From: Yasuhiro Matsumoto Date: Fri, 15 May 2026 16:44:46 +0000 (+0000) Subject: patch 9.2.0487: viminfo: possible signed int overflow in register array X-Git-Tag: v9.2.0487^0 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ee49669e8f3b5ecdcfd2fdd08aeaac0e3de26ea8;p=thirdparty%2Fvim.git patch 9.2.0487: viminfo: possible signed int overflow in register array Problem: viminfo: possible signed int overflow in register array growth Solution: Cast to size_t (Yasuhiro Matsumoto) The expression `limit * 2 * sizeof(string_T)` in read_viminfo_register() multiplies in int and overflows once limit exceeds INT_MAX/2. Cast to size_t first so the size computation stays unsigned. Defensive only; reaching this path requires registers consuming many gigabytes. closes: #20207 Signed-off-by: Yasuhiro Matsumoto Signed-off-by: Christian Brabandt --- diff --git a/src/version.c b/src/version.c index 046cc83425..0714ec1ac0 100644 --- a/src/version.c +++ b/src/version.c @@ -729,6 +729,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ +/**/ + 487, /**/ 486, /**/ diff --git a/src/viminfo.c b/src/viminfo.c index d05900544a..bb84726c8f 100644 --- a/src/viminfo.c +++ b/src/viminfo.c @@ -1706,7 +1706,7 @@ read_viminfo_register(vir_T *virp, int force) if (size == limit) { string_T *new_array = (string_T *) - alloc(limit * 2 * sizeof(string_T)); + alloc((size_t)limit * 2 * sizeof(string_T)); if (new_array == NULL) {
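Review bot: In the read_viminfo_register() hunk, the `(size_t)limit` cast on the alloc() argument removes the signed int overflow but still puts no upper bound on the product. Where size_t is 32 bits, `(size_t)limit * 2 * sizeof(string_T)` can wrap silently, and alloc() then receives a request smaller than the array the caller expects to hold `limit * 2` entries. Consider rejecting the growth explicitly before allocating, for example by taking the error path when `limit > INT_MAX / 2` or when `(size_t)limit > SIZE_MAX / (2 * sizeof(string_T))`, so that the outcome does not depend on alloc() failing for a huge request. The hunk does not show where `limit` itself is doubled; if that happens in int after this allocation, it needs the same guard, since the commit message places the overflow at limit exceeding INT_MAX/2.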