Skip to content

Fix/ts heap overflow #1953

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
cfsmp3 merged 5 commits into from
Jan 2, 2026
Merged

Fix/ts heap overflow #1953

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
7526da8
Prevent integer overflow in EIA-608 screen buffer reallocation
Jan 1, 2026
64484af
[FIX] Prevent stack buffer overflow in ISDB-CC decoder parse_csi
Jan 1, 2026
e43a6b5
Fix TS Heap Buffer Overflow in copy_payload_to_capbuf (ts_functions.c)
Jan 1, 2026
07f1ddc
Fix capbufsize and capbuflen assignments to use size_t
THE-Amrit-mahto-05 Jan 1, 2026
774c3a0
Update CHANGES.TXT
THE-Amrit-mahto-05 Jan 1, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions docs/CHANGES.TXT
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@
- Fix: 32-bit build failures on i686 and armv7l architectures
- Fix: Legacy command-line argument compatibility (-1, -2, -12, --sc, --svc)
- Fix: Prevent heap buffer overflow in Teletext processing (security fix)
- Fix: Prevent integer overflow leading to heap buffer overflow in Transport Stream handling (security fix)
- Fix: Lazy OCR initialization - only initialize when first DVB subtitle is encountered
- Build: Optimized Windows CI workflow for faster builds
- Fix: Updated GUI with version 0.7.1. A blind attempt to fix a hang on start on some Windows.
Expand Down
28 changes: 24 additions & 4 deletions src/lib_ccx/ccx_decoders_608.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -316,10 +316,20 @@ int write_cc_buffer(ccx_decoder_608_context *context, struct cc_subtitle *sub)

if (!data->empty && context->output_format != CCX_OF_NULL)
{
struct eia608_screen *new_data = (struct eia608_screen *)realloc(sub->data, (sub->nb_data + 1) * sizeof(*data));
size_t new_size;

if (sub->nb_data + 1 > SIZE_MAX / sizeof(struct eia608_screen))
{
ccx_common_logging.log_ftn("Too many screens, cannot allocate more memory.\n");
return 0;
}

new_size = (sub->nb_data + 1) * sizeof(struct eia608_screen);

struct eia608_screen *new_data = (struct eia608_screen *)realloc(sub->data, new_size);
if (!new_data)
{
ccx_common_logging.log_ftn("No Memory left");
ccx_common_logging.log_ftn("Out of memory while reallocating screen buffer\n");
return 0;
}
sub->data = new_data;
Expand Down Expand Up @@ -386,10 +396,20 @@ int write_cc_line(ccx_decoder_608_context *context, struct cc_subtitle *sub)

if (!data->empty)
{
struct eia608_screen *new_data = (struct eia608_screen *)realloc(sub->data, (sub->nb_data + 1) * sizeof(*data));
size_t new_size;

if (sub->nb_data + 1 > SIZE_MAX / sizeof(struct eia608_screen))
{
ccx_common_logging.log_ftn("Too many screens, cannot allocate more memory.\n");
return 0;
}

new_size = (sub->nb_data + 1) * sizeof(struct eia608_screen);

struct eia608_screen *new_data = (struct eia608_screen *)realloc(sub->data, new_size);
if (!new_data)
{
ccx_common_logging.log_ftn("No Memory left");
ccx_common_logging.log_ftn("Out of memory while reallocating screen buffer\n");
return 0;
}
sub->data = new_data;
Expand Down
7 changes: 4 additions & 3 deletions src/lib_ccx/ccx_decoders_isdb.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -724,16 +724,17 @@ static int parse_csi(ISDBSubContext *ctx, const uint8_t *buf, int len)
// Copy buf in arg
for (i = 0; *buf != 0x20; i++)
{
if (i >= (sizeof(arg)) + 1)
if (i >= sizeof(arg) - 1)
{
isdb_log("UnExpected CSI %d >= %d", sizeof(arg) + 1, i);
isdb_log("UnExpected CSI: too long");
break;
}
arg[i] = *buf;
buf++;
}
/* ignore terminating 0x20 character */
arg[i] = *buf++;
if (i < sizeof(arg))
arg[i] = *buf++;

switch (*buf)
{
Expand Down
16 changes: 10 additions & 6 deletions src/lib_ccx/ts_functions.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -670,7 +670,6 @@ void cinfo_cremation(struct ccx_demuxer *ctx, struct demuxer_data **data)

int copy_payload_to_capbuf(struct cap_info *cinfo, struct ts_payload *payload)
{
int newcapbuflen;

if (cinfo->ignore == CCX_TRUE &&
((cinfo->stream != CCX_STREAM_TYPE_VIDEO_MPEG2 &&
Expand All @@ -696,17 +695,22 @@ int copy_payload_to_capbuf(struct cap_info *cinfo, struct ts_payload *payload)
}

// copy payload to capbuf
newcapbuflen = cinfo->capbuflen + payload->length;
if (newcapbuflen > cinfo->capbufsize)
if (payload->length > INT64_MAX - cinfo->capbuflen)
{
unsigned char *new_capbuf = (unsigned char *)realloc(cinfo->capbuf, newcapbuflen);
mprint("Error: capbuf size overflow\n");
return -1;
}
int64_t newcapbuflen = (int64_t)cinfo->capbuflen + payload->length;
if (newcapbuflen > (int64_t)cinfo->capbufsize)
{
unsigned char *new_capbuf = (unsigned char *)realloc(cinfo->capbuf, (size_t)newcapbuflen);
if (!new_capbuf)
return -1;
cinfo->capbuf = new_capbuf;
cinfo->capbufsize = newcapbuflen;
cinfo->capbufsize = newcapbuflen; // Note: capbufsize is int in struct cap_info
}
memcpy(cinfo->capbuf + cinfo->capbuflen, payload->start, payload->length);
cinfo->capbuflen = newcapbuflen;
cinfo->capbuflen = newcapbuflen; // Note: capbuflen is int in struct cap_info

return CCX_OK;
}
Expand Down
Loading