Segmentation fault in xlnt::detail::compound_document::read_directory() #594

apach301 opened this issue Nov 29, 2021 · 0 comments
Hi,
I was playing with libFuzzer and found a crash when opening an encrypted xlsx file with the xlnt::workbook::load function.

A segmentation fault occurs when loading the crash-16b4cf6103695fbb96cd52ff2c5be05e83344d4e.txt file. You can use Docker and the fuzz targets from oss-sydr-fuzz to reproduce the error:

/load_fuzzer crash-16b4cf6103695fbb96cd52ff2c5be05e83344d4e.txt

Sanitizer output:

=================================================================
==32142==ERROR: AddressSanitizer: SEGV on unknown address 0x61dc00000a80 (pc 0x7f955c2e2dc9 bp 0x7ffd2fd0b8d0 sp 0x7ffd2fd0b088 T0)
==32142==The signal is caused by a READ memory access.
    #0 0x7f955c2e2dc9  /build/glibc-eX1tMB/glibc-2.31/string/../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:345
    #1 0x4db0b1 in __asan_memcpy /llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3
    #2 0x109a359 in xlnt::detail::compound_document::read_directory() /xlnt/source/detail/cryptography/compound_document.cpp:975:34
    #3 0x109709b in xlnt::detail::compound_document::compound_document(std::istream&) /xlnt/source/detail/cryptography/compound_document.cpp:517:5
    #4 0x982c40 in (anonymous namespace)::decrypt_xlsx(std::vector<unsigned char, std::allocator<unsigned char> > const&, std::__cxx11::basic_string<char16_t, std::char_traits<char16_t>, std::allocator<char16_t> > const&) /xlnt/source/detail/cryptography/xlsx_crypto_consumer.cpp:320:37
    #5 0x98243a in xlnt::detail::decrypt_xlsx(std::vector<unsigned char, std::allocator<unsigned char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /xlnt/source/detail/cryptography/xlsx_crypto_consumer.cpp:339:12
    #6 0x983bee in xlnt::detail::xlsx_consumer::read(std::istream&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /xlnt/source/detail/cryptography/xlsx_crypto_consumer.cpp:345:28
    #7 0x547138 in xlnt::workbook::load(std::istream&) /xlnt/source/workbook/workbook.cpp:901:22
    #8 0x56df87 in xlnt::workbook::load(std::vector<unsigned char, std::allocator<unsigned char> > const&) /xlnt/source/workbook/workbook.cpp:919:5
    #9 0x514da2 in LLVMFuzzerTestOneInput /xlnt/build/../load_fuzzer.cc:9:23
    #10 0x441d41 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
    #11 0x42c35c in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
    #12 0x4320cb in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
    #13 0x45ae12 in main /llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #14 0x7f955c24b0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #15 0x426c7d in _start (/load_fuzzer+0x426c7d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /build/glibc-eX1tMB/glibc-2.31/string/../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:345 
==32142==ABORTING

@tfussell tfussell added the bug label Jan 9, 2022
@tfussell tfussell added this to the v1.6 milestone Aug 13, 2022