From 67b180d63dad28a7e988d4b84653c57dc094dc01 Mon Sep 17 00:00:00 2001 From: mudlord Date: Sun, 16 May 2021 17:55:14 +1000 Subject: [PATCH 1/4] Look into fixing CVE-2021-28927 --- frontend/drivers/platform_win32.c | 29 +++++++++++++++++++++++------ 1 file changed, 23 insertions(+), 6 deletions(-) diff --git a/frontend/drivers/platform_win32.c b/frontend/drivers/platform_win32.c index 710ac40bc6..1e8227cfe3 100644 --- a/frontend/drivers/platform_win32.c +++ b/frontend/drivers/platform_win32.c @@ -1011,13 +1011,13 @@ static bool is_narrator_running_windows(void) static bool accessibility_speak_windows(int speed, const char* speak_text, int priority) { - char cmd[1200]; + char *cmd = NULL; const char *voice = get_user_language_iso639_1(true); const char *language = accessibility_win_language_code(voice); const char *langid = accessibility_win_language_id(voice); bool res = false; const char* speeds[10] = {"-10", "-7.5", "-5", "-2.5", "0", "2", "4", "6", "8", "10"}; - + size_t nbytes_cmd = 0; if (speed < 1) speed = 1; else if (speed > 10) @@ -1035,15 +1035,32 @@ static bool accessibility_speak_windows(int speed, if (USE_POWERSHELL) { + + if (strlen(language) > 0) - snprintf(cmd, sizeof(cmd), - "powershell.exe -NoProfile -WindowStyle Hidden -Command \"Add-Type -AssemblyName System.Speech; $synth = New-Object System.Speech.Synthesis.SpeechSynthesizer; $synth.SelectVoice(\\\"%s\\\"); $synth.Rate = %s; $synth.Speak(\\\"%s\\\");\"", language, speeds[speed-1], (char*) speak_text); + { + nbytes_cmd = snprintf(NULL, 0, + "powershell.exe -NoProfile -WindowStyle Hidden -Command \"Add-Type -AssemblyName System.Speech; $synth = New-Object System.Speech.Synthesis.SpeechSynthesizer; $synth.SelectVoice(\\\"%s\\\"); $synth.Rate = %s; $synth.Speak(\\\"%s\\\");\"", language, speeds[speed-1], (char*) speak_text) + 1; + cmd = malloc(nbytes_cmd); + snprintf(cmd, nbytes_cmd, + "powershell.exe -NoProfile -WindowStyle Hidden -Command \"Add-Type -AssemblyName System.Speech; $synth = New-Object System.Speech.Synthesis.SpeechSynthesizer; $synth.SelectVoice(\\\"%s\\\"); $synth.Rate = %s; $synth.Speak(\\\"%s\\\");\"", language, speeds[speed-1], (char*) speak_text); + } + else - snprintf(cmd, sizeof(cmd), - "powershell.exe -NoProfile -WindowStyle Hidden -Command \"Add-Type -AssemblyName System.Speech; $synth = New-Object System.Speech.Synthesis.SpeechSynthesizer; $synth.Rate = %s; $synth.Speak(\\\"%s\\\");\"", speeds[speed-1], (char*) speak_text); + { + + nbytes_cmd = snprintf(NULL, 0, + "powershell.exe -NoProfile -WindowStyle Hidden -Command \"Add-Type -AssemblyName System.Speech; $synth = New-Object System.Speech.Synthesis.SpeechSynthesizer; $synth.Rate = %s; $synth.Speak(\\\"%s\\\");\"", speeds[speed-1], (char*) speak_text); + cmd = malloc(nbytes_cmd); + snprintf(cmd, nbytes_cmd, + "powershell.exe -NoProfile -WindowStyle Hidden -Command \"Add-Type -AssemblyName System.Speech; $synth = New-Object System.Speech.Synthesis.SpeechSynthesizer; $synth.Rate = %s; $synth.Speak(\\\"%s\\\");\"", speeds[speed-1], (char*) speak_text); + } + if (pi_set) terminate_win32_process(g_pi); res = create_win32_process(cmd); + free(cmd); + cmd = NULL; if (!res) { pi_set = false; From 9fbf3b9732531c6c41a27592b7cabd7a80f194a2 Mon Sep 17 00:00:00 2001 From: mudlord Date: Sun, 16 May 2021 17:58:43 +1000 Subject: [PATCH 2/4] Whoops --- frontend/drivers/platform_win32.