Commit: patch 9.2.0619: integer overflow in popup image size validation


Christian Brabandt

Jun 10, 2026, 5:15:13 PM
to vim...@googlegroups.com
patch 9.2.0619: integer overflow in popup image size validation

Commit: https://github.com/vim/vim/commit/5e7788346c47ed162950b620ccdf3e7cf75d49e5
Author: Yasuhiro Matsumoto <matt...@gmail.com>
Date: Wed Jun 10 21:00:09 2026 +0000

patch 9.2.0619: integer overflow in popup image size validation

Problem: integer overflow in popup image size validation
(after v9.2.0612)
Solution: Compute the expected size using a 64-bit varnumber_T
(Yasuhiro Matsumoto).

The image size validation computed iw * ih * 4 in a 32-bit long, which
overflows on MS-Windows (LLP64) and can wrap to a value that matches a
short blob, so the validation passes and the pixels are later read out
of bounds. Compute the expected size in a 64-bit varnumber_T.

closes: #20463

Signed-off-by: Yasuhiro Matsumoto <matt...@gmail.com>
Signed-off-by: Christian Brabandt <c...@256bit.org>

diff --git a/src/popupwin.c b/src/popupwin.c
index 351c86556..fdb1d394c 100644
--- a/src/popupwin.c
+++ b/src/popupwin.c
@@ -981,9 +981,11 @@ apply_general_options(win_T *wp, dict_T *dict)
{
blob_T *b = id->di_tv.vval.v_blob;
long blen = blob_len(b);
- int has_alpha = (blen == (long)iw * ih * 4);
+ // 64-bit to avoid iw * ih * 4 overflow on a 32-bit long
+ varnumber_T npixels = (varnumber_T)iw * ih;
+ int has_alpha = (blen == npixels * 4);

- if (has_alpha || blen == (long)iw * ih * 3)
+ if (has_alpha || blen == npixels * 3)
{
// Detect "same-size image swap": replacing the pixel buffer
// without changing the popup's pixel dimensions or pixel
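Review bot: the range of `iw` and `ih` is not visible at the `npixels` line, and the new comparison still depends on it. The cast in `(varnumber_T)iw * ih` removes the 32-bit wrap, but if either dimension can be zero or negative at this point the product is zero or negative, and if both can be very large (around 2^31) then `npixels * 4` can exceed 64 bits as well. Suggest confirming that an earlier check bounds both values, or adding `iw > 0 && ih > 0` and an upper limit next to this comparison. The patch as shown touches only src/popupwin.c and src/version.c, so a regression test using dimensions whose byte count does not fit in 32 bits would be worth adding.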
diff --git a/src/version.c b/src/version.c
index 8d6afb613..9159626e3 100644
--- a/src/version.c
+++ b/src/version.c
@@ -754,6 +754,8 @@ static char *(features[]) =

static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 619,
/**/
618,
/**/
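The wrap described in the commit message, as an added example that is not code from Vim or from the patch: it models the size check with a 32-bit `long`, with the widened 64-bit product, and with a stricter division-based form. The function names are hypothetical, the 32-bit `long` is emulated with `uint32_t` so the wrap is well defined, and the dimensions are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the pre-patch check on an LLP64 target (32-bit long).
 * uint32_t arithmetic reproduces the wrap without undefined behaviour. */
static int size_ok_long32(int iw, int ih, int32_t blen, int channels)
{
    uint32_t expected = (uint32_t)iw * (uint32_t)ih * (uint32_t)channels;
    return (uint32_t)blen == expected;
}

/* Model of the patched check: widen to 64 bits before multiplying. */
static int size_ok_wide(int iw, int ih, int32_t blen, int channels)
{
    int64_t npixels = (int64_t)iw * ih;
    return (int64_t)blen == npixels * channels;
}

/* Hypothetical stricter variant (an assumption, not in the patch): reject
 * non-positive values and divide instead of multiplying, so no intermediate
 * value is ever larger than blen. */
static int size_ok_checked(int iw, int ih, int32_t blen, int channels)
{
    if (iw <= 0 || ih <= 0 || channels <= 0 || blen <= 0)
        return 0;
    if (blen % channels != 0)
        return 0;
    int32_t npixels = blen / channels;
    if (npixels % iw != 0)
        return 0;
    return npixels / iw == ih;
}

int main(void)
{
    /* Constructed case: 65536 * 16385 * 4 = 2^32 + 262144, which a 32-bit
     * product reduces to 262144, the length of a much shorter buffer. */
    int iw = 65536, ih = 16385;
    int32_t blen = 262144;

    printf("32-bit long : %d\n", size_ok_long32(iw, ih, blen, 4));
    printf("64-bit      : %d\n", size_ok_wide(iw, ih, blen, 4));
    printf("division    : %d\n", size_ok_checked(iw, ih, blen, 4));
    return 0;
}
```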