Added a check for the length of config in case of heap overflow.

Bug: 26070127 Change-Id: Idcd36be58f1c2e9f085eda51d7453f65fc82e5b0
author: Xingyang Cai <xycai@google.com> 2016-01-04 18:10:01 +0000
committer: Xingyang Cai <xycai@google.com> 2016-01-06 12:19:19 +0000
commit: 5a2cd5c411cc3d01a4b9dcda0c641237fac51efe (patch)
tree: a82ecd0d52e324084fce5b44306aacb221dc45e9
parent: 2ff9b2e63b70c9a78a8c731f92d7e2b888db6351 (diff)
download: svox-5a2cd5c411cc3d01a4b9dcda0c641237fac51efe.tar.gz
1 files changed, 7 insertions, 1 deletions
diff --git a/pico/tts/com_svox_picottsengine.cpp b/pico/tts/com_svox_picottsengine.cpp
index 2d8a510..984ecc5 100644
--- a/pico/tts/com_svox_picottsengine.cpp
+++ b/pico/tts/com_svox_picottsengine.cpp
@@ -1068,7 +1068,13 @@ tts_result TtsEngine::init( synthDoneCB_t synthDoneCBPtr, const char *config )
 
     // was the initialization given an alternative path for the lingware location?
     if ((config != NULL) && (strlen(config) > 0)) {
-        pico_alt_lingware_path = (char*)malloc(strlen(config));
+        int max_filename_length = PICO_MAX_DATAPATH_NAME_SIZE + PICO_MAX_FILE_NAME_SIZE;
+        if (strlen(config) >= max_filename_length) {
+            ALOGE("The length of engine config is too long (should be less than %d bytes).",
+                max_filename_length);
+            return TTS_FAILURE;
+        }
+        pico_alt_lingware_path = (char*)malloc(strlen(config) + 1);
         strcpy((char*)pico_alt_lingware_path, config);
         ALOGV("Alternative lingware path %s", pico_alt_lingware_path);
     } else {
author	Xingyang Cai <xycai@google.com>	2016-01-04 18:10:01 +0000
committer	Xingyang Cai <xycai@google.com>	2016-01-06 12:19:19 +0000
commit	5a2cd5c411cc3d01a4b9dcda0c641237fac51efe (patch)
tree	a82ecd0d52e324084fce5b44306aacb221dc45e9
parent	2ff9b2e63b70c9a78a8c731f92d7e2b888db6351 (diff)
download	svox-5a2cd5c411cc3d01a4b9dcda0c641237fac51efe.tar.gz