From b2732222e99faa361be445d98b39274ab0b268d9 Mon Sep 17 00:00:00 2001
From: William Wilgus
Date: Thu, 4 Mar 2021 21:08:36 -0500
Subject: Talk.c Guard against use after free / failure to load voicefile load_voicefile_data wasn't checked for success leading to a use after free situation get_clip now checks for valid index_handle before using it
Change-Id: Id66dba6dbd6becfc9e0fe922fbc1d0adec1f0393
---
 apps/talk.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
(limited to 'apps/talk.c')
diff --git a/apps/talk.c b/apps/talk.c
index 947f1665af..f9d7100800 100644
--- a/apps/talk.c
+++ b/apps/talk.c
@@ -443,7 +443,7 @@ static int get_clip(long id, struct queue_entry *q)
 size_t clipsize;
 index = id2index(id);
- if (index == -1)
+ if (index == -1 || index_handle <= 0)
 return -1;
 clipbuf = core_get_data(index_handle);
@@ -891,6 +891,7 @@ int talk_id(int32_t id, bool enqueue)
 int32_t unit;
 int decimals;
 struct queue_entry clip;
+ bool isloaded = false;
 if (!has_voicefile)
 return 0; /* no voicefile loaded, not an error -> pretent success */
@@ -904,11 +905,11 @@ int talk_id(int32_t id, bool enqueue)
 int fd = open_voicefile();
 if (fd < 0 || !load_voicefile_index(fd))
 return -1;
- load_voicefile_data(fd);
+ isloaded = load_voicefile_data(fd);
 close(fd);
 }
- if (id == -1) /* -1 is an indication for silence */
+ if (id == -1 || !isloaded) /* -1 is an indication for silence */
 return -1;
 decimals = (((uint32_t)id) >> DECIMAL_SHIFT) & 0x7;
--
cgit v1.2.3
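Review bot: `isloaded` is declared `false` in the second hunk and is only assigned inside the reload block of the third hunk, so whenever that block is skipped the new `!isloaded` test makes talk_id return -1. The block's opening condition lies outside the hunk, but the open_voicefile() call inside it suggests it runs only when a reload is needed; if so, every call made while the voicefile is already loaded now fails. Declaring it as `bool isloaded = true;` keeps the early return for a failed load_voicefile_data() without affecting the already-loaded path. The trailing comment `/* -1 is an indication for silence */` no longer describes the whole condition and could read `/* -1 means silence; also bail out if the voice data failed to load */`.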