Another out of bounds issue in Elf64_r_bin_elf_get_libs

[hannob]

This input file will cause an out of bounds issue in Elf64_r_bin_elf_get_libs. This looks very similar to the already fixed issue #2665, however it is not fixed in current git code.

Example file:
https://crashes.fuzzing-project.org/radare2-oob-heap-read-Elf64_r_bin_elf_get_libs-2

Crash trace from address sanitizer (mostly identical to #2665):

==26794==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000019db7 at pc 0x7f6c7ea08be7 bp 0x7fff58770470 sp 0x7fff5876fc18
READ of size 7 at 0x602000019db7 thread T0
    #0 0x7f6c7ea08be6 in __interceptor_strncpy (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.2/libasan.so.1+0x2ebe6)
    #1 0x7f6c7d442d76 in strncpy /usr/include/bits/string3.h:120
    #2 0x7f6c7d442d76 in Elf64_r_bin_elf_get_libs /f/radare2/radare2/libr/..//libr/bin/p/../format/elf/elf.c:1197
    #3 0x7f6c7d4159f3 in libs /f/radare2/radare2/libr/..//libr/bin/p/bin_elf.c:380
    #4 0x7f6c7d34ff82 in r_bin_object_set_items /f/radare2/radare2/libr/bin/bin.c:423
    #5 0x7f6c7d34ff82 in r_bin_object_new /f/radare2/radare2/libr/bin/bin.c:945
    #6 0x7f6c7d3561fa in r_bin_file_new_from_bytes /f/radare2/radare2/libr/bin/bin.c:1056
    #7 0x7f6c7d3561fa in r_bin_load_io_at_offset_as_sz /f/radare2/radare2/libr/bin/bin.c:644
    #8 0x7f6c7d357aba in r_bin_load_io_at_offset_as /f/radare2/radare2/libr/bin/bin.c:666
    #9 0x7f6c7d358eb5 in r_bin_load_io /f/radare2/radare2/libr/bin/bin.c:546
    #10 0x7f6c7e3ae9a0 in r_core_file_do_load_for_io_plugin /f/radare2/radare2/libr/core/file.c:350
    #11 0x7f6c7e3ae9a0 in r_core_bin_load /f/radare2/radare2/libr/core/file.c:487
    #12 0x4059cd in main /f/radare2/radare2/binr/radare2/radare2.c:585
    #13 0x7f6c78895f9f in __libc_start_main (/lib64/libc.so.6+0x1ff9f)
    #14 0x40a0e3 (/mnt/ram/radare2/radare2+0x40a0e3)

0x602000019db7 is located 0 bytes to the right of 7-byte region [0x602000019db0,0x602000019db7)
allocated by thread T0 here:
    #0 0x7f6c7ea31855 in calloc (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.2/libasan.so.1+0x57855)
    #1 0x7f6c7d42ebe3 in Elf64_r_bin_elf_init_dynamic_section /f/radare2/radare2/libr/..//libr/bin/p/../format/elf/elf.c:294
    #2 0x7f6c7d42ebe3 in Elf64_r_bin_elf_init /f/radare2/radare2/libr/..//libr/bin/p/../format/elf/elf.c:338

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __interceptor_strncpy
Shadow bytes around the buggy address:
  0x0c047fffb360: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffb370: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffb380: fa fa fa fa fa fa 04 fa fa fa 04 fa fa fa 06 fa
  0x0c047fffb390: fa fa 06 fa fa fa 06 fa fa fa 05 fa fa fa 00 00
  0x0c047fffb3a0: fa fa 00 00 fa fa 00 00 fa fa 05 fa fa fa 04 fa
=>0x0c047fffb3b0: fa fa 06 fa fa fa[07]fa fa fa 06 fa fa fa 07 fa
  0x0c047fffb3c0: fa fa 07 fa fa fa 05 fa fa fa 05 fa fa fa 05 fa
  0x0c047fffb3d0: fa fa 05 fa fa fa 05 fa fa fa 02 fa fa fa 04 fa
  0x0c047fffb3e0: fa fa 00 01 fa fa 00 01 fa fa 00 03 fa fa 05 fa
  0x0c047fffb3f0: fa fa 05 fa fa fa 06 fa fa fa fd fa fa fa fd fa
  0x0c047fffb400: fa fa fd fa fa fa fd fa fa fa fd fa fa fa 00 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==26794==ABORTING