[PR #1964] [CLOSED] fix TS/ES: Integer overflow, stack overflow, heap over-read #2760

Open
opened 2026-01-29 17:23:47 +00:00 by claunia · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/CCExtractor/ccextractor/pull/1964
Author: @THE-Amrit-mahto-05
Created: 1/2/2026
Status: Closed

Base: master; Head: fix/ts-es-critical-bugs


📝 Commits (3)

  • 5dc8292 Fix out-of-bounds read in H.264 SEI parsing
  • 82109e6 Fix DTVCC structural type confusion and OOB writes (#1961)
  • 3e1424c Fix TS/ES: Integer overflow, stack overflow, heap over-read

📊 Changes

4 files changed (+61 additions, -4 deletions)

View changed files

📝 src/lib_ccx/avc_functions.c (+8 -2)
📝 src/lib_ccx/ccx_decoders_708.c (+38 -0)
📝 src/lib_ccx/es_userdata.c (+6 -2)
📝 src/lib_ccx/ts_tables.c (+9 -0)

📄 Description

In raising this pull request, I confirm the following (please check boxes):

  • [x] I have read and understood the contributors guide.
  • [x] I have checked that another pull request for this purpose does not exist.
  • [x] I have considered, and confirmed that this submission will be valuable to others.
  • [x] I accept that this submission may not be used, and the pull request closed at the will of the maintainer.
  • [x] I give this submission freely, and claim no ownership to its content.
  • [x] I have mentioned this change in the changelog.

My familiarity with the project is as follows (check one):

  • [ ] I have never used CCExtractor.
  • [ ] I have used CCExtractor just a couple of times.
  • [ ] I absolutely love CCExtractor, but have not contributed previously.
  • [x] I am an active contributor to CCExtractor.

Description:

This PR addresses three critical and previously unreported vulnerabilities in CCExtractor's TS/ES decoders.

Issue: #1963

Problems fixed:

  1. Integer Overflow in TS PSI buffer (ts_tables.c)

    • Cause: 32-bit wrap-around during PSI buffer reallocation.
    • Fix: Added bounds checks to prevent buffer_length + payload_length from exceeding 1MB.
    • Impact: Prevents heap corruption or memory mismanagement.
  2. Stack Overflow in SCTE 20 parsing (es_userdata.c)

    • Cause: Maximum caption count (31) could lead to 2-byte overflow in cc_data array.
    • Fix: Extended cc_data array and added termination for safety.
    • Impact: Prevents stack memory corruption from malformed SCTE 20 packets.
  3. Heap Buffer Over-read in GXF VBI parsing (es_userdata.c)

    • Cause: decode_vbi reads 720 bytes unconditionally regardless of udatalen.
    • Fix: Checked udatalen >= 720 before calling decode_vbi.
    • Impact: Prevents buffer over-read, crashes, or information leaks.

Testing:

  • Verified PSI buffer does not overflow with large TS packets.
  • Verified SCTE 20 packets with maximum captions are handled safely.
  • Verified truncated GXF VBI packets are skipped safely.
  • Normal streams continue to work with no regressions.

Impact:
Prevents heap corruption, stack overflow, and buffer over-read in core decoders. Ensures robustness against malformed TS/ES streams.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
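The first and third fixes in the description above are generic length-check patterns: reject a buffer growth whose new length could wrap a 32-bit counter or exceed a fixed cap, and refuse to hand a decoder a block shorter than the fixed number of bytes it reads. The following is an added, self-contained C illustration of those two checks; it is not code from this PR or from CCExtractor. The names `psi_append`, `struct psi_buffer` and `vbi_count_full_lines` are hypothetical, while the 1MB cap and the 720-byte VBI read length are the figures the description gives. The test buffers are constructed in `main`.

```c
/* Added example, not CCExtractor's own code. Demonstrates an overflow-safe
 * bounded buffer growth and a length guard before a fixed-size decode. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PSI_BUFFER_MAX (1024u * 1024u) /* 1MB cap named in the PR description */
#define VBI_LINE_BYTES 720u            /* bytes a VBI decode consumes, per the description */

/* Hypothetical PSI accumulator: grows as TS section payloads arrive. */
struct psi_buffer {
    uint8_t *data;
    uint32_t length;
};

/* Appends payload to the accumulator. Returns 1 on success, 0 when the new
 * length would wrap uint32_t or exceed PSI_BUFFER_MAX (the buffer is left
 * unchanged in that case). The check is written as a subtraction so that no
 * intermediate sum can overflow before it is compared. */
int psi_append(struct psi_buffer *b, const uint8_t *payload, uint32_t payload_length)
{
    if (b->length > PSI_BUFFER_MAX || payload_length > PSI_BUFFER_MAX - b->length)
        return 0;

    uint32_t new_length = b->length + payload_length; /* cannot wrap here */
    uint8_t *tmp = realloc(b->data, new_length ? new_length : 1);
    if (tmp == NULL)
        return 0;
    if (payload_length)
        memcpy(tmp + b->length, payload, payload_length);
    b->data = tmp;
    b->length = new_length;
    return 1;
}

/* Walks user data as a sequence of fixed-size VBI lines and counts how many
 * complete lines are present. A trailing partial line is skipped rather than
 * read past the end of udata; a decoder that reads VBI_LINE_BYTES
 * unconditionally would only be invoked inside the loop body. */
size_t vbi_count_full_lines(const uint8_t *udata, size_t udatalen)
{
    size_t lines = 0;
    while (udatalen >= VBI_LINE_BYTES) {
        /* decode_vbi(udata) would be called here; nothing is read otherwise */
        udata += VBI_LINE_BYTES;
        udatalen -= VBI_LINE_BYTES;
        lines++;
    }
    return lines;
}

int main(void)
{
    /* Constructed inputs: a small payload and a 1500-byte user-data block. */
    uint8_t payload[16] = {0};
    uint8_t udata[1500] = {0};
    struct psi_buffer b = {NULL, 0};

    printf("append 16 bytes: %d (length %u)\n", psi_append(&b, payload, 16), b.length);
    printf("append near UINT32_MAX: %d (length %u)\n",
           psi_append(&b, payload, UINT32_MAX - 8), b.length);
    printf("append 1MB on top: %d (length %u)\n",
           psi_append(&b, payload, PSI_BUFFER_MAX), b.length);
    printf("full VBI lines in 1500 bytes: %zu\n", vbi_count_full_lines(udata, sizeof udata));
    printf("full VBI lines in 719 bytes: %zu\n", vbi_count_full_lines(udata, 719));

    free(b.data);
    return 0;
}
```

The subtraction form `payload_length > PSI_BUFFER_MAX - b->length` is the point of the first check: an addition-then-compare such as `if (b->length + payload_length > PSI_BUFFER_MAX)` can wrap to a small value and pass, which is the 32-bit wrap-around the description attributes to the original PSI reallocation.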

claunia added the pull-request label 2026-01-29 17:23:47 +00:00
Reference: starred/ccextractor#2760