From e4df0aadc56a4f5cdbcaf3904b28b6d5426bfd92 Mon Sep 17 00:00:00 2001
From: Guanqiang Han <hanguanqiang@kylinos.cn>
Date: Tue, 7 Jul 2026 22:58:43 +0800
Subject: [PATCH] pr: guard input position update against overflow

When expanding tabs, char_to_clump() updates input_position
with input_position + width. With a very large tab width and
enough tab characters, this can overflow signed int.

Use ckd_add() and report integer overflow instead of relying on
undefined signed overflow behavior.

Signed-off-by: Guanqiang Han <hanguanqiang@kylinos.cn>
---
 src/pr.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/pr.c b/src/pr.c
index 09a1b94..31807b3 100644
--- a/src/pr.c
+++ b/src/pr.c
@@ -2732,7 +2732,12 @@ char_to_clump (char c)
   else if (width < 0 && input_position <= -width)
     input_position = 0;
   else
-    input_position += width;
+    {
+      int new_input_position;
+      if (ckd_add (&new_input_position, input_position, width))
+        integer_overflow ();
+      input_position = new_input_position;
+    }
 
   return chars;
 }
-- 
2.54.0.windows.1

