Potential fix for code scanning alert no. 2: Off-by-one comparison against length

[brianhexer]

Potential fix for https://github.com/brianhexer/handwritten-prints/security/code-scanning/2

In general, to fix this type of issue you must ensure that any index used to access an array is strictly less than the array’s .length. A <= comparison against .length allows the index to equal .length, which is out of bounds.

In this specific case, the loop condition wordCount <= splitContent.length should be changed to wordCount < splitContent.length. This guarantees that splitContent[wordCount] is only evaluated for valid indices 0 .. splitContent.length - 1. No other logic needs to be altered to preserve behavior: the loop already has internal controls (scrollHeight vs clientHeight, and a later wordCount--) that manage pagination and word distribution. The fix is a one‑character change on the while condition inside generateImages in js/generate-images.mjs; no new methods or imports are required.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

[gemini-code-assist]

Summary of Changes

Hello @brianhexer, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request implements a critical fix to prevent a potential out-of-bounds array access error. By adjusting a single character in a loop condition, it resolves a code scanning alert, ensuring that array elements are only accessed at valid indices. The change is highly targeted and maintains the existing logic for pagination and word distribution, improving the robustness of the generateImages function without altering its intended behavior.

Highlights

• Security Fix: Addresses a code scanning alert (no. 2) related to an off-by-one comparison against an array's length, which could lead to out-of-bounds access.
• Loop Condition Correction: The while loop condition wordCount <= splitContent.length in js/generate-images.mjs has been changed to wordCount < splitContent.length. This ensures that array indexing for splitContent[wordCount] remains within valid bounds.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request correctly addresses the critical 'Off-by-one comparison against length' security vulnerability. The change in js/generate-images.mjs from wordCount <= splitContent.length to wordCount < splitContent.length is the correct way to prevent an out-of-bounds array access. The fix is precise and effectively resolves the reported code scanning alert. While this change is correct, I noticed a separate potential issue in the surrounding code: split(/(\s+)/) is used to split the content, which preserves whitespace, but wordArray.join(' ') is used to put it back together. This likely introduces unwanted extra spaces. This is out of scope for the current PR but would be a good candidate for a follow-up fix.

[Copilot]

Pull request overview

This PR fixes an off-by-one error in the array bounds check within the multi-page generation logic. The security issue allowed the loop to continue when wordCount equals splitContent.length, leading to an out-of-bounds array access at splitContent[wordCount].

Changes:

• Changed loop condition from wordCount <= splitContent.length to wordCount < splitContent.length in the generateImages function

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.