[PR #1951] [CLOSED] Fix/isdbcc stack overflow #2753

Closed
opened 2026-01-29 17:23:45 +00:00 by claunia · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/CCExtractor/ccextractor/pull/1951
Author: @THE-Amrit-mahto-05
Created: 1/1/2026
Status: Closed

Base: master ← Head: fix/isdbcc-stack-overflow


📝 Commits (2)

  • 7526da8 Prevent integer overflow in EIA-608 screen buffer reallocation
  • 64484af [FIX] Prevent stack buffer overflow in ISDB-CC decoder parse_csi

📊 Changes

2 files changed (+28 additions, -7 deletions)

View changed files

📝 src/lib_ccx/ccx_decoders_608.c (+24 -4)
📝 src/lib_ccx/ccx_decoders_isdb.c (+4 -3)

📄 Description

[FIX] Prevent stack buffer overflow in ISDB-CC decoder parse_csi

In raising this pull request, I confirm the following (please check boxes):

  • [x] I have read and understood the contributors guide.
  • [x] I have checked that another pull request for this purpose does not exist.
  • [x] I have considered, and confirmed that this submission will be valuable to others.
  • [x] I accept that this submission may not be used, and the pull request closed at the will of the maintainer.
  • [x] I give this submission freely, and claim no ownership to its content.
  • [x] I have mentioned this change in the changelog.

My familiarity with the project is as follows (check one):

  • [ ] I absolutely love CCExtractor, but have not contributed previously.
  • [x] I am an active contributor to CCExtractor.

Description

This pull request fixes a stack buffer overflow in the ISDB-CC decoder.

Component: ISDB-CC decoder
File: src/lib_ccx/ccx_decoders_isdb.c
Function: parse_csi

Problem

The function parse_csi uses a small stack buffer uint8_t arg[10] to store CSI command arguments.
The original code had a dangerous off-by-one error:

    if (i >= (sizeof(arg)) + 1)

This allowed writing 11 bytes into a 10-byte buffer, causing a stack buffer overflow.
A malformed subtitle could crash the program or corrupt memory.

Solution

  • Corrected the loop boundary:
        if (i >= sizeof(arg) - 1)
  • Added a final bounds check:
        if (i < sizeof(arg))
            arg[i] = *buf++;
  • Improved logging for malformed CSI commands.

Impact

  • Prevents stack memory corruption
  • Prevents program crashes
  • Keeps normal functionality intact

Fixes issue: #1950


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
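The two bounds quoted in the Problem and Solution sections, modelled side by side as an added example (not code from the PR or from CCExtractor). The helper name, the 0x20 terminator, the explicit input length, and the padded canary-filled buffer are assumptions made so the model can count stores past `arg[10]` without itself writing out of bounds.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARG_SIZE 10  /* size of "uint8_t arg[10]" from the description */
#define SLACK 8      /* padding so this model itself never writes out of bounds */
#define CSI_END 0x20 /* assumption: a 0x20 byte ends the argument run */
#define CANARY 0xA5  /* fill value used to spot stores past ARG_SIZE */

/* Constructed inputs: a short argument run, and one with no terminator. */
static const uint8_t normal_csi[] = {'1', ';', '2', CSI_END};
static const uint8_t malformed_csi[] = "11111111111111111111111111111111";

/* Hypothetical helper: runs the copy loop with break condition "i >= limit"
 * and returns how many bytes were stored beyond the first ARG_SIZE slots.
 * guarded_tail != 0 adds the trailing "if (i < sizeof(arg))" store. */
static size_t bytes_past_arg(const uint8_t *buf, size_t len, size_t limit,
                             int guarded_tail)
{
	uint8_t arg[ARG_SIZE + SLACK];
	size_t i, past = 0;
	memset(arg, CANARY, sizeof(arg));
	if (limit > sizeof(arg))
		limit = sizeof(arg); /* keep the model inside its padded buffer */
	for (i = 0; i < len && buf[i] != CSI_END; i++)
	{
		if (i >= limit)
			break;
		arg[i] = buf[i];
	}
	if (guarded_tail && i < len && i < ARG_SIZE)
		arg[i] = buf[i];
	for (i = ARG_SIZE; i < sizeof(arg); i++)
		past += (arg[i] != CANARY);
	return past;
}

int main(void)
{
	size_t n = sizeof(malformed_csi) - 1;
	printf("limit sizeof(arg)+1: %zu byte(s) past arg\n",
	       bytes_past_arg(malformed_csi, n, ARG_SIZE + 1, 0));
	printf("limit sizeof(arg)-1: %zu byte(s) past arg\n",
	       bytes_past_arg(malformed_csi, n, ARG_SIZE - 1, 1));
	printf("normal input:        %zu byte(s) past arg\n",
	       bytes_past_arg(normal_csi, sizeof(normal_csi), ARG_SIZE + 1, 0));
	return 0;
}
```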

claunia added the pull-request label 2026-01-29 17:23:45 +00:00
Reference: starred/ccextractor#2753