[BUG]Heap buffer overflow when parsing TS format #698

Closed
opened 2026-01-29 16:51:30 +00:00 by claunia · 9 comments

Originally created by @Me19m4 on GitHub (Mar 23, 2022).

CCExtractor version:
Version: 0.94

- [x] I have read and understood the [contributors guide](https://github.com/CCExtractor/ccextractor/blob/master/.github/CONTRIBUTING.md).
- [x] I have checked that the bug-fix I am reporting can be replicated, or that the feature I am suggesting isn't already present.
- [x] I have checked that the issue I'm posting isn't already reported.
- [x] I have checked that the issue I'm posting isn't already solved and no duplicates exist in [closed issues](https://github.com/CCExtractor/ccextractor/issues?q=is%3Aissue+is%3Aclosed) and in [opened issues](https://github.com/CCExtractor/ccextractor/issues).
- [ ] I have checked the pull requests tab for existing solutions/implementations to my issue/suggestion.
- [x] I have used the latest available version of CCExtractor to verify this issue exists.
- [x] I have ticked all the boxes in this section and to prove it I'm deleting the section completely to remove boilerplate text.
- What were the used arguments? `./ccextractor example.ts`
- What platform did you use? Ubuntu 21.10

Additional information

```
==3373803==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x610000001028 at pc 0x000001759399 bp 0x7ffd08ca8370 sp 0x7ffd08ca8368
READ of size 1 at 0x610000001028 thread T0
    #0 0x1759398 in parse_PMT /home/moqi/ccextractor/src/lib_ccx/ts_tables.c:310:74
    #1 0x174bec1 in ts_readstream /home/moqi/ccextractor/src/lib_ccx/ts_functions.c:752:9
    #2 0x175002a in ts_get_more_data /home/moqi/ccextractor/src/lib_ccx/ts_functions.c:980:9
    #3 0x16801ae in general_loop /home/moqi/ccextractor/src/lib_ccx/general_loop.c:894:9
    #4 0x1107d55 in api_start /home/moqi/ccextractor/src/ccextractor.c:205:11
    #5 0x110bed3 in main /home/moqi/ccextractor/src/ccextractor.c:463:18
    #6 0x7f166a67bfcf in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #7 0x7f166a67c07c in __libc_start_main csu/../csu/libc-start.c:409:3
    #8 0x58c604 in _start (/home/moqi/ccextractor/src/build/ccextractor+0x58c604)

0x610000001028 is located 48 bytes to the right of 184-byte region [0x610000000f40,0x610000000ff8)
allocated by thread T0 here:
    #0 0x608dbd in malloc (/home/moqi/ccextractor/src/build/ccextractor+0x608dbd)
    #1 0x175b2c0 in ts_buffer_psi_packet /home/moqi/ccextractor/src/lib_ccx/ts_tables.c:503:46

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/moqi/ccextractor/src/lib_ccx/ts_tables.c:310:74 in parse_PMT
Shadow bytes around the buggy address:
  0x0c207fff81b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c207fff81c0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c207fff81d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
  0x0c207fff81e0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c207fff81f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
=>0x0c207fff8200: fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa fa fa
  0x0c207fff8210: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff8220: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff8230: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff8240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff8250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
```

example.ts link:

https://drive.google.com/file/d/11hV7Uf_lA3vlFr-EWZdOJ3Q9eQCKGIY_/view?usp=sharing

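The sanitizer report above shows a one-byte read in parse_PMT landing 48 bytes past the end of a 184-byte heap region handed out by ts_buffer_psi_packet. The parser below is an added example, not CCExtractor's code, and does not claim to show the actual defect at ts_tables.c:310; it shows the checks a PMT section parser needs so that a length field declared by the stream (section_length, program_info_length, ES_info_length) can never move the read position past the bytes that were actually buffered. good_pmt and bad_pmt are constructed samples with dummy CRC bytes.

```c
#include <stdint.h>
#include <stddef.h>
/* Bounds-checked PMT section parser (added example, hypothetical code).
 * Every length field read from the stream is validated against the bytes
 * actually present before it is used as an offset into the buffer. */
struct es_entry { uint8_t stream_type; uint16_t pid; };

/* Returns the number of elementary streams, or -1 if any declared length
 * would send the parser past the end of the buffered section. */
int parse_pmt(const uint8_t *buf, size_t len, struct es_entry *out, size_t max_out)
{
    if (len < 12 || buf[0] != 0x02) return -1;             /* fixed header + table_id */
    size_t section_len = ((buf[1] & 0x0F) << 8) | buf[2];  /* counts bytes after byte 2 */
    size_t end = 3 + section_len;                           /* section end incl. CRC_32 */
    if (section_len < 13 || end > len) return -1;          /* declared more than buffered */
    end -= 4;                                               /* CRC_32 is not payload */
    size_t pos = 10, n = 0;
    size_t info_len = ((buf[pos] & 0x0F) << 8) | buf[pos + 1];
    pos += 2;
    if (info_len > end - pos) return -1;                    /* program_info_length lies */
    pos += info_len;                                        /* skip program descriptors */
    while (pos < end) {
        if (end - pos < 5) return -1;                       /* truncated ES entry */
        uint8_t type = buf[pos];
        uint16_t pid = ((buf[pos + 1] & 0x1F) << 8) | buf[pos + 2];
        size_t es_info_len = ((buf[pos + 3] & 0x0F) << 8) | buf[pos + 4];
        pos += 5;
        if (es_info_len > end - pos) return -1;             /* ES_info_length lies */
        pos += es_info_len;                                 /* skip ES descriptors */
        if (n < max_out) { out[n].stream_type = type; out[n].pid = pid; }
        n++;
    }
    return (int)n;
}

/* Constructed sample sections; the four trailing CRC bytes are dummies the parser ignores. */
static const uint8_t good_pmt[] = {
    0x02, 0xB0, 0x17, 0x00, 0x01, 0xC1, 0x00, 0x00, 0xE1, 0x00, 0xF0, 0x00,
    0x1B, 0xE1, 0x00, 0xF0, 0x00,   /* H.264 video on PID 0x100, no descriptors */
    0x0F, 0xE1, 0x01, 0xF0, 0x00,   /* AAC audio on PID 0x101, no descriptors */
    0xDE, 0xAD, 0xBE, 0xEF };
/* Same section, but the last ES_info_length claims 48 descriptor bytes that are not there. */
static const uint8_t bad_pmt[] = {
    0x02, 0xB0, 0x17, 0x00, 0x01, 0xC1, 0x00, 0x00, 0xE1, 0x00, 0xF0, 0x00,
    0x1B, 0xE1, 0x00, 0xF0, 0x00,
    0x0F, 0xE1, 0x01, 0xF0, 0x30,
    0xDE, 0xAD, 0xBE, 0xEF };
int demo_good(void) { struct es_entry es[4]; return parse_pmt(good_pmt, sizeof good_pmt, es, 4); }
int demo_bad(void)  { struct es_entry es[4]; return parse_pmt(bad_pmt, sizeof bad_pmt, es, 4); }
```

An unchecked loop fed bad_pmt would follow the declared 48 descriptor bytes straight past the end of the section buffer; here the same input is rejected before any out-of-bounds read happens.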
claunia added the GSOC-2023 label 2026-01-29 16:51:30 +00:00

@Unknownsentinel193 commented on GitHub (Mar 31, 2023):

Hi, can I work on this problem? I am a security enthusiast with some knowledge of buffer overflows. According to the given AddressSanitizer tool log, the error occurred in function "parse_PMT", which is located in file ts_tables.c. The same file's function "ts_buffer_psi_packet" used the "malloc" function to allocate a region of 184 bytes, and the error occurred 48 bytes beyond the end of this allocated region. I'd appreciate some additional guidance on this as this is my first time working with C/C++. I am comfortable with Python.

@cfsmp3 commented on GitHub (Mar 31, 2023):

Go for it, but after a preliminary look it looked like we'd need to rewrite the whole function.

If this is your first contact with C you might want to tackle an easier bug.

@Unknownsentinel193 commented on GitHub (Mar 31, 2023):

Thank you for your response. It is my first time with C, and after having a look at the (big) function, it is very tough to solve, but I shall try.

@cfsmp3 commented on GitHub (Mar 31, 2023):

> Thank you for your response. It is my first time with C, and after having a look at the (big) function, it is very tough to solve, but I shall try.

Godspeed!

@NDFA-with-epsilon commented on GitHub (Apr 11, 2023):

Hi, can I work on this issue? I have a good amount of experience with C and Valgrind. I think I can apply that knowledge here and work on a fix.

@cfsmp3 commented on GitHub (Apr 12, 2023):

> Hi, can I work on this issue? I have a good amount of experience with C and Valgrind. I think I can apply that knowledge here and work on a fix.

Sure 👍

@IshanGrover2004 commented on GitHub (Jan 23, 2024):

> example.ts link:
> https://drive.google.com/file/d/11hV7Uf_lA3vlFr-EWZdOJ3Q9eQCKGIY_/view?usp=sharing

Hey @Me19m4, can you provide a working link to the video?

@Me19m4 commented on GitHub (Jan 23, 2024):

> > example.ts link:
> > https://drive.google.com/file/d/11hV7Uf_lA3vlFr-EWZdOJ3Q9eQCKGIY_/view?usp=sharing
>
> Hey @Me19m4, can you provide a working link to the video?

Sorry, the test environment has been destroyed; it's been too long.

@Z-xus commented on GitHub (Dec 1, 2024):

> Sorry, the test environment has been destroyed; it's been too long.

I think this issue should be closed if it is not possible to replicate.

Reference: starred/ccextractor#698