From b8b628d8366fa32425f070b667dbd2f6fcbc1317 Mon Sep 17 00:00:00 2001
From: kettenis <kettenis@openbsd.org>
Date: Mon, 12 Dec 2022 18:45:01 +0000
Subject: [PATCH] Improve range check to protect against overflow.

ok patrick@
---
 sys/arch/arm64/dev/aplpmu.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/sys/arch/arm64/dev/aplpmu.c b/sys/arch/arm64/dev/aplpmu.c
index b57d7997b3a..b77c3cdd4b6 100644
--- a/sys/arch/arm64/dev/aplpmu.c
+++ b/sys/arch/arm64/dev/aplpmu.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: aplpmu.c,v 1.6 2022/10/12 13:39:50 kettenis Exp $	*/
+/*	$OpenBSD: aplpmu.c,v 1.7 2022/12/12 18:45:01 kettenis Exp $	*/
 /*
  * Copyright (c) 2021 Mark Kettenis <kettenis@openbsd.org>
  *
@@ -212,7 +212,7 @@ aplpmu_nvmem_read(void *cookie, bus_addr_t addr, void *data, bus_size_t size)
 	struct aplpmu_nvmem *an = cookie;
 	struct aplpmu_softc *sc = an->an_sc;
 
-	if (addr >= an->an_size || addr + size > an->an_size)
+	if (addr >= an->an_size || size > an->an_size - addr)
 		return EINVAL;
 
 	return spmi_cmd_read(sc->sc_tag, sc->sc_sid, SPMI_CMD_EXT_READL,
@@ -226,7 +226,7 @@ aplpmu_nvmem_write(void *cookie, bus_addr_t addr, const void *data,
 	struct aplpmu_nvmem *an = cookie;
 	struct aplpmu_softc *sc = an->an_sc;
 
-	if (addr >= an->an_size || addr + size > an->an_size)
+	if (addr >= an->an_size || size > an->an_size - addr)
 		return EINVAL;
 
 	return spmi_cmd_write(sc->sc_tag, sc->sc_sid, SPMI_CMD_EXT_WRITEL,
-- 
2.20.1