[PR #1960] Fix out-of-bounds read in H.264 SEI parsing #2767

Open
opened 2026-01-29 17:23:48 +00:00 by claunia · 0 comments
Owner

Original Pull Request: https://github.com/CCExtractor/ccextractor/pull/1960

State: closed
Merged: No


In raising this pull request, I confirm the following (please check boxes):

  • [x] I have read and understood the contributors guide (https://github.com/CCExtractor/ccextractor/blob/master/.github/CONTRIBUTING.md).
  • [x] I have checked that another pull request for this purpose does not exist.
  • [x] I have considered, and confirmed that this submission will be valuable to others.
  • [x] I accept that this submission may not be used, and the pull request closed at the will of the maintainer.
  • [x] I give this submission freely, and claim no ownership to its content.
  • [ ] I have mentioned this change in the changelog (https://github.com/CCExtractor/ccextractor/blob/master/docs/CHANGES.TXT).

My familiarity with the project is as follows (check one):

  • [ ] I have never used CCExtractor.
  • [ ] I have used CCExtractor just a couple of times.
  • [ ] I absolutely love CCExtractor, but have not contributed previously.
  • [x] I am an active contributor to CCExtractor.

Description

Fixes #1959.

This PR fixes an out-of-bounds read in the H.264 SEI (Supplemental Enhancement Information) parser when handling FF-extended payload_type and payload_size fields.

Malformed or truncated SEI NAL units containing a sequence of 0xFF bytes without a terminating byte could cause sei_message() to read past the end of the SEI buffer, leading to undefined behavior or a crash.

Changes made

  • Added bounds checks (seibuf < seiend) while parsing FF-extended SEI fields.
  • Safely abort SEI parsing when encountering truncated SEI payloads.
  • Propagate parsing failure to the caller to avoid invalid pointer reuse.

Impact

  • Prevents out-of-bounds reads on malformed H.264 streams.
  • Improves robustness of AVC caption extraction.
  • No behavior change for valid inputs.

Notes

This change does not modify output for valid SEI data and has no performance impact.

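The fix described above is easiest to see on a small parser. The following C program is an added illustration, not the PR's diff and not CCExtractor's own `sei_message()`: it decodes the FF-extended `payload_type` and `payload_size` fields of H.264 SEI messages with the `seibuf < seiend` style of bounds check the PR adds, and returns a failure code to the caller on truncated input instead of reading past the buffer. The function names, the `struct sei_msg` type and the sample byte sequences are all constructed for this example; it assumes emulation-prevention bytes have already been stripped from the NAL unit, and it stops at the `0x80` rbsp_trailing_bits byte as decoders commonly do.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One SEI message header as found in the buffer; payload points into the caller's data. */
struct sei_msg {
    unsigned type;          /* payloadType (H.264 7.3.2.3.1) */
    size_t size;            /* payloadSize in bytes */
    const uint8_t *payload; /* first payload byte, inside [buf, buf+len) */
};

/* Decode one FF-extended value: every 0xFF byte adds 255, the first non-0xFF byte
 * terminates the field. Returns 0 on success, -1 if the buffer ends first.
 * The `p < end` test in the loop is the check the PR describes: without it, a run
 * of 0xFF bytes reaching the end of the NAL unit is followed past `end`. */
static int read_ff_extended(const uint8_t **cur, const uint8_t *end, unsigned *out)
{
    const uint8_t *p = *cur;
    unsigned value = 0;

    while (p < end && *p == 0xFF) {
        value += 255;
        p++;
    }
    if (p >= end)
        return -1;          /* truncated: no terminating byte */
    value += *p++;
    *cur = p;
    *out = value;
    return 0;
}

/* Parse all SEI messages in [buf, buf+len). Returns the number of messages found,
 * or -1 if the data is truncated; on -1 the caller must discard the NAL unit and
 * must not reuse any pointer derived from it. */
int parse_sei_messages(const uint8_t *buf, size_t len, struct sei_msg *out, size_t max_out)
{
    const uint8_t *cur = buf, *end = buf + len;
    int count = 0;

    while (cur < end && *cur != 0x80) {     /* 0x80 = rbsp_trailing_bits */
        unsigned type, size;
        if (read_ff_extended(&cur, end, &type) < 0) return -1;
        if (read_ff_extended(&cur, end, &size) < 0) return -1;
        if ((size_t)(end - cur) < size) return -1;  /* payload runs past the buffer */
        if ((size_t)count < max_out) {
            out[count].type = type;
            out[count].size = size;
            out[count].payload = cur;
        }
        count++;
        cur += size;
    }
    return count;
}

/* Constructed sample inputs (not captures from a real stream). */
static const uint8_t SEI_T35[] = { 0x04, 0x03, 0xB5, 0x00, 0x31, 0x80 }; /* type 4, 3 bytes */
static const uint8_t SEI_TWO[] = { 0x04, 0x01, 0xB5, 0x06, 0x01, 0x00, 0x80 }; /* two messages */
static const uint8_t SEI_TRUNC_FF[] = { 0xFF, 0xFF, 0xFF, 0xFF };   /* type never terminates */
static const uint8_t SEI_TRUNC_SIZE[] = { 0x04, 0xFF };             /* size never terminates */
static const uint8_t SEI_SHORT_PAYLOAD[] = { 0x04, 0x10, 0xB5 };    /* claims 16 bytes, has 1 */

/* Parse one buffer and report field 0 = message count, 1 = first type, 2 = first size;
 * -1 for every field when the buffer is truncated. */
long sei_field(const uint8_t *buf, size_t len, int field)
{
    struct sei_msg m = { 0, 0, NULL };
    int n = parse_sei_messages(buf, len, &m, 1);
    if (n < 0 || field == 0)
        return n;
    return field == 1 ? (long)m.type : (long)m.size;
}

/* Build a message whose type (0xFF 0x01 = 256) and size (0xFF 0x02 = 257) are both
 * FF-extended, with a 257-byte dummy payload, and report the requested field. */
long ff_extended_field(int field)
{
    static uint8_t buf[4 + 257 + 1];
    buf[0] = 0xFF; buf[1] = 0x01; buf[2] = 0xFF; buf[3] = 0x02;
    memset(buf + 4, 0xAA, 257);
    buf[4 + 257] = 0x80;
    return sei_field(buf, sizeof buf, field);
}

int main(void)
{
    printf("T.35 message: count=%ld type=%ld size=%ld\n",
           sei_field(SEI_T35, sizeof SEI_T35, 0), sei_field(SEI_T35, sizeof SEI_T35, 1),
           sei_field(SEI_T35, sizeof SEI_T35, 2));
    printf("FF-extended: type=%ld size=%ld\n", ff_extended_field(1), ff_extended_field(2));
    printf("truncated type run: %ld\n", sei_field(SEI_TRUNC_FF, sizeof SEI_TRUNC_FF, 0));
    printf("truncated size run: %ld\n", sei_field(SEI_TRUNC_SIZE, sizeof SEI_TRUNC_SIZE, 0));
    printf("short payload: %ld\n", sei_field(SEI_SHORT_PAYLOAD, sizeof SEI_SHORT_PAYLOAD, 0));
    return 0;
}
```

The three truncated inputs are the cases the PR targets: a `0xFF` run with no terminating byte in either field, and a declared size larger than the bytes remaining. Each is rejected with `-1` before any byte beyond the buffer is touched, while the valid inputs (including the FF-extended type and size) decode unchanged, which is the "no behavior change for valid inputs" property a reviewer would want a regression test to pin down.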
claunia added the pull-request label 2026-01-29 17:23:48 +00:00

Reference: starred/ccextractor#2767