heap-buffer-overflow exists in the function bit_read_fixed in /src/bits.c #989

Closed
SEU-SSL opened this issue Jun 28, 2024 · 0 comments
Labels: fuzzing Intentional illegal input
SEU-SSL commented Jun 28, 2024

System info
Ubuntu x86_64, clang 13.0.1
version: last commit 07c078a

Command line
./programs/dwg2dxf ./poc

Poc
poc: poc

AddressSanitizer output
==4125299==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000012 at pc 0x7fc49363558d bp 0x7ffda16f9180 sp 0x7ffda16f8928
WRITE of size 65534 at 0x602000000012 thread T0
#0 0x7fc49363558c in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:790
#1 0x55db8e50129a in bit_read_fixed /src/libredwg-crashes/src/bits.c:1611
#2 0x55db8f32a347 in read_sections_map /src/libredwg-crashes/src/decode_r2007.c:961
#3 0x55db8f38ca78 in read_r2007_meta_data /src/libredwg-crashes/src/decode_r2007.c:2402
#4 0x55db8e5be6e1 in decode_R2007 /src/libredwg-crashes/src/decode.c:3482
#5 0x55db8e5167fe in dwg_decode /src/libredwg-crashes/src/decode.c:235
#6 0x55db8e4db389 in dwg_read_file /src/libredwg-crashes/src/dwg.c:275
#7 0x55db8e4d8ef8 in main /src/libredwg-crashes/programs/dwg2dxf.c:261
#8 0x7fc49327d082 in __libc_start_main ../csu/libc-start.c:308
#9 0x55db8e4d7d8d in _start (/src/libredwg-crashes/programs/dwg2dxf+0x262d8d)

0x602000000012 is located 0 bytes to the right of 2-byte region [0x602000000010,0x602000000012)
allocated by thread T0 here:
#0 0x7fc4936a7a06 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:153
#1 0x55db8f32a2f0 in read_sections_map /src/libredwg-crashes/src/decode_r2007.c:960
#2 0x55db8f38ca78 in read_r2007_meta_data /src/libredwg-crashes/src/decode_r2007.c:2402
#3 0x55db8e5be6e1 in decode_R2007 /src/libredwg-crashes/src/decode.c:3482
#4 0x55db8e5167fe in dwg_decode /src/libredwg-crashes/src/decode.c:235
#5 0x55db8e4db389 in dwg_read_file /src/libredwg-crashes/src/dwg.c:275
#6 0x55db8e4d8ef8 in main /src/libredwg-crashes/programs/dwg2dxf.c:261
#7 0x7fc49327d082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:790 in __interceptor_memcpy
Shadow bytes around the buggy address:
0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c047fff8000: fa fa[02]fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==4125299==ABORTING

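The trace above shows a memcpy of a file-controlled length (65534 bytes) into a 2-byte calloc'd region. As an added illustration, not code from libredwg or from this issue, the hypothetical `read_fixed_checked` below validates the requested length against both the destination capacity and the bytes remaining in the input before copying anything; the `Stream` type, the function names and the sample bytes are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical minimal byte stream; not libredwg's own Bit_Chain type. */
typedef struct {
    const unsigned char *chain; /* input bytes */
    size_t size;                /* total input length */
    size_t byte;                /* current read position */
} Stream;

/* Hardened fixed-size read: the file-controlled length is checked against
   both the destination capacity and the bytes left in the input before the
   copy. Returns 0 on success, -1 on an out-of-range request (position kept). */
int read_fixed_checked(Stream *s, unsigned char *dst, size_t dst_cap, size_t len) {
    if (len > dst_cap)
        return -1;                         /* would overflow the heap buffer */
    if (s->byte > s->size || len > s->size - s->byte)
        return -1;                         /* would read past the end of input */
    memcpy(dst, s->chain + s->byte, len);
    s->byte += len;
    return 0;
}

/* Constructed sample input: a little-endian length of 65534 followed by two
   payload bytes, mirroring the report (2-byte allocation, 65534 requested). */
static const unsigned char sample[] = { 0xFE, 0xFF, 0x41, 0x42 };

/* Parses the length the way a decoder would and attempts the read into a
   2-byte calloc'd buffer. Returns the checked read's result (-1: rejected). */
int demo_oversized_length(void) {
    Stream s = { sample, sizeof sample, 2 };
    size_t len = (size_t)sample[0] | ((size_t)sample[1] << 8);  /* 65534 */
    unsigned char *buf = calloc(2, 1);
    if (!buf) return -2;
    int rc = read_fixed_checked(&s, buf, 2, len);
    free(buf);
    return rc;
}

/* Same input, in-range request of 2 bytes: returns the second byte read. */
int demo_valid_read(void) {
    Stream s = { sample, sizeof sample, 2 };
    unsigned char buf[2] = { 0, 0 };
    if (read_fixed_checked(&s, buf, sizeof buf, 2) != 0) return -1;
    return buf[1];  /* 0x42 */
}
```
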
@rurban rurban self-assigned this Jul 5, 2024
@rurban rurban added the fuzzing Intentional illegal input label Jul 5, 2024
rurban added a commit that referenced this issue Jul 5, 2024
Only with invalid dwgs, fuzzing GH #989
@rurban rurban added this to the 0.13.4 milestone Jul 5, 2024
@rurban rurban closed this as completed Jul 5, 2024