starred/ccextractor
1
0
Fork 0
mirror of https://github.com/CCExtractor/ccextractor.git synced 2026-02-16 21:23:35 +00:00
Code Issues 1.5k Packages Projects Releases 20 Wiki Activity

[BUG]Heap buffer overflow when parsing TS format #698

New Issue
Closed
opened 2026-01-29 16:51:30 +00:00 by claunia · 9 comments
claunia commented 2026-01-29 16:51:30 +00:00
Owner
Copy Link

Originally created by @Me19m4 on GitHub (Mar 23, 2022).

CCExtractor version:
Version: 0.94

  • I have read and understood the contributors guide.

  • I have checked that the bug-fix I am reporting can be replicated, or that the feature I am suggesting isn't already present.

  • I have checked that the issue I'm posting isn't already reported.

  • I have checked that the issue I'm porting isn't already solved and no duplicates exist in closed issues and in opened issues

  • I have checked the pull requests tab for existing solutions/implementations to my issue/suggestion.

  • I have used the latest available version of CCExtractor to verify this issue exists.

  • I have ticked all the boxes in this section and to prove it I'm deleting the section completely to remove boilerplate text.

  • What were the used arguments? `{replace with the arguments}

./ccextractor example.ts

  • What platform did you use? {Window/Linux/Mac}

    Ubuntu21.10

Additional information

==3373803==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x610000001028 at pc 0x000001759399 bp 0x7ffd08ca8370 sp 0x7ffd08ca8368
READ of size 1 at 0x610000001028 thread T0
    #0 0x1759398 in parse_PMT /home/moqi/ccextractor/src/lib_ccx/ts_tables.c:310:74
    #1 0x174bec1 in ts_readstream /home/moqi/ccextractor/src/lib_ccx/ts_functions.c:752:9
    #2 0x175002a in ts_get_more_data /home/moqi/ccextractor/src/lib_ccx/ts_functions.c:980:9
    #3 0x16801ae in general_loop /home/moqi/ccextractor/src/lib_ccx/general_loop.c:894:9
    #4 0x1107d55 in api_start /home/moqi/ccextractor/src/ccextractor.c:205:11
    #5 0x110bed3 in main /home/moqi/ccextractor/src/ccextractor.c:463:18
    #6 0x7f166a67bfcf in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #7 0x7f166a67c07c in __libc_start_main csu/../csu/libc-start.c:409:3
    #8 0x58c604 in _start (/home/moqi/ccextractor/src/build/ccextractor+0x58c604)

0x610000001028 is located 48 bytes to the right of 184-byte region [0x610000000f40,0x610000000ff8)
allocated by thread T0 here:
    #0 0x608dbd in malloc (/home/moqi/ccextractor/src/build/ccextractor+0x608dbd)
    #1 0x175b2c0 in ts_buffer_psi_packet /home/moqi/ccextractor/src/lib_ccx/ts_tables.c:503:46

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/moqi/ccextractor/src/lib_ccx/ts_tables.c:310:74 in parse_PMT
Shadow bytes around the buggy address:
  0x0c207fff81b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c207fff81c0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c207fff81d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
  0x0c207fff81e0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c207fff81f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
=>0x0c207fff8200: fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa fa fa
  0x0c207fff8210: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff8220: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff8230: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff8240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff8250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb

example.ts link :

https://drive.google.com/file/d/11hV7Uf_lA3vlFr-EWZdOJ3Q9eQCKGIY_/view?usp=sharing

