decode_r2007: fix heap overflow by one

Just a harmless 1 byte overflow with an invalid odd section->name_length. not security relevant. Fixes GH #899. Fuzzing only
LibreDWG · Dec 18, 2023 · 6b0eb53 · 6b0eb53
1 parent b9795ea
commit 6b0eb53
Showing 1 changed file with 12 additions and 1 deletion.
diff --git a/src/decode_r2007.c b/src/decode_r2007.c
@@ -942,7 +942,18 @@ read_sections_map (Bit_Chain *dat, int64_t size_comp, int64_t size_uncomp,
 
       // Section Name (wchar)
       {
-        size_t sz = (size_t)section->name_length;
+        size_t sz = (size_t)section->name_length; // size in bytes really
+        if (sz & 1) // must be even, 2 bytes
+          {
+            LOG_WARN ("Invalid section name_length %" PRId64, section->name_length);
+            section->name_length++;
+            sz++;
+          }
+        if (sz > MAX_SIZE_T)
+          {
+            LOG_WARN ("Invalid section name_length %zu", sz);
+            sz = MAX_SIZE_T;
+          }
         section->name = (DWGCHAR *)calloc (1, section->name_length > 0 ? sz + 2 : 2);
         bit_read_fixed (&page, (BITCODE_RC *)section->name, sz);
       }