[Bug] Heap-buffer-overflow in parse_PMT #905

Closed
opened 2026-01-29 16:56:35 +00:00 by claunia · 0 comments
Owner

Originally created by @oneafter on GitHub (Jan 23, 2026).

Description

We discovered a Heap-buffer-overflow vulnerability in ccextractor. The crash occurs in the parse_PMT function when processing a malformed MPEG-TS file.

The ASAN report indicates a READ violation of size 1, occurring 101 bytes past the end of a 184-byte allocated region (standard TS payload buffer).

Environment

  • OS: Linux x86_64
  • Compiler: Clang
  • Build Configuration: Release mode with ASan enabled.

Vulnerability Details

  • Target: CCExtractor
  • Vulnerability Type: CWE-125: Out-of-bounds Read
  • Function: parse_PMT
  • Location: src/lib_ccx/ts_tables.c:417
  • Root Cause Analysis: The buffer is allocated in ts_buffer_psi_packet with a size of 184 bytes. The function parse_PMT parses the Program Map Table. It reads length fields (likely section_length or descriptor lengths) from the packet and iterates based on these values.

The crash happens at line 417. The large offset (101 bytes overflow) suggests that the parser is blindly following a length field specified in the malicious packet header without verifying if it exceeds the actual available data (184 bytes) in the buffer.

Reproduce

  1. Build ccextractor with Release optimization and ASAN enabled.
  2. Run with the crashing file (https://github.com/oneafter/0123/blob/main/cc2/repro):
     ./build/ccextractor repro
ASAN report
==42237==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x51000000115d at pc 0x55d4d05f9a42 bp 0x7ffda947d2b0 sp 0x7ffda947d2a8
READ of size 1 at 0x51000000115d thread T0
    #0 0x55d4d05f9a41 in parse_PMT /src/ccextractor/src/lib_ccx/ts_tables.c:417:74
    #1 0x55d4d05ecd66 in ts_readstream /src/ccextractor/src/lib_ccx/ts_functions.c:844:9
    #2 0x55d4d05efe1d in ts_get_more_data /src/ccextractor/src/lib_ccx/ts_functions.c:1092:9
    #3 0x55d4d0597b59 in general_loop /src/ccextractor/src/lib_ccx/general_loop.c:1374:9
    #4 0x55d4d026e2c3 in start_ccx /src/ccextractor/src/ccextractor.c:195:11
    #5 0x7f3c27f721c9  (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
    #6 0x7f3c27f7228a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
    #7 0x55d4d002f404 in _start (/src/ccextractor/build_afl/ccextractor+0xf2404) (BuildId: 144afa46e860f46ef2c26b7a110ecb6056d5f015)

0x51000000115d is located 101 bytes after 184-byte region [0x510000001040,0x5100000010f8)
allocated by thread T0 here:
    #0 0x55d4d00cf233 in malloc (/src/ccextractor/build_afl/ccextractor+0x192233) (BuildId: 144afa46e860f46ef2c26b7a110ecb6056d5f015)
    #1 0x55d4d05fabf8 in ts_buffer_psi_packet /src/ccextractor/src/lib_ccx/ts_tables.c:563:46

SUMMARY: AddressSanitizer: heap-buffer-overflow /src/ccextractor/src/lib_ccx/ts_tables.c:417:74 in parse_PMT
Shadow bytes around the buggy address:
  0x510000000e80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x510000000f00: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x510000000f80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x510000001000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x510000001080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
=>0x510000001100: fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa fa
  0x510000001180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x510000001200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x510000001280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x510000001300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x510000001380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==42237==ABORTING
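The root-cause analysis above points at length fields being followed without a check against the 184 bytes actually present in the payload buffer. The following is an added example, not ccextractor's parse_PMT and not code from the reporter: a PMT section walk in C in which every read goes through a cursor that refuses to hand out bytes the buffer does not contain, so an oversized section_length, program_info_length or ES_info_length is rejected with an error code instead of being followed past the end of the allocation. Names (parse_pmt_checked, parse_in_ts_payload, struct pmt, PMT_MAX_ES) and the sample sections are constructed for this example; it assumes the caller has already stripped the TS packet header and the PSI pointer_field, so the buffer starts at table_id.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not ccextractor's parse_PMT: bounds-checked PMT walk. */

#define PMT_TABLE_ID   0x02
#define TS_PAYLOAD_MAX 184   /* payload of one 188-byte TS packet, as in the ASan report */
#define PMT_MAX_ES     32    /* assumed cap on elementary streams we record */

enum pmt_status {
	PMT_OK           =  0,
	PMT_ERR_SHORT    = -1,   /* fewer bytes than the fixed fields need         */
	PMT_ERR_TABLE    = -2,   /* table_id is not a PMT                          */
	PMT_ERR_LENGTH   = -3,   /* a length field claims more data than present   */
	PMT_ERR_TOO_MANY = -4    /* more ES entries than we are willing to store   */
};

struct pmt_es { uint8_t stream_type; uint16_t pid; };
struct pmt {
	uint16_t program_number;
	uint16_t pcr_pid;
	size_t n_es;
	struct pmt_es es[PMT_MAX_ES];
};

/* Cursor over the input: take() only succeeds if n bytes really remain. */
struct cur { const uint8_t *p; size_t left; };

static int take(struct cur *c, size_t n, const uint8_t **out)
{
	if (n > c->left)
		return 0;
	*out = c->p;
	c->p += n;
	c->left -= n;
	return 1;
}

/* Parse one PMT section from buf[0..len). Returns PMT_OK or a PMT_ERR_* code. */
int parse_pmt_checked(const uint8_t *buf, size_t len, struct pmt *out)
{
	struct cur c = { buf, len };
	const uint8_t *h, *desc;
	memset(out, 0, sizeof *out);

	if (!take(&c, 3, &h))
		return PMT_ERR_SHORT;
	if (h[0] != PMT_TABLE_ID)
		return PMT_ERR_TABLE;

	/* section_length counts everything after this field, CRC_32 included.
	 * Check it against the bytes that actually arrived before trusting it. */
	size_t section_length = ((size_t)(h[1] & 0x0F) << 8) | h[2];
	if (section_length > c.left)
		return PMT_ERR_LENGTH;       /* header promises more than the buffer holds */
	if (section_length < 9 + 4)
		return PMT_ERR_SHORT;        /* fixed fields plus CRC_32 */
	c.left = section_length - 4;     /* from here on only the section body is in play */

	if (!take(&c, 9, &h))
		return PMT_ERR_SHORT;
	out->program_number = (uint16_t)((h[0] << 8) | h[1]);
	out->pcr_pid        = (uint16_t)(((h[5] & 0x1F) << 8) | h[6]);
	size_t program_info_length = ((size_t)(h[7] & 0x0F) << 8) | h[8];
	if (!take(&c, program_info_length, &desc))
		return PMT_ERR_LENGTH;       /* program descriptors overrun the section */

	/* Elementary-stream loop: 5 fixed bytes per entry plus its descriptors. */
	while (c.left > 0) {
		const uint8_t *e;
		if (!take(&c, 5, &e))
			return PMT_ERR_SHORT;
		size_t es_info_length = ((size_t)(e[3] & 0x0F) << 8) | e[4];
		if (!take(&c, es_info_length, &desc))
			return PMT_ERR_LENGTH;   /* ES descriptors overrun the section */
		if (out->n_es >= PMT_MAX_ES)
			return PMT_ERR_TOO_MANY;
		out->es[out->n_es].stream_type = e[0];
		out->es[out->n_es].pid = (uint16_t)(((e[1] & 0x1F) << 8) | e[2]);
		out->n_es++;
	}
	return PMT_OK;
}

/* Constructed well-formed PMT: one H.264 video and one AAC audio stream. */
const uint8_t PMT_GOOD[] = {
	0x02, 0xB0, 0x17,             /* table_id, section_length = 23 */
	0x00, 0x01,                   /* program_number = 1 */
	0xC1, 0x00, 0x00,             /* version/current_next, section_number, last */
	0xE1, 0x00,                   /* PCR_PID = 0x100 */
	0xF0, 0x00,                   /* program_info_length = 0 */
	0x1B, 0xE1, 0x00, 0xF0, 0x00, /* stream_type 0x1B, PID 0x100, no descriptors */
	0x0F, 0xE1, 0x01, 0xF0, 0x00, /* stream_type 0x0F, PID 0x101, no descriptors */
	0xAA, 0xBB, 0xCC, 0xDD        /* CRC_32 placeholder (not verified here) */
};

/* Same section, but program_info_length = 255 while only 10 body bytes follow. */
const uint8_t PMT_BAD_DESC_LEN[] = {
	0x02, 0xB0, 0x17, 0x00, 0x01, 0xC1, 0x00, 0x00, 0xE1, 0x00,
	0xF0, 0xFF,
	0x1B, 0xE1, 0x00, 0xF0, 0x00, 0x0F, 0xE1, 0x01, 0xF0, 0x00,
	0xAA, 0xBB, 0xCC, 0xDD
};

/* Deliver a section inside a zero-padded 184-byte payload buffer, as one TS
 * packet would, with the section_length field set to forced_section_length. */
int parse_in_ts_payload(const uint8_t *section, size_t n,
                        uint16_t forced_section_length, struct pmt *out)
{
	uint8_t payload[TS_PAYLOAD_MAX] = { 0 };
	if (n > TS_PAYLOAD_MAX)
		return PMT_ERR_LENGTH;
	memcpy(payload, section, n);
	payload[1] = (uint8_t)(0xB0 | ((forced_section_length >> 8) & 0x0F));
	payload[2] = (uint8_t)(forced_section_length & 0xFF);
	return parse_pmt_checked(payload, sizeof payload, out);
}

int main(void)
{
	struct pmt p;
	printf("good section:            %d\n", parse_pmt_checked(PMT_GOOD, sizeof PMT_GOOD, &p));
	printf("oversized descriptor len: %d\n", parse_pmt_checked(PMT_BAD_DESC_LEN, sizeof PMT_BAD_DESC_LEN, &p));
	printf("section_length > 184:     %d\n", parse_in_ts_payload(PMT_GOOD, sizeof PMT_GOOD, 0x3FF, &p));
	return 0;
}
```

The two constructed inputs exercise the two failure modes the report describes: a section_length that exceeds the 184-byte payload, and a descriptor length that exceeds the bytes left in the section. Both return PMT_ERR_LENGTH before any byte past the buffer is touched, which is the behaviour a fix at ts_tables.c:417 needs to guarantee.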
Reference: starred/ccextractor#905