Fix out-of-bounds read when processing malformed SSML.

CHANGELOG.md

 *  New Language option: "lowercaseSentence" for ending a sentence if a period is followed by a lower case letter.
 *  Added voice variants
 
+bug fixes:
+*  Fix reading malformed SSML (Christopher Brannon)
+*  Fix memory allocation (Christopher Brannon)
+
 documentation:
 * Add documentation about voice and language options.
 * Add documentation about dictionary flags.

src/libespeak-ng/readclause.c

 	tr->clause_lower_count = 0;
 	*tone_type = 0;
 
-	if (ungot_char2 != 0)
+	if (ungot_char2 != 0) {
 		c2 = ungot_char2;
-	else
+	} else if (Eof()) {
+		c2 = 0;
+	} else {
 		c2 = GetC();
+	}
 
 	while (!Eof() || (ungot_char != 0) || (ungot_char2 != 0) || (ungot_string_ix >= 0)) {
 		if (!iswalnum(c1)) {
 
 		if ((ungot_string_ix == 0) && (ungot_char2 == 0))
 			c1 = ungot_string[ungot_string_ix++];
-		if (ungot_string_ix >= 0)
+		if (ungot_string_ix >= 0) {
 			c2 = ungot_string[ungot_string_ix++];
-		else {
+		} else if (Eof()) {
+			c2 = ' ';
+		} else {
 			c2 = GetC();
-
-			if (Eof())
-				c2 = ' ';
 		}
+
 		ungot_char2 = 0;
 
 		if ((option_ssml) && (phoneme_mode == 0)) {
 					c1 = GetC();
 				}
 				xml_buf2[n_xml_buf] = 0;
-				c2 = GetC();
+				if (Eof()) {
+					c2 = '\0';
+				} else {
+					c2 = GetC();
+				}
 				sprintf(ungot_string, "%s%c%c", &xml_buf2[0], c1, c2);
 
 				int found = -1;

tests/ssml/badly-escaped1.expected

+kəmpˈa͡ɪl ænd flˈæʃ lˈɪnɪɪd͡ʒ ˈændɹɔ͡ɪd ˌo͡ʊˈɛs

tests/ssml/badly-escaped1.ssml

+compile&flash Lineage Android OS

tests/ssml/badly-escaped2.expected

+kəmpˈa͡ɪl ænd flˈæʃ

tests/ssml/badly-escaped2.ssml

+compile&flash