regmap: fix range checks

On the 32bit ARM sandbox 'dm ut dm_test_devm_regmap' fails with an abort.
This is due to incorrect range checks.

On 32-bit systems the size of size_t and int is both 32 bit. The expression
(offset + val_len) is bound to overflow if offset == -1. Add an overflow
check.

Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Simon Glass <sjg@chromium.org>

diff --git a/drivers/core/regmap.c b/drivers/core/regmap.c
index 5f98f85..5ccbf9a 100644 (file)
--- a/drivers/core/regmap.c
+++ b/drivers/core/regmap.c
@@ -399,7 +399,7 @@ int regmap_raw_read_range(struct regmap *map, uint range_num, uint offset,
        range = &map->ranges[range_num];
 
        offset <<= map->reg_offset_shift;
-       if (offset + val_len > range->size) {
+       if (offset + val_len > range->size || offset + val_len < offset) {
                debug("%s: offset/size combination invalid\n", __func__);
                return -ERANGE;
        }
@@ -538,7 +538,7 @@ int regmap_raw_write_range(struct regmap *map, uint range_num, uint offset,
        range = &map->ranges[range_num];
 
        offset <<= map->reg_offset_shift;
-       if (offset + val_len > range->size) {
+       if (offset + val_len > range->size || offset + val_len < offset) {
                debug("%s: offset/size combination invalid\n", __func__);
                return -ERANGE;
        }