len0rd/rockbox
1
0
Fork 1
mirror of https://github.com/Rockbox/rockbox.git synced 2025-10-13 18:17:39 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

Talk.c Guard against use after free / failure to load voicefile

Browse source 
load_voicefile_data wasn't checked for success leading
to a use after free situation

get_clip now checks for valid index_handle before using it

Change-Id: Id66dba6dbd6becfc9e0fe922fbc1d0adec1f0393
This commit is contained in:
William Wilgus 2021-03-04 21:08:36 -05:00 committed by William Wilgus
parent 56a1e87501
commit b2732222e9
1 changed files with 4 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

7
apps/talk.c
View file

@ -443,7 +443,7 @@ static int get_clip(long id, struct queue_entry *q)
size_t clipsize;
index = id2index(id);
if (index == -1)
if (index == -1 || index_handle <= 0)
return -1;
clipbuf = core_get_data(index_handle);
@ -891,6 +891,7 @@ int talk_id(int32_t id, bool enqueue)
int32_t unit;
int decimals;
struct queue_entry clip;
bool isloaded = false;
if (!has_voicefile)
return 0; /* no voicefile loaded, not an error -> pretent success */
@ -904,11 +905,11 @@ int talk_id(int32_t id, bool enqueue)
int fd = open_voicefile();
if (fd < 0 || !load_voicefile_index(fd))
return -1;
load_voicefile_data(fd);
isloaded = load_voicefile_data(fd);
close(fd);
}
if (id == -1) /* -1 is an indication for silence */
if (id == -1 || !isloaded) /* -1 is an indication for silence */
return -1;
decimals = (((uint32_t)id) >> DECIMAL_SHIFT) & 0x7;