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/frontend/drivers/platform_win32.c b/frontend/drivers/platform_win32.c index 1e8227cfe3..24c216c677 100644 --- a/frontend/drivers/platform_win32.c +++ b/frontend/drivers/platform_win32.c @@ -1050,7 +1050,7 @@ static bool accessibility_speak_windows(int speed, { nbytes_cmd = snprintf(NULL, 0, - "powershell.exe -NoProfile -WindowStyle Hidden -Command \"Add-Type -AssemblyName System.Speech; $synth = New-Object System.Speech.Synthesis.SpeechSynthesizer; $synth.Rate = %s; $synth.Speak(\\\"%s\\\");\"", speeds[speed-1], (char*) speak_text); + "powershell.exe -NoProfile -WindowStyle Hidden -Command \"Add-Type -AssemblyName System.Speech; $synth = New-Object System.Speech.Synthesis.SpeechSynthesizer; $synth.Rate = %s; $synth.Speak(\\\"%s\\\");\"", speeds[speed-1], (char*) speak_text) + 1; cmd = malloc(nbytes_cmd); snprintf(cmd, nbytes_cmd, "powershell.exe -NoProfile -WindowStyle Hidden -Command \"Add-Type -AssemblyName System.Speech; $synth = New-Object System.Speech.Synthesis.SpeechSynthesizer; $synth.Rate = %s; $synth.Speak(\\\"%s\\\");\"", speeds[speed-1], (char*) speak_text); From 734401440dff272982c87a625ab03b0a370fc4fc Mon Sep 17 00:00:00 2001 From: mudlord Date: Sun, 16 May 2021 18:20:52 +1000 Subject: [PATCH 3/4] People are never happy. --- frontend/drivers/platform_win32.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/frontend/drivers/platform_win32.c b/frontend/drivers/platform_win32.c index 24c216c677..c5be1e20f7 100644 --- a/frontend/drivers/platform_win32.c +++ b/frontend/drivers/platform_win32.c @@ -1042,6 +1042,7 @@ static bool accessibility_speak_windows(int speed, nbytes_cmd = snprintf(NULL, 0, "powershell.exe -NoProfile -WindowStyle Hidden -Command \"Add-Type -AssemblyName System.Speech; $synth = New-Object System.Speech.Synthesis.SpeechSynthesizer; $synth.SelectVoice(\\\"%s\\\"); $synth.Rate = %s; $synth.Speak(\\\"%s\\\");\"", language, speeds[speed-1], (char*) speak_text) + 1; cmd = malloc(nbytes_cmd); + if(!cmd)return false; snprintf(cmd, nbytes_cmd, "powershell.exe -NoProfile -WindowStyle Hidden -Command \"Add-Type -AssemblyName System.Speech; $synth = New-Object System.Speech.Synthesis.SpeechSynthesizer; $synth.SelectVoice(\\\"%s\\\"); $synth.Rate = %s; $synth.Speak(\\\"%s\\\");\"", language, speeds[speed-1], (char*) speak_text); } @@ -1052,6 +1053,7 @@ static bool accessibility_speak_windows(int speed, nbytes_cmd = snprintf(NULL, 0, "powershell.exe -NoProfile -WindowStyle Hidden -Command \"Add-Type -AssemblyName System.Speech; $synth = New-Object System.Speech.Synthesis.SpeechSynthesizer; $synth.Rate = %s; $synth.Speak(\\\"%s\\\");\"", speeds[speed-1], (char*) speak_text) + 1; cmd = malloc(nbytes_cmd); + if(!cmd)return false; snprintf(cmd, nbytes_cmd, "powershell.exe -NoProfile -WindowStyle Hidden -Command \"Add-Type -AssemblyName System.Speech; $synth = New-Object System.Speech.Synthesis.SpeechSynthesizer; $synth.Rate = %s; $synth.Speak(\\\"%s\\\");\"", speeds[speed-1], (char*) speak_text); } From 3b8bd1a6e877b420b3ba3d7e043a0407b3758ca0 Mon Sep 17 00:00:00 2001 From: mudlord Date: Sun, 16 May 2021 18:28:59 +1000 Subject: [PATCH 4/4] There. --- frontend/drivers/platform_win32.c | 5 ----- 1 file changed, 5 deletions(-) diff --git a/frontend/drivers/platform_win32.c b/frontend/drivers/platform_win32.c index c5be1e20f7..398e516bd7 100644 --- a/frontend/drivers/platform_win32.c +++ b/frontend/drivers/platform_win32.c @@ -1115,13 +1115,8 @@ static bool accessibility_speak_windows(int speed, if (SUCCEEDED(hr)) { wchar_t *wc = utf8_to_utf16_string_alloc(speak_text); - - snprintf(cmd, sizeof(cmd), - "%s", speeds[speed], langid, speak_text); - if (!wc) return false; - hr = ISpVoice_Speak(pVoice, wc, SPF_ASYNC /*SVSFlagsAsync*/, NULL); free(wc); }