Red Hat Bugzilla – Bug 227316
espeak stack smash
Last modified: 2007-11-30 17:11:56 EST
Description of problem:
I was demonstrating espeak to my older children when my 2-year old said, "I push
a button, too!" and smacked the keyboard. This output then appeared on my terminal:
*** stack smashing detected ***: /usr/bin/espeak terminated
It took me some time to figure out how he did it, but I can now reproduce the
crash at will. Enter 33 forward slashes (/) and press return. 32 won't crash
it, but 33 will. The core file is useless, due to the smashed stack. However,
triggering the crash in gdb gives this backtrace:
#0 0x0032a402 in __kernel_vsyscall ()
#1 0x00673d40 in raise () from /lib/libc.so.6
#2 0x00675591 in abort () from /lib/libc.so.6
#3 0x006a933b in __libc_message () from /lib/libc.so.6
#4 0x0072da71 in __stack_chk_fail () from /lib/libc.so.6
#5 0x001203e4 in __stack_chk_fail_local () from /usr/lib/libespeak.so.1
#6 0x0011599a in Translator::TranslateWord (this=0x8b88130,
word1=0xb738208b '/' <repeats 33 times>, " ", next_pause=8,
wtab=0xb73815ba) at translate.cpp:1460
#7 0x001161cb in Translator::TranslateWord2 (this=0x8b88130,
word=0xb738208b '/' <repeats 33 times>, " ", wtab=0xb73815ba, pre_pause=0,
next_pause=8) at translate.cpp:1571
#8 0x00117084 in Translator::TranslateClause (this=0x8b88130, f_text=0x0,
vp_input=0x8b9d428, tone_out=0xb738231c, voice_change=0xb7382318)
#9 0x00113548 in SpeakNextClause (f_in=0x0, text_in=0x8b9d428, control=0)
#10 0x001043c9 in Synthesize (unique_identifier=<value optimized out>,
text=0x8b9d428, flags=11726) at speak_lib.cpp:331
#11 0x0011de82 in process_espeak_command (the_command=0x2dce)
#12 0x0011f978 in say_thread () at fifo.cpp:446
#13 0x007be3db in start_thread () from /lib/libpthread.so.0
#14 0x0071826e in clone () from /lib/libc.so.6
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Start espeak
2. Enter 33 forward slashes (/)
3. Press ENTER
Glibc reports a stack smash attack and aborts espeak.
Espeak should say "stroke" 33 times.
Haha, there's just *no-one* like a 2-year old to stress-test a system. :-)
Thanks for reporting this. As an update, I've verified this bug happens with the
'&', '@', ':' and '\' characters as well (only 21 chars needed when using '\').
Will look into this as well as report it to upstream.
Bug submitted to upstream, available here:
In the meantime, I'm submitting espeak version 1.19 to the repository (this does
not yet solve this bug, but includes some other refinements).
New bug status: Version-Release number of affected components:
Ok, upstream has acknowledged and fixed this bug; it will be rectified in the
next version, espeak 1.20 (to be released around 7 Feb); I will package this as
soon as it's available.
Until then I'm leaving this bug open...
Great. Thanks for your quick response. My 2-year-old also thanks you. :-)
espeak-1.20-1 built and tested; the problem has been solved. Closing bug.