pango: Fix out-of-bounds access in itemize functions

Renyi Zhao · sdroege · commit e60ccb29b1be · 2025-09-05T16:13:21.000+03:00
diff --git a/pango/Gir.toml b/pango/Gir.toml
@@ -96,11 +96,13 @@ status = "generate"
     ignore = true
     [[object.function]]
     name = "itemize"
+    manual = true
         [[object.function.parameter]]
         name = "cached_iter"
         const = true
     [[object.function]]
     name = "itemize_with_base_dir"
+    manual = true
         [[object.function.parameter]]
         name = "cached_iter"
         const = true
diff --git a/pango/src/auto/functions.rs b/pango/src/auto/functions.rs
@@ -2,9 +2,7 @@
 // from gir-files (https://github.com/gtk-rs/gir-files)
 // DO NOT EDIT
 
-use crate::{
-    ffi, AttrIterator, AttrList, Context, Direction, Item, Stretch, Style, Variant, Weight,
-};
+use crate::{ffi, AttrList, Direction, Stretch, Style, Variant, Weight};
 use glib::translate::*;
 
 //#[cfg_attr(feature = "v1_44", deprecated = "Since 1.44")]
@@ -56,50 +54,6 @@ pub fn is_zero_width(ch: char) -> bool {
     unsafe { from_glib(ffi::pango_is_zero_width(ch.into_glib())) }
 }
 
-#[doc(alias = "pango_itemize")]
-pub fn itemize(
-    context: &Context,
-    text: &str,
-    start_index: i32,
-    length: i32,
-    attrs: &AttrList,
-    cached_iter: Option<&AttrIterator>,
-) -> Vec<Item> {
-    unsafe {
-        FromGlibPtrContainer::from_glib_full(ffi::pango_itemize(
-            context.to_glib_none().0,
-            text.to_glib_none().0,
-            start_index,
-            length,
-            attrs.to_glib_none().0,
-            mut_override(cached_iter.to_glib_none().0),
-        ))
-    }
-}
-
-#[doc(alias = "pango_itemize_with_base_dir")]
-pub fn itemize_with_base_dir(
-    context: &Context,
-    base_dir: Direction,
-    text: &str,
-    start_index: i32,
-    length: i32,
-    attrs: &AttrList,
-    cached_iter: Option<&AttrIterator>,
-) -> Vec<Item> {
-    unsafe {
-        FromGlibPtrContainer::from_glib_full(ffi::pango_itemize_with_base_dir(
-            context.to_glib_none().0,
-            base_dir.into_glib(),
-            text.to_glib_none().0,
-            start_index,
-            length,
-            attrs.to_glib_none().0,
-            mut_override(cached_iter.to_glib_none().0),
-        ))
-    }
-}
-
 #[doc(alias = "pango_markup_parser_finish")]
 pub fn markup_parser_finish(
     context: &glib::MarkupParseContext,
diff --git a/pango/src/functions.rs b/pango/src/functions.rs
@@ -6,7 +6,7 @@ use std::{ffi::c_char, ptr};
 pub use crate::auto::functions::*;
 #[cfg(feature = "v1_44")]
 use crate::ShapeFlags;
-use crate::{ffi, Analysis, GlyphString, Item};
+use crate::{ffi, Analysis, AttrIterator, AttrList, Context, Direction, GlyphString, Item};
 
 #[doc(alias = "pango_reorder_items")]
 pub fn reorder_items(logical_items: &glib::List<Item>) -> glib::List<Item> {
@@ -93,3 +93,65 @@ pub fn extents_to_pixels(
         ffi::pango_extents_to_pixels(inclusive.to_glib_none_mut().0, nearest.to_glib_none_mut().0);
     }
 }
+
+#[doc(alias = "pango_itemize")]
+pub fn itemize(
+    context: &Context,
+    text: &str,
+    start_index: i32,
+    length: i32,
+    attrs: &AttrList,
+    cached_iter: Option<&AttrIterator>,
+) -> Vec<Item> {
+    let total_length = text.len() as i32;
+    assert!(
+        start_index >= 0 && start_index < total_length,
+        "start_index is out of range"
+    );
+    assert!(
+        length >= 0 && start_index.checked_add(length).unwrap() < total_length,
+        "start_index + length is out of range"
+    );
+    unsafe {
+        FromGlibPtrContainer::from_glib_full(ffi::pango_itemize(
+            context.to_glib_none().0,
+            text.to_glib_none().0,
+            start_index,
+            length,
+            attrs.to_glib_none().0,
+            mut_override(cached_iter.to_glib_none().0),
+        ))
+    }
+}
+
+#[doc(alias = "pango_itemize_with_base_dir")]
+pub fn itemize_with_base_dir(
+    context: &Context,
+    base_dir: Direction,
+    text: &str,
+    start_index: i32,
+    length: i32,
+    attrs: &AttrList,
+    cached_iter: Option<&AttrIterator>,
+) -> Vec<Item> {
+    let total_length = text.len() as i32;
+    assert!(
+        start_index >= 0 && start_index < total_length,
+        "start_index is out of range"
+    );
+    assert!(
+        length >= 0 && start_index.checked_add(length).unwrap() < total_length,
+        "start_index + length is out of range"
+    );
+    unsafe {
+        FromGlibPtrContainer::from_glib_full(ffi::pango_itemize_with_base_dir(
+            context.to_glib_none().0,
+            base_dir.into_glib(),
+            text.to_glib_none().0,
+            start_index,
+            length,
+            attrs.to_glib_none().0,
+            mut_override(cached_iter.to_glib_none().0),
+        ))
+    }
+}
