[2019-12-03] - Found with Honggfuzz - CVE-2019-19555

Stack-based buffer overflow in the read_textobject() function, in read.c.

Issue can be reproduced by running:

```
fig2dev -L box test02
```

```
=================================================================
==5892==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc4aaefc62 at pc 0x000000439641 bp 0x7ffc4aaeb890 sp 0x7ffc4aaeb010
WRITE of size 628 at 0x7ffc4aaefc62 thread T0
    #0 0x439640 in scanf_common(void*, int, bool, char const*, __va_list_tag*) (/home/fcambus/fig2dev-3.2.7b/fig2dev/fig2dev+0x439640)
    #1 0x43a792 in __isoc99_sscanf (/home/fcambus/fig2dev-3.2.7b/fig2dev/fig2dev+0x43a792)
    #2 0x4f53f1 in read_textobject /home/fcambus/fig2dev-3.2.7b/fig2dev/read.c:1331:10
    #3 0x4e9e03 in read_objects /home/fcambus/fig2dev-3.2.7b/fig2dev/read.c:431:16
    #4 0x4e7de6 in readfp_fig /home/fcambus/fig2dev-3.2.7b/fig2dev/read.c:172:12
    #5 0x4e7bf8 in read_fig /home/fcambus/fig2dev-3.2.7b/fig2dev/read.c:142:13
    #6 0x4dd35b in main /home/fcambus/fig2dev-3.2.7b/fig2dev/fig2dev.c:422:12
    #7 0x7f6c5a2d61e2 in __libc_start_main /build/glibc-4WA41p/glibc-2.30/csu/../csu/libc-start.c:308:16
    #8 0x41c6bd in _start (/home/fcambus/fig2dev-3.2.7b/fig2dev/fig2dev+0x41c6bd)

Address 0x7ffc4aaefc62 is located in stack of thread T0 at offset 16962 in frame
    #0 0x4f4d5f in read_textobject /home/fcambus/fig2dev-3.2.7b/fig2dev/read.c:1304

  This frame has 5 object(s):
    [32, 40) 't' (line 1305)
    [64, 8256) 's' (line 1307)
    [8512, 16704) 's_temp' (line 1307)
    [16960, 16962) 'junk' (line 1307)
    [16976, 16980) 'num' (line 1400) <== Memory access at offset 16962 partially underflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/fcambus/fig2dev-3.2.7b/fig2dev/fig2dev+0x439640) in scanf_common(void*, int, bool, char const*, __va_list_tag*)
Shadow bytes around the buggy address:
  0x100009555f30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100009555f40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100009555f50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100009555f60: 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2
  0x100009555f70: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
=>0x100009555f80: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2[02]f2 f8 f3
  0x100009555f90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100009555fa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100009555fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100009555fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100009555fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==5892==ABORTING
```