From feb4db34a25cdbee2ea4ea7896bdede7e82273ba Mon Sep 17 00:00:00 2001
From: Leah Rowe
Date: Sat, 14 Mar 2026 19:09:34 +0000
Subject: util/nvmutil: safer pointer comparison technically we're never supposed to do arithmetic on pointers (there's uintptr for that) very anal fix
Signed-off-by: Leah Rowe
---
 util/nvmutil/nvmutil.c | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/util/nvmutil/nvmutil.c b/util/nvmutil/nvmutil.c
index ba3fc29f..c8b8060b 100644
--- a/util/nvmutil/nvmutil.c
+++ b/util/nvmutil/nvmutil.c
@@ -218,6 +218,7 @@ also consider:
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -1800,13 +1801,21 @@ static ssize_t rw_gbe_file_exact(int fd, u8 *mem, size_t nrw, off_t off, int rw_type) {
+ size_t mem_addr;
+ size_t buf_addr;
+ size_t buf_end;
+
 if (mem == NULL)
 goto err_rw_gbe_file_exact;
- if (mem != (void *)pad
- && mem != (void *)rnum
- && (mem < buf || mem >= (buf + GBE_FILE_SIZE)))
- goto err_rw_gbe_file_exact;
+ mem_addr = (size_t)(void *)mem;
+ buf_addr = (size_t)(void *)buf;
+ buf_end = buf_addr + GBE_FILE_SIZE;
+
+ if (mem != (void *)pad &&
+ mem != (void *)rnum &&
+ (mem_addr < buf_addr || mem_addr >= buf_end))
+ goto err_rw_gbe_file_exact;
 if (off < 0 || off >= gbe_file_size)
 goto err_rw_gbe_file_exact;
--
cgit v1.2.1
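Review bot: The range test on `mem` in rw_gbe_file_exact still validates only the start address, so a pointer just below `buf_end` combined with a large `nrw` passes the guard and the transfer could run past the end of `buf`. The function body continues beyond this hunk, so `nrw` may be bounded further down; if it is not, extend the last clause to `(mem_addr < buf_addr || mem_addr >= buf_end || nrw > buf_end - mem_addr))`. Separately, the new locals are `size_t`, which C does not guarantee can represent a converted pointer; the type the commit message itself names is `uintptr_t` from `<stdint.h>`, e.g. `uintptr_t mem_addr = (uintptr_t)(void *)mem;`. The name of the header added in the first hunk is not visible on this page, so confirm that it provides that type.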