From e3305381301497f82dfd0158eb676c6a90b3f820 Mon Sep 17 00:00:00 2001
From: Nikhil Goyal <135103317+ngoyal88@users.noreply.github.com>
Date: Sat, 25 Apr 2026 17:30:08 +0530
Subject: [PATCH] fix(msgpack): prevent integer overflow in mpack growable writer

---
 3rd/msgpack/src/mpack.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/3rd/msgpack/src/mpack.c b/3rd/msgpack/src/mpack.c
index 4f0dab4a..66783d65 100644
--- a/3rd/msgpack/src/mpack.c
+++ b/3rd/msgpack/src/mpack.c
@@ -1164,10 +1164,18 @@ static void mpack_growable_writer_flush(mpack_writer_t* writer, const char* data
             (int)count, (int)mpack_writer_buffer_left(writer), (int)used, (int)size);
     // grow to fit the data
-    // TODO: this really needs to correctly test for overflow
-    size_t new_size = size * 2;
-    while (new_size < used + count)
+    if (count > SIZE_MAX - used) {
+        mpack_writer_flag_error(writer, mpack_error_memory);
+        return;
+    }
+    size_t new_size = (size > SIZE_MAX / 2) ? SIZE_MAX : size * 2;
+    while (new_size < used + count) {
+        if (new_size > SIZE_MAX / 2) {
+            new_size = SIZE_MAX;
+            break;
+        }
         new_size *= 2;
+    }
     mpack_log("flush growing buffer size from %i to %i\n", (int)size, (int)new_size);