTING
```