diff --git a/sys/dev/cfi/cfi_dev.c b/sys/dev/cfi/cfi_dev.c
index 1c812a49cb3..24408cf3358 100644
--- a/sys/dev/cfi/cfi_dev.c
+++ b/sys/dev/cfi/cfi_dev.c
@@ -280,7 +280,8 @@ cfi_devioctl(struct cdev *dev, u_long cmd, caddr_t data, int fflag,
 		rq = (struct cfiocqry *)data;
 		if (rq->offset >= sc->sc_size / sc->sc_width)
 			return (ESPIPE);
-		if (rq->offset + rq->count > sc->sc_size / sc->sc_width)
+		if (rq->offset > ULONG_MAX - rq->count ||
+		    rq->offset + rq->count > sc->sc_size / sc->sc_width)
 			return (ENOSPC);
 
 		while (!error && rq->count--) {