From dc2e98f576bbd52187576c66eb585d6e14e85b97 Mon Sep 17 00:00:00 2001
From: "Dustin L. Howett"
Date: Tue, 5 May 2026 14:19:25 -0500
Subject: [PATCH] Don't allow overflowing lengths in WM_COPYDATA (#20185)

It is possible to craft a packet whose `len` is `0x80000001`. We should not produce values that do not fit in size_t (on e.g. x86). Reject them summarily.

(cherry picked from commit 8edac5fb12f9e7c21a88cf3d1617817ad0fdecc6)
Service-Card-Id: PVTI_lADOAF3p4s4BQX0-zgr4enI
Service-Version: 1.25
---
 src/cascadia/WindowsTerminal/WindowEmperor.cpp | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/src/cascadia/WindowsTerminal/WindowEmperor.cpp b/src/cascadia/WindowsTerminal/WindowEmperor.cpp
index 07e96fcc2e..21dcc6d37e 100644
--- a/src/cascadia/WindowsTerminal/WindowEmperor.cpp
+++ b/src/cascadia/WindowsTerminal/WindowEmperor.cpp
@@ -97,9 +97,8 @@ static const uint8_t* deserializeString(const uint8_t* it, const uint8_t* end, w
 uint32_t len;
 it = deserializeUint32(it, end, len);
 
- const auto bytes = static_cast(len) * sizeof(wchar_t);
-
- if (bytes == 0 || static_cast(end - it) < bytes)
+ size_t bytes{};
+ if (!SUCCEEDED(SizeTMult(static_cast(len), sizeof(wchar_t), &bytes)) || bytes == 0 || static_cast(end - it) < bytes)
 {
 throw std::out_of_range("Not enough data for string content");
 }
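Review bot: The new condition still multiplies before it compares, so the bound depends on `SizeTMult` catching the wrap; comparing the element count against the remaining room avoids the overflow by construction, e.g. `if (len == 0 || len > static_cast<size_t>(end - it) / sizeof(wchar_t))` followed by `const auto bytes = static_cast<size_t>(len) * sizeof(wchar_t);`. The `static_cast<size_t>(end - it)` term is only sound if `deserializeUint32` never returns an `it` past `end`, which is not visible in this hunk, so a one-line comment stating that invariant would help. If the intsafe form is kept, `FAILED(...)` reads more directly than `!SUCCEEDED(...)`. A regression test feeding the `len` of `0x80000001` named in the commit message would pin the rejection on 32-bit builds. deserializeString's body starts and ends outside the hunk.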