chore(release): bump version to 0.5.3

Single-fix patch to close the CodeQL pointer-arithmetic alert that v0.5.2 left open. v0.5.2 already shipped, so we tag forward instead of moving the published tag.
fix(security): validate UTF8 byte buffer length before pointer arithmetic
2026-05-02 23:46:26 +02:00 · 2026-05-02 23:42:59 +02:00
4 changed files with 37 additions and 16 deletions
@@ -4,7 +4,7 @@
             0.1.0 is our bootstrap release; the underlying Chat 2 base is
             called out in the yaml changelog so users can see what it
             derives from. -->
-        <Version>0.5.2</Version>
+        <Version>0.5.3</Version>
        <ImplicitUsings>enable</ImplicitUsings>
        <!-- HellionChat fork: assembly is renamed so Dalamud uses
             pluginConfigs/HellionChat instead of pluginConfigs/ChatTwo,
@@ -44,6 +44,26 @@ tags:
  - Replacement
  - Privacy
 changelog: |-
+  **Hellion Chat 0.5.3 — Pointer arithmetic hardening**
+
+  Single hardening fix on top of v0.5.2.
+
+  Security:
+
+  - Closed CodeQL Critical alert "unvalidated local pointer
+    arithmetic" in ImGuiUtil.WrapText. The earlier v0.5.2 fix
+    handled the empty-input edge case but the rule re-fired on the
+    pointer arithmetic itself because Encoding.GetBytes is virtual
+    on the base Encoding class and CodeQL therefore tracks its
+    return as untrusted input. Now compute the expected byte count
+    via GetByteCount on the same encoder and bail out if a swapped
+    Encoding ever returned a buffer of the wrong length. Real
+    consistency check, not a dead defensive guard.
+
+  No new features, no migration, configuration version stays at 10.
+
+  Based on Chat 2 1.35.3 (upstream Infiziert90/ChatTwo, EUPL-1.2).
+
  **Hellion Chat 0.5.2 — Bugfix patch**

  Three corrections to the v0.5.1 surface plus two security findings
@@ -93,15 +93,16 @@ internal static class ImGuiUtil

        foreach (var part in csText.Split(["\r\n", "\r", "\n"], StringSplitOptions.None))
        {
+            // Encoding.GetBytes is virtual, so the returned array's
+            // Length is treated as untrusted by CodeQL for pointer
+            // arithmetic ("cs/unvalidated-local-pointer-arithmetic").
+            // Compute the expected byte count against the same encoder
+            // and bail out if a swapped-in encoding ever returned a
+            // mismatched buffer. Also drops empty splits so the textEnd
+            // pointer below cannot collapse onto text.
+            var expectedLength = Encoding.UTF8.GetByteCount(part);
            var bytes = Encoding.UTF8.GetBytes(part);
-
-            // Empty splits (consecutive newlines) leave bytes.Length at 0
-            // and the textEnd pointer below would coincide with text. The
-            // ImGuiNative word-wrap calls treat that as undefined input,
-            // and the CodeQL "unvalidated local pointer arithmetic" alert
-            // also flags it. Render an empty line and skip the unsafe
-            // block entirely for this iteration.
-            if (bytes.Length == 0)
+            if (expectedLength == 0 || bytes.Length != expectedLength)
            {
                ImGui.TextUnformatted("");
                continue;
@@ -110,7 +111,7 @@ internal static class ImGuiUtil
            fixed (byte* rawText = bytes)
            {
                var text = rawText;
-                var textEnd = text + bytes.Length;
+                var textEnd = text + expectedLength;

                var widthLeft = ImGui.GetContentRegionAvail().X;
                var endPrevLine = ImGuiNative.CalcWordWrapPositionA(ImGui.GetFont().Handle, ImGuiHelpers.GlobalScale, text, textEnd, widthLeft);