From e9661f0f3afb4e4dbffa509adfb3df3c9780ad34 Mon Sep 17 00:00:00 2001
From: Kovid Goyal
Date: Sun, 22 Mar 2026 21:49:12 +0530
Subject: [PATCH] Graphics protocol: Fix crash when handling invalid offset values in graphics compose commands
---
 docs/changelog.rst | 2 ++
 kitty/graphics.c | 7 ++++---
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/docs/changelog.rst b/docs/changelog.rst
index 68a47fba7..9aa2487e5 100644
--- a/docs/changelog.rst
+++ b/docs/changelog.rst
@@ -172,6 +172,8 @@ Detailed list of changes
 - Graphics protocol: Fix crash when handling invalid PNG image with direct transmission
+- Graphics protocol: Fix crash when handling invalid offset values in graphics compose commands
+
 - X11: Fix a regression in the previous release that caused an occasional crash on input device removal (:iss:`9723`)
 0.46.2 [2026-03-21]
diff --git a/kitty/graphics.c b/kitty/graphics.c
index 944c21dab..7365a0223 100644
--- a/kitty/graphics.c
+++ b/kitty/graphics.c
@@ -1827,9 +1827,10 @@ handle_compose_command(GraphicsManager *self, bool *is_dirty, const GraphicsComm
 set_command_failed_response("ENOENT", "No destination frame number %u exists in image id: %u\n", g->other_frame_number, img->client_id);
 return;
 }
- const unsigned int width = g->width ? g->width : img->width;
- const unsigned int height = g->height ? g->height : img->height;
- const unsigned int dest_x = g->x_offset, dest_y = g->y_offset, src_x = g->cell_x_offset, src_y = g->cell_y_offset;
+ // Use uint64_t to avoid overflow when testing for validity. All dimensions are 32bit numbers.
+ const uint64_t width = g->width ? g->width : img->width;
+ const uint64_t height = g->height ? g->height : img->height;
+ const uint64_t dest_x = g->x_offset, dest_y = g->y_offset, src_x = g->cell_x_offset, src_y = g->cell_y_offset;
 if (dest_x + width > img->width || dest_y + height > img->height) {
 set_command_failed_response("EINVAL", "The destination rectangle is out of bounds");
 return;
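Review bot: The widened bounds check in handle_compose_command is overflow-free only while every operand really is at most 32 bits wide, and that invariant is stated in a comment rather than enforced by the code. Either pin it next to the declarations, e.g. `_Static_assert(sizeof(g->width) <= sizeof(uint32_t), "compose bounds check assumes 32-bit dimensions");`, or write the test in a form that cannot wrap at any width: `if (width > img->width || dest_x > img->width - width || height > img->height || dest_y > img->height - height) {`. The function continues past the hunk, so the source-rectangle check on src_x/src_y and any later use that narrows these values back to `unsigned int` are not visible here; it is worth confirming that narrowing happens only after both rectangles have been validated. Because these fields arrive in graphics-protocol commands, which the terminal does not control, a regression test that sends out-of-range offsets and expects the `EINVAL` response would keep the crash from coming back.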