From: Samuel Thibault <samuel.thibault@xxxxxxxxxxxx> commit 9d32c0cde4e2d1343dfb88a67b2ec6397705b32b upstream. get_char was erroneously given the address of the pointer to the text instead of the address of the text, thus leading to random crashes when the user requests speaking a word while the current position is on a space character and say_word_ctl is not enabled. Reported-on: https://github.com/bytefire/speakup/issues/1 Reported-by: Kirk Reiser <kirk@xxxxxxxxxx> Reported-by: Janina Sajka <janina@xxxxxxxxxxx> Reported-by: Alexandr Epaneshnikov <aarnaarn2@xxxxxxxxx> Reported-by: Gregory Nowak <greg@xxxxxxxxx> Reported-by: deedra waters <deedra@xxxxxxxxxxxxxxxx> Signed-off-by: Samuel Thibault <samuel.thibault@xxxxxxxxxxxx> Tested-by: Alexandr Epaneshnikov <aarnaarn2@xxxxxxxxx> Tested-by: Gregory Nowak <greg@xxxxxxxxx> Tested-by: Michael Taboada <michael@michaels.world> Cc: stable <stable@xxxxxxxxxxxxxxx> Link: https://lore.kernel.org/r/20200306003047.thijtmqrnayd3dmw@function Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- drivers/staging/speakup/main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/staging/speakup/main.c +++ b/drivers/staging/speakup/main.c @@ -561,7 +561,7 @@ static u_long get_word(struct vc_data *v return 0; } else if (tmpx < vc->vc_cols - 2 && (ch == SPACE || ch == 0 || (ch < 0x100 && IS_WDLM(ch))) && - get_char(vc, (u_short *)&tmp_pos + 1, &temp) > SPACE) { + get_char(vc, (u_short *)tmp_pos + 1, &temp) > SPACE) { tmp_pos += 2; tmpx++; } else {
