> @@ -214,13 +214,14 @@ static int get_build_id_32(struct freader *r, unsigned char *build_id, __u32 *si
>
> /* subsequent freader_fetch() calls invalidate pointers, so remember locally */
> phnum = ehdr->e_phnum;
> + phoff = READ_ONCE(ehdr->e_phoff);
>
> /* only supports phdr that fits in one page */
> if (phnum > (PAGE_SIZE - sizeof(Elf32_Ehdr)) / sizeof(Elf32_Phdr))
> return -EINVAL;
>
> for (i = 0; i < phnum; ++i) {
> - phdr = freader_fetch(r, i * sizeof(Elf32_Phdr), sizeof(Elf32_Phdr));
> + phdr = freader_fetch(r, phoff + i * sizeof(Elf32_Phdr), sizeof(Elf32_Phdr));
What happens if phoff is big enough that this computation wraps?
