util/nvmutil: rw: safer bound check

avoid pointer-range overflow arithmetic. this patch doesn't change behaviour, but makes an overflow impossible. Signed-off-by: Leah Rowe <leah@libreboot.org>
author: Leah Rowe <leah@libreboot.org> 2026-03-14 23:23:01 +0000
committer: Leah Rowe <leah@libreboot.org> 2026-03-26 06:59:41 +0000
commit: 13006f25165683e036fa3c77572bed86ad0789ba (patch)
tree: 46457b42dd2aef027f582e0b70718d0b110c1e8a
parent: f0f2e0347612d8c5dcdbc64e908a1008105e8041 (diff)
1 files changed, 7 insertions, 5 deletions
diff --git a/util/nvmutil/nvmutil.c b/util/nvmutil/nvmutil.c
index 88dfdba2..2e718b23 100644
--- a/util/nvmutil/nvmutil.c
+++ b/util/nvmutil/nvmutil.c
@@ -1812,18 +1812,20 @@ rw_gbe_file_exact(int fd, u8 *mem, size_t nrw,
 {
 	size_t mem_addr;
 	size_t buf_addr;
-	size_t buf_end;
 
 	if (mem == NULL)
 		goto err_rw_gbe_file_exact;
 
 	mem_addr = (size_t)(void *)mem;
 	buf_addr = (size_t)(void *)buf;
-	buf_end  = buf_addr + (size_t)GBE_FILE_SIZE;
 
-	if (mem != (void *)pad &&
-	    (mem_addr < buf_addr || mem_addr >= buf_end))
-	    goto err_rw_gbe_file_exact;
+	if (mem != (void *)pad) {
+		if (mem_addr < buf_addr)
+			goto err_rw_gbe_file_exact;
+
+		if ((mem_addr - buf_addr) >= (size_t)GBE_FILE_SIZE)
+			goto err_rw_gbe_file_exact;
+	}
 
 	if (off < 0 || off >= gbe_file_size)
 		goto err_rw_gbe_file_exact;
author	Leah Rowe <leah@libreboot.org>	2026-03-14 23:23:01 +0000
committer	Leah Rowe <leah@libreboot.org>	2026-03-26 06:59:41 +0000
commit	13006f25165683e036fa3c77572bed86ad0789ba (patch)
tree	46457b42dd2aef027f582e0b70718d0b110c1e8a
parent	f0f2e0347612d8c5dcdbc64e908a1008105e8041 (diff)