From 7526da884c42b1877f7186eaaca87b30a51b5672 Mon Sep 17 00:00:00 2001
From: Amrit kumar Mahto
Date: Thu, 1 Jan 2026 23:20:25 +0530
Subject: [PATCH 1/2] Prevent integer overflow in EIA-608 screen buffer reallocation

---
 src/lib_ccx/ccx_decoders_608.c | 28 ++++++++++++++++++++++++----
 1 file changed, 24 insertions(+), 4 deletions(-)

diff --git a/src/lib_ccx/ccx_decoders_608.c b/src/lib_ccx/ccx_decoders_608.c
index 37a057e83..c2b0a0aea 100644
--- a/src/lib_ccx/ccx_decoders_608.c
+++ b/src/lib_ccx/ccx_decoders_608.c
@@ -316,10 +316,20 @@ int write_cc_buffer(ccx_decoder_608_context *context, struct cc_subtitle *sub)
 if (!data->empty && context->output_format != CCX_OF_NULL)
 {
- struct eia608_screen *new_data = (struct eia608_screen *)realloc(sub->data, (sub->nb_data + 1) * sizeof(*data));
+ size_t new_size;
+
+ if (sub->nb_data + 1 > SIZE_MAX / sizeof(struct eia608_screen))
+ {
+ ccx_common_logging.log_ftn("Too many screens, cannot allocate more memory.\n");
+ return 0;
+ }
+
+ new_size = (sub->nb_data + 1) * sizeof(struct eia608_screen);
+
+ struct eia608_screen *new_data = (struct eia608_screen *)realloc(sub->data, new_size);
 if (!new_data)
 {
- ccx_common_logging.log_ftn("No Memory left");
+ ccx_common_logging.log_ftn("Out of memory while reallocating screen buffer\n");
 return 0;
 }
 sub->data = new_data;
 
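Review bot: The overflow guard and the realloc that follows it are duplicated verbatim in write_cc_buffer here and in write_cc_line in the next hunk, so a single static helper would keep the two copies from drifting apart and shrink the twelve added lines in each site to three. The guard also evaluates `sub->nb_data + 1` before comparing; nb_data's declaration is outside the hunk, and if it is an unsigned integer type the addition wraps to 0 at its maximum and the guard passes, while a signed type would overflow, so comparing `sub->nb_data > SIZE_MAX / sizeof(struct eia608_screen) - 1` avoids the addition altogether. SIZE_MAX comes from <stdint.h> and the patch adds no include, so confirm the file already pulls it in (the include block is outside the hunk). Both write_cc_buffer and write_cc_line begin before their hunks and continue after them.
```c
/* Grow sub->data by one screen. Logs and returns NULL on size overflow or
 * OOM; sub->data is left untouched on failure so the caller can still free it.
 * The caller stores the result into sub->data and bumps sub->nb_data as before. */
static struct eia608_screen *grow_screen_buffer(struct cc_subtitle *sub)
{
	/* SIZE_MAX / sizeof(...) >= 1, so the subtraction cannot underflow */
	if (sub->nb_data > SIZE_MAX / sizeof(struct eia608_screen) - 1)
	{
		ccx_common_logging.log_ftn("Too many screens, cannot allocate more memory.\n");
		return NULL;
	}
	struct eia608_screen *new_data = realloc(sub->data, (sub->nb_data + 1) * sizeof(struct eia608_screen));
	if (!new_data)
		ccx_common_logging.log_ftn("Out of memory while reallocating screen buffer\n");
	return new_data;
}

	/* … unchanged: write_cc_buffer up to the empty/output_format check … */
	if (!data->empty && context->output_format != CCX_OF_NULL)
	{
		struct eia608_screen *new_data = grow_screen_buffer(sub);
		if (!new_data)
			return 0;
		sub->data = new_data;
```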
@@ -386,10 +396,20 @@ int write_cc_line(ccx_decoder_608_context *context, struct cc_subtitle *sub)
 if (!data->empty)
 {
- struct eia608_screen *new_data = (struct eia608_screen *)realloc(sub->data, (sub->nb_data + 1) * sizeof(*data));
+ size_t new_size;
+
+ if (sub->nb_data + 1 > SIZE_MAX / sizeof(struct eia608_screen))
+ {
+ ccx_common_logging.log_ftn("Too many screens, cannot allocate more memory.\n");
+ return 0;
+ }
+
+ new_size = (sub->nb_data + 1) * sizeof(struct eia608_screen);
+
+ struct eia608_screen *new_data = (struct eia608_screen *)realloc(sub->data, new_size);
 if (!new_data)
 {
- ccx_common_logging.log_ftn("No Memory left");
+ ccx_common_logging.log_ftn("Out of memory while reallocating screen buffer\n");
 return 0;
 }
 sub->data = new_data;
 
From 64484af49ecb40291b1d6e4c8c0e399c6d321863 Mon Sep 17 00:00:00 2001
From: Amrit kumar Mahto
Date: Fri, 2 Jan 2026 00:40:07 +0530
Subject: [PATCH 2/2] [FIX] Prevent stack buffer overflow in ISDB-CC decoder parse_csi

---
 src/lib_ccx/ccx_decoders_isdb.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/lib_ccx/ccx_decoders_isdb.c b/src/lib_ccx/ccx_decoders_isdb.c
index 5a1f5f588..5a54340df 100644
--- a/src/lib_ccx/ccx_decoders_isdb.c
+++ b/src/lib_ccx/ccx_decoders_isdb.c
@@ -724,16 +724,17 @@ static int parse_csi(ISDBSubContext *ctx, const uint8_t *buf, int len)
 // Copy buf in arg
 for (i = 0; *buf != 0x20; i++)
 {
- if (i >= (sizeof(arg)) + 1)
+ if (i >= sizeof(arg) - 1)
 {
- isdb_log("UnExpected CSI %d >= %d", sizeof(arg) + 1, i);
+ isdb_log("UnExpected CSI: too long");
 break;
 }
 arg[i] = *buf;
 buf++;
 }
 /* ignore terminating 0x20 character */
- arg[i] = *buf++;
+ if (i < sizeof(arg))
+ arg[i] = *buf++;
 
 switch (*buf)
 {
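Review bot: The loop condition `*buf != 0x20` is still not bounded by `len`, so a CSI sequence with no 0x20 terminator before the end of the packet reads past the input even though the write into arg is now capped, and the `*buf++` and `switch (*buf)` reads after the loop are equally unbounded. After the new `break` on an over-long parameter, the following `arg[i] = *buf++` stores a non-terminator byte and leaves buf in the middle of the parameter, so the switch then dispatches on an arbitrary byte; returning the function's error value there instead of breaking is safer (the -1 below is a stand-in — use whatever parse_csi already returns for malformed input). The rewrite assumes buf still points at the start of the len bytes at this point; if it was advanced earlier in the function, derive end from the original pointer, and note that a negative len would also need rejecting. parse_csi begins before this hunk and continues after it.
```c
	/* … unchanged: earlier part of parse_csi … */
	const uint8_t *end = buf + len; /* assumes buf is still the start of the len bytes — confirm */
	// Copy buf in arg
	for (i = 0; buf < end && *buf != 0x20; i++)
	{
		if (i >= sizeof(arg) - 1)
		{
			isdb_log("UnExpected CSI: too long");
			return -1; /* stand-in: use parse_csi's existing error value */
		}
		arg[i] = *buf;
		buf++;
	}
	/* need the terminating 0x20 plus at least one byte for the final command */
	if (buf + 1 >= end)
		return -1; /* stand-in: use parse_csi's existing error value */
	/* ignore terminating 0x20 character; i < sizeof(arg) is guaranteed by the loop */
	arg[i] = *buf++;

	switch (*buf)
```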