From 380c44ed3129bbeda274350db707c7021e27696d Mon Sep 17 00:00:00 2001 From: midipix Date: Jan 26 2024 00:11:34 +0000 Subject: slbt_ar_parse_primary_armap_bsd_32(): more strictly validate the string table. --- diff --git a/src/arbits/slbt_archive_meta.c b/src/arbits/slbt_archive_meta.c index 30fb022..1b23c24 100644 --- a/src/arbits/slbt_archive_meta.c +++ b/src/arbits/slbt_archive_meta.c @@ -245,6 +245,7 @@ static int slbt_ar_parse_primary_armap_bsd_32( uint32_t sizeofrefs; uint32_t sizeofstrs; const char * ch; + const char * cap; unsigned char * uch; unsigned char (*mark)[0x04]; @@ -291,20 +292,39 @@ static int slbt_ar_parse_primary_armap_bsd_32( m->symstrs = (const char *)mark; + cap = memberp->ar_object_data; + cap += memberp->ar_object_size; + + if ((cap == m->symstrs) && nsyms) + return SLBT_CUSTOM_ERROR( + dctx, + SLBT_ERR_AR_INVALID_ARMAP_STRING_TABLE); + if (nsyms && !m->symstrs[0]) return SLBT_CUSTOM_ERROR( dctx, SLBT_ERR_AR_INVALID_ARMAP_STRING_TABLE); - for (ch=&m->symstrs[1],nstrs=0; ch<&m->symstrs[sizeofstrs]; ch++) + for (ch=&m->symstrs[1],nstrs=0; chsymstrv = calloc(nsyms + 1,sizeof(const char *)))) return SLBT_SYSTEM_ERROR(dctx,0);
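Review bot: The new end-of-member guard in the second hunk tests `cap == m->symstrs` only, so it rejects a string table that begins exactly at the end of the member but not one that begins past it. The armap size fields come from the archive itself, so if `mark` can be advanced beyond `ar_object_data + ar_object_size`, the following `m->symstrs[0]` test would still read outside the member. Whether an earlier check outside this hunk already bounds `sizeofrefs` against `ar_object_size` is not visible here, and writing the guard as `if (nsyms && (m->symstrs >= cap))` would make it self-sufficient either way. The replacement `for` condition is truncated in this rendering, so it is worth confirming that the scan is bounded by `cap` and does not rely on `sizeofstrs` alone. The function body starts and ends outside the hunk.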