From: Christian Brabandt
Date: Fri, 3 Apr 2026 09:36:56 +0000 (+0000)
Subject: patch 9.2.0288: libvterm: signed integer overflow parsing long CSI args
X-Git-Tag: v9.2.0288^0
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=71a0a552cf08398cb46455687fd3011c33c4e6eb;p=thirdparty%2Fvim.git
patch 9.2.0288: libvterm: signed integer overflow parsing long CSI args
Problem: Accumulating CSI argument digits without an upper bound causes signed integer overflow when the argument exceeds LONG_MAX.
Solution: Clamp CSI argument accumulation to CSI_ARG_MISSING to prevent signed integer overflow (Yasuhiro Matsumoto).
closes: #19894
Co-authored-by: Yasuhiro Matsumoto
Signed-off-by: Christian Brabandt
---
diff --git a/src/libvterm/src/parser.c b/src/libvterm/src/parser.c
index b060e2b8ad..e167e0cb1a 100644
--- a/src/libvterm/src/parser.c
+++ b/src/libvterm/src/parser.c
@@ -232,8 +232,10 @@ size_t vterm_input_write(VTerm *vt, const char *bytes, size_t len)
 if(c >= '0' && c <= '9') {
 if(vt->parser.v.csi.args[vt->parser.v.csi.argi] == CSI_ARG_MISSING)
 vt->parser.v.csi.args[vt->parser.v.csi.argi] = 0;
- vt->parser.v.csi.args[vt->parser.v.csi.argi] *= 10;
- vt->parser.v.csi.args[vt->parser.v.csi.argi] += c - '0';
+ if(vt->parser.v.csi.args[vt->parser.v.csi.argi] < (CSI_ARG_MISSING - 9) / 10) {
+ vt->parser.v.csi.args[vt->parser.v.csi.argi] *= 10;
+ vt->parser.v.csi.args[vt->parser.v.csi.argi] += c - '0';
+ }
 break;
 }
 if(c == ':') {
diff --git a/src/version.c b/src/version.c
index a3f4f24a9a..e81115c310 100644
--- a/src/version.c
+++ b/src/version.c
@@ -734,6 +734,8 @@ static char *(features[]) =
 static int included_patches[] = { /* Add new patch number below this line */
+/**/
+ 288,
 /**/
 287,
 /**/
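Review bot: The guard added in the digit branch of the parser.c hunk does not clamp as the commit message describes: once the accumulated argument reaches `(CSI_ARG_MISSING - 9) / 10`, later digits are silently dropped, so an over-long argument in the terminal input keeps the value of its leading digits instead of saturating. That does prevent the overflow and also keeps the result strictly below the `CSI_ARG_MISSING` sentinel, but neither property is obvious from the code, so I would add a comment above the new `if`, e.g. `/* Stop accumulating once another *10+9 could overflow or reach CSI_ARG_MISSING; extra digits are ignored. */`. If saturation is what is intended, an `else` branch storing `CSI_ARG_MISSING - 1` would make the result independent of how many digits were sent; either way the handlers that consume the argument as a count or coordinate presumably still need their own range checks. `vterm_input_write` starts and ends outside the hunk, and no regression test feeding a long CSI argument is visible in this patch.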