Critical DTVCC (CEA-708) Structural Type Confusion / OOB Write #881

Closed
opened 2026-01-29 16:56:03 +00:00 by claunia · 1 comment
Owner

Originally created by @THE-Amrit-mahto-05 on GitHub (Jan 2, 2026).

Description

While parsing DTVCC (CEA-708) streams, the decoder can encounter a structural type confusion due to mismatched constants for rows/columns. This leads to:

  • Out-of-bounds writes to window->rows and window->pen_attribs
  • Heap buffer over-reads
  • Potential information leak or remote code execution primitive on malformed streams

Affected Code

src/lib_ccx/ccx_decoders_708.c

Functions:

dtvcc_window_copy_to_screen()

dtvcc_process_character()

dtvcc_handle_DFx_DefineWindow()

dtvcc_handle_SPL_SetPenLocation()

Steps to Reproduce

Create a DTVCC stream with a window definition exceeding 15 rows or 64 columns (or maliciously set pen positions).

Pass it to CCExtractor.
Observe OOB access / crashes in memory tools (like AddressSanitizer).

Impact

  • Deterministic crash on malformed streams
  • Heap/stack corruption
  • Potential information leaks

Suggested Fix

  • Clamp window sizes to CCX_DTVCC_MAX_ROWS and CCX_DTVCC_MAX_COLUMNS
  • Validate pen positions before writing
  • Log invalid dimensions instead of writing
Originally created by @THE-Amrit-mahto-05 on GitHub (Jan 2, 2026). ### Description While parsing DTVCC (CEA-708) streams, the decoder can encounter a structural type confusion due to mismatched constants for rows/columns. This leads to: - Out-of-bounds writes to window->rows and window->pen_attribs - Heap buffer over-reads - Potential information leak or remote code execution primitive on malformed streams ### Affected Code src/lib_ccx/ccx_decoders_708.c ## Functions: ```c dtvcc_window_copy_to_screen() dtvcc_process_character() dtvcc_handle_DFx_DefineWindow() dtvcc_handle_SPL_SetPenLocation() ``` ### Steps to Reproduce Create a DTVCC stream with a window definition exceeding 15 rows or 64 columns (or maliciously set pen positions). Pass it to CCExtractor. Observe OOB access / crashes in memory tools (like AddressSanitizer). ### Impact - Deterministic crash on malformed streams - Heap/stack corruption - Potential information leaks ### Suggested Fix - Clamp window sizes to CCX_DTVCC_MAX_ROWS and CCX_DTVCC_MAX_COLUMNS - Validate pen positions before writing - Log invalid dimensions instead of writing
Author
Owner

@cfsmp3 commented on GitHub (Jan 2, 2026):

This is not critical unless you provide an example file that shows the problem (fine if you create it yourself, but it must hit the code path that shows the problem).

I'm going to close all these small issues with theoretical problems - they add a lot of overhead to my workload.

@cfsmp3 commented on GitHub (Jan 2, 2026): This is not critical unless you provide an example file that shows the problem (fine if you create it yourself, but it must hit the code path that shows the problem). I'm going to close all these small issues with theoretical problems - they add a lot of overhead to my workload.
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/ccextractor#881