Archive for May, 2011

Crash words in the Eloquence speech synthesizer

May 1, 2011

The Eloquence speech synthesizer is an old but popular synth used in many screen readers such as JAWS, Window-Eyes, and System Access, as well as in cellphones and notetakers.

It’s widely used, very understandable at high speeds and responsive. Despite that, it has at least one problem: it can crash when it reads certain words. With the way screen readers are designed, when the synthesizer crashes, your screen reader goes with it. After that happens, it can be difficult to reload, sometimes requiring the dismissal of error dialogs.

This leads to a question. Are the crashes simple crashes, or can they lead to buffer overflows and the ability to execute code via a carefully-crafted string? If code execution is possible, it might be difficult to get through the preprocessing most screen readers do; but there might be something else using it that does less. I don’t have the knowledge and experience to check for myself, but someone might.

What can we do about this? Unless the screen reader vendors release patches, not much, if Eloquence continues to be used. GW Micro has an Eloquence Fix script, which can easily be updated as new words are found. I don’t know of any fixes for the others. Recent versions of JAWS fixed a few of them, but not all. Unless strings are converted from Unicode before checking (e.g. Python’s s.encode('mbcs')), several characters in the Unicode range can be used to substitute for the letters, defeating any simple regular expression. I think that the GW Micro script already does this.

In the following section, delete the slash (/) character from the words listed. I’ve put it there to avoid crashing anyone using Eloquence to read this page. “re: ” at the beginning says that this line is a regular expression describing part of the word. See comments on previous line. These re’s might not be 100% correct, or might pick up false positives. Experiment a bit.

We need to worry about prefixes/suffixes for this one, e.g. re, anti, -ing, etc.
re: c/aesur.+

These next few all have one common pattern: a prefix ("h'", "j'", "s'", "x'", "z'") followed by something else,
followed by "'re" or "'ve". I won't list the prefix/suffix, just the middle part.
Concatenate the middle parts with apostrophes to get endless combinations, e.g. prefix+a'b'c+suffix.
They don't seem to work in a sentence,
but if you can get them to read on their own they should crash. Experiment a bit.
Empty - prefix+suffix
s, d, hs, js, ll, xs, zs
re: bj+s
re: bx+s

Next, we have word+hesday and word+hesway. e.g.
wed/hesday. I think the word needs to end on a consonant.
But we also have, at the end of a word:
re: hh+s[dw]ay

This crashes, e.g. when next to a number or by itself, but not as part of a word. e.g. nietzsche won't crash.
tz/sche
re: \d+:\d+(1st|2nd|3rd|...)
e.g. 2:33 rd
Some of them don't work, like 4th. I don't know why.
re: (un|re|non)cosp
juaras - this one is weird.
Add text after it, it'll eventually crash. Example:
juaras/aaaaaaaaa aa
also juares, juaros, juarus.
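
The Unicode point made earlier, as an added example that is not part of the original post or of any vendor's fix script: a pre-speech filter that folds look-alike characters before applying three of the regular expressions listed above. It assumes NFKC folding as a portable stand-in for the Windows-only s.encode('mbcs'); the function names and the placeholder text are hypothetical.

```python
import re
import unicodedata

# Patterns copied from this page in its slash-obfuscated form; the slash is
# stripped at load time so no trigger word appears contiguously in this file.
PAGE_PATTERNS = [r"c/aesur.+", r"hh+s[dw]ay", r"(un|re|non)cosp"]
COMPILED = [re.compile(p.replace("/", "")) for p in PAGE_PATTERNS]

PLACEHOLDER = "[filtered]"  # hypothetical replacement; any safe token works


def fold(token):
    """Approximate the lossy conversion done before the text is checked.

    Assumption: NFKC compatibility folding stands in for the Windows-only
    s.encode('mbcs') mentioned in the post, so this runs on any platform.
    """
    return unicodedata.normalize("NFKC", token).casefold()


def is_crash_word(token, normalize=True):
    """True if the token matches a listed pattern (after folding, if enabled)."""
    candidate = fold(token) if normalize else token.lower()
    return any(p.search(candidate) for p in COMPILED)


def sanitize(text, normalize=True):
    """Replace every whitespace-separated token that matches a pattern."""
    return " ".join(
        PLACEHOLDER if is_crash_word(tok, normalize) else tok
        for tok in text.split()
    )


def to_fullwidth(word):
    """Build a constructed look-alike sample from fullwidth Latin letters."""
    return "".join(chr(ord(c) + 0xFEE0) for c in word)


if __name__ == "__main__":
    plain = "c/aesura".replace("/", "")  # constructed sample input
    disguised = to_fullwidth(plain)
    for label, word in (("plain", plain), ("fullwidth", disguised)):
        # Columns: match without folding, match with folding.
        print(label, is_crash_word(word, normalize=False), is_crash_word(word))
```

NFKC only covers compatibility forms such as fullwidth letters; other substitutions that the synthesizer's own conversion accepts would need the real code-page conversion on Windows.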

Last updated: June 21, 2015