From 73a49493a261a2a7fb748875e66d85bf0ff2b050 Mon Sep 17 00:00:00 2001
From: Jonathan Swoboda <154711427+swoboda1337@users.noreply.github.com>
Date: Wed, 18 Mar 2026 16:43:42 -0400
Subject: [PATCH] [vbus][shelly_dimmer][st7789v][modbus_controller] Fix integer
 overflows, off-by-one, and coordinate swap (#14916)

---
 .../modbus_controller/modbus_controller.h     |  2 +-
 .../shelly_dimmer/shelly_dimmer.cpp           |  2 +-
 esphome/components/st7789v/st7789v.cpp        |  4 +--
 .../components/vbus/sensor/vbus_sensor.cpp    | 26 ++++++++++++-------
 esphome/components/vbus/vbus.cpp              |  3 +--
 5 files changed, 21 insertions(+), 16 deletions(-)

diff --git a/esphome/components/modbus_controller/modbus_controller.h b/esphome/components/modbus_controller/modbus_controller.h
index fca2926568..bd3d4d705e 100644
--- a/esphome/components/modbus_controller/modbus_controller.h
+++ b/esphome/components/modbus_controller/modbus_controller.h
@@ -178,7 +178,7 @@ template<typename N> N mask_and_shift_by_rightbit(N data, uint32_t mask) {
     return result;
   }
   for (size_t pos = 0; pos < sizeof(N) << 3; pos++) {
-    if ((mask & (1 << pos)) != 0)
+    if ((mask & (1UL << pos)) != 0)
       return result >> pos;
   }
   return 0;
diff --git a/esphome/components/shelly_dimmer/shelly_dimmer.cpp b/esphome/components/shelly_dimmer/shelly_dimmer.cpp
index 88fcbcbfe1..230fb963b1 100644
--- a/esphome/components/shelly_dimmer/shelly_dimmer.cpp
+++ b/esphome/components/shelly_dimmer/shelly_dimmer.cpp
@@ -402,7 +402,7 @@ bool ShellyDimmer::handle_frame_() {
   // Handle response.
   switch (cmd) {
     case SHELLY_DIMMER_PROTO_CMD_POLL: {
-      if (payload_len < 16) {
+      if (payload_len < 17) {
         return false;
       }
 
diff --git a/esphome/components/st7789v/st7789v.cpp b/esphome/components/st7789v/st7789v.cpp
index 6e4360ae74..dc03fb04ca 100644
--- a/esphome/components/st7789v/st7789v.cpp
+++ b/esphome/components/st7789v/st7789v.cpp
@@ -156,9 +156,9 @@ void ST7789V::update() {
 void ST7789V::set_model_str(const char *model_str) { this->model_str_ = model_str; }
 
 void ST7789V::write_display_data() {
-  uint16_t x1 = this->offset_height_;
+  uint16_t x1 = this->offset_width_;
   uint16_t x2 = x1 + get_width_internal() - 1;
-  uint16_t y1 = this->offset_width_;
+  uint16_t y1 = this->offset_height_;
   uint16_t y2 = y1 + get_height_internal() - 1;
 
