[2019-07-30] - Found with American Fuzzy Lop - CVE-2019-14464

Heap-based buffer overflow in XMFile::read(), in XMFile.cpp.

Issue can be reproduced by running:

```
milkytracker test03.s3m
```

```
=================================================================
==5728==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x63300001b004 at pc 0x000000498042 bp 0x7fff46931ba0 sp 0x7fff46931348
WRITE of size 28 at 0x63300001b004 thread T0
    #0 0x498041 in __interceptor_fread /build/llvm-toolchain-8-F3l7P1/llvm-toolchain-8-8/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1001:16
    #1 0x94a046 in XMFile::read(void*, int, int) /home/fcambus/milkytracker/src/milkyplay/XMFile.cpp:404:36
    #2 0xa07c4e in LoaderS3M::load(XMFileBase&, XModule*) /home/fcambus/milkytracker/src/milkyplay/LoaderS3M.cpp:545:7
    #3 0x95d324 in XModule::loadModule(XMFileBase&, bool) /home/fcambus/milkytracker/src/milkyplay/XModule.cpp:1976:40
    #4 0x95cd03 in XModule::loadModule(char const*, bool) /home/fcambus/milkytracker/src/milkyplay/XModule.cpp:1954:22
    #5 0x5b2849 in ModuleEditor::openSong(char const*, char const*) /home/fcambus/milkytracker/src/tracker/ModuleEditor.cpp:668:27
    #6 0x7a7226 in Tracker::loadTypeFromFile(FileTypes, PPString const&, bool, bool, bool) /home/fcambus/milkytracker/src/tracker/Tracker.cpp:2694:43
    #7 0x79f10f in Tracker::loadGenericFileType(PPString const&) /home/fcambus/milkytracker/src/tracker/Tracker.cpp:2570:11
    #8 0x7978f8 in Tracker::handleEvent(PPObject*, PPEvent*) /home/fcambus/milkytracker/src/tracker/Tracker.cpp:533:3
    #9 0xa8fdc3 in PPScreen::raiseEvent(PPEvent*) /home/fcambus/milkytracker/src/ppui/Screen.cpp:97:17
    #10 0x815967 in RaiseEventSerialized(PPEvent*) /home/fcambus/milkytracker/src/tracker/sdl/SDL_Main.cpp:150:20
    #11 0x81be7b in SendFile(char*) /home/fcambus/milkytracker/src/tracker/sdl/SDL_Main.cpp:872:2
    #12 0x81c91a in main /home/fcambus/milkytracker/src/tracker/sdl/SDL_Main.cpp:974:3
    #13 0x7f7ce2c5db6a in __libc_start_main /build/glibc-KRRWSm/glibc-2.29/csu/../csu/libc-start.c:308:16
    #14 0x47b5f9 in _start (/home/fcambus/milkytracker/milkytracker+0x47b5f9)

0x63300001b004 is located 4 bytes to the right of 108544-byte region [0x633000000800,0x63300001b000)
allocated by thread T0 here:
    #0 0x556652 in operator new[](unsigned long) (/home/fcambus/milkytracker/milkytracker+0x556652)
    #1 0x95bcf8 in XModule::XModule() /home/fcambus/milkytracker/src/milkyplay/XModule.cpp:1875:10
    #2 0x5aa04d in ModuleEditor::ModuleEditor() /home/fcambus/milkytracker/src/tracker/ModuleEditor.cpp:126:15
    #3 0x78b706 in TabManager::createModuleEditor() /home/fcambus/milkytracker/src/tracker/TabManager.cpp:81:35
    #4 0x7944f3 in Tracker::Tracker() /home/fcambus/milkytracker/src/tracker/Tracker.cpp:160:29
    #5 0x81aaa3 in initTracker(unsigned int, PPDisplayDevice::Orientations, bool, bool) /home/fcambus/milkytracker/src/tracker/sdl/SDL_Main.cpp:805:18
    #6 0x81c8a7 in main /home/fcambus/milkytracker/src/tracker/sdl/SDL_Main.cpp:960:2
    #7 0x7f7ce2c5db6a in __libc_start_main /build/glibc-KRRWSm/glibc-2.29/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /build/llvm-toolchain-8-F3l7P1/llvm-toolchain-8-8/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1001:16 in __interceptor_fread
Shadow bytes around the buggy address:
  0x0c667fffb5b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c667fffb5c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c667fffb5d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c667fffb5e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c667fffb5f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c667fffb600:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c667fffb610: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c667fffb620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c667fffb630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c667fffb640: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c667fffb650: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==5728==ABORTING
```