From 6b0eb533728ace85c4f0171792969df5dcc690e3 Mon Sep 17 00:00:00 2001
From: Reini Urban
Date: Mon, 18 Dec 2023 12:42:58 +0100
Subject: [PATCH] decode_r2007: fix heap overflow by one

Just a harmless 1 byte overflow with an invalid odd section->name_length. not security relevant. Fixes GH #899. Fuzzing only
---
 src/decode_r2007.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/src/decode_r2007.c b/src/decode_r2007.c
index 479ddbbeb9..ee5acc19ce 100644
--- a/src/decode_r2007.c
+++ b/src/decode_r2007.c
@@ -942,7 +942,18 @@ read_sections_map (Bit_Chain *dat, int64_t size_comp, int64_t size_uncomp,
 // Section Name (wchar)
 {
- size_t sz = (size_t)section->name_length;
+ size_t sz = (size_t)section->name_length; // size in bytes really
+ if (sz & 1) // must be even, 2 bytes
+ {
+ LOG_WARN ("Invalid section name_length %" PRId64, section->name_length);
+ section->name_length++;
+ sz++;
+ }
+ if (sz > MAX_SIZE_T)
+ {
+ LOG_WARN ("Invalid section name_length %zu", sz);
+ sz = MAX_SIZE_T;
+ }
 section->name = (DWGCHAR *)calloc (1, section->name_length > 0 ? sz + 2 : 2);
 bit_read_fixed (&page, (BITCODE_RC *)section->name, sz);
 }
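Review bot: The new checks never handle a negative `section->name_length`, which the `PRId64` format shows is a signed 64-bit field: the `(size_t)` cast on the first added line turns e.g. -3 into `SIZE_MAX-2`, the parity fixup and the `MAX_SIZE_T` clamp then leave `sz` at `MAX_SIZE_T`, yet the `calloc` on the context line still allocates only 2 bytes because `name_length > 0` is false, so `bit_read_fixed` is asked to write `sz` bytes into a 2-byte buffer. This assumes `MAX_SIZE_T` is a project bound below `SIZE_MAX`; if it equalled `SIZE_MAX` the second `if` would be dead code. The clamp also leaves `section->name_length` out of sync with the size actually allocated, which could mislead any later reader of that field (not visible here). I would validate the signed value before the cast and derive both the allocation and the read length from the sanitized `sz`, as sketched below, and additionally bail out when `calloc` returns NULL unless `bit_read_fixed` tolerates a NULL destination (its body is not in this hunk). `read_sections_map` begins and ends outside the hunk.

```c
// Section Name (wchar)
{
  // name_length is signed: reject negative or oversized values before the
  // size_t cast, otherwise -3 becomes SIZE_MAX-2 and survives the parity fixup
  if (section->name_length < 0
      || (uint64_t)section->name_length > (uint64_t)MAX_SIZE_T)
    {
      LOG_WARN ("Invalid section name_length %" PRId64, section->name_length);
      section->name_length = 0;
    }
  size_t sz = (size_t)section->name_length; // size in bytes really
  if (sz & 1) // must be even, 2 bytes
    {
      LOG_WARN ("Invalid section name_length %" PRId64, section->name_length);
      section->name_length++;
      sz++;
    }
  // sz + 2 also yields 2 for sz == 0, so the name_length > 0 ternary is no longer needed
  section->name = (DWGCHAR *)calloc (1, sz + 2);
  // TODO(review): return via read_sections_map's error path if section->name is NULL
  bit_read_fixed (&page, (BITCODE_RC *)section->name, sz);
}
```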