libredwg
heap-buffer-overflow exists in the function bit_read_fixed in /src/bits.c
System info
Ubuntu x86_64, clang 13.0.1
version: last commit https://github.com/LibreDWG/libredwg/commit/07c078aca71840f0f9a0dffb3032056d043858b0

Command line
./programs/dwg2dxf ./poc

Poc
poc (attachment link)
AddressSanitizer output
==4125299==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000012 at pc 0x7fc49363558d bp 0x7ffda16f9180 sp 0x7ffda16f8928
WRITE of size 65534 at 0x602000000012 thread T0
    #0 0x7fc49363558c in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:790
    #1 0x55db8e50129a in bit_read_fixed /src/libredwg-crashes/src/bits.c:1611
    #2 0x55db8f32a347 in read_sections_map /src/libredwg-crashes/src/decode_r2007.c:961
    #3 0x55db8f38ca78 in read_r2007_meta_data /src/libredwg-crashes/src/decode_r2007.c:2402
    #4 0x55db8e5be6e1 in decode_R2007 /src/libredwg-crashes/src/decode.c:3482
    #5 0x55db8e5167fe in dwg_decode /src/libredwg-crashes/src/decode.c:235
    #6 0x55db8e4db389 in dwg_read_file /src/libredwg-crashes/src/dwg.c:275
    #7 0x55db8e4d8ef8 in main /src/libredwg-crashes/programs/dwg2dxf.c:261
    #8 0x7fc49327d082 in __libc_start_main ../csu/libc-start.c:308
    #9 0x55db8e4d7d8d in _start (/src/libredwg-crashes/programs/dwg2dxf+0x262d8d)

0x602000000012 is located 0 bytes to the right of 2-byte region [0x602000000010,0x602000000012)
allocated by thread T0 here:
    #0 0x7fc4936a7a06 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:153
    #1 0x55db8f32a2f0 in read_sections_map /src/libredwg-crashes/src/decode_r2007.c:960
    #2 0x55db8f38ca78 in read_r2007_meta_data /src/libredwg-crashes/src/decode_r2007.c:2402
    #3 0x55db8e5be6e1 in decode_R2007 /src/libredwg-crashes/src/decode.c:3482
    #4 0x55db8e5167fe in dwg_decode /src/libredwg-crashes/src/decode.c:235
    #5 0x55db8e4db389 in dwg_read_file /src/libredwg-crashes/src/dwg.c:275
    #6 0x55db8e4d8ef8 in main /src/libredwg-crashes/programs/dwg2dxf.c:261
    #7 0x7fc49327d082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:790 in __interceptor_memcpy
Shadow bytes around the buggy address:
  0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c047fff8000: fa fa[02]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==4125299==ABORTING
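The report above shows the classic shape of this bug class: a 2-byte heap object allocated with calloc in read_sections_map, then a 65534-byte memcpy into it from bit_read_fixed, with both sizes ultimately under the control of the input file. The following C program is an added example written for this page, not libredwg's code: the Reader type, the record layout (a 16-bit declared buffer size followed by a 16-bit payload length) and every function name are assumptions made for illustration only, and the sample files are constructed. It contrasts an unchecked fixed-length copy with one that bounds the copy against both the destination capacity and the remaining input, and shows that a hostile file with a 2-byte allocation and a 65534-byte copy length is rejected instead of overflowing the heap.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal byte reader modelled on the shape seen in the report (an input
   chain, a byte cursor, a fixed-length copy into a caller-owned buffer).
   It is a stand-in for this example only, not libredwg's Bit_Chain. */
typedef struct {
    const unsigned char *chain;   /* file bytes */
    size_t size;                  /* total file length */
    size_t byte;                  /* read cursor */
} Reader;

static uint16_t rd_u16le(const unsigned char *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Unchecked copy: with a 2-byte dest and length 65534 this is exactly the
   memcpy the sanitizer flagged. Kept for contrast; never called on the
   hostile inputs below. */
void read_fixed_unchecked(Reader *r, unsigned char *dest, size_t length)
{
    memcpy(dest, r->chain + r->byte, length);
    r->byte += length;
}

/* Checked copy: the caller states the destination capacity, and the read is
   refused (cursor untouched) if it would overrun the destination or the
   remaining input. Returns 0 on success, -1 on rejection. */
static int read_fixed_checked(Reader *r, unsigned char *dest,
                              size_t dest_cap, size_t length)
{
    if (length > dest_cap)
        return -1;                          /* would write past end of dest */
    if (r->byte > r->size || length > r->size - r->byte)
        return -1;                          /* would read past end of file */
    memcpy(dest, r->chain + r->byte, length);
    r->byte += length;
    return 0;
}

/* Constructed record layout for this example (an assumption, not the DWG
   R2007 section-map format): u16 LE declared buffer size, u16 LE payload
   length, then the payload. The allocation is driven by one field and the
   copy by the other, so a hostile file can make them disagree. */
int parse_record(const unsigned char *file, size_t file_len,
                 unsigned char **out, size_t *out_len)
{
    Reader r = { file, file_len, 0 };
    unsigned char hdr[4];
    if (read_fixed_checked(&r, hdr, sizeof hdr, sizeof hdr) != 0)
        return -1;
    size_t alloc_len = rd_u16le(hdr);
    size_t data_len  = rd_u16le(hdr + 2);

    unsigned char *buf = calloc(alloc_len ? alloc_len : 1, 1);
    if (!buf)
        return -1;
    /* The copy length must fit the allocation made from the other field. */
    if (read_fixed_checked(&r, buf, alloc_len, data_len) != 0) {
        free(buf);
        return -1;
    }
    *out = buf;
    *out_len = data_len;
    return 0;
}

/* Benign constructed file: size=4, length=4, payload "DWG!". Returns 0. */
int parse_benign(void)
{
    static const unsigned char f[] = { 4, 0, 4, 0, 'D', 'W', 'G', '!' };
    unsigned char *buf; size_t n;
    if (parse_record(f, sizeof f, &buf, &n) != 0) return -1;
    int ok = (n == 4 && memcmp(buf, "DWG!", 4) == 0);
    free(buf);
    return ok ? 0 : -2;
}

/* Hostile constructed file mirroring the report: size=2, length=0xFFFE
   (65534), only two payload bytes present. Returns -1 instead of crashing. */
int parse_hostile_huge(void)
{
    static const unsigned char f[] = { 2, 0, 0xFE, 0xFF, 'A', 'B' };
    unsigned char *buf; size_t n;
    return parse_record(f, sizeof f, &buf, &n);
}

/* Hostile file where the input is long enough but the allocation is not:
   size=2, length=4, four payload bytes. Only the dest_cap check stops it. */
int parse_hostile_short_dest(void)
{
    static const unsigned char f[] = { 2, 0, 4, 0, 'A', 'B', 'C', 'D' };
    unsigned char *buf; size_t n;
    return parse_record(f, sizeof f, &buf, &n);
}

int main(void)
{
    printf("benign: %d\nhostile (65534): %d\nhostile (short dest): %d\n",
           parse_benign(), parse_hostile_huge(), parse_hostile_short_dest());
    return 0;
}
```

Build it with `clang -fsanitize=address -g` to confirm that the checked path stays silent on all three inputs; replacing the second read_fixed_checked call in parse_record with read_fixed_unchecked reproduces a WRITE-of-size-N heap-buffer-overflow on the hostile files of the same form as the one reported.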