[BUG] Heap buffer overflow when parsing TS format #695

Open
opened 2026-01-29 16:51:23 +00:00 by claunia · 0 comments
Owner

Originally created by @Me19m4 on GitHub (Mar 23, 2022).

CCExtractor version:
Version: 0.94

  • I have read and understood the contributors guide.

  • I have checked that the bug-fix I am reporting can be replicated, or that the feature I am suggesting isn't already present.

  • I have checked that the issue I'm posting isn't already reported.

  • I have checked that the issue I'm posting isn't already solved and no duplicates exist in closed issues and in opened issues

  • I have checked the pull requests tab for existing solutions/implementations to my issue/suggestion.

  • I have used the latest available version of CCExtractor to verify this issue exists.

  • I have ticked all the boxes in this section and to prove it I'm deleting the section completely to remove boilerplate text.

  • What were the used arguments?

    ./ccextractor example.ts

  • What platform did you use?

    Ubuntu 21.10

Additional information

```
==3373803==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x610000001028 at pc 0x000001759399 bp 0x7ffd08ca8370 sp 0x7ffd08ca8368
READ of size 1 at 0x610000001028 thread T0
    #0 0x1759398 in parse_PMT /home/moqi/ccextractor/src/lib_ccx/ts_tables.c:310:74
    #1 0x174bec1 in ts_readstream /home/moqi/ccextractor/src/lib_ccx/ts_functions.c:752:9
    #2 0x175002a in ts_get_more_data /home/moqi/ccextractor/src/lib_ccx/ts_functions.c:980:9
    #3 0x16801ae in general_loop /home/moqi/ccextractor/src/lib_ccx/general_loop.c:894:9
    #4 0x1107d55 in api_start /home/moqi/ccextractor/src/ccextractor.c:205:11
    #5 0x110bed3 in main /home/moqi/ccextractor/src/ccextractor.c:463:18
    #6 0x7f166a67bfcf in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #7 0x7f166a67c07c in __libc_start_main csu/../csu/libc-start.c:409:3
    #8 0x58c604 in _start (/home/moqi/ccextractor/src/build/ccextractor+0x58c604)

0x610000001028 is located 48 bytes to the right of 184-byte region [0x610000000f40,0x610000000ff8)
allocated by thread T0 here:
    #0 0x608dbd in malloc (/home/moqi/ccextractor/src/build/ccextractor+0x608dbd)
    #1 0x175b2c0 in ts_buffer_psi_packet /home/moqi/ccextractor/src/lib_ccx/ts_tables.c:503:46

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/moqi/ccextractor/src/lib_ccx/ts_tables.c:310:74 in parse_PMT
Shadow bytes around the buggy address:
  0x0c207fff81b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c207fff81c0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c207fff81d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
  0x0c207fff81e0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c207fff81f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
=>0x0c207fff8200: fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa fa fa
  0x0c207fff8210: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff8220: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff8230: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff8240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff8250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
```

example.ts link:

https://drive.google.com/file/d/11hV7Uf_lA3vlFr-EWZdOJ3Q9eQCKGIY_/view?usp=sharing
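The sanitizer report above shows a one-byte read in parse_PMT landing 48 bytes past the end of the 184-byte PSI buffer that ts_buffer_psi_packet allocated, which is the pattern you get when a PMT parser trusts a length field from the stream (section_length, program_info_length or ES_info_length) instead of checking it against the bytes actually buffered. The walker below is an added example written for this page, not CCExtractor's parse_PMT and not a diagnosis of the exact fault at ts_tables.c:310. It uses the PMT section layout from ISO/IEC 13818-1 and a constructed 29-byte section; every length read from the section is validated before any byte behind it is touched, and the two failing cases (a truncated buffer and an ES_info_length that overruns) are the ones a fuzzer-found overflow of this kind usually reduces to.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical bounds-checked walk of an MPEG-TS Program Map Table section.
 * Added example, not CCExtractor's own parser. Every length that comes from
 * the stream is checked against buf[0..len) before the bytes behind it are
 * read, so a malformed section is rejected rather than read past the buffer. */

#define PMT_MAX_STREAMS 32

typedef struct {
    uint16_t pcr_pid;
    int count;
    uint8_t stream_type[PMT_MAX_STREAMS];
    uint16_t es_pid[PMT_MAX_STREAMS];
} pmt_info;

/* Returns the number of elementary streams, or -1 if parsing the section
 * would require a read outside buf[0..len). */
int parse_pmt_checked(const uint8_t *buf, size_t len, pmt_info *out)
{
    size_t pos, end, section_length, info_len;

    out->count = 0;
    if (len < 3 || buf[0] != 0x02)          /* table_id + section_length field */
        return -1;
    section_length = ((size_t)(buf[1] & 0x0F) << 8) | buf[2];
    if (section_length < 13)                /* 9 header bytes + 4-byte CRC_32 */
        return -1;
    /* A section that declares more bytes than were buffered is the classic
     * way a PSI parser ends up reading past its allocation. */
    if (3 + section_length > len)
        return -1;
    end = 3 + section_length - 4;           /* first byte of CRC_32 */
    pos = 3;

    out->pcr_pid = (uint16_t)(((buf[pos + 5] & 0x1F) << 8) | buf[pos + 6]);
    info_len = ((size_t)(buf[pos + 7] & 0x0F) << 8) | buf[pos + 8];
    pos += 9;
    if (info_len > end - pos)               /* program descriptors overrun */
        return -1;
    pos += info_len;

    while (pos < end) {
        if (end - pos < 5)                  /* room for one ES entry header */
            return -1;
        uint8_t type = buf[pos];
        uint16_t pid = (uint16_t)(((buf[pos + 1] & 0x1F) << 8) | buf[pos + 2]);
        info_len = ((size_t)(buf[pos + 3] & 0x0F) << 8) | buf[pos + 4];
        pos += 5;
        if (info_len > end - pos)           /* ES descriptors overrun */
            return -1;
        if (out->count < PMT_MAX_STREAMS) { /* record, never write past arrays */
            out->stream_type[out->count] = type;
            out->es_pid[out->count] = pid;
        }
        out->count++;
        pos += info_len;
    }
    return out->count;
}

/* Constructed PMT section (not from example.ts): PCR on PID 0x100, H.264 video
 * on PID 0x100, AAC audio on PID 0x101 with one 3-byte descriptor. CRC_32 is
 * left as zeros; this example does not verify it. */
static const uint8_t sample_pmt[] = {
    0x02, 0xB0, 0x1A,             /* table_id, flags, section_length = 26 */
    0x00, 0x01, 0xC1, 0x00, 0x00, /* program_number, version, section numbers */
    0xE1, 0x00,                   /* PCR_PID = 0x100 */
    0xF0, 0x00,                   /* program_info_length = 0 */
    0x1B, 0xE1, 0x00, 0xF0, 0x00, /* H.264 on PID 0x100, no descriptors */
    0x0F, 0xE1, 0x01, 0xF0, 0x03, /* AAC on PID 0x101, 3 descriptor bytes */
    0x52, 0x01, 0x01,             /* stream_identifier_descriptor */
    0x00, 0x00, 0x00, 0x00        /* CRC_32 (not computed here) */
};

/* Well-formed section: two streams. */
int demo_wellformed(void)
{
    pmt_info info;
    return parse_pmt_checked(sample_pmt, sizeof sample_pmt, &info);
}

/* Only 20 of the 29 bytes buffered: section_length (26) no longer fits. */
int demo_truncated(void)
{
    pmt_info info;
    return parse_pmt_checked(sample_pmt, 20, &info);
}

/* ES_info_length of the second stream raised to 32 with 3 bytes left. */
int demo_es_overrun(void)
{
    uint8_t bad[sizeof sample_pmt];
    pmt_info info;
    memcpy(bad, sample_pmt, sizeof bad);
    bad[21] = 0x20;
    return parse_pmt_checked(bad, sizeof bad, &info);
}

int main(void)
{
    pmt_info info;
    int n = parse_pmt_checked(sample_pmt, sizeof sample_pmt, &info);
    printf("streams: %d, pcr_pid: 0x%x\n", n, info.pcr_pid);
    for (int i = 0; i < n && i < PMT_MAX_STREAMS; i++)
        printf("  type 0x%02x pid 0x%x\n", info.stream_type[i], info.es_pid[i]);
    printf("truncated -> %d, es overrun -> %d\n", demo_truncated(), demo_es_overrun());
    return 0;
}
```

Running the well-formed section under AddressSanitizer is a quick regression check for a parser of this shape: feed it the truncated and overrun variants as well and ASan should stay silent, because every read is gated on the remaining length rather than on the value a length field claims.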

claunia added the GSOC-2023 label 2026-01-29 16:51:23 +00:00

Reference: starred/ccextractor#695