Teletext decoder: OOB read/write in remap_g0_charset on malformed input #889

New Issue

claunia · 2026-01-29T16:56:16Z

claunia commented

2026-01-29 16:56:16 +00:00

Originally created by @THE-Amrit-mahto-05 on GitHub (Jan 4, 2026).

description

While reviewing the Teletext decoder, I noticed that remap_g0_charset(uint8_t c) uses the c value as an index into G0_LATIN_NATIONAL_SUBSETS_MAP (size 56) without bounds checking.

The result of that lookup is then used as an index into another table (size 14), also without bounds validation.

Since c is a uint8_t, malformed input can trigger out-of-bounds reads/writes, leading to memory corruption of global tables.

I have a small defensive fix ready that adds bounds checks and early returns.

Originally created by @THE-Amrit-mahto-05 on GitHub (Jan 4, 2026). ### description While reviewing the Teletext decoder, I noticed that remap_g0_charset(uint8_t c) uses the c value as an index into G0_LATIN_NATIONAL_SUBSETS_MAP (size 56) without bounds checking. The result of that lookup is then used as an index into another table (size 14), also without bounds validation. Since c is a uint8_t, malformed input can trigger out-of-bounds reads/writes, leading to memory corruption of global tables. I have a small defensive fix ready that adds bounds checks and early returns.

claunia closed this issue

2026-01-29 16:56:16 +00:00

claunia referenced this issue

2026-01-29 17:18:14 +00:00

[PR #889] [CLOSED] Patch 9 #1731

claunia referenced this issue

2026-01-29 17:18:14 +00:00

[PR #889] Patch 9 #1733

Sign in to join this conversation.