John Bowler
And, indeed; I did a "make install" (to install-8.4.0, as configured) and ran bin/espeak-ng; the test script has the missing '#' characters, the simplified test does not. Swapping to my...
In 8.4.0 a breakpoint at SubstitutePhonemes shows that replace_phonemes[0] is badly formed. Here's the 11.1.0 version which does the substitute of a -> a#; ``` (gdb) print replace_phonemes[0] $2 =...
The problem is a write-beyond-end of **ph_list2**. This contains 1000 elements and with both 8.4.0 and 11.1.0 the code seems to write beyond the end. The difference is that the...
Here's the debug approach with 8.4.0 compiled -O0, starting with a breakpoint on TranslateClause: ``` (gdb) run -xq -v ru -f /tmp/fragment.txt Starting program: /home/jbowler/src/espeak-ng/install-8.4.0-debug/bin/espeak-ng -xq -v ru -f /tmp/fragment.txt...
It seems to be happening because of all the Latin "C" characters; they switch the phoneme table. There are checks in TranslateWord2 for overflow of ph_list2 in some places but...
The attached patch does not protect against malware (crackers) but it should detect the overwrite with moderate to good reliability. [translate.c.patch.txt](https://github.com/espeak-ng/espeak-ng/files/6529217/translate.c.patch.txt) Some manner of malware protection could be achieved using...
Add this line after the declaration of n_ph_list2 in translate.c to stop malware: `#define n_ph_list2 (*(n_ph_list2 > N_PHONEME_LIST ? abort(),0 : &n_ph_list2))` I think even a function call to a...
I pushed a temporary fix. Please check the pull request. Verified against 8.4.0; make all (-O0), make check. I've pulled to 11.1.0 and verified; fine there too.
The fundamental problem is that the code in TranslateWord2 is not reliably checking for end-of-output-buffer. Unless you do that the only suggestion above that works is (4). Even then there...
Fixed by the pull requests, if adopted.
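The comments above describe writes past the end of a 1000-element output list because not every write checks for end-of-buffer. The following is an added illustration, not code from espeak-ng or from the pull requests: every write goes through one checked append that also reserves room for a terminator. The names `ph_entry`, `ph_buffer`, `ph_init`, `ph_append` and `ph_fill` are hypothetical, and `N_PHONEME_LIST` being 1000 is an assumption taken from the element count quoted above.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define N_PHONEME_LIST 1000 /* assumed capacity, per the 1000 elements cited above */

/* Hypothetical stand-in for one output record; not espeak-ng's real type. */
typedef struct { unsigned char phcode; unsigned char flags; } ph_entry;

typedef struct {
    ph_entry items[N_PHONEME_LIST];
    size_t count;   /* valid entries, always <= N_PHONEME_LIST */
    int truncated;  /* set once any append has been refused */
} ph_buffer;

void ph_init(ph_buffer *b) { memset(b, 0, sizeof *b); }

/* Append one entry while keeping `reserve` slots free for terminators the
   caller still has to write. Returns 1 if stored, 0 if refused. */
int ph_append(ph_buffer *b, ph_entry e, size_t reserve)
{
    if (reserve > N_PHONEME_LIST || b->count >= N_PHONEME_LIST - reserve) {
        b->truncated = 1; /* record the overflow attempt instead of writing */
        return 0;
    }
    b->items[b->count++] = e;
    return 1;
}

/* Constructed input: emit `n` phonemes, then close with one terminator.
   Returns the number of entries actually stored. */
size_t ph_fill(ph_buffer *b, size_t n)
{
    ph_entry ph = { 1, 0 }, end = { 0, 0 };
    for (size_t i = 0; i < n; i++)
        if (!ph_append(b, ph, 1)) /* stop at the first refused write */
            break;
    ph_append(b, end, 0);         /* the reserved slot always has room */
    return b->count;
}

int main(void)
{
    ph_buffer b;
    ph_init(&b);
    size_t stored = ph_fill(&b, 5000); /* five times the capacity */
    printf("stored=%zu truncated=%d\n", stored, b.truncated);
    return 0;
}
```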