Browse Source
LookupDictList: Fix out-of-bound access (#1736)
When looking for dotted abbreviations we must limit ourself to the size of the buffer used for translating the abbreviation.master
Juho Hiltunen
1 year ago
1 changed files with 15 additions and 8 deletions
+ 15
- 8
src/libespeak-ng/dictionary.c
View File
| while ((word2[nbytes = utf8_nbytes(word2)] == ' ') && (word2[nbytes+1] == '.')) { | while ((word2[nbytes = utf8_nbytes(word2)] == ' ') && (word2[nbytes+1] == '.')) { | ||||
| // look for an abbreviation of the form a.b.c | // look for an abbreviation of the form a.b.c | ||||
| // try removing the spaces between the dots and looking for a match | // try removing the spaces between the dots and looking for a match | ||||
| if (length + 1 > sizeof(word)) { | |||||
| /* Too long abbreviation, leave as it is */ | |||||
| length = 0; | |||||
| break; | |||||
| } | |||||
| memcpy(&word[length], word2, nbytes); | memcpy(&word[length], word2, nbytes); | ||||
| length += nbytes; | length += nbytes; | ||||
| word[length++] = '.'; | word[length++] = '.'; | ||||
| nbytes = 0; | nbytes = 0; | ||||
| while (((c = word2[nbytes]) != 0) && (c != ' ')) | while (((c = word2[nbytes]) != 0) && (c != ' ')) | ||||
| nbytes++; | nbytes++; | ||||
| memcpy(&word[length], word2, nbytes); | |||||
| word[length+nbytes] = 0; | |||||
| found = LookupDict2(tr, word, word2, ph_out, flags, end_flags, wtab); | |||||
| if (found) { | |||||
| // set the skip words flag | |||||
| flags[0] |= FLAG_SKIPWORDS; | |||||
| dictionary_skipwords = length; | |||||
| return 1; | |||||
| if (length + nbytes + 1 <= sizeof(word)) { | |||||
| memcpy(&word[length], word2, nbytes); | |||||
| word[length+nbytes] = 0; | |||||
| found = LookupDict2(tr, word, word2, ph_out, flags, end_flags, wtab); | |||||
| if (found) { | |||||
| // set the skip words flag | |||||
| flags[0] |= FLAG_SKIPWORDS; | |||||
| dictionary_skipwords = length; | |||||
| return 1; | |||||
| } | |||||
| } | } | ||||
| } | } | ||||
Loading…