[PR #1966] [CLOSED] fix: Critical Teletext Decoder Vulnerabilities: Out-of-Bounds Read/Write and Loop Overflow #2763

Open
opened 2026-01-29 17:23:47 +00:00 by claunia · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/CCExtractor/ccextractor/pull/1966
Author: @THE-Amrit-mahto-05
Created: 1/2/2026
Status: Closed

Base: master ← Head: fix/teletext-critical-bugs


📝 Commits (4)

  • 5dc8292 Fix out-of-bounds read in H.264 SEI parsing
  • 82109e6 Fix DTVCC structural type confusion and OOB writes (#1961)
  • 3e1424c Fix TS/ES: Integer overflow, stack overflow, heap over-read
  • cc7a43b [FIX] Teletext decoder: fix OOB read/write and loop overflow (#1965)

📊 Changes

5 files changed (+82 additions, -8 deletions)


📝 src/lib_ccx/avc_functions.c (+8 -2)
📝 src/lib_ccx/ccx_decoders_708.c (+38 -0)
📝 src/lib_ccx/es_userdata.c (+6 -2)
📝 src/lib_ccx/telxcc.c (+21 -4)
📝 src/lib_ccx/ts_tables.c (+9 -0)

📄 Description

In raising this pull request, I confirm the following (please check boxes):

  • [x] I have read and understood the contributors guide.
  • [x] I have checked that another pull request for this purpose does not exist.
  • [x] I have considered, and confirmed that this submission will be valuable to others.
  • [x] I accept that this submission may not be used, and the pull request closed at the will of the maintainer.
  • [x] I give this submission freely, and claim no ownership to its content.
  • [x] I have mentioned this change in the changelog.

My familiarity with the project is as follows (check one):

  • [ ] I have never used CCExtractor.
  • [ ] I have used CCExtractor just a couple of times.
  • [ ] I absolutely love CCExtractor, but have not contributed previously.
  • [x] I am an active contributor to CCExtractor.

Description

Issues Fixed:

  1. Out-of-Bounds Read in tlt_process_pes_packet: minimal size checks on PES header allowed truncated packets to trigger reads past buffer end.
  2. Out-of-Bounds Write in payload reversal loop: a malformed packet could specify data_unit_len causing a write past buffer end.
  3. Potential Infinite Loop / Buffer Overflow due to uint16_t wrap-around of the loop index.

Fixes Implemented:

  • Changed loop index i from uint16_t → uint32_t to avoid wrap-around.
  • Added size checks to ensure PES packet is long enough before reading header fields.
  • Added boundary check for data_unit_len to prevent OOB writes.
  • Logging added for truncated or malformed packets.

Impact:

  • Prevents crashes, buffer over-reads, and memory corruption.
  • Ensures Teletext decoder robustness against malformed DVB-TS streams.
  • Normal Teletext streams continue to work with no regression.

Testing:

  • Verified with truncated PES packets: safely ignored.
  • Verified payload length exceeding buffer: OOB writes prevented.
  • Verified loop termination even with max uint16_t values.

Issue Reference: #1965


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
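
An added example, not code from the PR or from CCExtractor: a hypothetical `walk_units` parser over an assumed `[id][len][payload]` unit layout, showing the three fixes the description lists (header size check, length check before the in-place reversal, wide loop index). `advance_u16` shows the 16-bit wrap; all names and sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the payload reversal step: reverse the bit order of a byte. */
static uint8_t reverse8(uint8_t b)
{
    b = (uint8_t)(((b & 0xF0) >> 4) | ((b & 0x0F) << 4));
    b = (uint8_t)(((b & 0xCC) >> 2) | ((b & 0x33) << 2));
    return (uint8_t)(((b & 0xAA) >> 1) | ((b & 0x55) << 1));
}

/* What a 16-bit index does near the top of its range: the advance wraps
 * to a small value, so a "while (i < limit)" loop may never terminate. */
uint16_t advance_u16(uint16_t i, uint8_t unit_len)
{
    return (uint16_t)(i + 2u + unit_len);
}

/* Walk [id][len][payload...] units starting at offset `start`.
 * Returns the number of units reversed in place, or -1 if a unit header or
 * declared length runs past `size`; no byte outside the buffer is touched. */
int walk_units(uint8_t *buf, size_t size, size_t start)
{
    int units = 0;
    size_t i = start;                 /* wide index: cannot wrap here */
    while (i < size) {
        if (size - i < 2)             /* unit header itself is truncated */
            return -1;
        uint8_t unit_len = buf[i + 1];
        i += 2;
        if (unit_len > size - i)      /* subtraction form avoids overflow */
            return -1;
        for (size_t j = 0; j < unit_len; j++)
            buf[i + j] = reverse8(buf[i + j]);
        i += unit_len;
        units++;
    }
    return units;
}

int main(void)
{
    /* Constructed sample: one 2-byte unit, then a unit claiming 44 bytes. */
    uint8_t pkt[] = {0x02, 0x02, 0x01, 0x80, 0x02, 0x2C, 0xAA};
    printf("units=%d\n", walk_units(pkt, sizeof pkt, 0));
    printf("wrapped index=%u\n", (unsigned)advance_u16(65500, 44));
    return 0;
}
```

A rejected packet may already have had its earlier, well-formed units reversed, so a caller should discard the whole buffer on -1 rather than reuse it.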

claunia added the pull-request label 2026-01-29 17:23:48 +00:00
Reference: starred/ccextractor#2763