Bug 1780938 Comment 24 Edit History

(Following up comment #18)
> So my guess is that this bug happens when the code that crashes reads from the "wrong" buffer (of the four returned by `_CFSafelyReallocate()` -- that is, not the last one), and triggers a buffer overflow trying to read past its end.

`-[TTSSpeechServerInstance _unzipFile:withPassword:]` returns a `CFData` object containing the (unzipped) contents of the file. Now I think it's more likely that this bug's crashes are triggered when the `CFData` object is incomplete (that it doesn't contain the whole file). Since the (unzipped) file is a text file, this would (presumably) mean that it doesn't contain a terminal NULL. So `_platform_strlen()` would attempt to read past its end.

I also suspect there can be problems reading the "file" from comment #16 and comment #17 when a lot of 'com.apple.TextToSpeech.SpeechThread' threads are contending to read it. Lots of these threads do pile up (temporarily) when you follow the STR from comment #21.
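As an added illustration (not code from the bug thread or from Apple's frameworks), the failure mode described above in C: a (bytes, length) pair standing in for a `CFData` that may have been cut short during unzip, a length check that never reads past the buffer the way `strlen()` would when the terminating NUL is missing, and a copy routine that always yields a NUL-terminated string. The `data_ref` type and both functions are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the (bytes, length) pair a CFData carries.
 * Constructed for this example; not CoreFoundation's real type. */
typedef struct {
    const uint8_t *bytes;
    size_t length;
} data_ref;

/* Returns the text length if a NUL lies inside the buffer, or -1 when the
 * buffer ends without one (e.g. an incomplete unzip). Unlike strlen(), the
 * scan is bounded by d.length and never reads past d.bytes + d.length. */
long bounded_text_length(data_ref d)
{
    const void *nul = memchr(d.bytes, '\0', d.length);
    if (nul == NULL)
        return -1;
    return (long)((const uint8_t *)nul - d.bytes);
}

/* Copies the text into a freshly allocated, always NUL-terminated C string,
 * so later strlen()/string calls stay in bounds even if the source data had
 * no terminator. Stops at the first NUL if one is present. Caller frees. */
char *copy_as_cstring(data_ref d)
{
    size_t n = d.length;
    const void *nul = memchr(d.bytes, '\0', d.length);
    if (nul != NULL)
        n = (size_t)((const uint8_t *)nul - d.bytes);
    char *out = malloc(n + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, d.bytes, n);
    out[n] = '\0';
    return out;
}

int main(void)
{
    /* Constructed inputs: a complete text file and a truncated one. */
    data_ref complete  = { (const uint8_t *)"hello", 6 }; /* includes NUL */
    data_ref truncated = { (const uint8_t *)"hel", 3 };   /* no NUL */
    long ok  = bounded_text_length(complete);   /* 5  */
    long bad = bounded_text_length(truncated);  /* -1 */
    char *s = copy_as_cstring(truncated);       /* "hel", safely terminated */
    free(s);
    return (ok == 5 && bad == -1) ? 0 : 1;
}
```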