Headline
CVE-2023-49993: global-buffer-overflow exists in the function ReadClause in readclause.c · Issue #1826 · espeak-ng/espeak-ng
Espeak-ng 1.52-dev was discovered to contain a Buffer Overflow via the function ReadClause at readclause.c.
System info
Ubuntu x86_64, clang 12.0
version: espeak-ng(1.52-dev)
Command line
./espeak-ng -f poc -w /dev/null
PoC
poc:poc
AddressSanitizer output
==4070638==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000fe1cb0 at pc 0x0000005389ce bp 0x7ffd05945410 sp 0x7ffd05945408
WRITE of size 4 at 0x000000fe1cb0 thread T0
#0 0x5389cd in ReadClause /src/espeak-ng/src/libespeak-ng/readclause.c:668:30
#1 0x571b2d in TranslateClause /src/espeak-ng/src/libespeak-ng/translate.c:984:15
#2 0x56fe0b in SpeakNextClause /src/espeak-ng/src/libespeak-ng/synthesize.c:1560:2
#3 0x543527 in Synthesize /src/espeak-ng/src/libespeak-ng/speech.c:489:9
#4 0x544552 in sync_espeak_Synth /src/espeak-ng/src/libespeak-ng/speech.c:571:29
#5 0x544552 in espeak_ng_Synthesize /src/espeak-ng/src/libespeak-ng/speech.c:669:10
#6 0x51fa9e in espeak_Synth /src/espeak-ng/src/libespeak-ng/espeak_api.c:90:32
#7 0x4cde94 in main /src/espeak-ng/src/espeak-ng.c:779:3
#8 0x7f79f766d082 in __libc_start_main /build/glibc-BHL3KM/glibc-2.31/csu/…/csu/libc-start.c:308:16
#9 0x41d64d in _start (/src/espeak-ng/src/espeak-ng+0x41d64d)
0x000000fe1cb0 is located 48 bytes to the left of global variable 'option_linelength' defined in 'src/libespeak-ng/translate.c:99:5' (0xfe1ce0) of size 4
0x000000fe1cb0 is located 0 bytes to the right of global variable 'option_punctlist' defined in 'src/libespeak-ng/translate.c:96:9' (0xfe1bc0) of size 240
SUMMARY: AddressSanitizer: global-buffer-overflow /src/espeak-ng/src/libespeak-ng/readclause.c:668:30 in ReadClause
Shadow bytes around the buggy address:
0x0000801f4340: 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
0x0000801f4350: 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
0x0000801f4360: 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
0x0000801f4370: 04 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x0000801f4380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0000801f4390: 00 00 00 00 00 00[f9]f9 f9 f9 f9 f9 04 f9 f9 f9
0x0000801f43a0: f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
0x0000801f43b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000801f43c0: 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 00 00 04 f9
0x0000801f43d0: f9 f9 f9 f9 00 00 04 f9 f9 f9 f9 f9 00 00 00 00
0x0000801f43e0: 00 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==4070638==ABORTING
Related news
Ubuntu Security Notice 6858-1 - It was discovered that eSpeak NG did not properly manage memory under certain circumstances. An attacker could possibly use this issue to cause a denial of service, or execute arbitrary code.