mirror of
https://github.com/CCExtractor/ccextractor.git
synced 2026-07-08 18:06:30 +00:00
[PR #1802] [MERGED] fix(utility): prevent buffer overruns and add OOM checks in change_filename #2537
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
📋 Pull Request Information
Original PR: https://github.com/CCExtractor/ccextractor/pull/1802
Author: @cfsmp3
Created: 12/12/2025
Status: ✅ Merged
Merged: 12/13/2025
Merged by: @cfsmp3
Base:
master← Head:fix/utility-buffer-overruns📝 Commits (6)
a66fb8cfix(utility): prevent buffer overruns and add OOM checks in change_filenamea2cb65ffix(ccx_encoders_spupng): add NULL checks and fix memory leaks9841235fix(ocr): add NULL checks and fix memory leaks54c7dfafix(mcc_encoder): prevent buffer overruns and add OOM checksbcf7eb2fix(708_output): replace sprintf with snprintf for buffer safety468bd2cstyle: fix clang-format issues in macro definitions📊 Changes
6 files changed (+350 additions, -115 deletions)
View changed files
📝
src/lib_ccx/ccx_decoders_708_output.c(+170 -64)📝
src/lib_ccx/ccx_decoders_708_output.h(+1 -1)📝
src/lib_ccx/ccx_encoders_mcc.c(+40 -21)📝
src/lib_ccx/ccx_encoders_spupng.c(+28 -5)📝
src/lib_ccx/ocr.c(+83 -9)📝
src/lib_ccx/utility.c(+28 -15)📄 Description
Summary
This PR fixes multiple buffer overrun vulnerabilities and missing out-of-memory (OOM) checks in the
change_filename()function insrc/lib_ccx/utility.c. This function handles file rotation/renaming for output files.Issues Found and Fixed
1. Missing OOM Checks (3 instances)
The function had three
malloc()calls without NULL checks, which could lead to null pointer dereferences if memory allocation failed:temp_encodercurrent_namestrcpyimmediately afternewnamesnprintfimmediately afterFix: Added
fatal(EXIT_NOT_ENOUGH_MEMORY, ...)checks after each allocation, following the project's established pattern.2. Buffer Overflow in
new_extension(CRITICAL)The buffer could only hold 5 characters plus null terminator (e.g., ".9999"), but
itercould theoretically exceed 9999, causing ".10000" (7 chars) to overflow.Fix: Increased buffer to 16 bytes and use
snprintf():3. Unsafe
sprintf()Usage (4 instances)All
sprintf()calls were replaced withsnprintf()with proper size limits:sprintf(str_number, "%d", ...)snprintf()sprintf(new_extension, ".%d", iter)snprintf(new_extension, sizeof(new_extension), ".%d", iter)4. Unsafe
strcpy()/strcat()ChainsThe original code used multiple unsafe string operations:
Fix: Replaced with bounded operations:
5. Insufficient Buffer Padding
Fix: Increased to 16 bytes padding and track sizes properly:
Code Changes Summary
malloc()without NULL checksprintf()callsstrcpy()callsstrcat()callssnprintf()callsstrncpy()callsSecurity Impact
These fixes prevent:
new_extension[6]with large iteration countscurrent_nameandnewnamewith long filenames or many rotationsWhile exploitation would require specific conditions (memory pressure or many file rotations), these are defense-in-depth improvements for a tool that processes untrusted media files.
Test Plan
🤖 Generated with Claude Code
🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.