Heap buffer overflow when handling Teletext data in copy_capbuf_demux_data #869

Closed
opened 2026-01-29 16:55:46 +00:00 by claunia · 0 comments
Owner

Originally created by @THE-Amrit-mahto-05 on GitHub (Dec 29, 2025).

Summary

There is a heap buffer overflow vulnerability in the Teletext demux path
in src/lib_ccx/ts_functions.c, function copy_capbuf_demux_data.

Details

When processing Teletext data (CCX_CODEC_TELETEXT), the code copies
cinfo->capbuf into ptr->buffer without verifying that there is enough
space remaining in the destination buffer (BUFSIZE):

memcpy(ptr->buffer + ptr->len, cinfo->capbuf, cinfo->capbuflen);

If capbuflen exceeds the remaining buffer space, this results in a write
past the end of the heap buffer.

The generic PES/DVB path in the same function performs a bounds check,
but the Teletext path was missing this validation.

Impact

  • Heap buffer overflow
  • Memory corruption
  • Crash on malformed or oversized Teletext input

Proposed Fix

Add a bounds check before copying Teletext data, similar to the generic path:

if (cinfo->capbuflen > BUFSIZE - ptr->len) {
   fatal(...);
}

I have prepared a PR that adds this check.

Environment

Affected file: src/lib_ccx/ts_functions.c
Function: copy_capbuf_demux_data
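
The remaining-space check described in this issue, as an added example that is not part of the original report and is not CCExtractor code. The struct names, field types (size_t), DEMO_BUFSIZE and the return-code error handling (instead of fatal) are assumptions made so the check can be exercised at its boundaries.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Assumed small size for the demo; the real BUFSIZE value is not shown in the issue. */
#define DEMO_BUFSIZE 64

/* Hypothetical stand-ins for ptr and cinfo; field types are assumptions. */
struct demo_dest { unsigned char *buffer; size_t len; };
struct demo_src { const unsigned char *capbuf; size_t capbuflen; };

/* Returns 0 on success, -1 if the copy would not fit (nothing is written). */
int demo_append_checked(struct demo_dest *d, const struct demo_src *s)
{
    /* Enforce len <= BUFSIZE first so the subtraction below cannot wrap. */
    if (d->len > DEMO_BUFSIZE)
        return -1;
    /* Compare against remaining space, as in the proposed check. The form
       len + capbuflen > BUFSIZE can wrap around for very large lengths. */
    if (s->capbuflen > DEMO_BUFSIZE - d->len)
        return -1;
    memcpy(d->buffer + d->len, s->capbuf, s->capbuflen);
    d->len += s->capbuflen;
    return 0;
}

/* Runs constructed inputs through the check; bit i is set if case i behaved as expected. */
int demo_run(void)
{
    unsigned char payload[DEMO_BUFSIZE] = {0}; /* constructed sample data */
    struct demo_dest d = { malloc(DEMO_BUFSIZE), 0 };
    struct demo_src s = { payload, 40 };
    int r = 0;
    if (!d.buffer)
        return -1;
    r |= (demo_append_checked(&d, &s) == 0) << 0;  /* 40 of 64 bytes: fits */
    r |= (demo_append_checked(&d, &s) == -1) << 1; /* 40 more: rejected, 24 left */
    s.capbuflen = 24;
    r |= (demo_append_checked(&d, &s) == 0) << 2;  /* exact fit: accepted */
    s.capbuflen = 1;
    r |= (demo_append_checked(&d, &s) == -1) << 3; /* buffer full: rejected */
    s.capbuflen = (size_t)-1;
    r |= (demo_append_checked(&d, &s) == -1) << 4; /* len + capbuflen would wrap to 63 */
    r |= (d.len == DEMO_BUFSIZE) << 5;             /* rejected copies left len unchanged */
    free(d.buffer);
    return r;
}

int main(void) { return demo_run() == 0x3f ? 0 : 1; }
```
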

Reference: starred/ccextractor#869