regmap: fix range checks

On the 32bit ARM sandbox 'dm ut dm_test_devm_regmap' fails with an abort.
This is due to incorrect range checks.

On 32-bit systems the size of size_t and int is both 32 bit. The expression
(offset + val_len) is bound to overflow if offset == -1. Add an overflow
check.

Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Simon Glass <sjg@chromium.org>

1 files changed, 2 insertions, 2 deletions

diff --git a/drivers/core/regmap.c b/drivers/core/regmap.c
index 5f98f85cfc..5ccbf9abb8 100644
--- a/drivers/core/regmap.c
+++ b/drivers/core/regmap.c
@@ -399,7 +399,7 @@ int regmap_raw_read_range(struct regmap *map, uint range_num, uint offset,
 	range = &map->ranges[range_num];
 
 	offset <<= map->reg_offset_shift;
-	if (offset + val_len > range->size) {
+	if (offset + val_len > range->size || offset + val_len < offset) {
 		debug("%s: offset/size combination invalid\n", __func__);
 		return -ERANGE;
 	}
@@ -538,7 +538,7 @@ int regmap_raw_write_range(struct regmap *map, uint range_num, uint offset,
 	range = &map->ranges[range_num];
 
 	offset <<= map->reg_offset_shift;
-	if (offset + val_len > range->size) {
+	if (offset + val_len > range->size || offset + val_len < offset) {
 		debug("%s: offset/size combination invalid\n", __func__);
 		return -ERANGE;
 	}