[PR #1953] [MERGED] Fix/ts heap overflow #2755

Open
opened 2026-01-29 17:23:46 +00:00 by claunia · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/CCExtractor/ccextractor/pull/1953
Author: @THE-Amrit-mahto-05
Created: 1/1/2026
Status: Merged
Merged: 1/2/2026
Merged by: @cfsmp3

Base: masterHead: fix/ts-heap-overflow


📝 Commits (5)

  • 7526da8 Prevent integer overflow in EIA-608 screen buffer reallocation
  • 64484af [FIX] Prevent stack buffer overflow in ISDB-CC decoder parse_csi
  • e43a6b5 Fix TS Heap Buffer Overflow in copy_payload_to_capbuf (ts_functions.c)
  • 07f1ddc Fix capbufsize and capbuflen assignments to use size_t
  • 774c3a0 Update CHANGES.TXT

📊 Changes

4 files changed (+39 additions, -13 deletions)

View changed files

📝 docs/CHANGES.TXT (+1 -0)
📝 src/lib_ccx/ccx_decoders_608.c (+24 -4)
📝 src/lib_ccx/ccx_decoders_isdb.c (+4 -3)
📝 src/lib_ccx/ts_functions.c (+10 -6)

📄 Description

[FIX]

In raising this pull request, I confirm the following (please check boxes):

  • I have read and understood the contributors guide.
  • I have checked that another pull request for this purpose does not exist.
  • I have considered, and confirmed that this submission will be valuable to others.
  • I accept that this submission may not be used, and the pull request closed at the will of the maintainer.
  • I give this submission freely, and claim no ownership to its content.
  • I have mentioned this change in the changelog.

My familiarity with the project is as follows (check one):

  • I absolutely love CCExtractor, but have not contributed previously.
  • I am an active contributor to CCExtractor.

Description

Component: Transport Stream (TS) handling
File: src/lib_ccx/ts_functions.c
Function: copy_payload_to_capbuf

The Problem

The function copy_payload_to_capbuf grows a capture buffer using:

newcapbuflen = cinfo->capbuflen + payload->length;

However, there was no check for integer overflow before this addition.
If a very large payload->length is combined with capbuflen, the sum can wrap around, resulting in a very small allocation passed to realloc.
This can cause a heap buffer overflow, potentially crashing the program or corrupting memory.

The Proposed Fix

  • Promoted the newcapbuflen variable to int64_t to handle large sums safely.
  • Added an explicit overflow guard:
if (payload->length > INT64_MAX - cinfo->capbuflen)
{
    mprint("Error: capbuf size overflow\n");
    return -1;
}
  • Ensured safe allocation using size_t in the realloc call.
  • Logged errors and returned safely if allocation fails.

Impact

  • Prevents heap memory corruption.
  • Prevents crashes caused by malformed TS data.
  • Maintains normal functionality for valid input.

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/CCExtractor/ccextractor/pull/1953 **Author:** [@THE-Amrit-mahto-05](https://github.com/THE-Amrit-mahto-05) **Created:** 1/1/2026 **Status:** ✅ Merged **Merged:** 1/2/2026 **Merged by:** [@cfsmp3](https://github.com/cfsmp3) **Base:** `master` ← **Head:** `fix/ts-heap-overflow` --- ### 📝 Commits (5) - [`7526da8`](https://github.com/CCExtractor/ccextractor/commit/7526da884c42b1877f7186eaaca87b30a51b5672) Prevent integer overflow in EIA-608 screen buffer reallocation - [`64484af`](https://github.com/CCExtractor/ccextractor/commit/64484af49ecb40291b1d6e4c8c0e399c6d321863) [FIX] Prevent stack buffer overflow in ISDB-CC decoder parse_csi - [`e43a6b5`](https://github.com/CCExtractor/ccextractor/commit/e43a6b5ced011bd03637d493ebe32a57538c86d8) Fix TS Heap Buffer Overflow in copy_payload_to_capbuf (ts_functions.c) - [`07f1ddc`](https://github.com/CCExtractor/ccextractor/commit/07f1ddc3febdfe358cff9ef1c2120b90099d0b72) Fix capbufsize and capbuflen assignments to use size_t - [`774c3a0`](https://github.com/CCExtractor/ccextractor/commit/774c3a0d3a1ea4b169c76cd0a92508f3f2102be4) Update CHANGES.TXT ### 📊 Changes **4 files changed** (+39 additions, -13 deletions) <details> <summary>View changed files</summary> 📝 `docs/CHANGES.TXT` (+1 -0) 📝 `src/lib_ccx/ccx_decoders_608.c` (+24 -4) 📝 `src/lib_ccx/ccx_decoders_isdb.c` (+4 -3) 📝 `src/lib_ccx/ts_functions.c` (+10 -6) </details> ### 📄 Description <!-- Please prefix your pull request with one of the following: **[FEATURE]** **[FIX]** **[IMPROVEMENT]**. --> **[FIX]** **In raising this pull request, I confirm the following (please check boxes):** - [x] I have read and understood the [contributors guide](https://github.com/CCExtractor/ccextractor/blob/master/.github/CONTRIBUTING.md). - [x] I have checked that another pull request for this purpose does not exist. - [x] I have considered, and confirmed that this submission will be valuable to others. - [x] I accept that this submission may not be used, and the pull request closed at the will of the maintainer. - [x] I give this submission freely, and claim no ownership to its content. - [x] I have mentioned this change in the [changelog](https://github.com/CCExtractor/ccextractor/blob/master/docs/CHANGES.TXT). **My familiarity with the project is as follows (check one):** - [ ] I absolutely love CCExtractor, but have not contributed previously. - [x] I am an active contributor to CCExtractor. --- ### Description Component: Transport Stream (TS) handling File: src/lib_ccx/ts_functions.c Function: copy_payload_to_capbuf ### The Problem The function `copy_payload_to_capbuf` grows a capture buffer using: ```c newcapbuflen = cinfo->capbuflen + payload->length; ``` However, there was no check for integer overflow before this addition. If a very large payload->length is combined with capbuflen, the sum can wrap around, resulting in a very small allocation passed to realloc. This can cause a heap buffer overflow, potentially crashing the program or corrupting memory. ### The Proposed Fix - Promoted the newcapbuflen variable to int64_t to handle large sums safely. - Added an explicit overflow guard: ```c if (payload->length > INT64_MAX - cinfo->capbuflen) { mprint("Error: capbuf size overflow\n"); return -1; } ``` - Ensured safe allocation using size_t in the realloc call. - Logged errors and returned safely if allocation fails. ### Impact - Prevents heap memory corruption. - Prevents crashes caused by malformed TS data. - Maintains normal functionality for valid input. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
claunia added the pull-request label 2026-01-29 17:23:46 +00:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/ccextractor#2755