[PR #1968] [MERGED] fix DTVCC: Heap Buffer Overflow & Out-of-Bounds Read #2765

Open
opened 2026-01-29 17:23:48 +00:00 by claunia · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/CCExtractor/ccextractor/pull/1968
Author: @THE-Amrit-mahto-05
Created: 1/2/2026
Status: Merged
Merged: 1/3/2026
Merged by: @cfsmp3

Base: master ← Head: fix/dtvcc-critical-bugs


📝 Commits (7)

  • 5dc8292 Fix out-of-bounds read in H.264 SEI parsing
  • 82109e6 Fix DTVCC structural type confusion and OOB writes (#1961)
  • 3e1424c Fix TS/ES: Integer overflow, stack overflow, heap over-read
  • cc7a43b [FIX] Teletext decoder: fix OOB read/write and loop overflow (#1965)
  • 028ce9d [FIX] DTVCC: Heap Overflow & OOB Read
  • 1255b31 [FIX] Remove dead safety checks per reviewer feedback
  • 44eb665 chore: apply clang-format fixes

📊 Changes

6 files changed (+66 additions, -10 deletions)


📝 src/lib_ccx/avc_functions.c (+6 -2)
📝 src/lib_ccx/ccx_decoders_708.c (+22 -0)
📝 src/lib_ccx/ccx_dtvcc.c (+2 -2)
📝 src/lib_ccx/es_userdata.c (+6 -2)
📝 src/lib_ccx/telxcc.c (+21 -4)
📝 src/lib_ccx/ts_tables.c (+9 -0)

📄 Description

In raising this pull request, I confirm the following (please check boxes):

  • [x] I have read and understood the contributors guide.
  • [x] I have checked that another pull request for this purpose does not exist.
  • [x] I have considered, and confirmed that this submission will be valuable to others.
  • [x] I accept that this submission may not be used, and the pull request closed at the will of the maintainer.
  • [x] I give this submission freely, and claim no ownership to its content.
  • [x] I have mentioned this change in the changelog.

My familiarity with the project is as follows (check one):

  • [ ] I have never used CCExtractor.
  • [ ] I have used CCExtractor just a couple of times.
  • [ ] I absolutely love CCExtractor, but have not contributed previously.
  • [x] I am an active contributor to CCExtractor.

Description

Fixed critical vulnerabilities in the DTVCC (CEA-708) decoder.

Issues Fixed:

  1. Heap Buffer Overflow in dtvcc_process_data
    • Trigger: Malformed CEA-708 streams with packet length > 128.
    • Fix: Added bounds check using CCX_DTVCC_MAX_PACKET_LENGTH.
  2. Out-of-Bounds Read in dtvcc_process_current_packet
    • Trigger: Extended header (service_number 7) read beyond packet buffer.
    • Fix: Added length check to stop processing truncated extended headers.

Impact if unpatched:

  • Heap memory corruption.
  • Undefined behavior while processing malformed DTVCC streams.
  • Potential crash during caption extraction.

Testing:

  • Verified packets exceeding CCX_DTVCC_MAX_PACKET_LENGTH are safely ignored.
  • Verified truncated extended headers do not cause memory over-read.
  • Confirmed normal streams continue to decode correctly with no regression.

fixed #1966


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
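
The two length checks listed in the description, as a stand-alone C sketch added here for illustration; it is not code from the pull request or from CCExtractor. The names `pkt_buf`, `pkt_append`, `pkt_walk` and `MAX_PACKET_LEN` are hypothetical, the 128-byte limit is taken from the trigger condition quoted above, and the header layout (3-bit service number, 5-bit block size, one extra byte when the service number is 7) follows the CEA-708 service block format.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MAX_PACKET_LEN 128 /* assumption: stands in for CCX_DTVCC_MAX_PACKET_LENGTH */
struct pkt_buf { uint8_t data[MAX_PACKET_LEN]; size_t len; };

/* Accumulate packet bytes; drop the packet instead of writing past data[]. */
int pkt_append(struct pkt_buf *p, const uint8_t *src, size_t n)
{
    if (n > MAX_PACKET_LEN - p->len) { /* subtraction form cannot wrap */
        p->len = 0;
        return -1;
    }
    memcpy(p->data + p->len, src, n);
    p->len += n;
    return 0;
}

/* Walk service blocks after the 1-byte packet header; -1 means truncated input. */
int pkt_walk(const struct pkt_buf *p, unsigned *last_service)
{
    size_t pos = 1;
    int blocks = 0;
    while (pos < p->len) {
        unsigned service = p->data[pos] >> 5;    /* top 3 bits */
        size_t block_size = p->data[pos] & 0x1F; /* low 5 bits */
        pos++;
        if (service == 0 && block_size == 0) break; /* null header: padding */
        if (service == 7) { /* extended header: one more byte */
            if (pos >= p->len) return -1; /* that byte is not in the packet */
            service = p->data[pos++] & 0x3F;
        }
        if (block_size > p->len - pos) return -1; /* block body truncated */
        pos += block_size;
        *last_service = service;
        blocks++;
    }
    return blocks;
}

int main(void)
{
    const uint8_t cut[] = {0x00, 0xE1}; /* constructed: service 7 header, then nothing */
    struct pkt_buf p = {{0}, 0};
    unsigned svc = 0;
    pkt_append(&p, cut, sizeof cut);
    printf("truncated extended header -> %d\n", pkt_walk(&p, &svc));
    return 0;
}
```

Both checks compare against the space that remains (`MAX_PACKET_LEN - p->len`, `p->len - pos`) rather than adding attacker-supplied lengths to an offset, so the comparison itself cannot overflow.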

claunia added the pull-request label 2026-01-29 17:23:48 +00:00

Reference: starred/ccextractor#2765