From 12452f442728e26dc660095de2d9d43129408c6e Mon Sep 17 00:00:00 2001
From: nicm
Date: Fri, 22 Aug 2025 07:26:25 +0000
Subject: [PATCH 1/3] Do not double free argv from MSG_COMMAND if it is too long, reported by sai02 at student dot ubc dot ca via deraadt. ok deraadt
---
 server-client.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/server-client.c b/server-client.c
index 04d4eb5e..89486b7c 100644
--- a/server-client.c
+++ b/server-client.c
@@ -3446,7 +3446,7 @@ server_client_dispatch_command(struct client *c, struct imsg *imsg)
 struct msg_command data;
 char *buf;
 size_t len;
- int argc;
+ int argc = 0;
 char **argv, *cause;
 struct cmd_parse_result *pr;
 struct args_value *values;
@@ -3465,12 +3465,12 @@ server_client_dispatch_command(struct client *c, struct imsg *imsg)
 if (len > 0 && buf[len - 1] != '\0')
 fatalx("bad MSG_COMMAND string");
- argc = data.argc;
- if (cmd_unpack_argv(buf, len, argc, &argv) != 0) {
+ if (cmd_unpack_argv(buf, len, data.argc, &argv) != 0) {
 cause = xstrdup("command too long");
 goto error;
 }
+ argc = data.argc;
 if (argc == 0) {
 cmdlist = cmd_list_copy(options_get_command(global_options, "default-client-command"), 0, NULL);
From e6d275b3710bda8f7a4b0bc38950c6851840000e Mon Sep 17 00:00:00 2001
From: nicm
Date: Fri, 22 Aug 2025 07:39:40 +0000
Subject: [PATCH 2/3] Do not leak label if it is too long, GitHub issue 4591.
---
 window-tree.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/window-tree.c b/window-tree.c
index 89b5e648..78ed52be 100644
--- a/window-tree.c
+++ b/window-tree.c
@@ -657,8 +657,10 @@ window_tree_draw_session(struct window_tree_modedata *data, struct session *s,
 screen_write_preview(ctx, &w->active->base, width, sy);
 xasprintf(&label, " %u:%s ", wl->idx, w->name);
- if (strlen(label) > width)
+ if (strlen(label) > width) {
+ free(label);
 xasprintf(&label, " %u ", wl->idx);
+ }
 window_tree_draw_label(ctx, cx + offset, cy, width, sy, &gc, label);
 free(label);
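Review bot: In the first server-client.c hunk, `char **argv, *cause;` still leaves argv uninitialised, so the failure path is only safe if the cleanup at the `error` label never reads argv while argc is 0. That label and cmd_unpack_argv are outside the hunk, so this is inferred rather than visible. Declaring `char **argv = NULL, *cause;` alongside the new `int argc = 0;` would make the error path well defined whatever the cleanup does, which matters because the buffer comes from a client MSG_COMMAND message.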
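Review bot: In the second server-client.c hunk, placing `argc = data.argc;` after the cmd_unpack_argv() check is what keeps the error path from freeing argv a second time, yet nothing at the site says the order is load-bearing. A one-line comment above the assignment, e.g. `/* Leave argc at 0 until argv is valid; the error path frees argv using argc. */`, would stop a later tidy-up from moving it back. The statement about the error path is inferred from the commit message, since the label is outside the hunk. Separately, data.argc is passed through as received; whether a negative or oversized count is rejected inside cmd_unpack_argv is not visible here and is worth confirming.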
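Review bot: In window-tree.c, the new `if (strlen(label) > width) {` still measures the label in bytes, while `width` appears to be a column count, so a window name containing multibyte characters could take the short-label branch even though it would fit on screen. Whether window_tree_draw_label measures or clips by display width is outside the hunk; if it does, comparing display width here would keep the two consistent. The fallback `" %u "` label is also not re-checked against width, which is fine only if the draw helper copes with a label longer than the box.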
From 7325da30526452578541e7b0fe79624e360e2b67 Mon Sep 17 00:00:00 2001
From: nicm
Date: Fri, 22 Aug 2025 07:42:51 +0000
Subject: [PATCH 3/3] Extend pane lookup special case for switch-client to mouse target ("=") so that it works for panes on status line.
---
 cmd-switch-client.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/cmd-switch-client.c b/cmd-switch-client.c
index dc1b621a..0ff8cf99 100644
--- a/cmd-switch-client.c
+++ b/cmd-switch-client.c
@@ -61,7 +61,8 @@ cmd_switch_client_exec(struct cmd *self, struct cmdq_item *item)
 const char *tablename;
 struct key_table *table;
- if (tflag != NULL && tflag[strcspn(tflag, ":.%")] != '\0') {
+ if (tflag != NULL &&
+ (tflag[strcspn(tflag, ":.%")] != '\0' || strcmp(tflag, "=") == 0)) {
 type = CMD_FIND_PANE;
 flags = 0;
 } else {
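Review bot: The added `strcmp(tflag, "=") == 0` matches only the bare `=` form, so a mouse target written as `{mouse}` (which tmux documents as the long form of `=`), or `=` followed by anything else, would still fall through to the `else` branch. If those should resolve as panes too, the test needs to cover them. If not, a comment above the condition such as `/* "=" alone is the mouse target; look it up as a pane so status-line panes work */` would record why this one literal is special. The `else` branch and the rest of cmd_switch_client_exec are outside the hunk.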