From 36ded73f80fc2de459d58c164ab5cded92336358 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Javier=20Lend=C3=ADnez?= <52505803+JaviLendi@users.noreply.github.com>
Date: Sun, 10 May 2026 11:09:58 +0200
Subject: [PATCH 1/4] Potential fix for code scanning alert no. 243: Setting a DACL to NULL in a SECURITY_DESCRIPTOR
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 src/utils/WinUtil.cpp | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/src/utils/WinUtil.cpp b/src/utils/WinUtil.cpp
index 2ed02900e49..55d9c54178b 100755
--- a/src/utils/WinUtil.cpp
+++ b/src/utils/WinUtil.cpp
@@ -565,14 +565,20 @@ static void ResetRegKeyAcl(HKEY hkey, const char* keyName) {
 return;
 }
 SECURITY_DESCRIPTOR secdesc;
- InitializeSecurityDescriptor(&secdesc, SECURITY_DESCRIPTOR_REVISION);
+ if (!InitializeSecurityDescriptor(&secdesc, SECURITY_DESCRIPTOR_REVISION)) {
+ RegCloseKey(hKey);
+ return;
+ }
-#pragma warning(push)
-#pragma warning(disable : 6248)
- // "Setting a SECURITY_DESCRIPTOR's DACL to nullptr will result in an unprotected object"
- // https://docs.microsoft.com/en-us/cpp/code-quality/c6248?view=msvc-170
- SetSecurityDescriptorDacl(&secdesc, TRUE, nullptr, TRUE);
-#pragma warning(pop)
+ ACL dacl;
+ if (!InitializeAcl(&dacl, sizeof(dacl), ACL_REVISION)) {
+ RegCloseKey(hKey);
+ return;
+ }
+ if (!SetSecurityDescriptorDacl(&secdesc, TRUE, &dacl, FALSE)) {
+ RegCloseKey(hKey);
+ return;
+ }
 RegSetKeySecurity(hKey, DACL_SECURITY_INFORMATION, &secdesc);
 RegCloseKey(hKey);
From b7cf6ea55e88b81b9cd658d69456c16e64363bfc Mon Sep 17 00:00:00 2001
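Review bot: In ResetRegKeyAcl (src/utils/WinUtil.cpp), the new `InitializeAcl(&dacl, sizeof(dacl), ACL_REVISION)` builds a DACL with no ACEs, and a present-but-empty DACL grants access to nobody, whereas the removed NULL DACL granted access to everyone. The scanner alert goes away, but the key is left so that only its owner can get back in (through the owner's implicit right to rewrite the DACL), which looks like the opposite of what a function named "reset" is meant to leave behind. Build the DACL from explicit allow ACEs for the principals that must keep access, for example from an SDDL string as sketched below (the SDDL is a constructed example and the call needs `<sddl.h>`), and check the `RegSetKeySecurity` result, which the context line still discards. The function body starts and ends outside the hunk.

```cpp
    // … unchanged: key open and early return …
    // Constructed example SDDL: full control for SYSTEM and Administrators only.
    // Replace it with the trustees that must keep access to this key
    // (for a per-user key that includes the user).
    PSECURITY_DESCRIPTOR sd = nullptr;
    if (!ConvertStringSecurityDescriptorToSecurityDescriptorW(L"D:(A;;KA;;;SY)(A;;KA;;;BA)", SDDL_REVISION_1, &sd,
                                                              nullptr)) {
        RegCloseKey(hKey);
        return;
    }
    LSTATUS res = RegSetKeySecurity(hKey, DACL_SECURITY_INFORMATION, sd);
    LocalFree(sd);
    RegCloseKey(hKey);
    // … report or log res instead of dropping it …
```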
From: =?UTF-8?q?Javier=20Lend=C3=ADnez?= <52505803+JaviLendi@users.noreply.github.com>
Date: Sun, 10 May 2026 11:11:01 +0200
Subject: [PATCH 2/4] Potential fix for code scanning alert no. 238: Wrong type of arguments to formatting function
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 src/SumatraPDF.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/SumatraPDF.cpp b/src/SumatraPDF.cpp
index 095c7bcdcae..1b40d76f954 100644
--- a/src/SumatraPDF.cpp
+++ b/src/SumatraPDF.cpp
@@ -3269,7 +3269,7 @@ void CloseTab(WindowTab* tab, bool quitIfLast) {
 return;
 }
 MainWindow* win = tab->win;
- logf("CloseTab: tab: 0x%p win: 0x%p, hwndFrame: 0x%x, quitIfLast: %d, dm: 0x%p\n", tab, win, win->hwndFrame,
+ logf("CloseTab: tab: 0x%p win: 0x%p, hwndFrame: %p, quitIfLast: %d, dm: 0x%p\n", tab, win, win->hwndFrame,
 (int)quitIfLast, tab->AsFixed());
 AbortFinding(win, true);
From 3b1610ffd50a8c1fefbf7fad67c58638c871bf5e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Javier=20Lend=C3=ADnez?= <52505803+JaviLendi@users.noreply.github.com>
Date: Sun, 10 May 2026 11:13:35 +0200
Subject: [PATCH 3/4] Potential fix for code scanning alert no. 232: Multiplication result converted to larger type
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 src/utils/WebpReader.cpp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/utils/WebpReader.cpp b/src/utils/WebpReader.cpp
index 3890249b200..3a473ec5428 100644
--- a/src/utils/WebpReader.cpp
+++ b/src/utils/WebpReader.cpp
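Review bot: In the CloseTab `logf` call in src/SumatraPDF.cpp, the corrected specifier is written `hwndFrame: %p` while every other pointer in the same format string is written `0x%p`, so the window handle will be formatted differently from its neighbours in the log. For consistency use `hwndFrame: 0x%p`. In the visible lines `win` is also dereferenced right after `MainWindow* win = tab->win;` with no null check in between; CloseTab's body starts and ends outside the hunk, so whether `tab->win` can be null here is not shown.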
@@ -38,7 +38,8 @@ Gdiplus::Bitmap* ImageFromData(const ByteSlice& d) {
 if (ok != Gdiplus::Ok) {
 return nullptr;
 }
- if (!WebPDecodeBGRAInto((const u8*)d.data(), d.size(), (u8*)bmpData.Scan0, bmpData.Stride * h, bmpData.Stride)) {
+ if (!WebPDecodeBGRAInto((const u8*)d.data(), d.size(), (u8*)bmpData.Scan0,
+ static_cast(bmpData.Stride) * static_cast(h), bmpData.Stride)) {
 return nullptr;
 }
 bmp.UnlockBits(&bmpData);
From f8b1df1dd1ccdfb13e0735ae7947dd3f11680f2b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Javier=20Lend=C3=ADnez?= <52505803+JaviLendi@users.noreply.github.com>
Date: Sun, 10 May 2026 11:14:14 +0200
Subject: [PATCH 4/4] Potential fix for code scanning alert no. 233: Too few arguments to formatting function
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 src/Installer.cpp | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/Installer.cpp b/src/Installer.cpp
index 75d94ed8ec8..cb02a9ac56e 100644
--- a/src/Installer.cpp
+++ b/src/Installer.cpp
@@ -612,8 +612,7 @@ static void ForAllUsersStateChanged() {
 str::ReplacePtr(&cli->installDir, str::Dup(dir));
 gWnd->editInstallationDir->SetText(cli->installDir);
 logf("ForAllUsersStateChanged: cli->allUsers: %d, cli->installDir: '%s', forAllUsers: %d\n", (int)cli->allUsers,
- cli->installDir),
- (int)forAllUsers;
+ cli->installDir, (int)forAllUsers);
 }
 static void UpdateUIForOptionsState(InstallerWnd* wnd) {
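Review bot: In the `WebPDecodeBGRAInto` call in src/utils/WebpReader.cpp, the widened product is passed as the output buffer size without first checking that `bmpData.Stride` and `h` are positive. The cast's target type is not visible on this page; if it is an unsigned type, a negative stride or height would convert to a very large size and tell the decoder the buffer is far bigger than the locked bitmap, which defeats the decoder's own bounds check on decoded image data. Add a guard before the call, `if (bmpData.Stride <= 0 || h <= 0) { bmp.UnlockBits(&bmpData); return nullptr; }`. The existing failure path in the context lines also returns without calling `bmp.UnlockBits(&bmpData)`. ImageFromData's body starts and ends outside the hunk, so `h` may already be validated earlier.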