CVE-2023-49990: global-buffer-overflow exists in the function SetUpPhonemeTable in synthdata.c · Issue #1824 · espeak-ng/espeak-ng

Espeak-ng 1.52-dev was discovered to contain a buffer-overflow via the function SetUpPhonemeTable at synthdata.c.


System info
Ubuntu x86_64, clang 12.0
version: espeak-ng(1.52-dev)

Command line
./espeak-ng -f poc -w /dev/null

Poc
poc:poc

AddressSanitizer output
==4070074==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000fd06cc at pc 0x0000005555f3 bp 0x7ffcdce1ca70 sp 0x7ffcdce1ca68
READ of size 4 at 0x000000fd06cc thread T0
#0 0x5555f2 in SetUpPhonemeTable /src/espeak-ng/src/libespeak-ng/synthdata.c:338:43
#1 0x5552d5 in SelectPhonemeTable /src/espeak-ng/src/libespeak-ng/synthdata.c:360:2
#2 0x57eae8 in TranslateWord2 /src/espeak-ng/src/libespeak-ng/translate.c:570:4
#3 0x5797d6 in TranslateClause /src/espeak-ng/src/libespeak-ng/translate.c:1607:6
#4 0x56fe0b in SpeakNextClause /src/espeak-ng/src/libespeak-ng/synthesize.c:1560:2
#5 0x543527 in Synthesize /src/espeak-ng/src/libespeak-ng/speech.c:489:9
#6 0x544552 in sync_espeak_Synth /src/espeak-ng/src/libespeak-ng/speech.c:571:29
#7 0x544552 in espeak_ng_Synthesize /src/espeak-ng/src/libespeak-ng/speech.c:669:10
#8 0x51fa9e in espeak_Synth /src/espeak-ng/src/libespeak-ng/espeak_api.c:90:32
#9 0x4cde94 in main /src/espeak-ng/src/espeak-ng.c:779:3
#10 0x7f1ab886e082 in __libc_start_main /build/glibc-BHL3KM/glibc-2.31/csu/…/csu/libc-start.c:308:16
#11 0x41d64d in _start (/src/espeak-ng/src/espeak-ng+0x41d64d)

0x000000fd06cc is located 140 bytes to the right of global variable ‘phoneme_tab_list’ defined in ‘src/libespeak-ng/synthdata.c:61:18’ (0xfcea20) of size 7200
SUMMARY: AddressSanitizer: global-buffer-overflow /src/espeak-ng/src/libespeak-ng/synthdata.c:338:43 in SetUpPhonemeTable

==4070074==ABORTING
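Added illustration, not code from espeak-ng: the report above says a 4-byte read landed 140 bytes past a 7200-byte global table. The snippet uses a hypothetical table layout and N_TABLES constant (both assumptions, not the project's) to show the bounds check that rejects such an index instead of reading past the array, and recomputes the 140-byte figure from the three numbers ASan prints.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical table layout and size: NOT espeak-ng's definitions.  What
 * matters is the shape: a fixed-size global array indexed by a number that
 * ultimately comes from input data. */
#define N_TABLES 150
typedef struct {
    char name[40];
    int  includes;    /* index of another table this one builds on, or -1 */
    int  n_entries;
} table_entry_t;

static table_entry_t g_table_list[N_TABLES];   /* global array, like phoneme_tab_list */

/* Bounds-checked lookup.  Without the range test, any index >= N_TABLES
 * reads past the end of the global, which is exactly what ASan flags as
 * "global-buffer-overflow ... to the right of global variable".
 * Callers must handle NULL rather than assume an entry always exists. */
static const table_entry_t *lookup_checked(int number)
{
    if (number < 0 || number >= N_TABLES)
        return NULL;
    return &g_table_list[number];
}

/* Bytes past the end of a global, from the three values an ASan report
 * gives: faulting address, the variable's address, and its size.
 * For the report above: 0xfd06cc - 0xfcea20 - 7200 = 140, matching
 * "140 bytes to the right of global variable 'phoneme_tab_list'". */
static long asan_overrun_bytes(uintptr_t fault, uintptr_t base, size_t size)
{
    return (long)(fault - base) - (long)size;
}

int main(void)
{
    strcpy(g_table_list[0].name, "base");
    g_table_list[0].includes = -1;
    printf("overrun past table end: %ld bytes\n",
           asan_overrun_bytes(0xfd06cc, 0xfcea20, 7200));
    printf("lookup(0): %s\n", lookup_checked(0) ? lookup_checked(0)->name : "NULL");
    printf("lookup(%d): %s\n", N_TABLES + 2,
           lookup_checked(N_TABLES + 2) ? "entry" : "NULL (rejected)");
    return 0;
}
```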

Related news

Ubuntu Security Notice USN-6858-1

Ubuntu Security Notice 6858-1 - It was discovered that eSpeak NG did not properly manage memory under certain circumstances. An attacker could possibly use this issue to cause a denial of service, or execute arbitrary code.
