| author | Leah Rowe <leah@libreboot.org> | 2026-03-14 23:23:01 +0000 |
|---|---|---|
| committer | Leah Rowe <leah@libreboot.org> | 2026-03-14 23:23:01 +0000 |
| commit | 9d7e990df46b2f0b1b21509870203fc8c158e940 (patch) | |
| tree | 4bddb31c404968335dfd73e48fddf13243faef03 | |
| parent | e97f64cb3380e6287eae05b408a3bb6333cc62eb (diff) | |
util/nvmutil: rw: safer bound check
avoid pointer-range overflow arithmetic. this
patch doesn't change behaviour, but makes an
overflow impossible.
Signed-off-by: Leah Rowe <leah@libreboot.org>
| -rw-r--r-- | util/nvmutil/nvmutil.c | 12 |
1 files changed, 7 insertions, 5 deletions
diff --git a/util/nvmutil/nvmutil.c b/util/nvmutil/nvmutil.c
index 88dfdba2..2e718b23 100644
--- a/util/nvmutil/nvmutil.c
+++ b/util/nvmutil/nvmutil.c
@@ -1812,18 +1812,20 @@ rw_gbe_file_exact(int fd, u8 *mem, size_t nrw,
 {
 size_t mem_addr;
 size_t buf_addr;
- size_t buf_end;
 if (mem == NULL)
 goto err_rw_gbe_file_exact;
 mem_addr = (size_t)(void *)mem;
 buf_addr = (size_t)(void *)buf;
- buf_end = buf_addr + (size_t)GBE_FILE_SIZE;
- if (mem != (void *)pad &&
- (mem_addr < buf_addr || mem_addr >= buf_end))
- goto err_rw_gbe_file_exact;
+ if (mem != (void *)pad) {
+ if (mem_addr < buf_addr)
+ goto err_rw_gbe_file_exact;
+
+ if ((mem_addr - buf_addr) >= (size_t)GBE_FILE_SIZE)
+ goto err_rw_gbe_file_exact;
+ }
 if (off < 0 || off >= gbe_file_size)
 goto err_rw_gbe_file_exact; |
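Review bot: The rewritten check inside `if (mem != (void *)pad) {` bounds only the start address of `mem` within `buf`; nothing visible in this hunk ties `nrw` to the space remaining after that offset, so a start near the end of `buf` with a large `nrw` would still pass here. The function body continues outside the hunk and may already cover this, but if it does not, the subtraction form extends naturally without reintroducing overflow: `if (nrw > (size_t)GBE_FILE_SIZE - (mem_addr - buf_addr)) goto err_rw_gbe_file_exact;` placed after the second check. Separately, `uintptr_t` is the type intended for pointer-to-integer conversion, while `size_t` is only assumed to be wide enough, so `mem_addr` and `buf_addr` would be more portable as `uintptr_t`. A short comment such as `/* mem must point inside buf, or be the pad buffer */` above the block would document the invariant being enforced.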
