Integer overflow in Transport Stream buffer allocation may lead to heap buffer overflow (ts_functions.c) #878

Closed
opened 2026-01-29 16:55:57 +00:00 by claunia · 0 comments

Originally created by @THE-Amrit-mahto-05 on GitHub (Jan 1, 2026).

Description:

Component: Transport Stream (TS) handling
File: src/lib_ccx/ts_functions.c
Function: copy_payload_to_capbuf

Problem

The function copy_payload_to_capbuf grows a capture buffer using:

```c
newcapbuflen = cinfo->capbuflen + payload->length;
```

However, there was no check for integer overflow before this addition.
If a very large payload->length is combined with capbuflen, the sum can wrap around, resulting in a very small allocation passed to realloc.
This can cause a heap buffer overflow when data is copied into the buffer, potentially crashing the program or corrupting memory.

Proposed Fix

  • Changed newcapbuflen to int64_t to handle large sums safely.

  • Added an explicit overflow guard:

```c
if (payload->length > INT64_MAX - cinfo->capbuflen)
{
    mprint("Error: capbuf size overflow\n");
    return -1;
}
```
  • Used size_t cast safely in the realloc call.

  • Ensured program logs an error and returns safely if allocation fails.

Impact

  • Prevents heap memory corruption
  • Prevents crashes caused by malformed TS data
  • Maintains normal functionality for valid input
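The guard described in the issue, worked through as a complete append routine. This is an added example, not CCExtractor's code: `struct capbuf_state`, `checked_new_capbuflen`, `copy_payload_checked` and `demo_append_sequence` are hypothetical stand-ins for the `cinfo`/`capbuf` state and `copy_payload_to_capbuf` named in the report. It checks the sum before it is formed (so no overflow ever occurs), rejects negative lengths, confirms the result fits a `size_t` before the `realloc` cast, and fails closed on allocation failure.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the capture buffer fields referenced in the issue. */
struct capbuf_state {
    unsigned char *capbuf;
    int64_t capbuflen;  /* bytes currently in use */
    int64_t capbufsize; /* bytes currently allocated */
};

/* Return capbuflen + payload_length, or -1 if either operand is negative,
 * the sum would overflow int64_t, or the sum cannot be passed to realloc
 * as a size_t. The overflow test is done by subtraction so the addition
 * itself is never evaluated on inputs that would wrap. */
int64_t checked_new_capbuflen(int64_t capbuflen, int64_t payload_length)
{
    if (capbuflen < 0 || payload_length < 0)
        return -1;
    if (payload_length > INT64_MAX - capbuflen)
        return -1;
    int64_t newlen = capbuflen + payload_length;
    if ((uint64_t)newlen > (uint64_t)SIZE_MAX)
        return -1;
    return newlen;
}

/* Append `length` bytes of `payload` to the buffer, growing it when needed.
 * Returns 0 on success, -1 on length overflow or allocation failure; on
 * failure the existing buffer and its contents are left untouched. */
int copy_payload_checked(struct capbuf_state *st,
                         const unsigned char *payload, int64_t length)
{
    int64_t newlen = checked_new_capbuflen(st->capbuflen, length);
    if (newlen < 0) {
        fprintf(stderr, "Error: capbuf size overflow\n");
        return -1;
    }
    if (newlen > st->capbufsize) {
        unsigned char *p = realloc(st->capbuf, (size_t)newlen);
        if (p == NULL) {
            fprintf(stderr, "Error: could not grow capbuf to %lld bytes\n",
                    (long long)newlen);
            return -1;
        }
        st->capbuf = p;
        st->capbufsize = newlen;
    }
    memcpy(st->capbuf + st->capbuflen, payload, (size_t)length);
    st->capbuflen = newlen;
    return 0;
}

/* Constructed scenario: two valid appends, then a payload whose declared
 * length would wrap the sum. Returns 1 if every step behaved as expected. */
int demo_append_sequence(void)
{
    struct capbuf_state st = { NULL, 0, 0 };
    const unsigned char first[] = "abc";
    const unsigned char second[] = "def";
    int ok = 1;

    ok = ok && copy_payload_checked(&st, first, 3) == 0 && st.capbuflen == 3;
    ok = ok && copy_payload_checked(&st, second, 3) == 0 && st.capbuflen == 6;
    ok = ok && memcmp(st.capbuf, "abcdef", 6) == 0;
    /* Oversized declared length: must be rejected before any copy occurs. */
    ok = ok && copy_payload_checked(&st, first, INT64_MAX) == -1;
    ok = ok && st.capbuflen == 6 && st.capbufsize == 6;

    free(st.capbuf);
    return ok;
}

int main(void)
{
    printf("append sequence %s\n", demo_append_sequence() ? "ok" : "FAILED");
    return 0;
}
```

The key design point is that the guard compares against `INT64_MAX - capbuflen` rather than checking the result after the addition: signed overflow is undefined behaviour in C, so a post-hoc `if (newlen < 0)` test may be optimised away. The separate `SIZE_MAX` check matters on 32-bit builds, where a valid `int64_t` sum can still exceed what `realloc` accepts.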
Reference: starred/ccextractor#878