
CVE-2023-49991: stack-buffer-underflow exists in the function CountVowelPosition in synthdata.c · Issue #1825 · espeak-ng/espeak-ng

Espeak-ng 1.52-dev was discovered to contain a Stack Buffer Underflow via the function CountVowelPosition at synthdata.c.


System info
Ubuntu x86_64, clang 12.0
version: espeak-ng(1.52-dev)

Command line
./espeak-ng -f poc -w /dev/null

PoC
poc:poc

AddressSanitizer output
==4070186==ERROR: AddressSanitizer: stack-buffer-underflow on address 0x7ffd7a6c0e80 at pc 0x00000055a66a bp 0x7ffd7a6c0b70 sp 0x7ffd7a6c0b68
READ of size 8 at 0x7ffd7a6c0e80 thread T0
#0 0x55a669 in CountVowelPosition /src/espeak-ng/src/libespeak-ng/synthdata.c:449:14
#1 0x55a669 in InterpretCondition /src/espeak-ng/src/libespeak-ng/synthdata.c:626:12
#2 0x55a669 in InterpretPhoneme /src/espeak-ng/src/libespeak-ng/synthdata.c:832:14
#3 0x55ab57 in InterpretPhoneme2 /src/espeak-ng/src/libespeak-ng/synthdata.c:979:2
#4 0x5fc032 in CalcLengths /src/espeak-ng/src/libespeak-ng/setlengths.c:680:5
#5 0x56fe4e in SpeakNextClause /src/espeak-ng/src/libespeak-ng/synthesize.c:1563:2
#6 0x543527 in Synthesize /src/espeak-ng/src/libespeak-ng/speech.c:489:9
#7 0x544552 in sync_espeak_Synth /src/espeak-ng/src/libespeak-ng/speech.c:571:29
#8 0x544552 in espeak_ng_Synthesize /src/espeak-ng/src/libespeak-ng/speech.c:669:10
#9 0x51fa9e in espeak_Synth /src/espeak-ng/src/libespeak-ng/espeak_api.c:90:32
#10 0x4cde94 in main /src/espeak-ng/src/espeak-ng.c:779:3
#11 0x7fe8046c2082 in __libc_start_main /build/glibc-BHL3KM/glibc-2.31/csu/…/csu/libc-start.c:308:16
#12 0x41d64d in _start (/src/espeak-ng/src/espeak-ng+0x41d64d)

Address 0x7ffd7a6c0e80 is located in stack of thread T0 at offset 0 in frame
#0 0x55a92f in InterpretPhoneme2 /src/espeak-ng/src/libespeak-ng/synthdata.c:964

This frame has 1 object(s):
[32, 192) 'plist' (line 967)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions are supported)
SUMMARY: AddressSanitizer: stack-buffer-underflow /src/espeak-ng/src/libespeak-ng/synthdata.c:449:14 in CountVowelPosition

Shadow bytes around the buggy address:
0x10002f4d0180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10002f4d0190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10002f4d01a0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
0x10002f4d01b0: f8 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 f3 f3
0x10002f4d01c0: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10002f4d01d0:[f1]f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 00
0x10002f4d01e0: 00 00 00 00 00 00 00 00 f3 f3 f3 f3 f3 f3 f3 f3
0x10002f4d01f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10002f4d0200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10002f4d0210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10002f4d0220: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==4070186==ABORTING

Related news

Ubuntu Security Notice USN-6858-1

Ubuntu Security Notice 6858-1 - It was discovered that eSpeak NG did not properly manage memory under certain circumstances. An attacker could possibly use this issue to cause a denial of service, or execute arbitrary code.
