Bug 227316 - espeak stack smash
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: espeak
Version: 6
Hardware: i686 Linux
Priority: medium
Severity: medium
Assigned To: Francois Aucamp
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-02-05 01:14 EST by Jerry James
Modified: 2007-11-30 17:11 EST
Fixed In Version: 1.20-1
Doc Type: Bug Fix
Last Closed: 2007-02-08 10:46:17 EST

Description Jerry James 2007-02-05 01:14:16 EST
Description of problem:
I was demonstrating espeak to my older children when my 2-year old said, "I push
a button, too!" and smacked the keyboard.  This output then appeared on my terminal:
*** stack smashing detected ***: /usr/bin/espeak terminated

It took me some time to figure out how he did it, but I can now reproduce the
crash at will.  Enter 33 forward slashes (/) and press return.  32 won't crash
it, but 33 will.  The core file is useless, due to the smashed stack.  However,
triggering the crash in gdb gives this backtrace:

#0  0x0032a402 in __kernel_vsyscall ()
#1  0x00673d40 in raise () from /lib/libc.so.6
#2  0x00675591 in abort () from /lib/libc.so.6
#3  0x006a933b in __libc_message () from /lib/libc.so.6
#4  0x0072da71 in __stack_chk_fail () from /lib/libc.so.6
#5  0x001203e4 in __stack_chk_fail_local () from /usr/lib/libespeak.so.1
#6  0x0011599a in Translator::TranslateWord (this=0x8b88130, 
    word1=0xb738208b '/' <repeats 33 times>, " ", next_pause=8, 
    wtab=0xb73815ba) at translate.cpp:1460
#7  0x001161cb in Translator::TranslateWord2 (this=0x8b88130, 
    word=0xb738208b '/' <repeats 33 times>, " ", wtab=0xb73815ba, pre_pause=0, 
    next_pause=8) at translate.cpp:1571
#8  0x00117084 in Translator::TranslateClause (this=0x8b88130, f_text=0x0, 
    vp_input=0x8b9d428, tone_out=0xb738231c, voice_change=0xb7382318)
    at translate.cpp:2459
#9  0x00113548 in SpeakNextClause (f_in=0x0, text_in=0x8b9d428, control=0)
    at synthesize.cpp:1431
#10 0x001043c9 in Synthesize (unique_identifier=<value optimized out>, 
    text=0x8b9d428, flags=11726) at speak_lib.cpp:331
#11 0x0011de82 in process_espeak_command (the_command=0x2dce)
    at espeak_command.cpp:543
#12 0x0011f978 in say_thread () at fifo.cpp:446
#13 0x007be3db in start_thread () from /lib/libpthread.so.0
#14 0x0071826e in clone () from /lib/libc.so.6

Version-Release number of selected component (if applicable):
espeak-1.18-2.fc6

How reproducible:
Always.

Steps to Reproduce:
1. Start espeak
2. Enter 33 forward slashes (/)
3. Press ENTER
  
Actual results:
Glibc reports a stack smash attack and aborts espeak.

Expected results:
Espeak should say "stroke" 33 times.

Additional info:
Comment 1 Francois Aucamp 2007-02-05 02:46:51 EST
Haha, there's just *no-one* like a 2-year old to stress-test a system. :-)

Thanks for reporting this. As an update, I've verified this bug happens with the
'&', '@', ':' and '\' characters as well (only 21 chars needed when using '\').

Will look into this as well as report it to upstream.
Comment 2 Francois Aucamp 2007-02-05 04:50:33 EST
Bug submitted to upstream, available here:
http://sourceforge.net/tracker/index.php?func=detail&aid=1652239&group_id=159649&atid=812675

In the meantime, I'm submitting espeak version 1.19 to the repository (this does
not yet solve this bug, but includes some other refinements).

New bug status: Version-Release number of affected components:
espeak-1.18-2
espeak-1.19-1
Comment 3 Francois Aucamp 2007-02-06 01:41:14 EST
Ok, upstream has acknowledged and fixed this bug; it will be rectified in the
next version, espeak 1.20 (to be released around 7 Feb); I will package this as
soon as it's available.

Until then I'm leaving this bug open...
Comment 4 Jerry James 2007-02-06 13:36:55 EST
Great.  Thanks for your quick response.  My 2-year-old also thanks you. :-)
Comment 5 Francois Aucamp 2007-02-08 10:46:17 EST
espeak-1.20-1 built and tested; the problem has been solved. Closing bug.
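
The reproduction steps from the description and the extra characters from Comment 1, written as a regression sweep that can be rerun against a packaged build. This is an added example, not code from this report or from espeak; it assumes `espeak` is on PATH and accepts `-q` and `--stdin`, and `MAX_LEN` and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: regression sweep for the repeated-punctuation crash in this report.
# Assumptions: espeak is on PATH and supports -q (no audio) and --stdin; if quiet
# mode skips the affected code path on a given build, drop -q.
# MAX_LEN and all function names are chosen for this example.
MAX_LEN=${MAX_LEN:-64}

# repeat_char CHAR N: print CHAR repeated N times (no trailing newline)
repeat_char() {
    n=$2; out=
    while [ "$n" -gt 0 ]; do out="$out$1"; n=$((n - 1)); done
    printf '%s' "$out"
}

# first_failing_length CHAR CMD [ARGS...]: feed CMD one line of 1..MAX_LEN
# copies of CHAR; print the shortest length at which CMD dies from a signal
# (exit status > 128, e.g. 134 for the SIGABRT raised via __stack_chk_fail),
# or "none" if every length exits normally.
first_failing_length() {
    ch=$1; shift
    len=1
    while [ "$len" -le "$MAX_LEN" ]; do
        status=0
        printf '%s\n' "$(repeat_char "$ch" "$len")" | "$@" >/dev/null 2>&1 || status=$?
        if [ "$status" -gt 128 ]; then echo "$len"; return 0; fi
        len=$((len + 1))
    done
    echo none
}

# sweep CMD [ARGS...]: check every character named in the description and
# Comment 1; print "CHAR<TAB>RESULT" per character, return 1 on any crash.
sweep() {
    failed=0
    for c in / '&' @ : '\'; do
        r=$(first_failing_length "$c" "$@")
        printf '%s\t%s\n' "$c" "$r"
        [ "$r" = none ] || failed=1
    done
    return "$failed"
}

if command -v espeak >/dev/null 2>&1; then
    sweep espeak -q --stdin || echo "regression: espeak killed by a signal" >&2
else
    echo "espeak not installed; sweep skipped" >&2
fi
```

On a fixed build every row should read `none`; a number in the second column is the shortest run of that character that killed the process.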
