diff options
author | William Wilgus <wilgus.william@gmail.com> | 2021-03-04 21:08:36 -0500 |
---|---|---|
committer | William Wilgus <me.theuser@yahoo.com> | 2021-03-05 02:22:20 +0000 |
commit | b2732222e99faa361be445d98b39274ab0b268d9 (patch) | |
tree | 3f4b79b4e4c072777b6ecef73360316c8e24e788 | |
parent | 56a1e87501007188df9160b76bfb0c1118097fe0 (diff) | |
download | rockbox-b2732222e9.tar.gz rockbox-b2732222e9.zip |
Talk.c Guard against use after free / failure to load voicefile
load_voicefile_data wasn't checked for success leading
to a use after free situation
get_clip now checks for valid index_handle before using it
Change-Id: Id66dba6dbd6becfc9e0fe922fbc1d0adec1f0393
-rw-r--r-- | apps/talk.c | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/apps/talk.c b/apps/talk.c index 947f1665af..f9d7100800 100644 --- a/apps/talk.c +++ b/apps/talk.c @@ -443,7 +443,7 @@ static int get_clip(long id, struct queue_entry *q) size_t clipsize; index = id2index(id); - if (index == -1) + if (index == -1 || index_handle <= 0) return -1; clipbuf = core_get_data(index_handle); @@ -891,6 +891,7 @@ int talk_id(int32_t id, bool enqueue) int32_t unit; int decimals; struct queue_entry clip; + bool isloaded = false; if (!has_voicefile) return 0; /* no voicefile loaded, not an error -> pretent success */ @@ -904,11 +905,11 @@ int talk_id(int32_t id, bool enqueue) int fd = open_voicefile(); if (fd < 0 || !load_voicefile_index(fd)) return -1; - load_voicefile_data(fd); + isloaded = load_voicefile_data(fd); close(fd); } - if (id == -1) /* -1 is an indication for silence */ + if (id == -1 || !isloaded) /* -1 is an indication for silence */ return -1; decimals = (((uint32_t)id) >> DECIMAL_SHIFT) & 0x7; |