From 022b5cf193ffed6f3feaee741987f5860e78ed61 Mon Sep 17 00:00:00 2001
From: nicm
Date: Mon, 30 Mar 2026 09:23:40 +0000
Subject: [PATCH] When in copy mode with a large scroll offset and the window is resized so that history shrinks, data->oy can exceed screen_hsize causing an unsigned integer underflow in the py computation. Clamp data->oy in window_copy_resize and window_copy_cmd_refresh_from_pane before the subtraction. From futpib at gmail dot com in GitHub issue 4958.
---
 window-copy.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/window-copy.c b/window-copy.c
index bf265b5b..cc9f3e5d 100644
--- a/window-copy.c
+++ b/window-copy.c
@@ -1026,6 +1026,8 @@ window_copy_resize(struct window_mode_entry *wme, u_int sx, u_int sy)
 screen_resize(s, sx, sy, 0);
 cx = data->cx;
+ if (data->oy > gd->hsize + data->cy)
+ data->oy = gd->hsize + data->cy;
 cy = gd->hsize + data->cy - data->oy;
 reflow = (gd->sx != sx);
 if (reflow)
@@ -2736,6 +2738,8 @@ window_copy_cmd_refresh_from_pane(struct window_copy_cmd_state *cs)
 if (data->viewmode)
 return (WINDOW_COPY_CMD_NOTHING);
+ if (data->oy > screen_hsize(data->backing))
+ data->oy = screen_hsize(data->backing);
 oy_from_top = screen_hsize(data->backing) - data->oy;
 screen_free(data->backing);
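Review bot: The clamp added in window_copy_resize bounds `data->oy` by `gd->hsize + data->cy`, while the one in window_copy_cmd_refresh_from_pane bounds it by `screen_hsize(data->backing)`, so after the first clamp `data->oy` can still be larger than the history size that the second subtraction relies on. If `gd` is the backing grid (its assignment is outside the hunk), clamping to the history size in both places, e.g. `if (data->oy > gd->hsize) data->oy = gd->hsize;`, would restore a single invariant rather than two site-specific ones. Each clamp would also benefit from a short comment such as `/* History may have shrunk since oy was set; keep oy within it so the u_int subtraction cannot wrap. */`. Both function bodies start and end outside the hunks, so any other `... - data->oy` computations in this file are not visible here and may need the same guard.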