[PR #1866] [MERGED] fix(security): Add bounds checks for buffer overflow vulnerabilities #2637

Closed
opened 2026-01-29 17:23:13 +00:00 by claunia · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/CCExtractor/ccextractor/pull/1866
Author: @cfsmp3
Created: 12/20/2025
Status: Merged
Merged: 12/21/2025
Merged by: @cfsmp3

Base: master ← Head: fix/1427-1428-buffer-overflows


📝 Commits (1)

  • 9fddaab fix(security): Add bounds checks for buffer overflow vulnerabilities

📊 Changes

2 files changed (+47 additions, -3 deletions)


📝 src/lib_ccx/avc_functions.c (+9 -0)
📝 src/lib_ccx/ts_tables.c (+38 -3)

📄 Description

Summary

Fixes two buffer overflow vulnerabilities reported in issues #1427 and #1428:

  • #1428 (Global buffer overflow in slice_header): The slice_type value read from H.264 exp-golomb data was used to index slice_types[] array (10 elements) without bounds checking. Malformed H.264 data with slice_type >= 10 would cause out-of-bounds read. Now validates slice_type < 10 before use per H.264 spec Table 7-6.

  • #1427 (Heap buffer overflow in parse_PMT): ES_info_length from PMT descriptor data was trusted without validation against buffer bounds. Malformed PMT with excessive ES_info_length could read past the allocated buffer. Now validates ES_info_length and descriptor lengths against the actual buffer size.

Both issues were discovered using AddressSanitizer with crafted TS files.

Changes

  • src/lib_ccx/avc_functions.c: Added validation for slice_type value in slice_header() function
  • src/lib_ccx/ts_tables.c: Added multiple bounds checks in parse_PMT() for ES_info descriptor parsing

Test plan

  • All 299 Rust tests pass
  • Debug (ASAN) and release builds compile successfully
  • Tested with real TS samples (503.ts, 600_1080p60.ts) - no regressions

Fixes #1427
Fixes #1428

🤖 Generated with Claude Code


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
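An added illustration of the two checks the description names, written for this page and not taken from CCExtractor's avc_functions.c or ts_tables.c: parse_es_loop() is a hypothetical, simplified walk over the PMT elementary-stream loop that validates the untrusted ES_info_length against the bytes remaining in the buffer and each descriptor length against ES_info_length, and slice_type_valid() applies the slice_type < 10 rule from H.264 Table 7-6. The sample buffers are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* H.264 slice_type (spec Table 7-6) is defined for 0..9 only; reject the rest. */
int slice_type_valid(unsigned slice_type) { return slice_type < 10; }
/* Hypothetical hardened walk over the PMT elementary-stream loop:
 * stream_type(8) res(3) elementary_PID(13) res(4) ES_info_length(12) descriptors.
 * Returns the stream count, or -1 if any length field would run past the buffer. */
int parse_es_loop(const uint8_t *buf, size_t len)
{
    size_t pos = 0;
    int streams = 0;
    while (pos < len) {
        if (len - pos < 5) /* fixed 5-byte entry header */
            return -1;
        size_t es_info_length = ((buf[pos + 3] & 0x0F) << 8) | buf[pos + 4];
        pos += 5;
        if (es_info_length > len - pos) /* untrusted length vs. remaining bytes */
            return -1;
        /* Each descriptor (tag, length, payload) must fit inside ES_info_length,
         * not merely inside the whole buffer. */
        size_t d = 0;
        while (d < es_info_length) {
            if (es_info_length - d < 2)
                return -1;
            size_t desc_len = buf[pos + d + 1];
            if (desc_len > es_info_length - d - 2)
                return -1;
            d += 2 + desc_len;
        }
        pos += es_info_length;
        streams++;
    }
    return streams;
}

/* Constructed samples: two well-formed streams, then two malformed entries. */
const uint8_t pmt_ok[] = { 0x1B, 0xE1, 0x00, 0xF0, 0x06, 0x0A, 0x04, 'e', 'n', 'g', 0x00, 0x06, 0xE1, 0x01, 0xF0, 0x00 };
const uint8_t pmt_bad_es_len[] = { 0x1B, 0xE1, 0x00, 0xF0, 0xFF };          /* claims 255 bytes of ES_info */
const uint8_t pmt_bad_desc[] = { 0x1B, 0xE1, 0x00, 0xF0, 0x02, 0x0A, 0x09 }; /* descriptor claims 9 bytes */

int main(void)
{
    printf("ok=%d bad_es=%d bad_desc=%d slice10=%d\n",
           parse_es_loop(pmt_ok, sizeof pmt_ok), parse_es_loop(pmt_bad_es_len, sizeof pmt_bad_es_len),
           parse_es_loop(pmt_bad_desc, sizeof pmt_bad_desc), slice_type_valid(10));
    return 0;
}
```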

claunia added the pull-request label 2026-01-29 17:23:13 +00:00

Reference: starred/ccextractor#2637