Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 227316 - espeak stack smash
Summary: espeak stack smash
Alias: None
Product: Fedora
Classification: Fedora
Component: espeak
Version: 6
Hardware: i686
OS: Linux
Target Milestone: ---
Assignee: Francois Aucamp
QA Contact: Fedora Extras Quality Assurance
Depends On:
TreeView+ depends on / blocked
Reported: 2007-02-05 06:14 UTC by Jerry James
Modified: 2007-11-30 22:11 UTC (History)
0 users

Fixed In Version: 1.20-1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2007-02-08 15:46:17 UTC

Attachments (Terms of Use)

Description Jerry James 2007-02-05 06:14:16 UTC
Description of problem:
I was demonstrating espeak to my older children when my 2-year old said, "I push
a button, too!" and smacked the keyboard.  This output then appeared on my terminal:
*** stack smashing detected ***: /usr/bin/espeak terminated

It took me some time to figure out how he did it, but I can now reproduce the
crash at will.  Enter 33 forward slashes (/) and press return.  32 won't crash
it, but 33 will.  The core file is useless, due to the smashed stack.  However,
triggering the crash in gdb gives this backtrace:

#0  0x0032a402 in __kernel_vsyscall ()
#1  0x00673d40 in raise () from /lib/
#2  0x00675591 in abort () from /lib/
#3  0x006a933b in __libc_message () from /lib/
#4  0x0072da71 in __stack_chk_fail () from /lib/
#5  0x001203e4 in __stack_chk_fail_local () from /usr/lib/
#6  0x0011599a in Translator::TranslateWord (this=0x8b88130, 
    word1=0xb738208b '/' <repeats 33 times>, " ", next_pause=8, 
    wtab=0xb73815ba) at translate.cpp:1460
#7  0x001161cb in Translator::TranslateWord2 (this=0x8b88130, 
    word=0xb738208b '/' <repeats 33 times>, " ", wtab=0xb73815ba, pre_pause=0, 
    next_pause=8) at translate.cpp:1571
#8  0x00117084 in Translator::TranslateClause (this=0x8b88130, f_text=0x0, 
    vp_input=0x8b9d428, tone_out=0xb738231c, voice_change=0xb7382318)
    at translate.cpp:2459
#9  0x00113548 in SpeakNextClause (f_in=0x0, text_in=0x8b9d428, control=0)
    at synthesize.cpp:1431
#10 0x001043c9 in Synthesize (unique_identifier=<value optimized out>, 
    text=0x8b9d428, flags=11726) at speak_lib.cpp:331
#11 0x0011de82 in process_espeak_command (the_command=0x2dce)
    at espeak_command.cpp:543
#12 0x0011f978 in say_thread () at fifo.cpp:446
#13 0x007be3db in start_thread () from /lib/
#14 0x0071826e in clone () from /lib/

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Start espeak
2. Enter 33 forward slashes (/)
3. Press ENTER
Actual results:
Glibc reports a stack smash attack and aborts espeak.

Expected results:
Espeak should say "stroke" 33 times.

Additional info:

Comment 1 Francois Aucamp 2007-02-05 07:46:51 UTC
Haha, there's just *no-one* like a 2-year old to stress-test a system. :-)

Thanks for reporting this. As an update, I've verified this bug happens with the
'&', '@', ':' and '\' characters as well (only 21 chars needed when using '\').

Will look into this as well as report it to upstream.

Comment 2 Francois Aucamp 2007-02-05 09:50:33 UTC
Bug submitted to upstream, available here:

In the meantime, I'm submitting espeak version 1.19 to the repository (this does
not yet solve this bug, but includes some other refinements).

New bug status: Version-Release number of affected components:

Comment 3 Francois Aucamp 2007-02-06 06:41:14 UTC
Ok, upstream has acknowledged and fixed this bug; it will be rectified in the
next version, espeak 1.20 (to be released around 7 Feb); I will package this as
soon as it's available.

Until then I'm leaving this bug open...

Comment 4 Jerry James 2007-02-06 18:36:55 UTC
Great.  Thanks for your quick response.  My 2-year-old also thanks you. :-)

Comment 5 Francois Aucamp 2007-02-08 15:46:17 UTC
espeak-1.20-1 built and tested; the problem has been solved. Closing bug.

Note You need to log in before you can comment on or make changes to this bug.