7z: fix another out-of-bounds read in 7z SFX archive detection

When looping over program header entries (e_shnum)
we need to increment sec_tbl_offset by e_shentsize
and not by fixed values.

Fixes OSS-Fuzz issue 418349489

diff --git a/libarchive/archive_read_support_format_7zip.c b/libarchive/archive_read_support_format_7zip.c
index c72322f56feb9f406cba7a0b82afb102ad2f9ab9..f273f84be521d44079fb0211ca159387034525fc 100644 (file)
--- a/libarchive/archive_read_support_format_7zip.c
+++ b/libarchive/archive_read_support_format_7zip.c
@@ -856,7 +856,7 @@ find_elf_data_sec(struct archive_read *a)
                                }
                                break;
                        }
-                       sec_tbl_offset += format_64 ? 0x40 : 0x28;
+                       sec_tbl_offset += e_shentsize;
                        e_shnum--;
                }
                break;