Description
Summary
Invalid negation happening in function bit_read_MC() in dwg.bits.c:987
Details
The line of code return (negative ? -((BITCODE_MC)result) : (BITCODE_MC)result); in some cases tries to return the absolute value of the variable result, by negating it if it is negative. Unfortunately, if result contains a specific value (-2147483648, or 0x80000000) this results in an unwanted result as there is no positive integer to represent that value. In practice, the negation of -2147483648 will be -2147483648 itself. The impact of this bug depends on how erratic the execution can be after bit_read_MC() returns such a value, but it seems limited.
Below is the log of UBSan detecting the bug:
bits.c:987:30: runtime error: negation of -2147483648 cannot be represented in type 'BITCODE_MC' (aka 'int');
Reproduce
In the attached archive you will find the test case used to trigger this behavior. We tested your fuzzing harness compiling it with LLVM 20 and AFL++ 4.32, running on Ubuntu 20.04. To detect this issue, Undefined Behavior Sanitizer (UBSan) is needed.
Proposed fix
To fix this issue, the code could check for this special value before performing the negation; if it is detected, it could return 0, which apparently is the error code for this function as stated in its last line.
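The guard described under "Proposed fix", shown as an added example that is neither libredwg's code nor the reporter's patch: a simplified sign-and-magnitude decoder that returns 0 instead of negating 0x80000000. The function name read_mc_checked, the byte layout and the sample input are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified sketch (an assumption, not libredwg's bit_read_MC): up to five
 * bytes, 7 payload bits each, low group first. Bit 0x80 means "more bytes
 * follow"; on the final byte, bit 0x40 is the sign flag. */
int32_t read_mc_checked(const uint8_t *buf, size_t len)
{
    uint32_t result = 0;
    int shift = 0;

    for (size_t i = 0; i < len && i < 5; i++, shift += 7) {
        uint8_t b = buf[i];
        if (b & 0x80) {                       /* continuation byte */
            result |= (uint32_t)(b & 0x7f) << shift;
            continue;
        }
        int negative = (b & 0x40) != 0;       /* sign flag on the last byte */
        result |= (uint32_t)(b & 0x3f) << shift;

        /* Guard: (int32_t)0x80000000 is INT32_MIN, and -INT32_MIN does not
         * fit in a 32-bit int, which is what UBSan reports. */
        if (negative && result == UINT32_C(0x80000000))
            return 0;                         /* error value proposed in the issue */
        return negative ? -(int32_t)result : (int32_t)result;
    }
    return 0;                                 /* no terminating byte in the input */
}

int main(void)
{
    /* Constructed input: four empty continuation bytes, then a final byte
     * with the sign flag and payload 0x08, so the magnitude is 0x08 << 28. */
    const uint8_t special[] = { 0x80, 0x80, 0x80, 0x80, 0x48 };
    const uint8_t minus129[] = { 0x81, 0x41 };

    printf("special  -> %d\n", (int)read_mc_checked(special, sizeof special));
    printf("minus129 -> %d\n", (int)read_mc_checked(minus129, sizeof minus129));
    return 0;
}
```

Comparing on the unsigned side before any cast keeps the check itself free of signed overflow.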