From fefd856d67f495060b39aa6df01b1079744cb818 Mon Sep 17 00:00:00 2001 From: Michael Weghorn Date: Wed, 11 Oct 2023 15:51:08 +0200 Subject: [PATCH] a11y: Convert negative text deletion index to actual offset `gtk_editable_delete_text` can be called with a negative `end_pos`, in which case the characters from the start pos to the end of the text are removed. [1] It e.g. gets called this way from `gtk_editable_set_text`. So far, that negative index was not converted, but passed as is in the AT-SPI callback `delete_text_cb` when calling the `text_changed` handler (`emit_text_changed` in `gtk/a11y/gtkatspicontext.c`) which just uses the index as is, also in it's call to `g_strndup`, resulting in a crash when negative indices are used. Fix this by converting negative values to the actual end index in `delete_text_cb` before calling the handler. [1] https://docs.gtk.org/gtk3/method.Editable.delete_text.html Fixes: #6149 --- gtk/a11y/gtkatspitext.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/gtk/a11y/gtkatspitext.c b/gtk/a11y/gtkatspitext.c index 3b7364f826..18d101323a 100644 --- a/gtk/a11y/gtkatspitext.c +++ b/gtk/a11y/gtkatspitext.c @@ -1629,6 +1629,10 @@ delete_text_cb (GtkEditable *editable, return; text = gtk_editable_get_chars (editable, start, end); + + if (end < 0) + end = g_utf8_strlen(text, -1); + changed->text_changed (changed->data, "delete", start, end - start, text); g_free (text); }
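Review bot: In the added `if (end < 0)` branch of `delete_text_cb`, `end` is set to the length of `text`, but `text` was fetched with `gtk_editable_get_chars (editable, start, end)` and so holds only the characters from `start` onward. Its length is the number of deleted characters, not the absolute end index the commit message describes. The following call passes `end - start` as the length, so for any `start > 0` the reported length is too small by `start` and can go negative, which is the same kind of value that reached `g_strndup` before this change. Suggest `end = start + g_utf8_strlen (text, -1);` so that `end - start` equals the length of `text`, or pass the character count directly. Style point on the same line: the surrounding calls put a space before the opening parenthesis, so `g_utf8_strlen(text, -1)` should be written `g_utf8_strlen (text, -1)`.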