[PATCH 4.9 021/102] staging/speakup: fix get_word non-space look-ahead

From: Greg Kroah-Hartman
Date: Wed Apr 01 2020 - 12:35:27 EST


From: Samuel Thibault <samuel.thibault@xxxxxxxxxxxx>

commit 9d32c0cde4e2d1343dfb88a67b2ec6397705b32b upstream.

get_char was erroneously given the address of the pointer to the text
instead of the address of the text, thus leading to random crashes when
the user requests speaking a word while the current position is on a space
character and say_word_ctl is not enabled.

Reported-on: https://github.com/bytefire/speakup/issues/1
Reported-by: Kirk Reiser <kirk@xxxxxxxxxx>
Reported-by: Janina Sajka <janina@xxxxxxxxxxx>
Reported-by: Alexandr Epaneshnikov <aarnaarn2@xxxxxxxxx>
Reported-by: Gregory Nowak <greg@xxxxxxxxx>
Reported-by: deedra waters <deedra@xxxxxxxxxxxxxxxx>
Signed-off-by: Samuel Thibault <samuel.thibault@xxxxxxxxxxxx>
Tested-by: Alexandr Epaneshnikov <aarnaarn2@xxxxxxxxx>
Tested-by: Gregory Nowak <greg@xxxxxxxxx>
Tested-by: Michael Taboada <michael@xxxxxxxxxxxxxx>
Cc: stable <stable@xxxxxxxxxxxxxxx>
Link: https://lore.kernel.org/r/20200306003047.thijtmqrnayd3dmw@function
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

---
drivers/staging/speakup/main.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)

--- a/drivers/staging/speakup/main.c
+++ b/drivers/staging/speakup/main.c
@@ -565,8 +565,7 @@ static u_long get_word(struct vc_data *v
return 0;
} else if ((tmpx < vc->vc_cols - 2)
&& (ch == SPACE || ch == 0 || IS_WDLM(ch))
- && ((char)get_char(vc, (u_short *) &tmp_pos + 1, &temp) >
- SPACE)) {
+ && ((char)get_char(vc, (u_short *)tmp_pos + 1, &temp) > SPACE)) {
tmp_pos += 2;
tmpx++;
} else