From 444e4544d24632d5ba6ce90bb14c12d80fbb006e Mon Sep 17 00:00:00 2001 From: "Reece H. Dunn" Date: Wed, 21 Mar 2018 21:24:03 +0000 Subject: [PATCH] Simplify the !v comparison and check PATHSEP SetVoiceStack looks for "!v" in variant_name and skips the first three characters if "!v" is found. The problem here is that it does not check that the third character is the path separator, so may advance into unknown memory if variant_name is exactly "!v". This fixes that problem by checking for the path separator. It also simplifies the logic by checking the bytes explicitly. NOTE: This is not strictly needed, as the only code paths this is relevant for is in espeak_ng_SetVoiceByName, and the variant name comes from ExtractVoiceVariantName, which sets up the variant name correctly. --- src/libespeak-ng/readclause.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/libespeak-ng/readclause.c b/src/libespeak-ng/readclause.c index 26bc35b96..aa884d59e 100644 --- a/src/libespeak-ng/readclause.c +++ b/src/libespeak-ng/readclause.c @@ -599,7 +599,7 @@ void SetVoiceStack(espeak_VOICE *v, const char *variant_name) sp->voice_age = v->age; sp->voice_gender = v->gender; - if (strlen(variant_name) >= 2 && memcmp(variant_name, "!v", 2) == 0) + if (variant_name[0] == '!' && variant_name[1] == 'v' && variant_name[2] == PATHSEP) variant_name += 3; // strip variant directory name, !v plus PATHSEP strncpy0(base_voice_variant_name, variant_name, sizeof(base_voice_variant_name)); memcpy(&base_voice, ¤t_voice_selected, sizeof(base_voice));