Critical Rust memory safety bug: returning pointer to stack-allocated PMTEntry #894

Closed
opened 2026-01-29 16:56:24 +00:00 by claunia · 1 comment

Originally created by @THE-Amrit-mahto-05 on GitHub (Jan 6, 2026).

Description

While reviewing the Rust FFI layer, I found a use-after-scope (dangling pointer) bug in ctorust.rs.

An implementation of FromCType<*mut PMT_entry> returns a raw pointer derived from a stack-allocated Rust value, which becomes invalid immediately after the function returns.

This is undefined behavior in Rust, independent of C-side invariants, test coverage, or calling order.

Affected File: src/rust/src/ctorust.rs

Problematic Code

// pmt_entry lives in this function's stack frame
let mut pmt_entry = PMTEntry {
    program_number,
    elementary_pid,
    stream_type,
    printable_stream_type,
};

// the raw pointer outlives the frame it points into; it dangles as soon as the function returns
Some(&mut pmt_entry as *mut PMTEntry)

Here:

  • pmt_entry is allocated on the stack
  • A pointer to it is returned
  • The function returns
  • The stack frame is destroyed
  • The returned pointer now points to invalid memory

Proposed Fix

let pmt_entry = PMTEntry { ... };
Some(Box::into_raw(Box::new(pmt_entry)))
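The pattern the issue describes, worked through as an added example that is not code from the ccextractor project: a hypothetical `FromCType` trait converting a constructed C-side `CPmtEntry` into a heap-allocated Rust `PMTEntry` whose pointer stays valid after the converting function returns, together with the matching free routine that a `Box::into_raw` handoff needs. The struct layouts, field types, trait signature and function names are assumptions; the page shows only the field names. The reason the original bug compiles is that raw pointers carry no lifetime, so `&mut local as *mut T` is never borrow-checked; the fixed version moves the value to the heap instead, and the caller (here the C side, eventually) becomes responsible for returning it with `Box::from_raw`.

```rust
use std::ffi::{c_char, CStr};

/// Hypothetical stand-in for the C-side `PMT_entry` struct (assumed layout).
#[repr(C)]
pub struct CPmtEntry {
    pub program_number: u32,
    pub elementary_pid: u32,
    pub stream_type: u32,
    pub printable_stream_type: *const c_char,
}

/// Hypothetical Rust-side entry; only the field names come from the page.
#[repr(C)]
#[derive(Debug, Clone, PartialEq)]
pub struct PMTEntry {
    pub program_number: u32,
    pub elementary_pid: u32,
    pub stream_type: u32,
    pub printable_stream_type: String,
}

/// Hypothetical conversion trait modelled on the page's `FromCType`.
pub trait FromCType<T> {
    /// # Safety
    /// `c` must be null or point to a valid, initialised pointee.
    unsafe fn from_ctype(c: T) -> Self;
}

impl FromCType<*const CPmtEntry> for Option<*mut PMTEntry> {
    unsafe fn from_ctype(c: *const CPmtEntry) -> Self {
        if c.is_null() {
            return None;
        }
        let c = &*c;
        // Copy the C string into an owned String so the Rust entry does not
        // keep borrowing C memory the caller may free.
        let printable_stream_type = if c.printable_stream_type.is_null() {
            String::new()
        } else {
            CStr::from_ptr(c.printable_stream_type).to_string_lossy().into_owned()
        };
        let entry = PMTEntry {
            program_number: c.program_number,
            elementary_pid: c.elementary_pid,
            stream_type: c.stream_type,
            printable_stream_type,
        };
        // Heap-allocate and hand ownership to the caller. Unlike a pointer to
        // a local, this stays valid until `free_pmt_entry` reclaims it.
        Some(Box::into_raw(Box::new(entry)))
    }
}

/// Reclaims an entry produced by `from_ctype`. Freeing the same pointer twice
/// is a double free, so callers must null their copy after calling this.
///
/// # Safety
/// `p` must be null or a pointer returned by `from_ctype` that is not yet freed.
pub unsafe fn free_pmt_entry(p: *mut PMTEntry) {
    if !p.is_null() {
        drop(Box::from_raw(p));
    }
}

/// Converts a constructed C entry (sample input, not project data), reads the
/// result back after the converting function has returned, frees it, and
/// hands the owned copy to the caller.
pub fn convert_sample() -> Option<PMTEntry> {
    let label = b"Video\0";
    let c_entry = CPmtEntry {
        program_number: 1,
        elementary_pid: 0x100,
        stream_type: 0x1b,
        printable_stream_type: label.as_ptr() as *const c_char,
    };
    unsafe {
        let p: *mut PMTEntry =
            <Option<*mut PMTEntry> as FromCType<*const CPmtEntry>>::from_ctype(&c_entry)?;
        // Reading through `p` here is sound because the pointee is on the heap.
        let owned = (*p).clone();
        free_pmt_entry(p);
        Some(owned)
    }
}

/// The null C pointer maps to `None` rather than to a dangling allocation.
pub fn convert_null() -> bool {
    unsafe {
        <Option<*mut PMTEntry> as FromCType<*const CPmtEntry>>::from_ctype(std::ptr::null())
            .is_none()
    }
}

fn main() {
    println!("{:?}", convert_sample());
}
```

Running the example under Miri (`cargo +nightly miri run`) is the cheap way to confirm the heap version is sound; the original stack-pointer version would be reported as a use of deallocated memory at the first dereference.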

@cfsmp3 commented on GitHub (Jan 8, 2026):

Please don't open a ticket for these things - PRs are OK, but issues are for users to report problems. If a developer sees a problem he/she just sends a PR.


Reference: starred/ccextractor#894