From: Samuel Thibault samuel.thibault@ens-lyon.org
commit 9d32c0cde4e2d1343dfb88a67b2ec6397705b32b upstream.
get_char was erroneously given the address of the pointer to the text instead of the address of the text, thus leading to random crashes when the user requests speaking a word while the current position is on a space character and say_word_ctl is not enabled.
Reported-on: https://github.com/bytefire/speakup/issues/1 Reported-by: Kirk Reiser kirk@reisers.ca Reported-by: Janina Sajka janina@rednote.net Reported-by: Alexandr Epaneshnikov aarnaarn2@gmail.com Reported-by: Gregory Nowak greg@gregn.net Reported-by: deedra waters deedra@the-brannons.com Signed-off-by: Samuel Thibault samuel.thibault@ens-lyon.org Tested-by: Alexandr Epaneshnikov aarnaarn2@gmail.com Tested-by: Gregory Nowak greg@gregn.net Tested-by: Michael Taboada michael@michaels.world Cc: stable stable@vger.kernel.org Link: https://lore.kernel.org/r/20200306003047.thijtmqrnayd3dmw@function Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/staging/speakup/main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/staging/speakup/main.c +++ b/drivers/staging/speakup/main.c @@ -567,7 +567,7 @@ static u_long get_word(struct vc_data *v return 0; } else if (tmpx < vc->vc_cols - 2 && (ch == SPACE || ch == 0 || (ch < 0x100 && IS_WDLM(ch))) && - get_char(vc, (u_short *)&tmp_pos + 1, &temp) > SPACE) { + get_char(vc, (u_short *)tmp_pos + 1, &temp) > SPACE) { tmp_pos += 2; tmpx++; } else