Critical DTVCC (CEA-708) Vulnerabilities: Heap Overflow & Out-of-Bounds Read #885

Closed
opened 2026-01-29 16:56:09 +00:00 by claunia · 1 comment

Originally created by @THE-Amrit-mahto-05 on GitHub (Jan 2, 2026).

Description:

I have discovered multiple critical and previously unreported vulnerabilities in CCExtractor’s DTVCC (CEA-708) decoder:

  1. Heap Buffer Overflows in dtvcc_process_data:
  • The code uses a fixed-size 128-byte buffer but allows a current_packet_length up to CCX_DTVCC_MAX_PACKET_LENGTH (255+), which can overwrite heap memory.

  • Triggered by any malformed CEA-708 stream with excessively long packets.

  2. Out-of-Bounds Read in dtvcc_process_current_packet:
  • Improper handling of extended headers (service number 7) can read past the end of the packet buffer.

  • May lead to undefined behavior or crashes during caption extraction.

Affected Files/Functions:

  • src/lib_ccx/ccx_dtvcc.c → dtvcc_process_data

  • src/lib_ccx/ccx_decoders_708.c → dtvcc_process_current_packet

Impact if unpatched:

  • Heap memory corruption and OOB reads in the core decoder logic.

  • Potential crashes or undefined behavior when parsing malformed CEA-708 streams.

Proposed Fix:

  • Added bounds checks in dtvcc_process_data to prevent heap overflow.

  • Added safety check in dtvcc_process_current_packet to prevent OOB read on truncated extended headers.

  • Logging added for illegal packet sizes and truncated headers for easier debugging.

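As an added illustration of the two bug classes the report names (this is not CCExtractor's code and not the reporter's patch; names such as dtvcc_state, feed_cc_pair and check_service_blocks are hypothetical), the following C program reassembles CEA-708 DTVCC packets from (cc_type, cc_data_1, cc_data_2) triplets into a fixed 128-byte buffer with the bounds check in place, walks the service blocks of a finished packet with a check for a truncated extended header, and feeds each path a constructed input of the kind the closing comment below asks for. The bit layouts assumed are the CEA-708 ones: packet header byte = 2-bit sequence number plus 6-bit size code (0 meaning 128 bytes, otherwise code * 2); service block header = 3-bit service number plus 5-bit block size, with service number 7 meaning an extended service number follows in the next byte.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names throughout; this is an added illustration, not
 * CCExtractor's dtvcc_process_data / dtvcc_process_current_packet. */
#define DTVCC_MAX_PACKET_LENGTH 128 /* a CEA-708 packet is at most 128 bytes */

enum { CC_TYPE_DTVCC_DATA = 2, CC_TYPE_DTVCC_START = 3 };

typedef struct {
	uint8_t packet[DTVCC_MAX_PACKET_LENGTH]; /* fixed buffer, as in the report */
	size_t length;   /* bytes currently in packet[] */
	size_t declared; /* length announced by the packet header, 0 = no packet open */
	int rejected;    /* continuation pairs dropped by the bounds check */
} dtvcc_state;

/* Packet header byte: bits 7-6 sequence number, bits 5-0 packet size code.
 * A size code of 0 means 128 bytes, otherwise the packet is code * 2 bytes. */
static size_t dtvcc_packet_length(uint8_t header)
{
	uint8_t code = header & 0x3F;
	return code == 0 ? 128 : (size_t)code * 2;
}

/* Feed one (cc_type, cc_data_1, cc_data_2) triplet into the reassembler.
 * Returns 1 if the two bytes were stored, 0 if they were ignored or dropped.
 * The check before the store is the one the report says is missing: an
 * unchecked store keeps writing past packet[] for as long as continuation
 * pairs keep arriving. */
static int feed_cc_pair(dtvcc_state *s, int cc_type, uint8_t b1, uint8_t b2)
{
	if (cc_type == CC_TYPE_DTVCC_START) {
		s->length = 0;
		s->declared = dtvcc_packet_length(b1);
	} else if (cc_type != CC_TYPE_DTVCC_DATA || s->declared == 0) {
		return 0; /* CEA-608 pair, or continuation without an open packet */
	}
	if (s->length + 2 > s->declared || s->length + 2 > DTVCC_MAX_PACKET_LENGTH) {
		s->rejected++;
		return 0;
	}
	s->packet[s->length++] = b1;
	s->packet[s->length++] = b2;
	return 1;
}

/* Walk the service blocks of a complete packet. Returns the number of blocks,
 * or -1 if a block header or body runs past the packet end. The service
 * number 7 branch is where the report's out-of-bounds read would happen. */
static int check_service_blocks(const uint8_t *pkt, size_t len)
{
	size_t pos = 1; /* skip the packet header byte */
	int blocks = 0;
	while (pos < len) {
		uint8_t h = pkt[pos++];
		unsigned service = (h >> 5) & 0x07;
		size_t block_size = h & 0x1F;
		if (service == 0 && block_size == 0)
			break; /* null service block: padding up to the declared length */
		if (service == 7) {
			if (pos >= len)
				return -1; /* extended header byte missing: would read past pkt */
			service = pkt[pos++] & 0x3F;
		}
		if (pos + block_size > len)
			return -1; /* block body truncated */
		pos += block_size;
		blocks++;
	}
	return blocks;
}

/* Constructed stream: the header claims the maximum 128 bytes, then 70
 * continuation pairs (142 bytes in total) keep arriving. */
static int run_overlong_stream(dtvcc_state *s)
{
	memset(s, 0, sizeof *s);
	feed_cc_pair(s, CC_TYPE_DTVCC_START, 0x00, 0x00); /* size code 0 = 128 bytes */
	for (int i = 0; i < 70; i++)
		feed_cc_pair(s, CC_TYPE_DTVCC_DATA, 0x41, 0x42);
	return s->rejected; /* 7 pairs dropped, length stays at 128 */
}

/* Constructed packet: size code 1 (2 bytes), then 0xE2 = service 7, block
 * size 2, with no extended header byte behind it. */
static int run_truncated_extended_header(void)
{
	const uint8_t pkt[] = { 0x01, 0xE2 };
	return check_service_blocks(pkt, sizeof pkt); /* -1 */
}

/* Constructed well-formed packet: size code 2 (4 bytes), one block for
 * service 1 (0x22 = service 1, block size 2) carrying two payload bytes. */
static int run_valid_packet(void)
{
	const uint8_t pkt[] = { 0x02, 0x22, 0x20, 0x41 };
	return check_service_blocks(pkt, sizeof pkt); /* 1 */
}

int main(void)
{
	dtvcc_state s;
	int dropped = run_overlong_stream(&s);
	printf("overlong stream: %d pairs dropped, %zu bytes kept\n", dropped, s.length);
	printf("truncated extended header: %d\n", run_truncated_extended_header());
	printf("valid packet: %d block(s)\n", run_valid_packet());
	return 0;
}
```

The two constructed inputs are the smallest triplet sequence and the smallest packet that reach each checked branch; wrapping them in a real container (for instance as CC data in an MPEG-TS or MP4 sample) is what turns them into the example file a maintainer can run through the decoder under a sanitizer.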

@cfsmp3 commented on GitHub (Jan 2, 2026):

This is not critical unless you provide an example file that shows the problem (fine if you create it yourself, but it must hit the code path that shows the problem).

I'm going to close all these small issues with theoretical problems - they add a lot of overhead to my workload.


Reference: starred/ccextractor#885