Critical TS/ES Decoder Vulnerabilities: Integer Overflow, Stack Overflow, Heap Over-read #883

Closed
opened 2026-01-29 16:56:06 +00:00 by claunia · 1 comment

Originally created by @THE-Amrit-mahto-05 on GitHub (Jan 2, 2026).

I have discovered three critical and previously unreported vulnerabilities in CCExtractor's Transport Stream (TS) and Elementary Stream (ES) decoders:

  1. Integer Overflow in TS PSI buffer (ts_tables.c)

    • Cause: 32-bit wrap-around during PSI buffer reallocation (ts_buffer_psi_packet).
    • Impact: Heap corruption or memory mismanagement.
    • Trigger: Large TS PSI packets exceeding 1MB combined buffer size.
  2. Stack Overflow in SCTE 20 parsing (es_userdata.c)

    • Cause: Maximum caption count (31) can lead to 2-byte overflow in cc_data array.
    • Impact: Stack memory corruption.
    • Trigger: Malformed SCTE 20 user_data packet with max captions.
  3. Heap Buffer Over-read in GXF VBI parsing (es_userdata.c)

    • Cause: decode_vbi reads 720 bytes unconditionally regardless of udatalen.
    • Impact: Heap buffer over-read, potential information leak or crash.
    • Trigger: Malformed or truncated GXF VBI packet.

Affected functions/files:

  • ts_tables.c → ts_buffer_psi_packet
  • es_userdata.c → SCTE 20 handling / GXF VBI handling

Proposed Fixes (ready to implement in separate branch):

  • Bounds checking for PSI buffer reallocation to prevent integer overflow.
  • Extend cc_data array and add termination for SCTE 20 stack safety.
  • Verify udatalen >= 720 before calling decode_vbi to prevent over-read.

Impact if unpatched:

  • Heap corruption, stack overflow, and buffer over-read in core decoders.
  • Potential crashes or undefined behavior for malformed streams.
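The three fixes the issue proposes (an overflow-checked PSI buffer growth, a length guard before the 720-byte VBI read, and a bounded caption array) are straightforward to express as defensive checks. The following is an added example, not CCExtractor's code: the struct, function names, the 1 MiB ceiling and the 720-byte line size are assumptions taken from the report's own numbers, and nothing here reproduces the project's real `ts_buffer_psi_packet` or `decode_vbi`.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable PSI buffer, loosely modelled on the accumulation the
 * report describes. Names and layout are assumptions, not CCExtractor's. */
typedef struct {
    uint8_t *data;
    uint32_t len;  /* bytes in use, 32-bit like the counter in the report */
    uint32_t cap;  /* bytes allocated */
} psi_buf;

#define PSI_MAX_BYTES (1u << 20)  /* 1 MiB ceiling, taken from the report's trigger */
#define VBI_LINE_BYTES 720        /* bytes the VBI decoder reads, per the report */

/* Append n bytes, growing the buffer if needed.
 * Returns 0 on success, -1 if len + n would wrap a 32-bit counter, would
 * exceed PSI_MAX_BYTES, or if realloc fails. The wrap test runs before any
 * arithmetic result is trusted, which is the check the report asks for. */
int psi_buf_append(psi_buf *b, const uint8_t *src, uint32_t n)
{
    if (n > UINT32_MAX - b->len)   /* len + n would wrap around */
        return -1;
    uint32_t needed = b->len + n;
    if (needed > PSI_MAX_BYTES)    /* policy ceiling, independent of the wrap test */
        return -1;
    if (needed > b->cap) {
        uint32_t newcap = b->cap ? b->cap : 1024;
        while (newcap < needed)    /* doubling cannot wrap: needed <= 1 MiB */
            newcap *= 2;
        uint8_t *p = realloc(b->data, newcap);
        if (!p)
            return -1;
        b->data = p;
        b->cap = newcap;
    }
    memcpy(b->data + b->len, src, n);
    b->len = needed;
    return 0;
}

void psi_buf_free(psi_buf *b)
{
    free(b->data);
    b->data = NULL;
    b->len = b->cap = 0;
}

/* Guarded VBI read: copies one 720-byte line into out only when the payload
 * actually holds that many bytes. Returns 0 on success, -1 if udatalen < 720.
 * Stands in for the "udatalen >= 720" check proposed before decode_vbi. */
int vbi_copy_line(const uint8_t *udata, size_t udatalen, uint8_t out[VBI_LINE_BYTES])
{
    if (udata == NULL || udatalen < VBI_LINE_BYTES)
        return -1;
    memcpy(out, udata, VBI_LINE_BYTES);
    return 0;
}

/* Exercise both guards on constructed inputs; returns the number of checks
 * that behaved as intended (6 when everything is correct). */
int run_guard_checks(void)
{
    int ok = 0;
    uint8_t chunk[256];                 /* constructed PSI fragment */
    memset(chunk, 0xAB, sizeof chunk);

    psi_buf b = {0};
    ok += psi_buf_append(&b, chunk, sizeof chunk) == 0 && b.len == 256;
    ok += psi_buf_append(&b, chunk, sizeof chunk) == 0 && b.len == 512;

    /* Simulate a length counter that already sits near the 32-bit limit. */
    psi_buf wrapped = {0};
    wrapped.len = UINT32_MAX - 10;
    ok += psi_buf_append(&wrapped, chunk, sizeof chunk) == -1;

    /* An append that would push the total past the 1 MiB ceiling is
     * rejected before any copy, so chunk's real size does not matter here. */
    ok += psi_buf_append(&b, chunk, PSI_MAX_BYTES) == -1 && b.len == 512;
    psi_buf_free(&b);

    static uint8_t payload[VBI_LINE_BYTES]; /* constructed, zero-filled VBI payload */
    uint8_t line[VBI_LINE_BYTES];
    ok += vbi_copy_line(payload, VBI_LINE_BYTES - 1, line) == -1; /* truncated packet */
    ok += vbi_copy_line(payload, VBI_LINE_BYTES, line) == 0;      /* full line present */
    return ok;
}
```

The important detail in `psi_buf_append` is that the wrap check compares against `UINT32_MAX - len` rather than testing `len + n < len` after the fact; the latter relies on already-wrapped arithmetic, and on unsigned types it works only by accident of the specific operand widths. A stand-alone caller can simply call `run_guard_checks()` and expect 6.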

@cfsmp3 commented on GitHub (Jan 2, 2026):

This is not critical unless you provide an example file that shows the problem (fine if you create it yourself, but it must hit the code path that shows the problem).

I'm going to close all these small issues with theoretical problems - they add a lot of overhead to my workload.


Reference: starred/ccextractor#883