Out-of-Bound Read in read_data_section in 0.12.5

[spaceraccoon]

Hi rurban,

Making a quick report on an out-of-bounds read fuzzing crash. I confirmed this with a build using the --enable-release flag as well.

Release build error:

./programs/dwgread crash.dwg 
ERROR: Invalid num_pages 7274598, skip
ERROR: Invalid section->pages[0] size
Warning: Failed to find section_info[1]
ERROR: Failed to read header section
Warning: Failed to find section_info[3]
ERROR: Failed to read class section
Warning: Failed to find section_info[7]
ERROR: Failed to read objects section
Warning: Failed to find section_info[2]
ERROR: Preview overflow 119 + 0 > 302223
Warning: thumbnail.size mismatch: 302223 != 0
zsh: segmentation fault  ./programs/dwgread ./crash.dwg

Debug trace:

Program received signal SIGSEGV, Segmentation fault.
0x0000555555810645 in read_data_section (sec_dat=0x7fffffffc1f0, dat=0x7fffffffc880, sections_map=<optimized out>, pages_map=0x555555b0fd50, 
    sec_type=<optimized out>) at decode_r2007.c:840
840           r2007_section_page *section_page = section->pages[i];
(gdb) backtrace
#0  0x0000555555810645 in read_data_section (sec_dat=0x7fffffffc1f0, dat=0x7fffffffc880, sections_map=<optimized out>, pages_map=0x555555b0fd50, 
    sec_type=<optimized out>) at decode_r2007.c:840
#1  0x0000555555808d5c in read_2007_section_revhistory (dat=0x7fffffffc880, dwg=0x7fffffffc8c0, sections_map=0x555555b0f410, 
    pages_map=0x555555b0fd50) at decode_r2007.c:2023
#2  read_r2007_meta_data (dat=0x7fffffffc880, hdl_dat=<optimized out>, dwg=0x7fffffffc8c0) at decode_r2007.c:2466
#3  0x00005555555d5279 in decode_R2007 (dat=0x7fffffffc880, dwg=0x7fffffffc8c0) at decode.c:3469
#4  dwg_decode (dat=0x7fffffffc880, dwg=0x7fffffffc8c0) at decode.c:227
#5  0x00005555555be42d in dwg_read_file (filename=<optimized out>, dwg=0x7fffffffc8c0) at dwg.c:261
#6  0x00005555555be42d in main (argc=<optimized out>, argv=0x7fffffffdec8)

crash.dwg.zip

Thanks!

[spaceraccoon]

Thanks!