From: Yasuhiro Matsumoto Date: Wed, 10 Jun 2026 21:00:09 +0000 (+0000) Subject: patch 9.2.0619: integer overflow in popup image size validation X-Git-Tag: v9.2.0619^0 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5e7788346c47ed162950b620ccdf3e7cf75d49e5;p=thirdparty%2Fvim.git patch 9.2.0619: integer overflow in popup image size validation Problem: integer overflow in popup image size validation (after v9.2.0612) Solution: Compute the expected size using a 64-bit varnumber_T (Yasuhiro Matsumoto). The image size validation computed iw * ih * 4 in a 32-bit long, which overflows on MS-Windows (LLP64) and can wrap to a value that matches a short blob, so the validation passes and the pixels are later read out of bounds. Compute the expected size in a 64-bit varnumber_T. closes: #20463 Signed-off-by: Yasuhiro Matsumoto Signed-off-by: Christian Brabandt --- diff --git a/src/popupwin.c b/src/popupwin.c index 351c865568..fdb1d394cd 100644 --- a/src/popupwin.c +++ b/src/popupwin.c @@ -981,9 +981,11 @@ apply_general_options(win_T *wp, dict_T *dict) { blob_T *b = id->di_tv.vval.v_blob; long blen = blob_len(b); - int has_alpha = (blen == (long)iw * ih * 4); + // 64-bit to avoid iw * ih * 4 overflow on a 32-bit long + varnumber_T npixels = (varnumber_T)iw * ih; + int has_alpha = (blen == npixels * 4); - if (has_alpha || blen == (long)iw * ih * 3) + if (has_alpha || blen == npixels * 3) { // Detect "same-size image swap": replacing the pixel buffer // without changing the popup's pixel dimensions or pixel diff --git a/src/version.c b/src/version.c index 8d6afb613b..9159626e38 100644 --- a/src/version.c +++ b/src/version.c @@ -754,6 +754,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ +/**/ + 619, /**/ 618, /**/
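Review bot: In the src/popupwin.c hunk, `npixels * 4` and `npixels * 3` can still overflow the signed 64-bit varnumber_T if iw and ih are full-range 32-bit ints with no upper bound enforced before this point (their declarations and any earlier range checks are outside the visible context). The product of two values near 2^31 is about 2^62, and multiplying that by 4 exceeds 2^63 - 1, which is undefined behaviour for a signed type. Consider comparing in the other direction, for example `blen % 4 == 0 && blen / 4 == npixels` and the same with 3, or rejecting non-positive and oversized iw/ih before the multiplication, which also keeps a zero or negative npixels from matching an empty blob. The diff touches only popupwin.c and version.c, so a regression test with dimensions whose 32-bit product wraps would be worth adding with this fix.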