Critical Teletext Decoder Vulnerabilities: Out-of-Bounds Read/Write and Loop Overflow #887

Closed
opened 2026-01-29 16:56:12 +00:00 by claunia · 1 comment
Owner

Originally created by @THE-Amrit-mahto-05 on GitHub (Jan 2, 2026).

I have discovered a cluster of critical and previously unreported vulnerabilities in CCExtractor's Teletext decoder (telxcc.c).

Vulnerabilities Identified:

  1. Out-of-Bounds Reads in tlt_process_pes_packet

    • Cause: Minimal PES packet size checks allow truncated packets to trigger reads past the buffer end.
    • Impact: Heap/stack corruption, undefined behavior.
    • Trigger: Malformed DVB-TS Teletext streams with truncated PES packets.
  2. Out-of-Bounds Write in payload reversal loop

    • Cause: data_unit_len can exceed remaining PES packet size.
    • Impact: Heap corruption, memory overwrite.
    • Trigger: Malformed Teletext data unit length.
  3. Potential Infinite Loop / Loop Counter Overflow

    • Cause: i was declared as uint16_t and can wrap-around for large PES packets.
    • Impact: Infinite loop or memory corruption.
    • Trigger: Large or malformed PES packets.

Affected Files/Functions:

  • telxcc.c → tlt_process_pes_packet

Proposed Fixes (ready to implement in a PR):

  • Added minimum PES packet size checks before processing headers.
  • Ensure data_unit_len does not exceed remaining packet length.
  • Changed loop counter i to uint32_t to prevent wrap-around.
  • Added debug messages for oversized data units for safer decoding.

Impact if Unpatched:

  • Heap or stack corruption
  • Decoder crashes or undefined behavior
  • Security vulnerabilities for malicious Teletext streams
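
Added example, not part of the original issue and not CCExtractor's code: a minimal C sketch of the two checks the proposed fixes describe, bounding a declared data unit length by the bytes that remain and using an index type that cannot wrap. The unit layout (1-byte id, 1-byte length, then payload) and the names `walk_data_units` and `reverse8` are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Reverse the bit order of one byte (hypothetical stand-in for a
 * decoder's in-place payload reversal step). */
static uint8_t reverse8(uint8_t b)
{
    b = (uint8_t)(((b & 0xF0) >> 4) | ((b & 0x0F) << 4));
    b = (uint8_t)(((b & 0xCC) >> 2) | ((b & 0x33) << 2));
    b = (uint8_t)(((b & 0xAA) >> 1) | ((b & 0x55) << 1));
    return b;
}

/*
 * Walk the data units in buf[0..len) and bit-reverse each payload in place.
 * Assumed layout per unit: id (1 byte), length (1 byte), payload.
 * Returns the number of units processed, or -1 as soon as a unit header or
 * payload would cross the end of the buffer. Units before the bad one have
 * already been reversed; no byte at or past buf[len] is read or written.
 */
long walk_data_units(uint8_t *buf, size_t len)
{
    /* size_t index: a uint16_t index would wrap at 65536 and could
     * re-enter the loop on a larger buffer. */
    size_t i = 0;
    long units = 0;

    while (i < len) {
        if (len - i < 2)
            return -1;              /* truncated unit header */
        uint8_t unit_len = buf[i + 1];
        i += 2;
        if (unit_len > len - i)
            return -1;              /* declared length exceeds remaining bytes */
        for (size_t j = 0; j < unit_len; j++)
            buf[i + j] = reverse8(buf[i + j]);
        i += unit_len;
        units++;
    }
    return units;
}
```
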
Author
Owner

@cfsmp3 commented on GitHub (Jan 2, 2026):

This is not critical unless you provide an example file that shows the problem (fine if you create it yourself, but it must hit the code path that shows the problem).

I'm going to close all these small issues with theoretical problems - they add a lot of overhead to my workload.


Reference: starred/ccextractor#887