```
* thread #142, name = 'com.apple.TextToSpeech.SpeechThread', stop reason = EXC_BAD_ACCESS (code=2, address=0x1410fc000)
  * frame #0: 0x00000001b4bfd730 libsystem_platform.dylib`_platform_strlen + 48
    frame #1: 0x000000023205c248 TextToSpeechMauiSupport`IsThisUrlOrRealPath + 52
    frame #2: 0x0000000232498b10 TextToSpeechMauiSupport`ve_ttsResourceLoad + 368
    frame #3: 0x000000023202f410 TextToSpeechMauiSupport`-[TTSMauiVocalizer _ttsVocalizerReallyLoadResource:rules:resource:supportsAccurateWordCallbacks:resourceIdentifier:] + 388
    frame #4: 0x0000000231532a4c TextToSpeechBundleSupport`-[TTSVocalizer _ttsVocalizerLoadProgrammaticRules:forTests:] + 232
    frame #5: 0x000000023152e01c TextToSpeechBundleSupport`-[TTSSpeechServerInstance _initializeSpeechEngine:] + 3756
    frame #6: 0x000000023152eb70 TextToSpeechBundleSupport`-[TTSSpeechServerInstance _initializeSpeech:] + 56
    frame #7: 0x000000023152a41c TextToSpeechBundleSupport`-[TTSSpeechServerInstance _processCurrentRequest:] + 84
    frame #8: 0x000000023152b9ec TextToSpeechBundleSupport`-[TTSSpeechServerInstance _handleSpeechThread] + 1480
    frame #9: 0x000000023152a3b0 TextToSpeechBundleSupport`_SpeechThread + 44
    frame #10: 0x00000001b4bd206c libsystem_pthread.dylib`_pthread_start + 148
```

When this bug's crashes happen, the "s" parameter for `_platform_strlen()` is the (C string) contents of the file from comment #16 and comment #17. If the wrong buffer is being examined, there's no terminal NULL. So `_platform_strlen()` ends up reading past the buffer's end.
Bug 1780938 Comment 19 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
```
* thread #142, name = 'com.apple.TextToSpeech.SpeechThread', stop reason = EXC_BAD_ACCESS (code=2, address=0x1410fc000)
  * frame #0: 0x00000001b4bfd730 libsystem_platform.dylib`_platform_strlen + 48
    frame #1: 0x000000023205c248 TextToSpeechMauiSupport`IsThisUrlOrRealPath + 52
    frame #2: 0x0000000232498b10 TextToSpeechMauiSupport`ve_ttsResourceLoad + 368
    frame #3: 0x000000023202f410 TextToSpeechMauiSupport`-[TTSMauiVocalizer _ttsVocalizerReallyLoadResource:rules:resource:supportsAccurateWordCallbacks:resourceIdentifier:] + 388
    frame #4: 0x0000000231532a4c TextToSpeechBundleSupport`-[TTSVocalizer _ttsVocalizerLoadProgrammaticRules:forTests:] + 232
    frame #5: 0x000000023152e01c TextToSpeechBundleSupport`-[TTSSpeechServerInstance _initializeSpeechEngine:] + 3756
    frame #6: 0x000000023152eb70 TextToSpeechBundleSupport`-[TTSSpeechServerInstance _initializeSpeech:] + 56
    frame #7: 0x000000023152a41c TextToSpeechBundleSupport`-[TTSSpeechServerInstance _processCurrentRequest:] + 84
    frame #8: 0x000000023152b9ec TextToSpeechBundleSupport`-[TTSSpeechServerInstance _handleSpeechThread] + 1480
    frame #9: 0x000000023152a3b0 TextToSpeechBundleSupport`_SpeechThread + 44
    frame #10: 0x00000001b4bd206c libsystem_pthread.dylib`_pthread_start + 148
```

When this bug's crashes happen, the "s" parameter for `_platform_strlen()` is the (C string) contents of the file from comment #16 and comment #17. If the wrong buffer is being examined, there's presumably no terminal NULL. So `_platform_strlen()` ends up reading past the buffer's end.
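The failure mode the comment describes, as an added example that is not part of the bug report and not Apple's code: file contents copied byte-for-byte into an exactly sized heap block are a byte array, not a C string, so `strlen()` scans past the allocation looking for a NUL that is not there. The hardened copy allocates one extra byte and terminates; the bounded scan reports "no terminator within cap bytes" instead of overrunning. The sample "file contents", the `classify_resource` wrapper and all other names here are constructed for illustration and say nothing about what `IsThisUrlOrRealPath` actually does.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample "file contents": a fake resource path with no NUL byte,
 * standing in for the file from the bug's earlier comments (assumption). */
static const char SAMPLE_FILE[] = "/tmp/resource.dat";   /* sizeof() includes the NUL */
static const size_t SAMPLE_LEN = sizeof(SAMPLE_FILE) - 1;

/* Hazardous pattern: copy exactly n bytes of file data into an n-byte heap
 * block. The result carries no terminating NUL, so strlen() on it reads past
 * the end of the allocation, which is the crash shape in the backtrace. */
char *copy_exact(const char *data, size_t n) {
    char *buf = malloc(n);
    if (!buf) return NULL;
    memcpy(buf, data, n);
    return buf;
}

/* Hardened pattern: allocate n + 1 and terminate, so strlen() and friends
 * are guaranteed to stop inside the allocation. */
char *copy_terminated(const char *data, size_t n) {
    char *buf = malloc(n + 1);
    if (!buf) return NULL;
    memcpy(buf, data, n);
    buf[n] = '\0';
    return buf;
}

/* Bounded length, equivalent to strnlen(3): returns cap when no NUL lies
 * within cap bytes rather than reading further. Written out with memchr()
 * so the bound on the scan is visible. */
size_t bounded_strlen(const char *buf, size_t cap) {
    const char *p = memchr(buf, '\0', cap);
    return p ? (size_t)(p - buf) : cap;
}

/* 1 if a NUL terminator lies within the first cap bytes, else 0. This is the
 * precondition strlen() requires and the unterminated copy violates. */
int is_terminated(const char *buf, size_t cap) {
    return bounded_strlen(buf, cap) < cap;
}

/* Hypothetical loader helper that classifies a resource from a buffer of
 * known length. Returns -1 if the buffer is not a valid C string within cap
 * bytes (where strlen() would overrun), 1 for a URL, 0 for a path. */
int classify_resource(const char *buf, size_t cap) {
    size_t len = bounded_strlen(buf, cap);
    if (len == cap) return -1;
    if (len >= 7 && memcmp(buf, "http://", 7) == 0) return 1;
    if (len >= 8 && memcmp(buf, "https://", 8) == 0) return 1;
    return 0;
}

int main(void) {
    char *raw = copy_exact(SAMPLE_FILE, SAMPLE_LEN);
    char *str = copy_terminated(SAMPLE_FILE, SAMPLE_LEN);
    if (!raw || !str) return 1;
    /* strlen(raw) is deliberately never called: it would read past the
     * SAMPLE_LEN-byte block. Only the bounded scan is safe on it. */
    printf("raw: terminated=%d classify=%d\n",
           is_terminated(raw, SAMPLE_LEN), classify_resource(raw, SAMPLE_LEN));
    printf("str: terminated=%d strlen=%zu classify=%d\n",
           is_terminated(str, SAMPLE_LEN + 1), strlen(str),
           classify_resource(str, SAMPLE_LEN + 1));
    free(raw);
    free(str);
    return 0;
}
```

Under AddressSanitizer the unterminated copy is easy to catch: any `strlen(raw)` is reported as a heap-buffer-overflow read at offset `SAMPLE_LEN`, the same class of read-past-end that lldb shows above as `EXC_BAD_ACCESS` inside `_platform_strlen`.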