Originally created by @Me19m4 on GitHub (Mar 23, 2022). CCExtractor version: Version: 0.94 - [x] I have read and understood the [contributors guide](https://github.com/CCExtractor/ccextractor/blob/master/.github/CONTRIBUTING.md). - [x] I have checked that the bug-fix I am reporting can be replicated, or that the feature I am suggesting isn't already present. - [x] I have checked that the issue I'm posting isn't already reported. - [x] I have checked that the issue I'm porting isn't already solved and no duplicates exist in [closed issues](https://github.com/CCExtractor/ccextractor/issues?q=is%3Aissue+is%3Aclosed) and in [opened issues](https://github.com/CCExtractor/ccextractor/issues) - [ ] I have checked the pull requests tab for existing solutions/implementations to my issue/suggestion. - [x] I have used the latest available version of CCExtractor to verify this issue exists. - [x] I have ticked all the boxes in this section and to prove it I'm deleting the section completely to remove boilerplate text. - What were the used arguments? `{replace with the arguments} `./ccextractor example.ts` - What platform did you use? {Window/Linux/Mac} `Ubuntu21.10` # Additional information ``` ==3373803==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x610000001028 at pc 0x000001759399 bp 0x7ffd08ca8370 sp 0x7ffd08ca8368 READ of size 1 at 0x610000001028 thread T0 #0 0x1759398 in parse_PMT /home/moqi/ccextractor/src/lib_ccx/ts_tables.c:310:74 #1 0x174bec1 in ts_readstream /home/moqi/ccextractor/src/lib_ccx/ts_functions.c:752:9 #2 0x175002a in ts_get_more_data /home/moqi/ccextractor/src/lib_ccx/ts_functions.c:980:9 #3 0x16801ae in general_loop /home/moqi/ccextractor/src/lib_ccx/general_loop.c:894:9 #4 0x1107d55 in api_start /home/moqi/ccextractor/src/ccextractor.c:205:11 #5 0x110bed3 in main /home/moqi/ccextractor/src/ccextractor.c:463:18 #6 0x7f166a67bfcf in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16 #7 0x7f166a67c07c in __libc_start_main csu/../csu/libc-start.c:409:3 #8 0x58c604 in _start (/home/moqi/ccextractor/src/build/ccextractor+0x58c604) 0x610000001028 is located 48 bytes to the right of 184-byte region [0x610000000f40,0x610000000ff8) allocated by thread T0 here: #0 0x608dbd in malloc (/home/moqi/ccextractor/src/build/ccextractor+0x608dbd) #1 0x175b2c0 in ts_buffer_psi_packet /home/moqi/ccextractor/src/lib_ccx/ts_tables.c:503:46 SUMMARY: AddressSanitizer: heap-buffer-overflow /home/moqi/ccextractor/src/lib_ccx/ts_tables.c:310:74 in parse_PMT Shadow bytes around the buggy address: 0x0c207fff81b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa 0x0c207fff81c0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 0x0c207fff81d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa 0x0c207fff81e0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 0x0c207fff81f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa =>0x0c207fff8200: fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa fa fa 0x0c207fff8210: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c207fff8220: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c207fff8230: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c207fff8240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c207fff8250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ``` example.ts link : https://drive.google.com/file/d/11hV7Uf_lA3vlFr-EWZdOJ3Q9eQCKGIY_/view?usp=sharing
claunia added the GSOC-2023 label 2026-01-29 16:51:30 +00:00
claunia commented 2026-01-29 16:51:31 +00:00
Author
Owner
Copy Link

@Unknownsentinel193 commented on GitHub (Mar 31, 2023):

Hi, Can I work on this problem?, I am a security enthusiast with some knowledge of buffer overflows. According to the given AddressSanitizer tool log, the error occurred in function "parse_PMT", which is located in file ts tables.c. The same file's function "ts_buffer_psi_packet" used the "malloc" function to allocate a region of 184 bytes, and the error occurred 48 bytes beyond the end of this allocated region. I'd appreciate some additional guidance on this as this is my first time working with C/C++.I am comfortable with Python.

@Unknownsentinel193 commented on GitHub (Mar 31, 2023): Hi, Can I work on this problem?, I am a security enthusiast with some knowledge of buffer overflows. According to the given AddressSanitizer tool log, the error occurred in function "parse_PMT", which is located in file ts tables.c. The same file's function "ts_buffer_psi_packet" used the "malloc" function to allocate a region of 184 bytes, and the error occurred 48 bytes beyond the end of this allocated region. I'd appreciate some additional guidance on this as this is my first time working with C/C++.I am comfortable with Python.
claunia commented 2026-01-29 16:51:31 +00:00
Author
Owner
Copy Link

@cfsmp3 commented on GitHub (Mar 31, 2023):

Go for it, but after a preliminary look it looked like we'd need to rewrite the whole function.

If this is your first contact with C you might want to tackle an easier bug.

