Bug 227316 - espeak stack smash
Summary: espeak stack smash
Alias: None
Product: Fedora
Classification: Fedora
Component: espeak (Show other bugs)
(Show other bugs)
Version: 6
Hardware: i686 Linux
Target Milestone: ---
Assignee: Francois Aucamp
QA Contact: Fedora Extras Quality Assurance
Depends On:
TreeView+ depends on / blocked
Reported: 2007-02-05 06:14 UTC by Jerry James
Modified: 2007-11-30 22:11 UTC (History)
0 users

Fixed In Version: 1.20-1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-02-08 15:46:17 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Jerry James 2007-02-05 06:14:16 UTC
Description of problem:
I was demonstrating espeak to my older children when my 2-year old said, "I push
a button, too!" and smacked the keyboard.  This output then appeared on my terminal:
*** stack smashing detected ***: /usr/bin/espeak terminated

It took me some time to figure out how he did it, but I can now reproduce the
crash at will.  Enter 33 forward slashes (/) and press return.  32 won't crash
it, but 33 will.  The core file is useless, due to the smashed stack.  However,
triggering the crash in gdb gives this backtrace:

#0  0x0032a402 in __kernel_vsyscall ()
#1  0x00673d40 in raise () from /lib/libc.so.6
#2  0x00675591 in abort () from /lib/libc.so.6
#3  0x006a933b in __libc_message () from /lib/libc.so.6
#4  0x0072da71 in __stack_chk_fail () from /lib/libc.so.6
#5  0x001203e4 in __stack_chk_fail_local () from /usr/lib/libespeak.so.1
#6  0x0011599a in Translator::TranslateWord (this=0x8b88130, 
    word1=0xb738208b '/' <repeats 33 times>, " ", next_pause=8, 
    wtab=0xb73815ba) at translate.cpp:1460
#7  0x001161cb in Translator::TranslateWord2 (this=0x8b88130, 
    word=0xb738208b '/' <repeats 33 times>, " ", wtab=0xb73815ba, pre_pause=0, 
    next_pause=8) at translate.cpp:1571
#8  0x00117084 in Translator::TranslateClause (this=0x8b88130, f_text=0x0, 
    vp_input=0x8b9d428, tone_out=0xb738231c, voice_change=0xb7382318)
    at translate.cpp:2459
#9  0x00113548 in SpeakNextClause (f_in=0x0, text_in=0x8b9d428, control=0)
    at synthesize.cpp:1431
#10 0x001043c9 in Synthesize (unique_identifier=<value optimized out>, 
    text=0x8b9d428, flags=11726) at speak_lib.cpp:331
#11 0x0011de82 in process_espeak_command (the_command=0x2dce)
    at espeak_command.cpp:543
#12 0x0011f978 in say_thread () at fifo.cpp:446
#13 0x007be3db in start_thread () from /lib/libpthread.so.0
#14 0x0071826e in clone () from /lib/libc.so.6

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Start espeak
2. Enter 33 forward slashes (/)
3. Press ENTER
Actual results:
Glibc reports a stack smash attack and aborts espeak.

Expected results:
Espeak should say "stroke" 33 times.

Additional info:

Comment 1 Francois Aucamp 2007-02-05 07:46:51 UTC
Haha, there's just *no-one* like a 2-year old to stress-test a system. :-)

Thanks for reporting this. As an update, I've verified this bug happens with the
'&', '@', ':' and '\' characters as well (only 21 chars needed when using '\').

Will look into this as well as report it to upstream.

Comment 2 Francois Aucamp 2007-02-05 09:50:33 UTC
Bug submitted to upstream, available here:

In the meantime, I'm submitting espeak version 1.19 to the repository (this does
not yet solve this bug, but includes some other refinements).

New bug status: Version-Release number of affected components:

Comment 3 Francois Aucamp 2007-02-06 06:41:14 UTC
Ok, upstream has acknowledged and fixed this bug; it will be rectified in the
next version, espeak 1.20 (to be released around 7 Feb); I will package this as
soon as it's available.

Until then I'm leaving this bug open...

Comment 4 Jerry James 2007-02-06 18:36:55 UTC
Great.  Thanks for your quick response.  My 2-year-old also thanks you. :-)

Comment 5 Francois Aucamp 2007-02-08 15:46:17 UTC
espeak-1.20-1 built and tested; the problem has been solved. Closing bug.

Note You need to log in before you can comment on or make changes to this bug.