Make sure that the string table size is not smaller than 6 (and also
not larger than SIZE_MAX for better 32-bit support).
Such small values would lead to a large loop limit which either leads to
a crash or wrong detection of a ".data" string in possibly uninitialized
memory.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
strtab_size = (*dec32)(
h + e_shstrndx * e_shentsize + 0x14);
}
+ if (strtab_size < 6 || strtab_size > SIZE_MAX)
+ break;
/*
* Read the STRTAB section to find the .data offset
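Review bot: the literal 6 in the added `strtab_size < 6` check is unexplained in the code. The commit message ties it to the ".data" lookup, so it is presumably the five characters of ".data" plus the terminator, but that is an assumption a reader of the source should not have to make. A short comment above the check, or a bound derived from the string itself such as sizeof(".data"), would keep the limit in sync with the search loop that follows. The second half, `strtab_size > SIZE_MAX`, can only be true when strtab_size is wider than size_t. Its declaration is not visible in this hunk, so it is worth confirming the type and noting in the comment that this comparison is there for 32-bit builds. Otherwise it reads as dead code on 64-bit targets and may draw an "always false" compiler warning.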