From 3128f04f58200f062135515146cfe8e642ddffff Mon Sep 17 00:00:00 2001 From: Martin Matuska Date: Sun, 18 May 2025 02:40:05 +0200 Subject: [PATCH] 7z: fix another out-of-bounds read in 7z SFX archive detection When looping over program header entries (e_shnum) we need to increment sec_tbl_offset by e_shentsize and not by fixed values. Fixes OSS-Fuzz issue 418349489 --- libarchive/archive_read_support_format_7zip.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libarchive/archive_read_support_format_7zip.c b/libarchive/archive_read_support_format_7zip.c index c72322f56..f273f84be 100644 --- a/libarchive/archive_read_support_format_7zip.c +++ b/libarchive/archive_read_support_format_7zip.c @@ -856,7 +856,7 @@ find_elf_data_sec(struct archive_read *a) } break; } - sec_tbl_offset += format_64 ? 0x40 : 0x28; + sec_tbl_offset += e_shentsize; e_shnum--; } break; -- 2.47.2
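Review bot: at `sec_tbl_offset += e_shentsize;` in find_elf_data_sec() the loop stride now comes straight from the file being parsed, and the visible context does not show whether e_shentsize is validated before the loop. If that check is not already present earlier in the function, please reject values below the size of the section header the loop actually reads (the 0x28 and 0x40 constants from the removed line), so that a zero or undersized e_shentsize cannot make the loop re-read the same or overlapping entries for all e_shnum iterations. It is also worth confirming that each per-entry read is bounds-checked against the available data after the offset has been advanced by an attacker-chosen amount. A minor point on the commit message: e_shnum and e_shentsize describe section header entries, not program header entries, so the wording there could be aligned with the code.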