sapi: Avoid crash when handling SPEI_WORD_BOUNDARY after speech stopHEADdev

When a SPEI_WORD_BOUNDARY event is received after speech is stopped,
the event may reference text from a previous session, leading to
out-of-bounds access in currentText.sliced().

Pick-to: 6.9 6.8
Change-Id: Id764528fdc6e638d86a8dcccd77985fdf9c0fa3a
Reviewed-by: Volker Hilsheimer <[email protected]>

1 files changed, 4 insertions, 2 deletions

diff --git a/src/plugins/tts/sapi/qtexttospeech_sapi.cpp b/src/plugins/tts/sapi/qtexttospeech_sapi.cpp
index 67d81ea..8def2f8 100644
--- a/src/plugins/tts/sapi/qtexttospeech_sapi.cpp
+++ b/src/plugins/tts/sapi/qtexttospeech_sapi.cpp
@@ -563,8 +563,10 @@ HRESULT QTextToSpeechEngineSapi::NotifyCallback(WPARAM /*wParam*/, LPARAM /*lPar
                 m_state = QTextToSpeech::Ready;
                 break;
             case SPEI_WORD_BOUNDARY:
-                emit sayingWord(currentText.sliced(event.lParam, event.wParam),
-                                event.lParam - textOffset, event.wParam);
+                if (qsizetype(event.lParam + event.wParam) <= currentText.size()) {
+                    emit sayingWord(currentText.sliced(event.lParam, event.wParam),
+                                    event.lParam - textOffset, event.wParam);
+                }
                 break;
             // these are the other TTS events which might be interesting for us at some point
             case SPEI_SENTENCE_BOUNDARY: