[PR #1934] prevent heap buffer overflow in Teletext demux path #2735

Open
opened 2026-01-29 17:23:39 +00:00 by claunia · 0 comments
Owner

Original Pull Request: https://github.com/CCExtractor/ccextractor/pull/1934

State: closed
Merged: Yes


[FIX] Prevent heap buffer overflow in Teletext demux path

In raising this pull request, I confirm the following (please check boxes):

  • I have read and understood the contributors guide.
  • I have checked that another pull request for this purpose does not exist.
  • I have considered, and confirmed that this submission will be valuable to others.
  • I accept that this submission may not be used, and the pull request closed at the will of the maintainer.
  • I give this submission freely, and claim no ownership to its content.
  • I have mentioned this change in the changelog.

My familiarity with the project is as follows (check one):

  • I have never used CCExtractor.
  • I have used CCExtractor just a couple of times.
  • I absolutely love CCExtractor, but have not contributed previously.
  • I am an active contributor to CCExtractor.

Summary

This pull request fixes a heap buffer overflow in the Teletext demux path
(CCX_CODEC_TELETEXT) in the function copy_capbuf_demux_data
in src/lib_ccx/ts_functions.c.

Details

Previously, the code copied cinfo->capbuf into the destination buffer
without verifying that there was enough space remaining:

memcpy(ptr->buffer + ptr->len, cinfo->capbuf, cinfo->capbuflen);

If capbuflen exceeded the remaining buffer space, this caused a heap
buffer overflow, potentially leading to memory corruption or crash.

The generic PES/DVB path already performed a bounds check, but the
Teletext path was missing this validation.

Fix
A bou
nds check is added before copying the Teletext data:

if (cinfo->capbuflen > BUFSIZE - ptr->len) {
    fatal(CCX_COMMON_EXIT_BUG_BUG,
          "Teletext packet (%ld) larger than remaining buffer (%lld).\n",
          cinfo->capbuflen, BUFSIZE - ptr->len);
}
memcpy(ptr->buffer + ptr->len, cinfo->capbuf, cinfo->capbuflen);
ptr->len += cinfo->capbuflen;

Fixes #1933

**Original Pull Request:** https://github.com/CCExtractor/ccextractor/pull/1934 **State:** closed **Merged:** Yes --- <!-- Please prefix your pull request with one of the following: **[FEATURE]** **[FIX]** **[IMPROVEMENT]**. --> [FIX] Prevent heap buffer overflow in Teletext demux path **In raising this pull request, I confirm the following (please check boxes):** - [x] I have read and understood the [contributors guide](https://github.com/CCExtractor/ccextractor/blob/master/.github/CONTRIBUTING.md). - [x] I have checked that another pull request for this purpose does not exist. - [x] I have considered, and confirmed that this submission will be valuable to others. - [x] I accept that this submission may not be used, and the pull request closed at the will of the maintainer. - [x] I give this submission freely, and claim no ownership to its content. - [x] **I have mentioned this change in the [changelog](https://github.com/CCExtractor/ccextractor/blob/master/docs/CHANGES.TXT).** **My familiarity with the project is as follows (check one):** - [ ] I have never used CCExtractor. - [x] I have used CCExtractor just a couple of times. - [ ] I absolutely love CCExtractor, but have not contributed previously. - [ ] I am an active contributor to CCExtractor. --- ### Summary This pull request fixes a **heap buffer overflow** in the Teletext demux path (`CCX_CODEC_TELETEXT`) in the function `copy_capbuf_demux_data` in `src/lib_ccx/ts_functions.c`. ### Details Previously, the code copied `cinfo->capbuf` into the destination buffer without verifying that there was enough space remaining: ```c memcpy(ptr->buffer + ptr->len, cinfo->capbuf, cinfo->capbuflen); ``` If capbuflen exceeded the remaining buffer space, this caused a heap buffer overflow, potentially leading to memory corruption or crash. The generic PES/DVB path already performed a bounds check, but the Teletext path was missing this validation. Fix A bou nds check is added before copying the Teletext data: ```c if (cinfo->capbuflen > BUFSIZE - ptr->len) { fatal(CCX_COMMON_EXIT_BUG_BUG, "Teletext packet (%ld) larger than remaining buffer (%lld).\n", cinfo->capbuflen, BUFSIZE - ptr->len); } memcpy(ptr->buffer + ptr->len, cinfo->capbuf, cinfo->capbuflen); ptr->len += cinfo->capbuflen; ``` Fixes #1933
claunia added the pull-request label 2026-01-29 17:23:39 +00:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/ccextractor#2735