[PR #1966] fix: Critical Teletext Decoder Vulnerabilities: Out-of-Bounds Read/Write and Loop Overflow #2768

Open
opened 2026-01-29 17:23:48 +00:00 by claunia · 0 comments
Owner

Original Pull Request: https://github.com/CCExtractor/ccextractor/pull/1966

State: closed
Merged: No


In raising this pull request, I confirm the following (please check boxes):

  • [x] I have read and understood the contributors guide.
  • [x] I have checked that another pull request for this purpose does not exist.
  • [x] I have considered, and confirmed that this submission will be valuable to others.
  • [x] I accept that this submission may not be used, and the pull request closed at the will of the maintainer.
  • [x] I give this submission freely, and claim no ownership to its content.
  • [x] I have mentioned this change in the changelog.

My familiarity with the project is as follows (check one):

  • [ ] I have never used CCExtractor.
  • [ ] I have used CCExtractor just a couple of times.
  • [ ] I absolutely love CCExtractor, but have not contributed previously.
  • [x] I am an active contributor to CCExtractor.

Description

Issues Fixed:

  1. Out-of-Bounds Read in tlt_process_pes_packet: minimal size checks on PES header allowed truncated packets to trigger reads past buffer end.
  2. Out-of-Bounds Write in payload reversal loop: a malformed packet could specify data_unit_len causing a write past buffer end.
  3. Potential Infinite Loop / Buffer Overflow due to uint16_t wrap-around of the loop index.

Fixes Implemented:

  • Changed loop index i from uint16_t → uint32_t to avoid wrap-around.
  • Added size checks to ensure PES packet is long enough before reading header fields.
  • Added boundary check for data_unit_len to prevent OOB writes.
  • Logging added for truncated or malformed packets.

Impact:

  • Prevents crashes, buffer over-reads, and memory corruption.
  • Ensures Teletext decoder robustness against malformed DVB-TS streams.
  • Normal Teletext streams continue to work with no regression.

Testing:

  • Verified with truncated PES packets: safely ignored.
  • Verified payload length exceeding buffer: OOB writes prevented.
  • Verified loop termination even with max uint16_t values.

Issue Reference: #1965
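
The three defect classes listed in the description, shown in a stand-alone sketch. This is an added example, not code from the pull request or from CCExtractor. It assumes a simplified buffer of `[id][len][payload]` units whose payload bytes are bit-reversed in place; `reverse8`, `advance_u16` and `walk_units` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>

/* Reverse the bit order of one byte (the in-place write being guarded). */
static uint8_t reverse8(uint8_t b)
{
    b = (uint8_t)(((b & 0xF0) >> 4) | ((b & 0x0F) << 4));
    b = (uint8_t)(((b & 0xCC) >> 2) | ((b & 0x33) << 2));
    b = (uint8_t)(((b & 0xAA) >> 1) | ((b & 0x55) << 1));
    return b;
}

/* Where a 16-bit index lands after skipping one unit: it wraps modulo
 * 65536, so a later `i < size` test can pass again at an old offset. */
uint16_t advance_u16(uint16_t i, uint8_t unit_len)
{
    return (uint16_t)(i + 2u + unit_len);
}

/* Walk the units in buf[0..size), reversing each payload in place.
 * Returns the number of complete units processed; sets *malformed when a
 * unit header or payload would run past the end of the buffer. */
size_t walk_units(uint8_t *buf, size_t size, int *malformed)
{
    size_t i = 0, units = 0;   /* wide index: cannot wrap below size */
    *malformed = 0;
    while (i < size) {
        if (size - i < 2) {            /* header read would be out of bounds */
            *malformed = 1;
            break;
        }
        size_t len = buf[i + 1];
        if (len > size - i - 2) {      /* payload write would be out of bounds */
            *malformed = 1;
            break;
        }
        for (size_t j = 0; j < len; j++)
            buf[i + 2 + j] = reverse8(buf[i + 2 + j]);
        i += 2 + len;
        units++;
    }
    return units;
}
```

Both checks compare against the bytes remaining (`size - i`) rather than computing `i + len`, so the check itself cannot overflow.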

claunia added the pull-request label 2026-01-29 17:23:48 +00:00

Reference: starred/ccextractor#2768