From 83d08dbee258a28719d3a8e778b8cf7736d589b9 Mon Sep 17 00:00:00 2001
From: Rain <Rainyan@users.noreply.github.com>
Date: Sat, 21 Feb 2026 04:28:19 +0200
Subject: [PATCH 1/2] Convert to wider type before addition

Unlikely to ever overflow but this silences a VS nag
---
 src/game/client/neo/ui/neo_ui.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/game/client/neo/ui/neo_ui.cpp b/src/game/client/neo/ui/neo_ui.cpp
index b00528b814..63a07f1194 100644
--- a/src/game/client/neo/ui/neo_ui.cpp
+++ b/src/game/client/neo/ui/neo_ui.cpp
@@ -2428,7 +2428,7 @@ void TextEdit(wchar_t *wszText, const int iMaxWszTextSize, const TextEditFlags f
 					static wchar_t wszStaticTmpText[MAX_TEXTINPUT_U8BYTES_LIMIT];
 					if (bFromEnd)
 					{
-						V_wcsncat(wszText, wszClipboard, iMaxWszTextSize + 1);
+						V_wcsncat(wszText, wszClipboard, (size_t)iMaxWszTextSize + 1);
 						c->iTextSelCur = V_wcslen(wszText);
 					}
 					else if (bIsCursor)

From d5b3659ca657fc330886bf3814e4152feb51140f Mon Sep 17 00:00:00 2001
From: Rain <Rainyan@users.noreply.github.com>
Date: Sat, 21 Feb 2026 04:48:21 +0200
Subject: [PATCH 2/2] Fix buffer underflow

Text size of 0 would result in array index of 0-1
---
 src/game/client/neo/ui/neo_ui.cpp | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/game/client/neo/ui/neo_ui.cpp b/src/game/client/neo/ui/neo_ui.cpp
index 63a07f1194..6dbc2c3cf7 100644
--- a/src/game/client/neo/ui/neo_ui.cpp
+++ b/src/game/client/neo/ui/neo_ui.cpp
@@ -1981,6 +1981,11 @@ void SliderU8(const wchar_t *wszLeftLabel, uint8 *ucValue, const uint8 iMin, con
 
 static int TextEditChIdxFromMouse(const int iWszTextSize)
 {
+	if (iWszTextSize <= 0)
+	{
+		return 0;
+	}
+
 	const int iMouseOnXWidth = c->iMouseAbsX - (c->rWidgetArea.x0 + c->iMarginX);
 	int iChIdx = -1;
 	for (int i = 0; i < iWszTextSize; ++i)