Out-of-bounds read in H.264 SEI parsing on malformed input #882

Closed
opened 2026-01-29 16:56:04 +00:00 by claunia · 0 comments

Originally created by @THE-Amrit-mahto-05 on GitHub (Jan 2, 2026).

Description

While parsing H.264 SEI (Supplemental Enhancement Information) NAL units, CCExtractor can perform an out-of-bounds read when handling FF-extended payload_type and payload_size fields.

The issue occurs in sei_message() when the SEI message is truncated or malformed and contains a sequence of 0xFF bytes without a terminating byte.

Affected code

File: src/lib_ccx/avc_functions.c

Function:

```c
unsigned char *sei_message(struct avc_ctx *ctx,
                           unsigned char *seibuf,
                           unsigned char *seiend)
```

Problematic logic:

```c
while (*seibuf == 0xff) {
    payload_type += 255;
    seibuf++;
}
```

and similarly for payload_size.

Root cause

The parsing loops dereference *seibuf without verifying that seibuf < seiend.
If the SEI NAL unit is truncated or padded with 0xFF bytes, the parser reads past the end of the SEI buffer until a non-0xFF byte is encountered, leading to undefined behavior.

Impact

  • Out-of-bounds read
  • Deterministic crash (segmentation fault) on malformed input
  • Undefined behavior during H.264 caption extraction
  • This can be triggered by small, malformed SEI NAL units and affects AVC/H.264 inputs.

Steps to reproduce

Create a minimal H.264 stream containing an SEI NAL unit with FF-extension bytes and no terminating byte, for example:
00 00 00 01 06 FF FF FF FF

Run CCExtractor on the file.
Observe a crash or undefined behavior.

Suggested fix

Add bounds checks (seibuf < seiend) inside the FF-extension parsing loops and abort parsing if the SEI message is truncated.
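As an added illustration of the fix proposed above (example code, not CCExtractor's own; `read_ff_extended`, `parse_sei_header` and `struct sei_hdr` are hypothetical names), a bounds-checked reader for the two FF-extended fields, with the report's truncated bytes and a well-formed counterpart embedded as constructed samples:

```c
#include <stddef.h>
#include <stdint.h>

/* Header of one SEI message (payload_type / payload_size).
 * Hypothetical helper written for this issue, not CCExtractor code. */
struct sei_hdr {
    unsigned payload_type;
    unsigned payload_size;
    size_t consumed;        /* header bytes used before the payload */
};

/* Read one FF-extended value: each 0xFF byte adds 255, the first
 * non-0xFF byte terminates the field. Unlike the loop in the report,
 * the buffer end is checked before every dereference; returns -1 if
 * the data runs out before a terminating byte is seen. */
static int read_ff_extended(const uint8_t **p, const uint8_t *end, unsigned *out)
{
    unsigned value = 0;
    while (*p < end && **p == 0xff) {
        value += 255;
        (*p)++;
    }
    if (*p >= end)
        return -1;          /* truncated: no terminating byte */
    value += **p;
    (*p)++;
    *out = value;
    return 0;
}

/* Parse the first SEI message header in an RBSP (bytes after the NAL
 * header byte 0x06). Returns 0 on success, -1 if the message is truncated
 * or declares more payload than the buffer holds. */
int parse_sei_header(const uint8_t *buf, size_t len, struct sei_hdr *hdr)
{
    const uint8_t *p = buf, *end = buf + len;
    if (read_ff_extended(&p, end, &hdr->payload_type) < 0)
        return -1;
    if (read_ff_extended(&p, end, &hdr->payload_size) < 0)
        return -1;
    if ((size_t)(end - p) < hdr->payload_size)
        return -1;          /* declared payload exceeds remaining bytes */
    hdr->consumed = (size_t)(p - buf);
    return 0;
}

/* Constructed samples: the SEI bytes that follow 00 00 00 01 06 in the
 * report's stream, and a well-formed message (type 255, size 1). */
static const uint8_t sei_truncated[] = { 0xff, 0xff, 0xff, 0xff };
static const uint8_t sei_valid[]     = { 0xff, 0x00, 0x01, 0x5a };
```

On the truncated sample the parser returns -1 without touching memory beyond the four bytes; on the well-formed sample it yields payload_type 255 and payload_size 1 after consuming three header bytes.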

Reference: starred/ccextractor#882