From d5cec1f1f055316c353cfa15ad8d5eb0952d50a0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=3D=3FUTF-8=3Fq=3FDundar=3D20G=3DC3=3DB6c=3F=3D?= Date: Sat, 29 Jan 2022 15:19:23 +0000 Subject: patch 8.2.4255: theoretical computation overflow Problem: Theoretical computation overflow. Solution: Perform multiplication in a wider type. (closes #9657) --- src/alloc.c | 4 ++-- src/drawline.c | 2 +- src/eval.c | 2 +- src/evalfunc.c | 2 +- src/ex_docmd.c | 2 +- src/hardcopy.c | 12 ++++++------ src/list.c | 2 +- src/memfile.c | 14 ++++++++------ src/memline.c | 2 +- src/popupwin.c | 7 ++++--- src/version.c | 2 ++ 11 files changed, 28 insertions(+), 23 deletions(-) (limited to 'src') diff --git a/src/alloc.c b/src/alloc.c index 47a099fbf1..19f8fcd674 100644 --- a/src/alloc.c +++ b/src/alloc.c @@ -737,11 +737,11 @@ ga_grow_inner(garray_T *gap, int n) if (n < gap->ga_len / 2) n = gap->ga_len / 2; - new_len = gap->ga_itemsize * (gap->ga_len + n); + new_len = (size_t)gap->ga_itemsize * (gap->ga_len + n); pp = vim_realloc(gap->ga_data, new_len); if (pp == NULL) return FAIL; - old_len = gap->ga_itemsize * gap->ga_maxlen; + old_len = (size_t)gap->ga_itemsize * gap->ga_maxlen; vim_memset(pp + old_len, 0, new_len - old_len); gap->ga_maxlen = gap->ga_len + n; gap->ga_data = pp; diff --git a/src/drawline.c b/src/drawline.c index 35658a4e88..441a81732b 100644 --- a/src/drawline.c +++ b/src/drawline.c @@ -2800,7 +2800,7 @@ win_line( if (((wp->w_p_cuc && (int)wp->w_virtcol >= VCOL_HLC - eol_hl_off && (int)wp->w_virtcol < - wp->w_width * (row - startrow + 1) + v + (long)wp->w_width * (row - startrow + 1) + v && lnum != wp->w_cursor.lnum) || draw_color_col || win_attr != 0) diff --git a/src/eval.c b/src/eval.c index e269932e27..86f103b94a 100644 --- a/src/eval.c +++ b/src/eval.c 
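Review bot: The cast in `new_len = (size_t)gap->ga_itemsize * (gap->ga_len + n);` widens only the multiplication; the parenthesised `gap->ga_len + n` is still evaluated in `int` (n is declared `int` in the signature, and ga_len is presumably `int` too), so the overflow this patch targets moves from the product to the sum, and the same `int` sum is stored two lines below in `gap->ga_maxlen = gap->ga_len + n;`. Since ga_maxlen cannot hold more than INT_MAX anyway, the effective fix is a bound before the arithmetic, `if (n > INT_MAX - gap->ga_len) return FAIL;`, after which the cast is belt-and-braces. The garbage_collect hunk in eval.c applies the same cast to the same expression on exestack, and its guard `if (exestack.ga_len + n < exestack.ga_maxlen)` already performs that `int` addition, so the bound belongs there as well. ga_grow_inner's body appears to continue beyond the hunk.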
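Review bot: The widening in `(long)wp->w_width * (row - startrow + 1) + v` only helps where `long` is wider than `int`, which is not the case on LLP64 targets such as 64-bit Windows, so there the cast changes nothing about the arithmetic. The same applies to `(long)ffdos * buf->b_ml.ml_chunksize[curix].mlcs_numlines` in the memline.c hunk and, if linenr_T is `long`, to `(linenr_T)height * height` in the update_popups hunk of popupwin.c. For screen and popup geometry the products stay far below 2^31 in practice, so this is about the patch's stated intent rather than a live bug; a portable widening would use `long long` (or `size_t` where the result is a byte count). win_line begins and ends outside the hunk.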
@@ -4632,7 +4632,7 @@ garbage_collect(int testing) // Don't make it bigger though. if (exestack.ga_len + n < exestack.ga_maxlen) { - new_len = exestack.ga_itemsize * (exestack.ga_len + n); + new_len = (size_t)exestack.ga_itemsize * (exestack.ga_len + n); pp = vim_realloc(exestack.ga_data, new_len); if (pp == NULL) return FAIL; diff --git a/src/evalfunc.c b/src/evalfunc.c index 879fe2239f..cb5fcfe025 100644 --- a/src/evalfunc.c +++ b/src/evalfunc.c @@ -7327,7 +7327,7 @@ max_min(typval_T *argvars, typval_T *rettv, int domax) if ((l->lv_u.nonmat.lv_stride > 0) ^ domax) n = l->lv_u.nonmat.lv_start; else - n = l->lv_u.nonmat.lv_start + (l->lv_len - 1) + n = l->lv_u.nonmat.lv_start + ((varnumber_T)l->lv_len - 1) * l->lv_u.nonmat.lv_stride; } else diff --git a/src/ex_docmd.c b/src/ex_docmd.c index aa91539270..c55b34ddb6 100644 --- a/src/ex_docmd.c +++ b/src/ex_docmd.c @@ -4738,7 +4738,7 @@ replace_makeprg(exarg_T *eap, char_u *p, char_u **cmdlinep) while ((pos = (char_u *)strstr((char *)pos + 2, "$*")) != NULL) ++i; len = (int)STRLEN(p); - new_cmdline = alloc(STRLEN(program) + i * (len - 2) + 1); + new_cmdline = alloc(STRLEN(program) + (size_t)i * (len - 2) + 1); if (new_cmdline == NULL) return NULL; // out of memory ptr = new_cmdline; diff --git a/src/hardcopy.c b/src/hardcopy.c index c99dc5fa35..a41f330317 100644 --- a/src/hardcopy.c +++ b/src/hardcopy.c @@ -2769,9 +2769,9 @@ mch_print_begin(prt_settings_T *psettings) // derive the bbox from that point. We have the expected cpl chars // across the media and lpp lines down the media. bbox[1] = (int)(top - (psettings->lines_per_page + prt_header_height()) - * prt_line_height); - bbox[2] = (int)(left + psettings->chars_per_line * prt_char_width - + 0.5); + * (double)prt_line_height); + bbox[2] = (int)(left + psettings->chars_per_line + * (double)prt_char_width + 0.5); bbox[3] = (int)(top + 0.5); } else 
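Review bot: The range-list end value `l->lv_u.nonmat.lv_start + ((varnumber_T)l->lv_len - 1) * l->lv_u.nonmat.lv_stride` is now written out, cast included, both here in max_min and in the list_reverse hunk of list.c, so any later change to one expression (or to the type of lv_len) has to be mirrored by hand. A small helper in list.c, exported through its proto file, would keep the widening in one place, after which this assignment becomes `n = range_list_last(l);` and list_reverse's becomes `varnumber_T new_start = range_list_last(l);`. The product is still evaluated in varnumber_T, so a very large stride times length can still overflow; that is unchanged by the patch and probably acceptable for a value type. max_min continues outside the hunk.
```c
/*
 * Return the last value of a non-materialized range list.
 */
    varnumber_T
range_list_last(list_T *l)
{
    return l->lv_u.nonmat.lv_start
		  + ((varnumber_T)l->lv_len - 1) * l->lv_u.nonmat.lv_stride;
}
```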
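Review bot: `alloc(STRLEN(program) + (size_t)i * (len - 2) + 1)` relies on unsigned wraparound whenever p is shorter than two characters: `len` is the `int` from `(int)STRLEN(p)`, so `len - 2` is negative for an empty or one-character argument, converts to a value near SIZE_MAX, and the sum only lands on the right total because `size_t` arithmetic is modular. That is defined behaviour, but it reads exactly like the overflow the patch set out to remove, and it is the kind of expression unsigned-overflow checkers report. Reordering it as `new_cmdline = alloc(STRLEN(program) - 2 * (size_t)i + (size_t)i * len + 1);` keeps every intermediate non-negative, since each `$*` that i counts is two bytes of program (as the size formula implies). replace_makeprg continues outside the hunk.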
@@ -2782,8 +2782,8 @@ mch_print_begin(prt_settings_T *psettings) bbox[1] = (int)bottom; bbox[2] = (int)(left + ((psettings->lines_per_page + prt_header_height()) * prt_line_height) + 0.5); - bbox[3] = (int)(bottom + psettings->chars_per_line * prt_char_width - + 0.5); + bbox[3] = (int)(bottom + psettings->chars_per_line + * (double)prt_char_width + 0.5); } prt_dsc_ints("BoundingBox", 4, bbox); // The media width and height does not change with landscape printing! @@ -2797,7 +2797,7 @@ mch_print_begin(prt_settings_T *psettings) if (prt_out_mbyte) { prt_dsc_font_resource((prt_use_courier ? NULL - : "DocumentNeededResources"), &prt_ps_mb_font); + : "DocumentNeededResources"), &prt_ps_mb_font); if (!prt_custom_cmap) prt_dsc_resources(NULL, "cmap", prt_cmap); } diff --git a/src/list.c b/src/list.c index f4fddbdf71..ff7d5ab9ba 100644 --- a/src/list.c +++ b/src/list.c @@ -2902,7 +2902,7 @@ list_reverse(list_T *l, typval_T *rettv) if (l->lv_first == &range_list_item) { varnumber_T new_start = l->lv_u.nonmat.lv_start - + (l->lv_len - 1) * l->lv_u.nonmat.lv_stride; + + ((varnumber_T)l->lv_len - 1) * l->lv_u.nonmat.lv_stride; l->lv_u.nonmat.lv_end = new_start - (l->lv_u.nonmat.lv_end - l->lv_u.nonmat.lv_start); l->lv_u.nonmat.lv_start = new_start; diff --git a/src/memfile.c b/src/memfile.c index b5ab2d9b12..de3dd6ed45 100644 --- a/src/memfile.c +++ b/src/memfile.c @@ -249,7 +249,7 @@ mf_close(memfile_T *mfp, int del_file) // free entries in used list for (hp = mfp->mf_used_first; hp != NULL; hp = nextp) { - total_mem_used -= hp->bh_page_count * mfp->mf_page_size; + total_mem_used -= (long_u)hp->bh_page_count * mfp->mf_page_size; nextp = hp->bh_next; mf_free_bhdr(hp); } 
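Review bot: The landscape branch here still computes `((psettings->lines_per_page + prt_header_height()) * prt_line_height)` for bbox[2] without the `(double)` cast that the previous hunk added to the mirror-image bbox[1] computation in the portrait branch, so the two branches now disagree about whether that product is done in integer or floating-point arithmetic. Either the cast is needed and the line should read `* (double)prt_line_height) + 0.5);` as well, or prt_line_height is already a double (it is added to `left` and `+ 0.5`, so it may well be), in which case the four new casts in this file are no-ops and could be dropped. The third hunk of this file changes whitespace only. mch_print_begin continues outside the hunk.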
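Review bot: `total_mem_used -= (long_u)hp->bh_page_count * mfp->mf_page_size;` is the first of six places in this patch that spell the block size as a cast product (mf_new, mf_ins_used, mf_rem_used, mf_release and mf_alloc_bhdr follow), using `long_u` for the accounting and `size_t` for the allocation size, and in mf_release and mf_alloc_bhdr the extra width pushes `== NULL` onto a continuation line inside the `if`. A single helper, `static size_t mf_block_size(memfile_T *mfp, int page_count) { return (size_t)mfp->mf_page_size * page_count; }`, or a local `size_t bytes = (size_t)mfp->mf_page_size * page_count;` ahead of each `alloc()`, keeps the widening in one place and lets `if ((hp->bh_data = alloc(bytes)) == NULL)` stay on one line. The cast also only covers the product: bh_page_count appears to be a signed `int`, so a negative count (presumably impossible, but not checked here) would now become a huge unsigned size rather than a negative one.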
@@ -359,7 +359,7 @@ mf_new(memfile_T *mfp, int negative, int page_count) } else if (hp == NULL) // need to allocate memory for this block { - if ((p = alloc(mfp->mf_page_size * page_count)) == NULL) + if ((p = alloc((size_t)mfp->mf_page_size * page_count)) == NULL) return NULL; hp = mf_rem_free(mfp); hp->bh_data = p; @@ -718,7 +718,7 @@ mf_ins_used(memfile_T *mfp, bhdr_T *hp) else hp->bh_next->bh_prev = hp; mfp->mf_used_count += hp->bh_page_count; - total_mem_used += hp->bh_page_count * mfp->mf_page_size; + total_mem_used += (long_u)hp->bh_page_count * mfp->mf_page_size; } /* @@ -736,7 +736,7 @@ mf_rem_used(memfile_T *mfp, bhdr_T *hp) else hp->bh_prev->bh_next = hp->bh_next; mfp->mf_used_count -= hp->bh_page_count; - total_mem_used -= hp->bh_page_count * mfp->mf_page_size; + total_mem_used -= (long_u)hp->bh_page_count * mfp->mf_page_size; } /* @@ -814,7 +814,8 @@ mf_release(memfile_T *mfp, int page_count) if (hp->bh_page_count != page_count) { vim_free(hp->bh_data); - if ((hp->bh_data = alloc(mfp->mf_page_size * page_count)) == NULL) + if ((hp->bh_data = alloc((size_t)mfp->mf_page_size * page_count)) + == NULL) { vim_free(hp); return NULL; @@ -881,7 +882,8 @@ mf_alloc_bhdr(memfile_T *mfp, int page_count) if ((hp = ALLOC_ONE(bhdr_T)) != NULL) { - if ((hp->bh_data = alloc(mfp->mf_page_size * page_count)) == NULL) + if ((hp->bh_data = alloc((size_t)mfp->mf_page_size * page_count)) + == NULL) { vim_free(hp); // not enough memory return NULL; diff --git a/src/memline.c b/src/memline.c index 06fd97c7fe..c18109aefe 100644 --- a/src/memline.c +++ b/src/memline.c 
@@ -5778,7 +5778,7 @@ ml_find_line_or_offset(buf_T *buf, linenr_T lnum, long *offp) && lnum >= curline + buf->b_ml.ml_chunksize[curix].mlcs_numlines) || (offset != 0 && offset > size + buf->b_ml.ml_chunksize[curix].mlcs_totalsize - + ffdos * buf->b_ml.ml_chunksize[curix].mlcs_numlines))) + + (long)ffdos * buf->b_ml.ml_chunksize[curix].mlcs_numlines))) { curline += buf->b_ml.ml_chunksize[curix].mlcs_numlines; size += buf->b_ml.ml_chunksize[curix].mlcs_totalsize; diff --git a/src/popupwin.c b/src/popupwin.c index ec7623d0f7..9dee7579e5 100644 --- a/src/popupwin.c +++ b/src/popupwin.c @@ -3427,7 +3427,7 @@ popup_update_mask(win_T *wp, int width, int height) return; // cache is still valid vim_free(wp->w_popup_mask_cells); - wp->w_popup_mask_cells = alloc_clear(width * height); + wp->w_popup_mask_cells = alloc_clear((size_t)width * height); if (wp->w_popup_mask_cells == NULL) return; cells = wp->w_popup_mask_cells; @@ -3639,7 +3639,7 @@ may_update_popup_mask(int type) mask = popup_mask; else mask = popup_mask_next; - vim_memset(mask, 0, screen_Rows * screen_Columns * sizeof(short)); + vim_memset(mask, 0, (size_t)screen_Rows * screen_Columns * sizeof(short)); // Find the window with the lowest zindex that hasn't been handled yet, // so that the window with a higher zindex overwrites the value in @@ -4008,7 +4008,8 @@ update_popups(void (*win_update)(win_T *wp)) linenr_T linecount = wp->w_buffer->b_ml.ml_line_count; int height = wp->w_height; - sb_thumb_height = (height * height + linecount / 2) / linecount; + sb_thumb_height = ((linenr_T)height * height + linecount / 2) + / linecount; if (wp->w_topline > 1 && sb_thumb_height == height) --sb_thumb_height; // scrolled, no full thumb if (sb_thumb_height == 0) diff --git a/src/version.c b/src/version.c index 25f858bcb7..3e4072d37b 100644 --- a/src/version.c +++ b/src/version.c 
@@ -750,6 +750,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ +/**/ + 4255, /**/ 4254, /**/ -- cgit v1.2.3