From c9ca77a4d415b838810fb22f85c728d211433197 Mon Sep 17 00:00:00 2001
From: "Reece H. Dunn"
Date: Wed, 21 Mar 2018 21:16:08 +0000
Subject: [PATCH] Compare variant_name with "!v" only if long enough

Various places call SetVoiceStack with "" for the variant_name. This causes -fsanitize=address to fail with an overflow as the call to memcmp is checking the first 2 bytes, and there is only 1 byte available.
---
 src/libespeak-ng/readclause.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/libespeak-ng/readclause.c b/src/libespeak-ng/readclause.c
index 52362de44..26bc35b96 100644
--- a/src/libespeak-ng/readclause.c
+++ b/src/libespeak-ng/readclause.c
@@ -599,7 +599,7 @@ void SetVoiceStack(espeak_VOICE *v, const char *variant_name)
 sp->voice_age = v->age;
 sp->voice_gender = v->gender;
- if (memcmp(variant_name, "!v", 2) == 0)
+ if (strlen(variant_name) >= 2 && memcmp(variant_name, "!v", 2) == 0)
 variant_name += 3; // strip variant directory name, !v plus PATHSEP
 strncpy0(base_voice_variant_name, variant_name, sizeof(base_voice_variant_name));
 memcpy(&base_voice, ¤t_voice_selected, sizeof(base_voice));
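Review bot: The new guard on the `if` before `variant_name += 3` still lets a `variant_name` of exactly "!v" through: the length check passes at 2, the pointer then advances 3 bytes and lands past the terminating NUL, so the following `strncpy0` would read outside the string. The guard should cover every byte that is skipped, for example `if (strncmp(variant_name, "!v", 2) == 0 && variant_name[2] != '\0')`, which also stops at the terminator without a separate `strlen` pass. Whether any caller passes a bare "!v", or a NULL `variant_name`, is not visible here; SetVoiceStack begins and ends outside the hunk.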