Fix out-of-bounds read in VoiceKit::load_buf_()#553
Open
teancom wants to merge 2 commits intoesphome:devfrom
Open
Fix out-of-bounds read in VoiceKit::load_buf_()#553teancom wants to merge 2 commits intoesphome:devfrom
teancom wants to merge 2 commits intoesphome:devfrom
Conversation
The copy loop used max_len (128) as its bound instead of buf_len (the actual number of remaining bytes), reading past the end of firmware_bin_ on the final chunk. Also fix the offset guard to reject offset == firmware_bin_length_ where zero bytes remain. Replace byte-by-byte loop with memcpy, which the compiler can optimize to word-sized copies. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The copy loop used max_len (128) as its bound instead of buf_len (the actual number of remaining bytes), reading past the end of firmware_bin_ on the final chunk. Also fix the offset guard to reject offset == firmware_bin_length_ where zero bytes remain. Replace byte-by-byte loop with memcpy, which the compiler can optimize to word-sized copies.
Note that, even though we were reading past the bounds we just dropped the extra bytes without using them. This is a correctness and (tiny) speed-up thing, not a security / safety thing.