[2019-07-30] - Found with Honggfuzz - CVE-2019-14465

Heap-based buffer overflow in the fmt_mtm_load_song() function, in mtm.c.

Issue can be reproduced by running:

```
schismtracker test01.mtm
```

```
=================================================================
==11045==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7ff6d73debd4 at pc 0x0000004b4ae4 bp 0x7ffea6d192b0 sp 0x7ffea6d18a48
WRITE of size 1 at 0x7ff6d73debd4 thread T0
    #0 0x4b4ae3 in strcpy /build/llvm-toolchain-8-F3l7P1/llvm-toolchain-8-8/projects/compiler-rt/lib/asan/asan_interceptors.cc:433:5
    #1 0x5c40f0 in fmt_mtm_load_song /home/fcambus/schismtracker/fmt/mtm.c:139:3
    #2 0x6caa4b in song_create_load /home/fcambus/schismtracker/schism/audio_loadsave.c:224:11
    #3 0x6caf4e in song_load_unchecked /home/fcambus/schismtracker/schism/audio_loadsave.c:282:12
    #4 0x61dd3c in main /home/fcambus/schismtracker/schism/main.c:1132:7
    #5 0x7ff6dbb9ab6a in __libc_start_main /build/glibc-KRRWSm/glibc-2.29/csu/../csu/libc-start.c:308:16
    #6 0x41eb99 in _start (/home/fcambus/schismtracker/schismtracker+0x41eb99)

0x7ff6d73debd4 is located 140 bytes to the right of 168776-byte region [0x7ff6d73b5800,0x7ff6d73deb48)
allocated by thread T0 here:
    #0 0x4ca73a in calloc /build/llvm-toolchain-8-F3l7P1/llvm-toolchain-8-8/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:155:3
    #1 0x5fb5dc in mem_calloc /home/fcambus/schismtracker/schism/util.c:113:6
    #2 0x6de326 in csf_allocate /home/fcambus/schismtracker/player/csndfile.c:98:16
    #3 0x6ca557 in song_create_load /home/fcambus/schismtracker/schism/audio_loadsave.c:207:20
    #4 0x6caf4e in song_load_unchecked /home/fcambus/schismtracker/schism/audio_loadsave.c:282:12
    #5 0x61dd3c in main /home/fcambus/schismtracker/schism/main.c:1132:7
    #6 0x7ff6dbb9ab6a in __libc_start_main /build/glibc-KRRWSm/glibc-2.29/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /build/llvm-toolchain-8-F3l7P1/llvm-toolchain-8-8/projects/compiler-rt/lib/asan/asan_interceptors.cc:433:5 in strcpy
Shadow bytes around the buggy address:
  0x0fff5ae73d20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fff5ae73d30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fff5ae73d40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fff5ae73d50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fff5ae73d60: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
=>0x0fff5ae73d70: fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa fa fa
  0x0fff5ae73d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fff5ae73d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fff5ae73da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fff5ae73db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fff5ae73dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==11045==ABORTING
```