   this->enable();
diff --git a/esphome/components/vbus/sensor/vbus_sensor.cpp b/esphome/components/vbus/sensor/vbus_sensor.cpp
index 1cabb49703..407a81c83b 100644
--- a/esphome/components/vbus/sensor/vbus_sensor.cpp
+++ b/esphome/components/vbus/sensor/vbus_sensor.cpp
@@ -48,8 +48,8 @@ void DeltaSolBSPlusSensor::handle_message(std::vector<uint8_t> &message) {
   if (this->operating_hours2_sensor_ != nullptr)
     this->operating_hours2_sensor_->publish_state(get_u16(message, 18));
   if (this->heat_quantity_sensor_ != nullptr) {
-    this->heat_quantity_sensor_->publish_state(get_u16(message, 20) + get_u16(message, 22) * 1000 +
-                                               get_u16(message, 24) * 1000000);
+    this->heat_quantity_sensor_->publish_state(get_u16(message, 20) + get_u16(message, 22) * 1000.0f +
+                                               get_u16(message, 24) * 1000000.0f);
   }
   if (this->time_sensor_ != nullptr)
     this->time_sensor_->publish_state(get_u16(message, 12));
@@ -130,8 +130,8 @@ void DeltaSolCSensor::handle_message(std::vector<uint8_t> &message) {
   if (this->operating_hours2_sensor_ != nullptr)
     this->operating_hours2_sensor_->publish_state(get_u16(message, 14));
   if (this->heat_quantity_sensor_ != nullptr) {
-    this->heat_quantity_sensor_->publish_state(get_u16(message, 16) + get_u16(message, 18) * 1000 +
-                                               get_u16(message, 20) * 1000000);
+    this->heat_quantity_sensor_->publish_state(get_u16(message, 16) + get_u16(message, 18) * 1000.0f +
+                                               get_u16(message, 20) * 1000000.0f);
   }
   if (this->time_sensor_ != nullptr)
     this->time_sensor_->publish_state(get_u16(message, 22));
@@ -162,8 +162,10 @@ void DeltaSolCS2Sensor::handle_message(std::vector<uint8_t> &message) {
     this->pump_speed_sensor_->publish_state(message[12]);
   if (this->operating_hours_sensor_ != nullptr)
     this->operating_hours_sensor_->publish_state(get_u16(message, 14));
-  if (this->heat_quantity_sensor_ != nullptr)
-    this->heat_quantity_sensor_->publish_state((get_u16(message, 26) << 16) + get_u16(message, 24));
+  if (this->heat_quantity_sensor_ != nullptr) {
+    this->heat_quantity_sensor_->publish_state((static_cast<uint32_t>(get_u16(message, 26)) << 16) |
+                                               get_u16(message, 24));
+  }
   if (this->version_sensor_ != nullptr)
     this->version_sensor_->publish_state(get_u16(message, 28) * 0.01f);
 }
@@ -204,8 +206,10 @@ void DeltaSolCS4Sensor::handle_message(std::vector<uint8_t> &message) {
     this->operating_hours1_sensor_->publish_state(get_u16(message, 10));
   if (this->operating_hours2_sensor_ != nullptr)
     this->operating_hours2_sensor_->publish_state(get_u16(message, 14));
-  if (this->heat_quantity_sensor_ != nullptr)
-    this->heat_quantity_sensor_->publish_state((get_u16(message, 30) << 16) + get_u16(message, 28));
+  if (this->heat_quantity_sensor_ != nullptr) {
+    this->heat_quantity_sensor_->publish_state((static_cast<uint32_t>(get_u16(message, 30)) << 16) |
+                                               get_u16(message, 28));
+  }
   if (this->time_sensor_ != nullptr)
     this->time_sensor_->publish_state(get_u16(message, 22));
   if (this->version_sensor_ != nullptr)
@@ -250,8 +254,10 @@ void DeltaSolCSPlusSensor::handle_message(std::vector<uint8_t> &message) {
     this->operating_hours1_sensor_->publish_state(get_u16(message, 10));
   if (this->operating_hours2_sensor_ != nullptr)
     this->operating_hours2_sensor_->publish_state(get_u16(message, 14));
-  if (this->heat_quantity_sensor_ != nullptr)
-    this->heat_quantity_sensor_->publish_state((get_u16(message, 30) << 16) + get_u16(message, 28));
+  if (this->heat_quantity_sensor_ != nullptr) {
+    this->heat_quantity_sensor_->publish_state((static_cast<uint32_t>(get_u16(message, 30)) << 16) |
+                                               get_u16(message, 28));
+  }
   if (this->time_sensor_ != nullptr)
     this->time_sensor_->publish_state(get_u16(message, 22));
   if (this->version_sensor_ != nullptr)
diff --git a/esphome/components/vbus/vbus.cpp b/esphome/components/vbus/vbus.cpp
index c6786ee31e..195d6ed568 100644
--- a/esphome/components/vbus/vbus.cpp
+++ b/esphome/components/vbus/vbus.cpp
@@ -67,8 +67,7 @@ void VBus::loop() {
         }
         septet_spread(this->buffer_.data(), 7, 6, this->buffer_[13]);
         uint16_t id = (this->buffer_[8] << 8) + this->buffer_[7];
-        uint32_t value =
-            (this->buffer_[12] << 24) + (this->buffer_[11] << 16) + (this->buffer_[10] << 8) + this->buffer_[9];
+        uint32_t value = encode_uint32(this->buffer_[12], this->buffer_[11], this->buffer_[10], this->buffer_[9]);
         ESP_LOGV(TAG, "P1 C%04x %04x->%04x: %04x %04" PRIx32 " (%" PRIu32 ")", this->command_, this->source_,
                  this->dest_, id, value, value);
       } else if ((this->protocol_ == 0x10) && (this->buffer_.size() == 9)) {