diff options
| author | William Wilgus <wilgus.william@gmail.com> | 2021-03-04 21:08:36 -0500 |
|---|---|---|
| committer | William Wilgus <me.theuser@yahoo.com> | 2021-03-05 02:22:20 +0000 |
| commit | b2732222e99faa361be445d98b39274ab0b268d9 (patch) | |
| tree | 3f4b79b4e4c072777b6ecef73360316c8e24e788 | |
| parent | 56a1e87501007188df9160b76bfb0c1118097fe0 (diff) | |
| download | rockbox-b2732222e99faa361be445d98b39274ab0b268d9.tar.gz rockbox-b2732222e99faa361be445d98b39274ab0b268d9.zip | |
Talk.c Guard against use after free / failure to load voicefile
load_voicefile_data wasn't checked for success leading
to a use after free situation
get_clip now checks for valid index_handle before using it
Change-Id: Id66dba6dbd6becfc9e0fe922fbc1d0adec1f0393
| -rw-r--r-- | apps/talk.c | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/apps/talk.c b/apps/talk.c index 947f1665af..f9d7100800 100644 --- a/apps/talk.c +++ b/apps/talk.c | |||
| @@ -443,7 +443,7 @@ static int get_clip(long id, struct queue_entry *q) | |||
| 443 | size_t clipsize; | 443 | size_t clipsize; |
| 444 | 444 | ||
| 445 | index = id2index(id); | 445 | index = id2index(id); |
| 446 | if (index == -1) | 446 | if (index == -1 || index_handle <= 0) |
| 447 | return -1; | 447 | return -1; |
| 448 | 448 | ||
| 449 | clipbuf = core_get_data(index_handle); | 449 | clipbuf = core_get_data(index_handle); |
| @@ -891,6 +891,7 @@ int talk_id(int32_t id, bool enqueue) | |||
| 891 | int32_t unit; | 891 | int32_t unit; |
| 892 | int decimals; | 892 | int decimals; |
| 893 | struct queue_entry clip; | 893 | struct queue_entry clip; |
| 894 | bool isloaded = false; | ||
| 894 | 895 | ||
| 895 | if (!has_voicefile) | 896 | if (!has_voicefile) |
| 896 | return 0; /* no voicefile loaded, not an error -> pretent success */ | 897 | return 0; /* no voicefile loaded, not an error -> pretent success */ |
| @@ -904,11 +905,11 @@ int talk_id(int32_t id, bool enqueue) | |||
| 904 | int fd = open_voicefile(); | 905 | int fd = open_voicefile(); |
| 905 | if (fd < 0 || !load_voicefile_index(fd)) | 906 | if (fd < 0 || !load_voicefile_index(fd)) |
| 906 | return -1; | 907 | return -1; |
| 907 | load_voicefile_data(fd); | 908 | isloaded = load_voicefile_data(fd); |
| 908 | close(fd); | 909 | close(fd); |
| 909 | } | 910 | } |
| 910 | 911 | ||
| 911 | if (id == -1) /* -1 is an indication for silence */ | 912 | if (id == -1 || !isloaded) /* -1 is an indication for silence */ |
| 912 | return -1; | 913 | return -1; |
| 913 | 914 | ||
| 914 | decimals = (((uint32_t)id) >> DECIMAL_SHIFT) & 0x7; | 915 | decimals = (((uint32_t)id) >> DECIMAL_SHIFT) & 0x7; |