@cfsmp3 commented on GitHub (Mar 31, 2023): Go for it, but after a preliminary look it looked like we'd need to rewrite the whole function. If this is your first contact with C you might want to tackle an easier bug.
claunia commented 2026-01-29 16:51:31 +00:00
Author
Owner
Copy Link

@Unknownsentinel193 commented on GitHub (Mar 31, 2023):

Thank You for your response, it is my first time with C and after having a look at the function(big) It is very tough to solve, but I shall try

@Unknownsentinel193 commented on GitHub (Mar 31, 2023): Thank You for your response, it is my first time with C and after having a look at the function(big) It is very tough to solve, but I shall try
claunia commented 2026-01-29 16:51:32 +00:00
Author
Owner
Copy Link

@cfsmp3 commented on GitHub (Mar 31, 2023):

Thank You for your response, it is my first time with C and after having a look at the function(big) It is very tough to solve, but I shall try

Godspeed!

@cfsmp3 commented on GitHub (Mar 31, 2023): > Thank You for your response, it is my first time with C and after having a look at the function(big) It is very tough to solve, but I shall try Godspeed!
claunia commented 2026-01-29 16:51:32 +00:00
Author
Owner
Copy Link

@NDFA-with-epsilon commented on GitHub (Apr 11, 2023):

Hi, Can I work on this issue ? I have a good amount of experience with C and Valgrind. I think I can apply that knowledge here and work on a fix.

@NDFA-with-epsilon commented on GitHub (Apr 11, 2023): Hi, Can I work on this issue ? I have a good amount of experience with C and Valgrind. I think I can apply that knowledge here and work on a fix.
claunia commented 2026-01-29 16:51:32 +00:00
Author
Owner
Copy Link

@cfsmp3 commented on GitHub (Apr 12, 2023):

Hi, Can I work on this issue ? I have a good amount of experience with C and Valgrind. I think I can apply that knowledge here and work on a fix.

Sure 👍

@cfsmp3 commented on GitHub (Apr 12, 2023): > Hi, Can I work on this issue ? I have a good amount of experience with C and Valgrind. I think I can apply that knowledge here and work on a fix. Sure 👍
claunia commented 2026-01-29 16:51:33 +00:00
Author
Owner
Copy Link

@IshanGrover2004 commented on GitHub (Jan 23, 2024):

example.ts link :
https://drive.google.com/file/d/11hV7Uf_lA3vlFr-EWZdOJ3Q9eQCKGIY_/view?usp=sharing

Hey @Me19m4 can you provide the working link of video

@IshanGrover2004 commented on GitHub (Jan 23, 2024): > example.ts link : > https://drive.google.com/file/d/11hV7Uf_lA3vlFr-EWZdOJ3Q9eQCKGIY_/view?usp=sharing Hey @Me19m4 can you provide the working link of video
claunia commented 2026-01-29 16:51:33 +00:00
Author
Owner
Copy Link

@Me19m4 commented on GitHub (Jan 23, 2024):

example.ts link :
https://drive.google.com/file/d/11hV7Uf_lA3vlFr-EWZdOJ3Q9eQCKGIY_/view?usp=sharing

Hey @Me19m4 can you provide the working link of video

Sorry, test environment has been destroyed,It's been too long.

@Me19m4 commented on GitHub (Jan 23, 2024): > > example.ts link : > > https://drive.google.com/file/d/11hV7Uf_lA3vlFr-EWZdOJ3Q9eQCKGIY_/view?usp=sharing > > Hey @Me19m4 can you provide the working link of video Sorry, test environment has been destroyed,It's been too long.
claunia commented 2026-01-29 16:51:34 +00:00
Author
Owner
Copy Link

@Z-xus commented on GitHub (Dec 1, 2024):

Sorry, test environment has been destroyed,It's been too long.

I think this issue should be closed if not possible to replicate

@Z-xus commented on GitHub (Dec 1, 2024): > Sorry, test environment has been destroyed,It's been too long. I think this issue should be closed if not possible to replicate
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
bug
CEA-708
difficulty: easy
difficulty: hard
difficulty: medium
DTMB
DVB
enhancement
enhancement
Flutter GUI
GCI19
good-first-task
GSoC 2021
GSOC-2023
GSOC-2023
GSOC-2023
GSoC-related
Hacktoberfest
HardsubX
help wanted
invalid
JokerTV
Mac / OSX
more-info-needed
needs-commercial-sponsor
needs-commercial-sponsor
needs-commercial-sponsor
needs-confirmation-of-being-broken
OCR
pull-request
Mirrored from GitHub Pull Request
 Python
regression
Rust
teletext
No Label GSOC-2023
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
claunia
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/ccextractor#698
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?