Stack Buffer Overflow in ISDB-CC decoder parse_csi (ccx_decoders_isdb.c) #874

Open
opened 2026-01-29 16:55:53 +00:00 by claunia · 0 comments

Originally created by @THE-Amrit-mahto-05 on GitHub (Jan 1, 2026).

Description

A stack buffer overflow exists in the ISDB-CC decoder.

Component: ISDB-CC decoder
File: src/lib_ccx/ccx_decoders_isdb.c
Function: parse_csi

Problem

The function parse_csi uses a small stack buffer uint8_t arg[10] to store CSI command arguments.
The original code had a dangerous off-by-one error:

```c
if (i >= (sizeof(arg)) + 1)
```

This allows writing 11 bytes into a 10-byte buffer, causing a stack buffer overflow.
An attacker or malformed subtitle could crash the program or corrupt memory.

Proposed Fix

  • Corrected the loop boundary:
```c
if (i >= sizeof(arg) - 1)
```
  • Added a final bounds check:
```c
if (i < sizeof(arg))
    arg[i] = *buf++;
```
  • Improved logging for malformed CSI commands.

Impact

  • Prevents stack memory corruption
  • Prevents program crashes
  • Keeps normal functionality intact
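As an added example (not code from the issue or from ccextractor), a bounded argument-collection loop of the kind the fix describes: the `i < sizeof(arg)` check runs before every write, so an over-long CSI run is reported instead of being written past `arg[]`. The helper name `collect_csi_args`, the constructed sample byte sequences and the assumption that arguments end at the 0x20 intermediate byte are mine, not the project's.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CSI_ARG_MAX 10  /* same size as the arg[10] buffer in the report */

enum csi_status { CSI_TOO_LONG = -1, CSI_NO_TERMINATOR = -2 };

/* Copy CSI parameter bytes from buf into arg[] until the 0x20 intermediate
 * byte that precedes the final command byte (assumed ARIB STD-B24 layout).
 * The bounds check runs before every write and uses i < CSI_ARG_MAX, so the
 * loop can never touch arg[CSI_ARG_MAX]; an over-long run is reported rather
 * than silently truncated. Returns the number of bytes copied or a negative
 * csi_status. Hypothetical helper, not ccextractor's parse_csi. */
int collect_csi_args(const uint8_t *buf, size_t len, uint8_t arg[CSI_ARG_MAX])
{
    size_t i;
    memset(arg, 0, CSI_ARG_MAX);
    for (i = 0; i < len; i++) {
        if (buf[i] == 0x20)          /* end of the argument bytes */
            return (int)i;
        if (i >= CSI_ARG_MAX) {      /* would write arg[10]: reject instead */
            fprintf(stderr, "malformed CSI: more than %d argument bytes\n",
                    CSI_ARG_MAX);
            return CSI_TOO_LONG;
        }
        arg[i] = buf[i];
    }
    return CSI_NO_TERMINATOR;        /* input ended before the 0x20 byte */
}

/* Constructed sample inputs (not captured from a real stream). */
const uint8_t csi_short[]    = { '1', ';', '2', 0x20, 'S' };
const uint8_t csi_full[]     = { '0','1','2','3','4','5','6','7','8','9', 0x20, 'S' };
const uint8_t csi_overlong[] = { '0','1','2','3','4','5','6','7','8','9','A', 0x20, 'S' };
const uint8_t csi_cut[]      = { '1', '2' };
uint8_t csi_scratch[CSI_ARG_MAX];

int main(void)
{
    int n = collect_csi_args(csi_short, sizeof csi_short, csi_scratch);
    printf("short: %d bytes, first arg '%c'\n", n, csi_scratch[0]);
    printf("full: %d\n", collect_csi_args(csi_full, sizeof csi_full, csi_scratch));
    printf("overlong: %d\n", collect_csi_args(csi_overlong, sizeof csi_overlong, csi_scratch));
    printf("cut: %d\n", collect_csi_args(csi_cut, sizeof csi_cut, csi_scratch));
    return 0;
}
```

The overlong input is exactly the 11-argument-byte case the report describes; with the check placed before the write it is rejected, whereas the original `sizeof(arg) + 1` condition would have let the eleventh byte land at `arg[10]`.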
Reference: starred/ccextractor#874