MP4 & PS demuxer panics due to out-of-bounds/underflow #899

Closed
opened 2026-01-29 16:56:30 +00:00 by claunia · 2 comments

Originally created by @THE-Amrit-mahto-05 on GitHub (Jan 7, 2026).

Description

The demuxer’s stream detection logic can panic when processing certain malformed or very small media files.

  1. PS probing underflow:
    • When the input buffer is very small (<3 bytes), the subtraction `ctx.startbytes_avail - 3` underflows.
    • Causes undefined behavior / crash.
  2. MP4 box validation out-of-bounds:
    • The check for "moov" box assumes the buffer has at least 15 bytes beyond the position.
    • Small/invalid MP4 inputs can cause `buffer[position + 12..14]` to panic.

This can crash CCExtractor during normal demuxing.


Steps to Reproduce

```bash
# Trigger PS underflow
echo -n "00" > tiny.ps
./ccextractor tiny.ps

# Trigger MP4 out-of-bounds
echo -n "" > empty.mp4
./ccextractor empty.mp4
```

Expected Behavior

  • The demuxer should not panic on small or malformed files.
  • Instead, it should gracefully handle these inputs or return a clear error.
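
One way to make both probes return "not detected" on short input instead of panicking, as an added example (not CCExtractor's code; the function names, the scan for the PS pack start code `00 00 01 BA`, and the box-type check at offset 4 are assumptions for illustration):

```rust
// Added illustration; names and layout are hypothetical, not CCExtractor's code.

/// MPEG program stream pack start code.
const PS_PACK: [u8; 4] = [0x00, 0x00, 0x01, 0xBA];

/// Scan for a PS pack start code. `checked_sub` replaces a bare `len - 3`,
/// so buffers shorter than 3 bytes yield None instead of underflowing.
fn find_ps_pack(buf: &[u8]) -> Option<usize> {
    let end = buf.len().checked_sub(3)?;
    // For every i < len - 3, the slice i..i + 4 is inside the buffer.
    (0..end).find(|&i| buf[i..i + 4] == PS_PACK[..])
}

/// Bounds-checked read of `len` bytes at `pos + off`.
/// Returns None where direct indexing such as `buf[pos + 12..pos + 14]` would panic.
fn bytes_at(buf: &[u8], pos: usize, off: usize, len: usize) -> Option<&[u8]> {
    let start = pos.checked_add(off)?;
    let end = start.checked_add(len)?;
    buf.get(start..end)
}

/// ISO BMFF box header: 4-byte big-endian size followed by a 4-byte type.
fn is_box(buf: &[u8], pos: usize, kind: &[u8; 4]) -> bool {
    bytes_at(buf, pos, 4, 4) == Some(&kind[..])
}

fn main() {
    // Constructed inputs matching the two reproduction files above.
    let tiny_ps: &[u8] = b"00"; // 2 bytes
    let empty_mp4: &[u8] = b""; // 0 bytes
    println!("tiny.ps pack start: {:?}", find_ps_pack(tiny_ps));
    println!("empty.mp4 is moov: {}", is_box(empty_mp4, 0, b"moov"));
    println!("empty.mp4 bytes 12..14: {:?}", bytes_at(empty_mp4, 0, 12, 2));

    // Constructed well-formed samples for comparison.
    let ps = [0x47, 0x00, 0x00, 0x01, 0xBA, 0x44];
    let moov = b"\x00\x00\x00\x08moov";
    println!("sample PS pack start: {:?}", find_ps_pack(&ps));
    println!("sample is moov: {}", is_box(moov, 0, b"moov"));
}
```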

@cfsmp3 commented on GitHub (Jan 8, 2026):

Please don't open a ticket for these things - PRs are OK, but issues are for users to report problems. If a developer sees a problem he/she just sends a PR.


@THE-Amrit-mahto-05 commented on GitHub (Jan 8, 2026):

@cfsmp3
Got it, thanks for clarifying 👍
I’ll submit fixes directly as PRs and avoid opening issues for developer-identified problems.

Reference: starred/ccextractor#899