mirror of
https://github.com/CCExtractor/ccextractor.git
synced 2026-07-08 18:06:30 +00:00
[PR #1953] [MERGED] Fix/ts heap overflow #2755
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
📋 Pull Request Information
Original PR: https://github.com/CCExtractor/ccextractor/pull/1953
Author: @THE-Amrit-mahto-05
Created: 1/1/2026
Status: ✅ Merged
Merged: 1/2/2026
Merged by: @cfsmp3
Base:
master← Head:fix/ts-heap-overflow📝 Commits (5)
7526da8Prevent integer overflow in EIA-608 screen buffer reallocation64484af[FIX] Prevent stack buffer overflow in ISDB-CC decoder parse_csie43a6b5Fix TS Heap Buffer Overflow in copy_payload_to_capbuf (ts_functions.c)07f1ddcFix capbufsize and capbuflen assignments to use size_t774c3a0Update CHANGES.TXT📊 Changes
4 files changed (+39 additions, -13 deletions)
View changed files
📝
docs/CHANGES.TXT(+1 -0)📝
src/lib_ccx/ccx_decoders_608.c(+24 -4)📝
src/lib_ccx/ccx_decoders_isdb.c(+4 -3)📝
src/lib_ccx/ts_functions.c(+10 -6)📄 Description
[FIX]
In raising this pull request, I confirm the following (please check boxes):
My familiarity with the project is as follows (check one):
Description
Component: Transport Stream (TS) handling
File: src/lib_ccx/ts_functions.c
Function: copy_payload_to_capbuf
The Problem
The function
copy_payload_to_capbufgrows a capture buffer using:However, there was no check for integer overflow before this addition.
If a very large payload->length is combined with capbuflen, the sum can wrap around, resulting in a very small allocation passed to realloc.
This can cause a heap buffer overflow, potentially crashing the program or corrupting memory.
The Proposed Fix
Impact
🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.