Integer overflow in EIA-608 screen buffer allocation may lead to heap buffer overflow #873

Closed
opened 2026-01-29 16:55:52 +00:00 by claunia · 0 comments
Owner

Originally created by @THE-Amrit-mahto-05 on GitHub (Jan 1, 2026).

Description

Component: EIA-608 decoder
File: src/lib_ccx/ccx_decoders_608.c
Function: write_cc_buffer, write_cc_line

The Problem

The EIA-608 decoder dynamically grows its screen buffer using realloc based on the number of subtitle screens processed:

```c
(sub->nb_data + 1) * sizeof(struct eia608_screen)
```

However, there is no check for integer overflow. If a malformed or crafted input triggers a very high number of screen updates, this calculation can wrap around, resulting in a very small buffer allocation. Subsequent writes then cause a heap buffer overflow, potentially crashing the program or corrupting memory.

The Proposed Fix

  • Added an overflow guard:

```c
if (sub->nb_data + 1 > SIZE_MAX / sizeof(struct eia608_screen))
```

  • Calculated the allocation size explicitly using a size_t new_size.
  • Ensured safe handling of realloc failure (log and return without corrupting memory).

This prevents the heap overflow caused by integer overflow while keeping behavior unchanged for normal input.

Impact

Processing malformed EIA-608 subtitle data will no longer result in:

  • Heap memory corruption
  • Program crashes
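The growth step with the proposed guard, as an added example that is not code from the ccextractor project or the reporter: the eia608_screen layout, the cc_subtitle stand-in, and the function names grow_screen_buffer and unchecked_alloc_size are assumptions for this illustration. It keeps the unguarded computation alongside so the wrap-around can be observed, and applies the guard before any size arithmetic.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed stand-in for the decoder's screen struct; the real layout is not on the page. */
struct eia608_screen {
    unsigned char characters[15][33];
    unsigned char colors[15][33];
};

/* Assumed stand-in for the subtitle container fields the issue mentions. */
struct cc_subtitle {
    struct eia608_screen *data;
    size_t nb_data; /* number of screens currently stored */
};

/* The unguarded computation the issue describes, kept so the wrap can be observed. */
size_t unchecked_alloc_size(size_t nb_data)
{
    return (nb_data + 1) * sizeof(struct eia608_screen);
}

/* Grow sub->data by one screen using the proposed guard.
 * Returns 1 on success, 0 if the size would wrap or realloc fails;
 * on failure sub->data and sub->nb_data are left untouched. */
int grow_screen_buffer(struct cc_subtitle *sub)
{
    /* Same bound as the issue's check, written with >= so that nb_data + 1
     * cannot itself wrap when nb_data == SIZE_MAX. */
    if (sub->nb_data >= SIZE_MAX / sizeof(struct eia608_screen)) {
        fprintf(stderr, "EIA-608: screen count too large, refusing to grow buffer\n");
        return 0;
    }
    size_t new_size = (sub->nb_data + 1) * sizeof(struct eia608_screen);
    /* Assign through a temporary so a failed realloc neither leaks nor dangles. */
    struct eia608_screen *tmp = realloc(sub->data, new_size);
    if (tmp == NULL) {
        fprintf(stderr, "EIA-608: out of memory growing screen buffer\n");
        return 0;
    }
    sub->data = tmp;
    memset(&sub->data[sub->nb_data], 0, sizeof(struct eia608_screen));
    sub->nb_data++;
    return 1;
}
```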
Reference: starred/ccextractor#873