[PR #1964] fix TS/ES: Integer overflow, stack overflow, heap over-read

**Original Pull Request:** https://github.com/CCExtractor/ccextractor/pull/1964 **State:** closed **Merged:** No ---  **In raising this pull request, I confirm the following (please check boxes):** - [x] I have read and understood the [contributors guide](https://github.com/CCExtractor/ccextractor/blob/master/.github/CONTRIBUTING.md). - [x] I have checked that another pull request for this purpose does not exist. - [x] I have considered, and confirmed that this submission will be valuable to others. - [x] I accept that this submission may not be used, and the pull request closed at the will of the maintainer. - [x] I give this submission freely, and claim no ownership to its content. - [x] **I have mentioned this change in the [changelog](https://github.com/CCExtractor/ccextractor/blob/master/docs/CHANGES.TXT).** **My familiarity with the project is as follows (check one):** - [ ] I have never used CCExtractor. - [ ] I have used CCExtractor just a couple of times. - [ ] I absolutely love CCExtractor, but have not contributed previously. - [x] I am an active contributor to CCExtractor. --- **Description:** This PR addresses three critical and previously unreported vulnerabilities in CCExtractor's TS/ES decoders. **Issue:** #1963 **Problems fixed:** 1. **Integer Overflow in TS PSI buffer** (`ts_tables.c`) - Cause: 32-bit wrap-around during PSI buffer reallocation. - Fix: Added bounds checks to prevent `buffer_length + payload_length` from exceeding 1MB. - Impact: Prevents heap corruption or memory mismanagement. 2. **Stack Overflow in SCTE 20 parsing** (`es_userdata.c`) - Cause: Maximum caption count (31) could lead to 2-byte overflow in `cc_data` array. - Fix: Extended `cc_data` array and added termination for safety. - Impact: Prevents stack memory corruption from malformed SCTE 20 packets. 3. **Heap Buffer Over-read in GXF VBI parsing** (`es_userdata.c`) - Cause: `decode_vbi` reads 720 bytes unconditionally regardless of `udatalen`. - Fix: Checked `udatalen >= 720` before calling `decode_vbi`. - Impact: Prevents buffer over-read, crashes, or information leaks. **Testing:** - Verified PSI buffer does not overflow with large TS packets. - Verified SCTE 20 packets with maximum captions are handled safely. - Verified truncated GXF VBI packets are skipped safely. - Normal streams continue to work with no regressions. **Impact:** Prevents heap corruption, stack overflow, and buffer over-read in core decoders. Ensures robustness against malformed TS/ES streams.

claunia commented

2026-01-29 17:23:48 +00:00

Owner

Original Pull Request: https://github.com/CCExtractor/ccextractor/pull/1964

State: closed
Merged: No

In raising this pull request, I confirm the following (please check boxes):

I have read and understood the contributors guide.
I have checked that another pull request for this purpose does not exist.
I have considered, and confirmed that this submission will be valuable to others.
I accept that this submission may not be used, and the pull request closed at the will of the maintainer.
I give this submission freely, and claim no ownership to its content.
I have mentioned this change in the changelog.

My familiarity with the project is as follows (check one):

I have never used CCExtractor.
I have used CCExtractor just a couple of times.
I absolutely love CCExtractor, but have not contributed previously.
I am an active contributor to CCExtractor.

Description:

This PR addresses three critical and previously unreported vulnerabilities in CCExtractor's TS/ES decoders.

Issue: #1963

Problems fixed:

Integer Overflow in TS PSI buffer (ts_tables.c)
- Cause: 32-bit wrap-around during PSI buffer reallocation.
- Fix: Added bounds checks to prevent buffer_length + payload_length from exceeding 1MB.
- Impact: Prevents heap corruption or memory mismanagement.
Stack Overflow in SCTE 20 parsing (es_userdata.c)
- Cause: Maximum caption count (31) could lead to 2-byte overflow in cc_data array.
- Fix: Extended cc_data array and added termination for safety.
- Impact: Prevents stack memory corruption from malformed SCTE 20 packets.
Heap Buffer Over-read in GXF VBI parsing (es_userdata.c)
- Cause: decode_vbi reads 720 bytes unconditionally regardless of udatalen.
- Fix: Checked udatalen >= 720 before calling decode_vbi.
- Impact: Prevents buffer over-read, crashes, or information leaks.

Testing:

Verified PSI buffer does not overflow with large TS packets.
Verified SCTE 20 packets with maximum captions are handled safely.
Verified truncated GXF VBI packets are skipped safely.
Normal streams continue to work with no regressions.

Impact:
Prevents heap corruption, stack overflow, and buffer over-read in core decoders. Ensures robustness against malformed TS/ES streams.

claunia added the pull-request label 2026-01-29 17:23:48 +00:00

[PR #1964] fix TS/ES: Integer overflow, stack overflow, heap over-read #2764