# Extended 5.9 — win32Main.c: totalSize int overflow before malloc

Bug ref      : pharo.md §5.9
Severity     : MEDIUM (heap underflow if command line has unusual encodings)
File         : src/win32Main.c
Lines (HEAD) : 33-37

## Problem

```c
sizes = (int*)malloc(sizeof(int)*numberOfArgs);
for( i=0; i<numberOfArgs; i++){
    sizes[i] = WideCharToMultiByte(CP_UTF8, 0, wideArgs[i], -1, NULL, 0, NULL, FALSE);
    totalSize += sizes[i];
}
totalSize += sizeof(char*) * numberOfArgs;
argsInUtf8 = malloc(totalSize);
```

`totalSize` is a signed `int`. Summing many large UTF-16 → UTF-8
conversion sizes (or sizes for malformed surrogates) can wrap it
negative. `malloc(totalSize)` then converts the negative `int` to
`size_t` by sign extension, so the request is close to `SIZE_MAX` and
the call either allocates a huge block or fails. The original code
checks neither `malloc` result.
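
The wrap described above, worked through on constructed sizes next to a checked `size_t` sum. This is an added example, not code from the project: `legacy_total`, `as_malloc_arg`, `checked_total` and `ARGS_MAX_BYTES` are hypothetical names, and the sizes stand in for `WideCharToMultiByte` return values so the block builds without the Win32 API.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

#define ARGS_MAX_BYTES ((size_t)0x10000000) /* 256 MiB cap used by the fix */

/* Value the original int accumulator ends up holding. Signed overflow is
 * undefined in C, so the wrap is modelled with 32-bit unsigned arithmetic. */
static int32_t legacy_total(const int *sizes, int n)
{
    uint32_t acc = 0;
    for (int i = 0; i < n; i++)
        acc += (uint32_t)sizes[i];
    acc += (uint32_t)(sizeof(char *) * (size_t)n);
    return (int32_t)acc; /* implementation-defined; wraps on common compilers */
}

/* What malloc() receives when handed that int: a negative value becomes huge. */
static size_t as_malloc_arg(int32_t total) { return (size_t)total; }

/* Checked sum in size_t: 0 on success, -1 on a bad size or a total over the cap. */
static int checked_total(const int *sizes, int n, size_t *out)
{
    if (n < 0 || (size_t)n > ARGS_MAX_BYTES / sizeof(char *))
        return -1;
    size_t total = sizeof(char *) * (size_t)n; /* pointer table comes first */
    for (int i = 0; i < n; i++) {
        if (sizes[i] <= 0 || (size_t)sizes[i] > ARGS_MAX_BYTES - total)
            return -1; /* tested before adding, so total never wraps */
        total += (size_t)sizes[i];
    }
    *out = total;
    return 0;
}

int main(void)
{
    /* Constructed per-argument sizes, not taken from a real command line. */
    const int big[3] = { 0x30000000, 0x30000000, 0x30000000 };
    size_t out = 0;
    int32_t wrapped = legacy_total(big, 3);
    printf("int total: %ld, malloc arg: %zu, checked: %d\n",
           (long)wrapped, as_malloc_arg(wrapped), checked_total(big, 3, &out));
    return 0;
}
```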

## Fix

Promote the sum to size_t/uint64 and check it against a cap before calling `malloc`.

```diff
diff --git a/src/win/win32Main.c b/src/win/win32Main.c
index dbad68b54..c360ea901 100644
--- a/src/win/win32Main.c
+++ b/src/win/win32Main.c
@@ -27,14 +27,23 @@ WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdS
 	}
 
 	sizes = (int*)malloc(sizeof(int)*numberOfArgs);
-   
-	for( i=0; i<numberOfArgs; i++){
-		sizes[i] = WideCharToMultiByte(CP_UTF8, 0, wideArgs[i], -1, NULL, 0, NULL, FALSE);
-		totalSize += sizes[i];
-	}
+	if (!sizes) return 0;
 
-	totalSize += sizeof(char*) * numberOfArgs;
+	/* uint64 sum to avoid signed-int overflow if a command line is
+	 * unexpectedly large or contains malformed surrogates. */
+	{
+		uint64_t totalSize64 = 0;
+		for( i=0; i<numberOfArgs; i++){
+			sizes[i] = WideCharToMultiByte(CP_UTF8, 0, wideArgs[i], -1, NULL, 0, NULL, FALSE);
+			if (sizes[i] <= 0) { free(sizes); return 0; }
+			totalSize64 += (uint64_t)sizes[i];
+		}
+		totalSize64 += (uint64_t)sizeof(char*) * (uint64_t)numberOfArgs;
+		if (totalSize64 > 0x10000000ULL) { free(sizes); return 0; }
+		totalSize = (int)totalSize64;
+	}
 	argsInUtf8 = malloc(totalSize);
+	if (!argsInUtf8) { free(sizes); return 0; }
 	
 	currentString = &argsInUtf8[numberOfArgs];
 	

```
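
Review bot: `totalSize` is still an `int` when it reaches `malloc(totalSize)`; the narrowing at `totalSize = (int)totalSize64;` is safe only because of the `0x10000000ULL` check on the line above it, so declaring `totalSize` as `size_t` and dropping the cast would keep the allocation correct if the cap is ever raised. The cap would read better as a named constant than as a literal. The new early `return 0` paths free `sizes` but leave `WinMain` with a success-looking exit code and no diagnostic, so a rejected command line is indistinguishable from a normal exit; a message or a distinct non-zero code would help. The first `malloc(sizeof(int)*numberOfArgs)` is also unbounded and would benefit from a range check on `numberOfArgs`.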

## Test plan

- Command line with very large or malformed arguments: the function
  fails cleanly instead of allocating SIZE_MAX.

## Risk notes

- The 256 MiB cap (`0x10000000` bytes) is generous for any realistic command line.
