chore(release): bump version to 0.5.3

Single-fix patch to close the CodeQL pointer-arithmetic alert that
v0.5.2 left open. v0.5.2 already shipped, so we tag forward instead
of moving the published tag.

ChatTwo/ChatTwo.csproj

@@ -4,7 +4,7 @@
              0.1.0 is our bootstrap release; the underlying Chat 2 base is
              called out in the yaml changelog so users can see what it
              derives from. -->
-        <Version>0.5.2</Version>
+        <Version>0.5.3</Version>
         <ImplicitUsings>enable</ImplicitUsings>
         <!-- HellionChat fork: assembly is renamed so Dalamud uses
              pluginConfigs/HellionChat instead of pluginConfigs/ChatTwo,

ChatTwo/HellionChat.yaml

@@ -44,6 +44,26 @@ tags:
   - Replacement
   - Privacy
 changelog: |-
+  **Hellion Chat 0.5.3 — Pointer arithmetic hardening**
+
+  Single hardening fix on top of v0.5.2.
+
+  Security:
+
+  - Closed CodeQL Critical alert "unvalidated local pointer
+    arithmetic" in ImGuiUtil.WrapText. The earlier v0.5.2 fix
+    handled the empty-input edge case but the rule re-fired on the
+    pointer arithmetic itself because Encoding.GetBytes is virtual
+    on the base Encoding class and CodeQL therefore tracks its
+    return as untrusted input. Now compute the expected byte count
+    via GetByteCount on the same encoder and bail out if a swapped
+    Encoding ever returned a buffer of the wrong length. Real
+    consistency check, not a dead defensive guard.
+
+  No new features, no migration, configuration version stays at 10.
+
+  Based on Chat 2 1.35.3 (upstream Infiziert90/ChatTwo, EUPL-1.2).
+
   **Hellion Chat 0.5.2 — Bugfix patch**
 
   Three corrections to the v0.5.1 surface plus two security findings

ChatTwo/Util/ImGuiUtil.cs

@@ -93,15 +93,16 @@ internal static class ImGuiUtil
 
         foreach (var part in csText.Split(["\r\n", "\r", "\n"], StringSplitOptions.None))
         {
+            // Encoding.GetBytes is virtual, so the returned array's
+            // Length is treated as untrusted by CodeQL for pointer
+            // arithmetic ("cs/unvalidated-local-pointer-arithmetic").
+            // Compute the expected byte count against the same encoder
+            // and bail out if a swapped-in encoding ever returned a
+            // mismatched buffer. Also drops empty splits so the textEnd
+            // pointer below cannot collapse onto text.
+            var expectedLength = Encoding.UTF8.GetByteCount(part);
             var bytes = Encoding.UTF8.GetBytes(part);
-
+            if (expectedLength == 0 || bytes.Length != expectedLength)
-            // Empty splits (consecutive newlines) leave bytes.Length at 0
-            // and the textEnd pointer below would coincide with text. The
-            // ImGuiNative word-wrap calls treat that as undefined input,
-            // and the CodeQL "unvalidated local pointer arithmetic" alert
-            // also flags it. Render an empty line and skip the unsafe
-            // block entirely for this iteration.
-            if (bytes.Length == 0)
             {
                 ImGui.TextUnformatted("");
                 continue;
@@ -110,7 +111,7 @@ internal static class ImGuiUtil
             fixed (byte* rawText = bytes)
             {
                 var text = rawText;
-                var textEnd = text + bytes.Length;
+                var textEnd = text + expectedLength;
 
                 var widthLeft = ImGui.GetContentRegionAvail().X;
                 var endPrevLine = ImGuiNative.CalcWordWrapPositionA(ImGui.GetFont().Handle, ImGuiHelpers.GlobalScale, text, textEnd, widthLeft);