[PR #1975] [MERGED] Fix OOB read/write and length handling in CEA-608/708 decoders #2773

Open
opened 2026-01-29 17:23:50 +00:00 by claunia · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/CCExtractor/ccextractor/pull/1975
Author: @THE-Amrit-mahto-05
Created: 1/3/2026
Status: Merged
Merged: 1/5/2026
Merged by: @cfsmp3

Base: master ← Head: fix/cea-608-708-oob


📝 Commits (1)

  • 51cae1c Fix OOB read/write and length handling in CEA-608/708 decoders

📊 Changes

2 files changed (+27 additions, -3 deletions)

View changed files

📝 src/lib_ccx/ccx_decoders_608.c (+7 -0)
📝 src/lib_ccx/ccx_decoders_708.c (+20 -3)

📄 Description

In raising this pull request, I confirm the following (please check boxes):

  • [x] I have read and understood the contributors guide.
  • [x] I have checked that another pull request for this purpose does not exist.
  • [x] I have considered, and confirmed that this submission will be valuable to others.
  • [x] I accept that this submission may not be used, and the pull request closed at the will of the maintainer.
  • [x] I give this submission freely, and claim no ownership to its content.
  • [x] I have mentioned this change in the changelog.

My familiarity with the project is as follows (check one):

  • [ ] I have never used CCExtractor.
  • [ ] I have used CCExtractor just a couple of times.
  • [ ] I absolutely love CCExtractor, but have not contributed previously.
  • [x] I am an active contributor to CCExtractor.

description

This change addresses multiple robustness and security issues in the CEA-608 and CEA-708 caption decoders.
The issues were triggered by malformed or truncated caption streams and could lead to out-of-bounds memory access or decoder desynchronization.

These issues did not appear to be previously reported.

Issues Identified

  1. CEA-608 Decoder — Out-of-Bounds Write

File: src/lib_ccx/ccx_decoders_608.c

  • write_char() could write to the screen buffer without validating cursor_row and cursor_column.
  • delete_to_end_of_row() could access invalid rows if cursor state became inconsistent.
  • Malformed input could desynchronize cursor state and cause memory corruption.

Impact:
Potential out-of-bounds write → memory corruption and crashes.

  2. CEA-708 Decoder — Out-of-Bounds Read (EXT1, P16)

File: src/lib_ccx/ccx_decoders_708.c

  • dtvcc_handle_extended_char() assumed at least one byte of data was available.
  • dtvcc_handle_C0() processed P16 commands without verifying sufficient remaining data.
  • Malformed packets could cause 1-byte heap buffer over-reads.

Impact:
Out-of-bounds read → crashes or processing of garbage data.

  3. CEA-708 Decoder — Logic Error (Length Propagation)

File: src/lib_ccx/ccx_decoders_708.c

  • dtvcc_process_service_block() passed incorrect remaining lengths to sub-handlers.
  • This amplified OOB read conditions and could desynchronize decoder state.

Impact:
Increased likelihood of OOB reads and incorrect parsing behavior.

Fixes Implemented

CEA-608 Decoder

  • Added strict bounds checks for cursor_row and cursor_column before writing to screen buffers.
  • Added early exit in delete_to_end_of_row() when cursor row is invalid.

CEA-708 Decoder

  • Added minimum length validation for EXT1 and P16 commands.
  • Fixed remaining-length calculation passed to extended character handlers.
  • Safely skip malformed EXT1 sequences without reading past buffer bounds.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
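As an added illustration, not code from the PR or from ccextractor itself, the C program below models the two classes of fix the description lists: a cursor-validated CEA-608 screen write and row clear, and a CEA-708 service-block walker that hands every sub-handler the count of bytes actually remaining after the opcode, so that EXT1 (one argument byte) and P16 (two argument bytes) are skipped rather than over-read when a block is truncated. The 15x32 grid, the `screen608_*` and `walk_service_block` names, the `sb_stats_t` struct and the per-command handlers are this example's own choices and do not correspond to ccextractor's functions; the C0 and C1 argument lengths follow the CEA-708 code tables rather than anything on this page, and the walker goes slightly beyond the PR by length-checking the C1 commands as well.

```c
#include <stdint.h>
#include <string.h>

/* CEA-608: 15 rows x 32 columns (a model of the screen buffer, not ccextractor's struct). */
#define ROWS 15
#define COLS 32

typedef struct {
    unsigned char cell[ROWS][COLS];
    int cursor_row, cursor_col;
} screen608_t;

static int cursor_ok(const screen608_t *s)
{
    return s->cursor_row >= 0 && s->cursor_row < ROWS &&
           s->cursor_col >= 0 && s->cursor_col < COLS;
}

/* Returns 1 if stored, 0 if the cursor is outside the grid (desynchronised state: refuse the write). */
int screen608_write_char(screen608_t *s, unsigned char c)
{
    if (!cursor_ok(s))
        return 0;
    s->cell[s->cursor_row][s->cursor_col] = c;
    if (s->cursor_col < COLS - 1)
        s->cursor_col++;
    return 1;
}

/* Same early exit for delete-to-end-of-row. */
int screen608_delete_to_end_of_row(screen608_t *s)
{
    if (!cursor_ok(s))
        return 0;
    for (int col = s->cursor_col; col < COLS; col++)
        s->cell[s->cursor_row][col] = ' ';
    return 1;
}

/* CEA-708: walk one service block, validating each command's argument bytes. */
#define C0_EXT1 0x10   /* escape to G2/G3: one argument byte */
#define C0_P16  0x18   /* 16-bit character: two argument bytes */

typedef struct {
    int chars, ext_chars, p16_chars;
    int truncated;   /* set when the block ends inside a multi-byte command */
} sb_stats_t;

/* Argument bytes after each C1 opcode (0x80..0x9F), per the CEA-708 C1 table. */
static int c1_arg_len(uint8_t op)
{
    if (op <= 0x87) return 0;                 /* CW0..CW7 */
    if (op <= 0x8D) return 1;                 /* CLW DSW HDW TGW DLW DLY */
    if (op <= 0x8F) return 0;                 /* DLC RST */
    if (op == 0x90 || op == 0x92) return 2;   /* SPA SPL */
    if (op == 0x91) return 3;                 /* SPC */
    if (op <= 0x96) return 0;                 /* reserved */
    if (op == 0x97) return 4;                 /* SWA */
    return 6;                                 /* DF0..DF7 */
}

/* Sub-handlers receive `remaining`, the bytes left AFTER the opcode, and return how many they consumed, or -1 if cut short. */
static int handle_ext1(size_t remaining, sb_stats_t *st)
{
    if (remaining < 1) return -1;   /* nothing to fetch: this was the 1-byte EXT1 over-read */
    st->ext_chars++;
    return 1;
}

static int handle_p16(size_t remaining, sb_stats_t *st)
{
    if (remaining < 2) return -1;   /* fewer than two bytes left: the P16 over-read */
    st->p16_chars++;
    return 2;
}

/* Returns bytes consumed. Stops at the first truncated command and leaves it unread instead of reading past the block. */
size_t walk_service_block(const uint8_t *data, size_t len, sb_stats_t *st)
{
    size_t i = 0;
    memset(st, 0, sizeof *st);
    while (i < len) {
        uint8_t op = data[i];
        size_t remaining = len - i - 1;   /* the correct remaining length, propagated to every handler */
        int need;
        if (op == C0_EXT1)                  need = handle_ext1(remaining, st);
        else if (op == C0_P16)              need = handle_p16(remaining, st);
        else if (op >= 0x11 && op <= 0x17)  need = remaining >= 1 ? 1 : -1;  /* reserved C0, 1 arg */
        else if (op >= 0x19 && op <= 0x1F)  need = remaining >= 2 ? 2 : -1;  /* reserved C0, 2 args */
        else if (op < 0x10)                 need = 0;                         /* single-byte C0 */
        else if (op >= 0x80 && op <= 0x9F)  need = (size_t)c1_arg_len(op) <= remaining ? c1_arg_len(op) : -1;
        else { st->chars++;                 need = 0; }                       /* G0 / G1 printable */
        if (need < 0) { st->truncated = 1; return i; }
        i += 1 + (size_t)need;
    }
    return i;
}
```

Call `walk_service_block` on a block's payload; the returned byte count together with the `truncated` flag tells the caller exactly where parsing stopped, which is what a fuzzing harness for this kind of decoder would assert on. Note that `remaining` is computed once per opcode from `len - i - 1`, never from a handler's guess, which is the length-propagation discipline the third fix in the description restores.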

claunia added the pull-request label 2026-01-29 17:23:50 +00:00

Reference: starred/ccextractor#2773