From: Martin Matuska Date: Sun, 18 May 2025 00:40:05 +0000 (+0200) Subject: 7z: fix another out-of-bounds read in 7z SFX archive detection X-Git-Tag: v3.8.0~9^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F2613%2Fhead;p=thirdparty%2Flibarchive.git 7z: fix another out-of-bounds read in 7z SFX archive detection When looping over program header entries (e_shnum) we need to increment sec_tbl_offset by e_shentsize and not by fixed values. Fixes OSS-Fuzz issue 418349489 --- diff --git a/libarchive/archive_read_support_format_7zip.c b/libarchive/archive_read_support_format_7zip.c index c72322f56..f273f84be 100644 --- a/libarchive/archive_read_support_format_7zip.c +++ b/libarchive/archive_read_support_format_7zip.c @@ -856,7 +856,7 @@ find_elf_data_sec(struct archive_read *a) } break; } - sec_tbl_offset += format_64 ? 0x40 : 0x28; + sec_tbl_offset += e_shentsize; e_shnum--; } break;
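Review bot: On the new `sec_tbl_offset += e_shentsize;` line at the end of the loop body, the stride is now taken from the file's ELF header, and nothing in this hunk shows that e_shentsize is checked against the size of the entry the loop parses (0x28 for 32-bit, 0x40 for 64-bit, per the removed line). A value smaller than that, including 0, would make successive iterations read overlapping or identical bytes, with the iteration count bounded only by `e_shnum--`. If this is not already validated earlier in find_elf_data_sec, consider rejecting the file before the loop when e_shentsize is below `format_64 ? 0x40 : 0x28`, and add a one-line comment that the stride is e_shentsize by design. Minor documentation point: the commit message says "program header entries", while e_shnum and e_shentsize describe the section header table that this loop walks.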