From d2cfd87137c43997eeccbc7a3b602814add30a49 Mon Sep 17 00:00:00 2001
From: David Bishop
Date: Sat, 21 Feb 2026 20:53:03 -0800
Subject: [PATCH] Fix out-of-bounds read in VoiceKit::dfu_reboot_()

The reboot_req array had 3 elements but write() was called with a hardcoded length of 4, reading one byte past the array from the stack. Add the missing payload byte required by the XMOS DFU protocol and use sizeof(reboot_req) instead of a hardcoded length to prevent mismatch.

Co-Authored-By: Claude Opus 4.6
---
 esphome/components/voice_kit/voice_kit.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/esphome/components/voice_kit/voice_kit.cpp b/esphome/components/voice_kit/voice_kit.cpp
index 08add5ae..d6c0354e 100644
--- a/esphome/components/voice_kit/voice_kit.cpp
+++ b/esphome/components/voice_kit/voice_kit.cpp
@@ -328,9 +328,9 @@ bool VoiceKit::dfu_get_version_() {
 }
 
 bool VoiceKit::dfu_reboot_() {
- const uint8_t reboot_req[] = {DFU_CONTROLLER_SERVICER_RESID, DFU_CONTROLLER_SERVICER_RESID_DFU_REBOOT, 1};
+ const uint8_t reboot_req[] = {DFU_CONTROLLER_SERVICER_RESID, DFU_CONTROLLER_SERVICER_RESID_DFU_REBOOT, 1, 0};
 
- auto error_code = this->write(reboot_req, 4);
+ auto error_code = this->write(reboot_req, sizeof(reboot_req));
 if (error_code != i2c::ERROR_OK) {
 ESP_LOGE(TAG, "Reboot request failed");
 return false;
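Review bot: The trailing `1, 0` in the new `reboot_req` initializer are undocumented magic bytes, and nothing pins the frame to the four bytes the device expects. `sizeof(reboot_req)` keeps the length in step with the array, but it would equally follow an accidental edit of the initializer onto the wire. I would add a comment above the array such as `// frame: resource id, command id, payload length, payload byte` (the layout is inferred from the commit message, so please confirm it against the XMOS DFU documentation) and a `static_assert(sizeof(reboot_req) == 4, "DFU reboot frame must be 4 bytes");` after it. The other DFU helpers in this file, such as `dfu_get_version_()`, lie outside this hunk; if they also pass a literal length to `write()`, they deserve the same check for the mismatch fixed here. The body of `dfu_reboot_()` continues past the end of the hunk.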