Skip to content

prevent heap buffer overflow in Teletext demux path #1934

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
THE-Amrit-mahto-05 wants to merge 1 commit into
base: master
Choose a base branch
from
Open

prevent heap buffer overflow in Teletext demux path #1934

THE-Amrit-mahto-05 wants to merge 1 commit into from
+7 −0

Conversation

@THE-Amrit-mahto-05
Copy link

@THE-Amrit-mahto-05 THE-Amrit-mahto-05 commented Dec 30, 2025
edited
Loading

[FIX] Prevent heap buffer overflow in Teletext demux path

In raising this pull request, I confirm the following (please check boxes):

  • I have read and understood the contributors guide.
  • I have checked that another pull request for this purpose does not exist.
  • I have considered, and confirmed that this submission will be valuable to others.
  • I accept that this submission may not be used, and the pull request closed at the will of the maintainer.
  • I give this submission freely, and claim no ownership to its content.
  • I have mentioned this change in the changelog.

My familiarity with the project is as follows (check one):

  • I have never used CCExtractor.
  • I have used CCExtractor just a couple of times.
  • I absolutely love CCExtractor, but have not contributed previously.
  • I am an active contributor to CCExtractor.

Summary

This pull request fixes a heap buffer overflow in the Teletext demux path
(CCX_CODEC_TELETEXT) in the function copy_capbuf_demux_data
in src/lib_ccx/ts_functions.c.

Details

Previously, the code copied cinfo->capbuf into the destination buffer
without verifying that there was enough space remaining:

memcpy(ptr->buffer + ptr->len, cinfo->capbuf, cinfo->capbuflen);

If capbuflen exceeded the remaining buffer space, this caused a heap
buffer overflow, potentially leading to memory corruption or crash.

The generic PES/DVB path already performed a bounds check, but the
Teletext path was missing this validation.

Fix
A bou
nds check is added before copying the Teletext data:

if (cinfo->capbuflen > BUFSIZE - ptr->len) {
    fatal(CCX_COMMON_EXIT_BUG_BUG,
          "Teletext packet (%ld) larger than remaining buffer (%lld).\n",
          cinfo->capbuflen, BUFSIZE - ptr->len);
}
memcpy(ptr->buffer + ptr->len, cinfo->capbuf, cinfo->capbuflen);
ptr->len += cinfo->capbuflen;

Fixes #1933

@ccextractor-bot
Copy link
Collaborator

ccextractor-bot commented Dec 30, 2025

CCExtractor CI platform finished running the test files on linux. Below is a summary of the test results, when compared to test for commit a9413a2...:
Report Name Tests Passed
Broken 13/13
CEA-708 14/14
DVB 7/7
DVD 3/3
DVR-MS 2/2
General 25/27
Hardsubx 1/1
Hauppage 3/3
MP4 3/3
NoCC 10/10
Options 80/86
Teletext 21/21
WTV 13/13
XDS 34/34

Your PR breaks these cases:

  • ccextractor --autoprogram --out=ttxt --latin1 --ucla dab1c1bd65...
  • ccextractor --out=srt --latin1 --autoprogram 29e5ffd34b...
  • ccextractor --parsePMT --out=srt c83f765c66...
  • ccextractor --startcreditstext "CCextractor Start crdit Testing" c4dd893cb9...
  • ccextractor --startcreditsnotbefore 1 --startcreditstext "CCextractor Start crdit Testing" c4dd893cb9...
  • ccextractor --startcreditsnotafter 2 --startcreditstext "CCextractor Start crdit Testing" c4dd893cb9...
  • ccextractor --startcreditsforatleast 1 --startcreditstext "CCextractor Start crdit Testing" c4dd893cb9...
  • ccextractor --startcreditsforatmost 2 --startcreditstext "CCextractor Start crdit Testing" c4dd893cb9...

It seems that not all tests were passed completely. This is an indication that the output of some files is not as expected (but might be according to you).

Check the result page for more info.

@ccextractor-bot
Copy link
Collaborator

ccextractor-bot commented Dec 30, 2025

CCExtractor CI platform finished running the test files on windows. Below is a summary of the test results, when compared to test for commit a9413a2...:
Report Name Tests Passed
Broken 13/13
CEA-708 14/14
DVB 7/7
DVD 3/3
DVR-MS 2/2
General 27/27
Hardsubx 1/1
Hauppage 3/3
MP4 3/3
NoCC 10/10
Options 86/86
Teletext 21/21
WTV 13/13
XDS 34/34

Congratulations: Merging this PR would fix the following tests:

  • ccextractor --autoprogram --out=srt --latin1 --quant 0 85271be4d2..., Last passed: Never
  • ccextractor --autoprogram --out=ttxt --latin1 --ucla dab1c1bd65..., Last passed: Never
  • ccextractor --out=srt --latin1 --autoprogram 29e5ffd34b..., Last passed: Never
  • ccextractor --out=spupng c83f765c66..., Last passed: Never
  • ccextractor --startcreditstext "CCextractor Start crdit Testing" c4dd893cb9..., Last passed: Never
  • ccextractor --startcreditsnotbefore 1 --startcreditstext "CCextractor Start crdit Testing" c4dd893cb9..., Last passed: Never
  • ccextractor --startcreditsnotafter 2 --startcreditstext "CCextractor Start crdit Testing" c4dd893cb9..., Last passed: Never
  • ccextractor --startcreditsforatleast 1 --startcreditstext "CCextractor Start crdit Testing" c4dd893cb9..., Last passed: Never
  • ccextractor --startcreditsforatmost 2 --startcreditstext "CCextractor Start crdit Testing" c4dd893cb9..., Last passed: Never

All tests passed completely.

Check the result page for more info.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Heap buffer overflow when handling Teletext data in copy_capbuf_demux_data

2 participants

@THE-Amrit-mahto-05 @ccextractor-bot