starred/ccextractor
1
0
Fork 0
mirror of https://github.com/CCExtractor/ccextractor.git synced 2026-02-04 05:44:53 +00:00
Code Issues 1.5k Packages Projects Releases 20 Wiki Activity

[PR #1962] fix DTVCC: Structural type confusion / OOB writes #2766

New Issue
Open
opened 2026-01-29 17:23:48 +00:00 by claunia · 0 comments
claunia commented 2026-01-29 17:23:48 +00:00
Owner
Copy Link

Original Pull Request: https://github.com/CCExtractor/ccextractor/pull/1962

State: closed
Merged: No

In raising this pull request, I confirm the following (please check boxes):

  • I have read and understood the contributors guide.
  • I have checked that another pull request for this purpose does not exist.
  • I have considered, and confirmed that this submission will be valuable to others.
  • I accept that this submission may not be used, and the pull request closed at the will of the maintainer.
  • I give this submission freely, and claim no ownership to its content.
  • I have mentioned this change in the changelog.

My familiarity with the project is as follows (check one):

  • I have never used CCExtractor.
  • I have used CCExtractor just a couple of times.
  • I absolutely love CCExtractor, but have not contributed previously.
  • I am an active contributor to CCExtractor.

Title: [FIX] DTVCC: Structural type confusion / OOB writes (#1961)

Description:
This PR addresses a critical structural type confusion and out-of-bounds (OOB) write in the DTVCC (CEA-708) decoder.

Issue: #1961

Problem:
Malformed or malicious CEA-708 streams could define windows with row/column counts exceeding the maximums. This could lead to:

  • Heap buffer over-reads
  • Reading struct members as pointers (information leak)
  • Overwriting TV screen metadata
  • Undefined behavior during caption extraction

Fix implemented:

  • Added bounds checks for row_count and col_count in dtvcc_handle_DFx_DefineWindow.
  • Added safety checks for pen_row and pen_column in dtvcc_process_character and dtvcc_handle_SPL_SetPenLocation.
  • Added invariant check in dtvcc_window_copy_to_screen to reject windows exceeding maximum dimensions.
  • Logging added for invalid dimensions and pen positions for easier debugging.

Impact:

  • Prevents out-of-bounds memory access.
  • Ensures decoder robustness against malformed streams.

Testing:

  • Verified windows exceeding CCX_DTVCC_MAX_ROWS/COLUMNS are rejected.
  • Verified pen positions outside valid bounds are ignored safely.
  • Confirmed normal streams continue to work correctly with no regression.
**Original Pull Request:** https://github.com/CCExtractor/ccextractor/pull/1962 **State:** closed **Merged:** No --- <!-- Please prefix your pull request with one of the following: **[FEATURE]** **[FIX]** **[IMPROVEMENT]**. --> **In raising this pull request, I confirm the following (please check boxes):** - [x] I have read and understood the [contributors guide](https://github.com/CCExtractor/ccextractor/blob/master/.github/CONTRIBUTING.md). - [x] I have checked that another pull request for this purpose does not exist. - [x] I have considered, and confirmed that this submission will be valuable to others. - [x] I accept that this submission may not be used, and the pull request closed at the will of the maintainer. - [x] I give this submission freely, and claim no ownership to its content. - [x] **I have mentioned this change in the [changelog](https://github.com/CCExtractor/ccextractor/blob/master/docs/CHANGES.TXT).** **My familiarity with the project is as follows (check one):** - [ ] I have never used CCExtractor. - [ ] I have used CCExtractor just a couple of times. - [ ] I absolutely love CCExtractor, but have not contributed previously. - [x] I am an active contributor to CCExtractor. --- **Title:** `[FIX] DTVCC: Structural type confusion / OOB writes (#1961)` **Description:** This PR addresses a critical structural type confusion and out-of-bounds (OOB) write in the DTVCC (CEA-708) decoder. **Issue:** #1961 **Problem:** Malformed or malicious CEA-708 streams could define windows with row/column counts exceeding the maximums. This could lead to: - Heap buffer over-reads - Reading struct members as pointers (information leak) - Overwriting TV screen metadata - Undefined behavior during caption extraction **Fix implemented:** - Added bounds checks for `row_count` and `col_count` in `dtvcc_handle_DFx_DefineWindow`. - Added safety checks for `pen_row` and `pen_column` in `dtvcc_process_character` and `dtvcc_handle_SPL_SetPenLocation`. - Added invariant check in `dtvcc_window_copy_to_screen` to reject windows exceeding maximum dimensions. - Logging added for invalid dimensions and pen positions for easier debugging. **Impact:** - Prevents out-of-bounds memory access. - Ensures decoder robustness against malformed streams. **Testing:** - Verified windows exceeding `CCX_DTVCC_MAX_ROWS/COLUMNS` are rejected. - Verified pen positions outside valid bounds are ignored safely. - Confirmed normal streams continue to work correctly with no regression.
claunia added the pull-request label 2026-01-29 17:23:48 +00:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
bug
CEA-708
difficulty: easy
difficulty: hard
difficulty: medium
DTMB
DVB
enhancement
enhancement
Flutter GUI
GCI19
good-first-task
GSoC 2021
GSOC-2023
GSOC-2023
GSOC-2023
GSoC-related
Hacktoberfest
HardsubX
help wanted
invalid
JokerTV
Mac / OSX
more-info-needed
needs-commercial-sponsor
needs-commercial-sponsor
needs-commercial-sponsor
needs-confirmation-of-being-broken
OCR
pull-request
Mirrored from GitHub Pull Request
 Python
regression
Rust
teletext
No Label pull-request
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
claunia
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/ccextractor#2766
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?