
Hang after invalid negation in function dwg_add_handle() #1154

@Heinzeen

Description

Summary

Invalid negation happening in function dwg_add_handle() in dwg.c:2114

Details

This issue is similar to #1153, as it is also triggered by negating the same value (-2147483648). After this issue occurs, the program seems to hang in a realloc happening in decode_preR13_entities(), right after calling dwg_add_handle() through dwg_add_handleref(). Unfortunately, I failed to understand completely why; it is possible that executing with such a huge offset value for a Dwg_Handle object triggers unwanted behavior with allocations, but I could not confirm this.

Below is the log of UBSan detecting the bug:

dwg.c:2114:24: runtime error: negation of -2147483648 cannot be represented in type 'int';

Reproduce

In the 3.zip you will find the test case used to trigger this behavior. We tested your fuzzing harness compiling it with LLVM 20 and AFL++ 4.32, running on Ubuntu 20.04. To detect this issue, Undefined Behavior Sanitizer (UBSan) is needed.

Proposed fix

To fix this issue the code could check for this special value before performing the negation; if it is detected it could return an error value to indicate failure.
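The check the report proposes, as an added example that is not part of the issue or of libredwg's own code: `safe_negate()` refuses the one value whose negation is unrepresentable (INT_MIN), and `encode_rel_offset()` shows how a caller can turn that refusal into an error return instead of continuing with an undefined result. The `rel_offset` type and both function names are hypothetical stand-ins for the handle-offset logic described above, not the project's API. `magnitude_unsigned()` shows the alternative of computing the magnitude in unsigned arithmetic, which is defined for every `int` value, for cases where the caller wants to accept INT_MIN rather than reject it.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Returns false if negating v would overflow. In two's complement only
 * v == INT_MIN does: -INT_MIN would be INT_MAX + 1, which is what UBSan
 * reports as "negation of -2147483648 cannot be represented in type 'int'". */
bool safe_negate(int v, int *out)
{
    if (v == INT_MIN)
        return false;
    *out = -v;
    return true;
}

/* Hypothetical relative-handle encoding: a negative offset means the
 * referenced handle lies before the current object, so the magnitude and a
 * direction flag are stored. This mirrors the shape of the code described
 * in the report, not libredwg's actual implementation. */
typedef struct {
    bool     negative;
    unsigned magnitude;
} rel_offset;

/* Returns 0 on success, -1 if the offset cannot be encoded. */
int encode_rel_offset(int offset, rel_offset *out)
{
    int mag;
    if (offset < 0) {
        /* Reject INT_MIN instead of invoking undefined behaviour. */
        if (!safe_negate(offset, &mag))
            return -1;
        out->negative  = true;
        out->magnitude = (unsigned)mag;
    } else {
        out->negative  = false;
        out->magnitude = (unsigned)offset;
    }
    return 0;
}

/* Alternative: take the magnitude in unsigned arithmetic, which is defined
 * for every int. For negative offset, 0u - (unsigned)offset wraps modulo
 * 2^32 to exactly |offset|, including 2147483648 for INT_MIN. */
unsigned magnitude_unsigned(int offset)
{
    return offset < 0 ? 0u - (unsigned)offset : (unsigned)offset;
}

int main(void)
{
    /* Constructed sample offsets, including the fuzzer-found value. */
    int samples[] = { 5, -5, INT_MIN, INT_MAX };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        rel_offset r;
        if (encode_rel_offset(samples[i], &r) == 0)
            printf("%d -> %s%u\n", samples[i], r.negative ? "-" : "+", r.magnitude);
        else
            printf("%d -> rejected\n", samples[i]);
        printf("  unsigned magnitude: %u\n", magnitude_unsigned(samples[i]));
    }
    return 0;
}
```

Whichever variant is chosen, the caller that receives the failure (here the equivalent of dwg_add_handleref()) has to propagate it rather than proceed with a handle whose offset was never validated; otherwise the sanitizer finding is silenced but the downstream allocation path still sees the same input.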

Labels: fuzzing, Intentional illegal input