[PR #1949] [CLOSED] Prevent integer overflow in EIA-608 screen buffer reallocation #2749

opened 2026-01-29 17:23:44 +00:00 by claunia · 0 comments

📋 Pull Request Information

Original PR: https://github.com/CCExtractor/ccextractor/pull/1949
Author: @THE-Amrit-mahto-05
Created: 1/1/2026
Status: Closed

Base: master ← Head: fix/eia608-integer-overflow


📝 Commits (1)

  • 7526da8 Prevent integer overflow in EIA-608 screen buffer reallocation

📊 Changes

1 file changed (+24 additions, -4 deletions)


📝 src/lib_ccx/ccx_decoders_608.c (+24 -4)

📄 Description

In raising this pull request, I confirm the following (please check boxes):

  • [x] I have read and understood the contributors guide.
  • [x] I have checked that another pull request for this purpose does not exist.
  • [x] I have considered, and confirmed that this submission will be valuable to others.
  • [x] I accept that this submission may not be used, and the pull request closed at the will of the maintainer.
  • [x] I give this submission freely, and claim no ownership to its content.
  • [x] I have mentioned this change in the changelog.

My familiarity with the project is as follows (check one):

  • [ ] I absolutely love CCExtractor, but have not contributed previously.
  • [x] I am an active contributor to CCExtractor.

[FIX] Prevent integer overflow in EIA-608 screen buffer allocation

Description

This PR fixes a potential integer overflow in the EIA-608 decoder, which could lead to a heap buffer overflow when processing malformed subtitle input.

Component: EIA-608 decoder
File: src/lib_ccx/ccx_decoders_608.c
Functions: write_cc_buffer, write_cc_line

Problem

The screen buffer was being reallocated using:

(sub->nb_data + 1) * sizeof(struct eia608_screen)

without checking for integer overflow. If sub->nb_data is extremely large (due to a malformed or crafted subtitle), this multiplication could wrap around, causing a tiny buffer allocation and heap overflow on subsequent writes.

Fix

  • Added an overflow guard before allocation:
    if (sub->nb_data + 1 > SIZE_MAX / sizeof(struct eia608_screen))
  • Calculated allocation size explicitly using size_t new_size
  • Ensured safe handling of realloc() failure (log error and return safely)

Impact

  • Prevents heap memory corruption
  • Prevents program crashes
  • Keeps normal behavior unchanged

Fixes #1948


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
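An added example, not the PR's own patch (which this mirror does not show): a checked form of the (count + 1) * element-size reallocation described above. It uses a constructed element size in place of sizeof(struct eia608_screen), and grow_checked, try_grow and unchecked_size are hypothetical names chosen here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Result codes so a caller can tell "size would wrap" from "allocator failed". */
enum grow_status { GROW_OK = 0, GROW_OVERFLOW = -1, GROW_ALLOC_FAILED = -2 };

/* The unchecked arithmetic the PR replaces: (count + 1) * elem_size with no
 * guard. Kept only so the wraparound can be observed on a huge count. */
size_t unchecked_size(size_t count, size_t elem_size)
{
    return (count + 1) * elem_size;
}

/* Grow *buf to hold count + 1 elements of elem_size bytes, refusing any
 * request whose byte count would not fit in size_t. Both the "+ 1" and the
 * multiplication are checked; on failure *buf is left untouched. */
enum grow_status grow_checked(void **buf, size_t count, size_t elem_size)
{
    if (elem_size == 0 || count == SIZE_MAX)   /* count + 1 itself would wrap */
        return GROW_OVERFLOW;
    if (count + 1 > SIZE_MAX / elem_size)      /* the product would wrap */
        return GROW_OVERFLOW;
    size_t new_size = (count + 1) * elem_size; /* cannot exceed SIZE_MAX here */
    void *tmp = realloc(*buf, new_size);       /* never realloc into *buf directly */
    if (tmp == NULL) {
        fprintf(stderr, "realloc(%zu bytes) failed\n", new_size);
        return GROW_ALLOC_FAILED;
    }
    *buf = tmp;
    return GROW_OK;
}

/* Grow a fresh buffer once, release it, and report the status. */
enum grow_status try_grow(size_t count, size_t elem_size)
{
    void *buf = NULL;
    enum grow_status st = grow_checked(&buf, count, elem_size);
    free(buf);
    return st;
}

int main(void)
{
    size_t elem = 16;              /* constructed stand-in for sizeof(struct eia608_screen) */
    size_t huge = SIZE_MAX / elem; /* smallest count for which (count + 1) * elem wraps */
    printf("unchecked: %zu bytes requested for %zu elements\n", unchecked_size(huge, elem), huge + 1);
    printf("checked:   status %d (0 = ok, -1 = overflow refused)\n", try_grow(huge, elem));
    return 0;
}
```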

claunia added the pull-request label 2026-01-29 17:23:44 +00:00