[PR #1953] Fix/ts heap overflow #2758

Open
opened 2026-01-29 17:23:46 +00:00 by claunia · 0 comments
Owner

Original Pull Request: https://github.com/CCExtractor/ccextractor/pull/1953

State: closed
Merged: Yes


[FIX]

In raising this pull request, I confirm the following (please check boxes):

  • [x] I have read and understood the contributors guide (https://github.com/CCExtractor/ccextractor/blob/master/.github/CONTRIBUTING.md).
  • [x] I have checked that another pull request for this purpose does not exist.
  • [x] I have considered, and confirmed that this submission will be valuable to others.
  • [x] I accept that this submission may not be used, and the pull request closed at the will of the maintainer.
  • [x] I give this submission freely, and claim no ownership to its content.
  • [x] I have mentioned this change in the changelog (https://github.com/CCExtractor/ccextractor/blob/master/docs/CHANGES.TXT).

My familiarity with the project is as follows (check one):

  • [ ] I absolutely love CCExtractor, but have not contributed previously.
  • [x] I am an active contributor to CCExtractor.

Description

Component: Transport Stream (TS) handling
File: src/lib_ccx/ts_functions.c
Function: copy_payload_to_capbuf

The Problem

The function copy_payload_to_capbuf grows a capture buffer using:

newcapbuflen = cinfo->capbuflen + payload->length;

However, there was no check for integer overflow before this addition.
If a very large payload->length is combined with capbuflen, the sum can wrap around, resulting in a very small allocation passed to realloc.
This can cause a heap buffer overflow, potentially crashing the program or corrupting memory.

The Proposed Fix

  • Promoted the newcapbuflen variable to int64_t to handle large sums safely.
  • Added an explicit overflow guard:

        if (payload->length > INT64_MAX - cinfo->capbuflen)
        {
            mprint("Error: capbuf size overflow\n");
            return -1;
        }

  • Ensured safe allocation using size_t in the realloc call.
  • Logged errors and returned safely if allocation fails.

Impact

  • Prevents heap memory corruption.
  • Prevents crashes caused by malformed TS data.
  • Maintains normal functionality for valid input.
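The wrap-around the PR describes, and the shape of guard it proposes, worked through in C as an added example written for this page (it is not code from the pull request or from ccextractor). The struct, function and constant names are hypothetical stand-ins for the capture-buffer fields named above; the 64 MiB ceiling and the size_t fit check are assumptions added here as defensive practice, not part of the PR. The unchecked addition is shown in a 32-bit unsigned type so the wrap is visible and well-defined, and the guarded path refuses before any value reaches realloc.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed ceiling on how large a capture buffer may grow (an assumption
   for this example, not a ccextractor setting): a malformed stream should
   fail cleanly instead of driving realloc toward gigabytes. */
#define CAPBUF_MAX_BYTES ((int64_t)64 * 1024 * 1024)

/* Hypothetical stand-in for the capture-buffer fields the PR refers to. */
struct capbuf {
    unsigned char *data;
    int64_t len;  /* bytes currently in use */
};

/* The unguarded arithmetic from "The Problem", done in a 32-bit type so the
   wrap is visible: a huge payload length plus the current length comes out
   tiny, and that tiny number is what realloc would receive. */
uint32_t unchecked_newlen(uint32_t capbuflen, uint32_t payload_length)
{
    return capbuflen + payload_length; /* unsigned add wraps modulo 2^32 */
}

/* Guarded growth: 0 on success, -1 on overflow, bad input or failed realloc. */
int grow_capbuf(struct capbuf *cb, const unsigned char *payload, int64_t payload_length)
{
    if (cb == NULL || cb->len < 0 || payload_length < 0)
        return -1;
    if (payload_length == 0)
        return 0; /* nothing to append; avoids realloc(NULL, 0) */
    /* Same guard the PR describes: reject before the addition can wrap. */
    if (payload_length > INT64_MAX - cb->len) {
        fprintf(stderr, "Error: capbuf size overflow\n");
        return -1;
    }
    int64_t newlen = cb->len + payload_length;
    /* Added checks: honour the hard cap, and make sure the value fits size_t
       on 32-bit targets, before it is ever cast for realloc. */
    if (newlen > CAPBUF_MAX_BYTES || (uint64_t)newlen > (uint64_t)SIZE_MAX) {
        fprintf(stderr, "Error: capbuf would exceed limit\n");
        return -1;
    }
    unsigned char *p = realloc(cb->data, (size_t)newlen);
    if (p == NULL) {
        fprintf(stderr, "Error: realloc failed\n");
        return -1;
    }
    cb->data = p;
    memcpy(cb->data + cb->len, payload, (size_t)payload_length);
    cb->len = newlen;
    return 0;
}

/* Appends two constructed payloads; returns the final length (6) on success. */
int64_t demo_append_twice(void)
{
    struct capbuf cb = { NULL, 0 };
    const unsigned char a[] = "abc", b[] = "def";
    if (grow_capbuf(&cb, a, 3) != 0 || grow_capbuf(&cb, b, 3) != 0)
        return -1;
    int64_t len = memcmp(cb.data, "abcdef", 6) == 0 ? cb.len : -2;
    free(cb.data);
    return len;
}

/* Simulates the wrap scenario with the buffer length already near INT64_MAX. */
int demo_overflow_rejected(void)
{
    struct capbuf cb = { NULL, INT64_MAX - 5 };
    const unsigned char junk[16] = { 0 };
    return grow_capbuf(&cb, junk, 16); /* -1, and nothing was allocated */
}

/* A length that would not wrap but exceeds the policy cap. */
int demo_cap_rejected(void)
{
    struct capbuf cb = { NULL, 0 };
    const unsigned char byte = 0;
    return grow_capbuf(&cb, &byte, CAPBUF_MAX_BYTES + 1); /* -1 */
}

int main(void)
{
    printf("wrapped 32-bit sum: %u\n", unchecked_newlen(0xFFFFFFF0u, 0x20u));
    printf("append twice -> len %lld\n", (long long)demo_append_twice());
    printf("overflow rejected -> %d\n", demo_overflow_rejected());
    printf("cap rejected -> %d\n", demo_cap_rejected());
    return 0;
}
```

The first print shows 0xFFFFFFF0 + 0x20 collapsing to 16, which is the "very small allocation" the description warns about; the remaining calls show the guarded path returning -1 without touching the heap. A fixed upper bound on buffer growth is worth keeping alongside the arithmetic check, since an input that passes the overflow test can still request far more memory than any valid caption payload needs.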
claunia added the pull-request label 2026-01-29 17:23:46 +00:00
Reference: starred/ccextractor#2758