Critical Teletext Decoder Vulnerabilities: Out-of-Bounds Read/Write and Loop Overflow #884

Open
opened 2026-01-29 16:56:08 +00:00 by claunia · 0 comments
Owner

Originally created by @THE-Amrit-mahto-05 on GitHub (Jan 2, 2026).

I have discovered a cluster of critical and previously unreported vulnerabilities in CCExtractor's Teletext decoder (telxcc.c).

Vulnerabilities Identified:

  1. Out-of-Bounds Reads in tlt_process_pes_packet

    • Cause: Minimal PES packet size checks allow truncated packets to trigger reads past the buffer end.
    • Impact: Heap/stack corruption, undefined behavior.
    • Trigger: Malformed DVB-TS Teletext streams with truncated PES packets.
  2. Out-of-Bounds Write in payload reversal loop

    • Cause: data_unit_len can exceed remaining PES packet size.
    • Impact: Heap corruption, memory overwrite.
    • Trigger: Malformed Teletext data unit length.
  3. Potential Infinite Loop / Loop Counter Overflow

    • Cause: i was declared as uint16_t and can wrap-around for large PES packets.
    • Impact: Infinite loop or memory corruption.
    • Trigger: Large or malformed PES packets.

Affected Files/Functions:

  • telxcc.c → tlt_process_pes_packet

Proposed Fixes (ready to implement in a PR):

  • Added minimum PES packet size checks before processing headers.
  • Ensure data_unit_len does not exceed remaining packet length.
  • Changed loop counter i to uint32_t to prevent wrap-around.
  • Added debug messages for oversized data units for safer decoding.

Impact if Unpatched:

  • Heap or stack corruption
  • Decoder crashes or undefined behavior
  • Security vulnerabilities for malicious Teletext streams
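
The three proposed checks, sketched as an added example that is not part of the original issue and is not CCExtractor's code. The function name `walk_teletext_units`, the simplified PES layout (9 fixed header bytes, optional header length at byte 8, one `data_identifier` byte) and the constructed test packets are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define PES_MIN_HEADER 9u    /* start code(3) + stream_id + length(2) + flags(2) + header_data_length */
#define TELETEXT_UNIT_LEN 44u

/* Reverse the bit order of one byte, as the payload reversal loop does. */
static uint8_t reverse8(uint8_t b)
{
    b = (uint8_t)(((b & 0xF0) >> 4) | ((b & 0x0F) << 4));
    b = (uint8_t)(((b & 0xCC) >> 2) | ((b & 0x33) << 2));
    b = (uint8_t)(((b & 0xAA) >> 1) | ((b & 0x55) << 1));
    return b;
}

/* Walk the data units of one PES packet held in buf[0..size).
 * Returns the number of 44-byte Teletext units reversed in place,
 * or -1 if the packet is truncated or a unit runs past the end. */
int walk_teletext_units(uint8_t *buf, size_t size)
{
    if (buf == NULL || size < PES_MIN_HEADER)
        return -1;                                    /* check 1: header bytes must exist */
    size_t declared = 6u + (((size_t)buf[4] << 8) | buf[5]);
    size_t end = declared < size ? declared : size;   /* never read past the real buffer */
    size_t i = (size_t)PES_MIN_HEADER + buf[8] + 1u;  /* size_t index cannot wrap like uint16_t */
    if (i > end) return -1;
    int units = 0;
    while (end - i >= 2u) {                           /* room for data_unit_id + data_unit_len */
        uint8_t data_unit_id = buf[i];
        uint8_t data_unit_len = buf[i + 1u];
        i += 2u;
        if (data_unit_len > end - i)
            return -1;                                /* check 2: unit must fit in what remains */
        if ((data_unit_id == 0x02 || data_unit_id == 0x03) && data_unit_len == TELETEXT_UNIT_LEN) {
            for (size_t j = 0; j < data_unit_len; j++)
                buf[i + j] = reverse8(buf[i + j]);
            units++;
        }
        i += data_unit_len;
    }
    return units;
}
```

Comparing `data_unit_len` against `end - i` rather than computing `i + data_unit_len` keeps the check itself free of overflow.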

Reference: starred/ccextractor#884