fix(security): Add bounds checks for buffer overflow vulnerabilities

cfsmp3 · claude · cfsmp3 · commit 9fddaab3b0fc · 2025-12-20T19:34:22.000+01:00
Fixes two buffer overflow vulnerabilities reported in issues #1427 and #1428: - #1428 (Global buffer overflow in slice_header): The slice_type value read from H.264 exp-golomb data was used to index slice_types[] array without bounds checking. Valid values are 0-9 per H.264 spec Table 7-6. Now validates slice_type < 10 before use. - #1427 (Heap buffer overflow in parse_PMT): ES_info_length from PMT descriptor data was trusted without validation against buffer bounds. Malformed PMT with excessive ES_info_length could read past buffer end. Now validates ES_info_length and descriptor lengths against buffer. Both issues were discovered using AddressSanitizer with crafted TS files. Fixes #1427 Fixes #1428 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
diff --git a/src/lib_ccx/avc_functions.c b/src/lib_ccx/avc_functions.c
@@ -954,6 +954,15 @@ void slice_header(struct encoder_ctx *enc_ctx, struct lib_cc_decode *dec_ctx, un
 	dvprint("first_mb_in_slice=     % 4lld (%#llX)\n", tmp, tmp);
 	slice_type = read_exp_golomb_unsigned(&q1);
 	dvprint("slice_type=            % 4llX\n", slice_type);
+
+	// Validate slice_type to prevent buffer overflow in slice_types[] array
+	// Valid H.264 slice_type values are 0-9 (H.264 spec Table 7-6)
+	if (slice_type >= 10)
+	{
+		mprint("Invalid slice_type %lld in slice header, skipping.\n", slice_type);
+		return;
+	}
+
 	tmp = read_exp_golomb_unsigned(&q1);
 	dvprint("pic_parameter_set_id=  % 4lld (%#llX)\n", tmp, tmp);
 
diff --git a/src/lib_ccx/ts_tables.c b/src/lib_ccx/ts_tables.c
@@ -254,7 +254,9 @@ int parse_PMT(struct ccx_demuxer *ctx, unsigned char *buf, int len, struct progr
 		ctx->PIDs_programs[elementary_PID]->printable_stream_type = get_printable_stream_type(stream_type);
 		dbg_print(CCX_DMT_VERBOSE, "%6u | %3X (%3u) | %s\n", elementary_PID, stream_type, stream_type,
 			  desc[ctx->PIDs_programs[elementary_PID]->printable_stream_type]);
-		process_ccx_mpeg_descriptor(buf + i + 5, ES_info_length);
+		// Validate ES_info_length against buffer bounds to prevent heap overflow
+		if (i + 5 + ES_info_length <= len)
+			process_ccx_mpeg_descriptor(buf + i + 5, ES_info_length);
 		i += ES_info_length;
 	}
 	dbg_print(CCX_DMT_VERBOSE, "---\n");
@@ -275,12 +277,28 @@ int parse_PMT(struct ccx_demuxer *ctx, unsigned char *buf, int len, struct progr
 			continue;
 		}
 
+		// Validate ES_info_length against buffer bounds to prevent heap overflow
+		if (i + 5 + ES_info_length > len)
+		{
+			dbg_print(CCX_DMT_GENERIC_NOTICES, "Warning: ES_info_length exceeds buffer, skipping.\n");
+			break;
+		}
+
 		unsigned char *es_info = buf + i + 5;
-		for (desc_len = 0; (buf + i + 5 + ES_info_length) > es_info; es_info += desc_len)
+		unsigned char *es_info_end = buf + i + 5 + ES_info_length;
+		for (desc_len = 0; es_info_end > es_info; es_info += desc_len)
 		{
+			// Need at least 2 bytes for descriptor_tag and desc_len
+			if (es_info + 2 > es_info_end)
+				break;
+
 			enum ccx_mpeg_descriptor descriptor_tag = (enum ccx_mpeg_descriptor)(*es_info++);
 			desc_len = (*es_info++);
 
+			// Validate desc_len doesn't exceed remaining buffer
+			if (es_info + desc_len > es_info_end)
+				break;
+
 			if (descriptor_tag == CCX_MPEG_DSC_DVB_SUBTITLE)
 			{
 				int k = 0;
@@ -324,12 +342,29 @@ int parse_PMT(struct ccx_demuxer *ctx, unsigned char *buf, int len, struct progr
 		if (stream_type == CCX_STREAM_TYPE_PRIVATE_MPEG2 &&
 		    ES_info_length)
 		{
+			// Validate ES_info_length against buffer bounds to prevent heap overflow
+			if (i + 5 + ES_info_length > len)
+			{
+				dbg_print(CCX_DMT_GENERIC_NOTICES, "Warning: ES_info_length exceeds buffer, skipping.\n");
+				break;
+			}
+
 			unsigned char *es_info = buf + i + 5;
-			for (desc_len = 0; (buf + i + 5 + ES_info_length) > es_info; es_info += desc_len)
+			unsigned char *es_info_end = buf + i + 5 + ES_info_length;
+			for (desc_len = 0; es_info_end > es_info; es_info += desc_len)
 			{
 				void *ptr;
+				// Need at least 2 bytes for descriptor_tag and desc_len
+				if (es_info + 2 > es_info_end)
+					break;
+
 				enum ccx_mpeg_descriptor descriptor_tag = (enum ccx_mpeg_descriptor)(*es_info++);
 				desc_len = (*es_info++);
+
+				// Validate desc_len doesn't exceed remaining buffer
+				if (es_info + desc_len > es_info_end)
+					break;
+
 				if (CCX_MPEG_DESC_DATA_COMP == descriptor_tag)
 				{
 					int16_t component_id = 0;
