@THE-Amrit-mahto-05
Contributor

In raising this pull request, I confirm the following (please check boxes):

  • I have read and understood the contributors guide.
  • I have checked that another pull request for this purpose does not exist.
  • I have considered, and confirmed that this submission will be valuable to others.
  • I accept that this submission may not be used, and the pull request closed at the will of the maintainer.
  • I give this submission freely, and claim no ownership to its content.
  • I have mentioned this change in the changelog.

My familiarity with the project is as follows (check one):

  • I have never used CCExtractor.
  • I have used CCExtractor just a couple of times.
  • I absolutely love CCExtractor, but have not contributed previously.
  • I am an active contributor to CCExtractor.

Description

This change addresses multiple robustness and security issues in the CEA-608 and CEA-708 caption decoders.
The issues were triggered by malformed or truncated caption streams and could lead to out-of-bounds memory access or decoder desynchronization.

These issues did not appear to be previously reported.

Issues Identified

  1. CEA-608 Decoder — Out-of-Bounds Write

File: src/lib_ccx/ccx_decoders_608.c

  • write_char() could write to the screen buffer without validating cursor_row and cursor_column.
  • delete_to_end_of_row() could access invalid rows if cursor state became inconsistent.
  • Malformed input could desynchronize cursor state and cause memory corruption.

Impact:
Potential out-of-bounds write → memory corruption and crashes.

  2. CEA-708 Decoder — Out-of-Bounds Read (EXT1, P16)

File: src/lib_ccx/ccx_decoders_708.c

  • dtvcc_handle_extended_char() assumed at least one byte of data was available.
  • dtvcc_handle_C0() processed P16 commands without verifying sufficient remaining data.
  • Malformed packets could cause 1-byte heap buffer over-reads.

Impact:
Out-of-bounds read → crashes or processing of garbage data.

  3. CEA-708 Decoder — Logic Error (Length Propagation)

File: src/lib_ccx/ccx_decoders_708.c

  • dtvcc_process_service_block() passed incorrect remaining lengths to sub-handlers.
  • This amplified OOB read conditions and could desynchronize decoder state.

Impact:
Increased likelihood of OOB reads and incorrect parsing behavior.

Fixes Implemented

CEA-608 Decoder

  • Added strict bounds checks for cursor_row and cursor_column before writing to screen buffers.
  • Added early exit in delete_to_end_of_row() when cursor row is invalid.

CEA-708 Decoder

  • Added minimum length validation for EXT1 and P16 commands.
  • Fixed remaining-length calculation passed to extended character handlers.
  • Safely skip malformed EXT1 sequences without reading past buffer bounds.
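
The two kinds of check listed in the description above, as an added C example (not code from this pull request or from CCExtractor): a cursor-validated write into a 15x32 CEA-608 grid, and a CEA-708 C0 walker that measures the remaining length from the current byte before consuming EXT1 or P16. The names `struct screen`, `screen_put`, `c0_command_len` and `walk_block` are hypothetical, and treating every byte above 0x1F as a single-byte code is a simplification.

```c
#include <stddef.h>
#include <stdint.h>

#define ROWS 15 /* CEA-608 caption grid: 15 rows of 32 columns */
#define COLS 32

struct screen { char cells[ROWS][COLS]; int row, col; }; /* hypothetical */

/* 608: refuse the write when the cursor is outside the grid. */
static int screen_put(struct screen *s, char c)
{
    if (s->row < 0 || s->row >= ROWS || s->col < 0 || s->col >= COLS)
        return 0; /* desynchronized cursor: drop the character */
    s->cells[s->row][s->col] = c;
    if (s->col < COLS - 1)
        s->col++;
    return 1;
}

/* 708: total size of a C0 command. 0x00-0x0F take 1 byte, 0x10-0x17
 * (EXT1 is 0x10) take 2, 0x18-0x1F (P16 is 0x18) take 3. */
static size_t c0_command_len(uint8_t code)
{
    return code <= 0x0F ? 1 : code <= 0x17 ? 2 : 3;
}

/* Walk a service block, counting complete C0 commands. Bytes above 0x1F
 * are treated as single-byte codes, a simplification for this example. */
static int walk_block(const uint8_t *block, size_t len, int *truncated)
{
    int complete = 0;
    size_t i = 0;

    *truncated = 0;
    while (i < len) {
        size_t remaining = len - i; /* counted from the current byte */
        size_t need = block[i] <= 0x1F ? c0_command_len(block[i]) : 1;

        if (need > remaining) { /* EXT1/P16 cut short: do not read on */
            *truncated = 1;
            break;
        }
        if (block[i] <= 0x1F)
            complete++;
        i += need;
    }
    return complete;
}
```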

@ccextractor-bot
Collaborator

CCExtractor CI platform finished running the test files on linux. Below is a summary of the test results, when compared to test for commit dfaebd5...:
Report Name | Tests Passed
Broken | 13/13
CEA-708 | 14/14
DVB | 6/7
DVD | 3/3
DVR-MS | 2/2
General | 27/27
Hardsubx | 1/1
Hauppage | 3/3
MP4 | 3/3
NoCC | 10/10
Options | 86/86
Teletext | 21/21
WTV | 13/13
XDS | 34/34

Your PR breaks these cases:

  • ccextractor --autoprogram --out=srt --latin1 --quant 0 85271be4d2...

Congratulations: Merging this PR would fix the following tests:

  • ccextractor --autoprogram --out=ttxt --latin1 --ucla dab1c1bd65..., Last passed: Never
  • ccextractor --out=srt --latin1 --autoprogram 29e5ffd34b..., Last passed: Never
  • ccextractor --startcreditstext "CCextractor Start crdit Testing" c4dd893cb9..., Last passed: Never
  • ccextractor --startcreditsnotbefore 1 --startcreditstext "CCextractor Start crdit Testing" c4dd893cb9..., Last passed: Never
  • ccextractor --startcreditsnotafter 2 --startcreditstext "CCextractor Start crdit Testing" c4dd893cb9..., Last passed: Never
  • ccextractor --startcreditsforatleast 1 --startcreditstext "CCextractor Start crdit Testing" c4dd893cb9..., Last passed: Never
  • ccextractor --startcreditsforatmost 2 --startcreditstext "CCextractor Start crdit Testing" c4dd893cb9..., Last passed: Never

It seems that not all tests were passed completely. This is an indication that the output of some files is not as expected (but might be according to you).

Check the result page for more info.

@ccextractor-bot
Collaborator

CCExtractor CI platform finished running the test files on windows. Below is a summary of the test results, when compared to test for commit dfaebd5...:
Report Name | Tests Passed
Broken | 13/13
CEA-708 | 14/14
DVB | 7/7
DVD | 3/3
DVR-MS | 2/2
General | 27/27
Hardsubx | 1/1
Hauppage | 3/3
MP4 | 3/3
NoCC | 10/10
Options | 86/86
Teletext | 21/21
WTV | 13/13
XDS | 34/34

Congratulations: Merging this PR would fix the following tests:

  • ccextractor --autoprogram --out=srt --latin1 --quant 0 85271be4d2..., Last passed: Never
  • ccextractor --autoprogram --out=ttxt --latin1 --ucla dab1c1bd65..., Last passed: Never
  • ccextractor --out=srt --latin1 --autoprogram 29e5ffd34b..., Last passed: Never
  • ccextractor --out=spupng c83f765c66..., Last passed: Never
  • ccextractor --startcreditstext "CCextractor Start crdit Testing" c4dd893cb9..., Last passed: Never
  • ccextractor --startcreditsnotbefore 1 --startcreditstext "CCextractor Start crdit Testing" c4dd893cb9..., Last passed: Never
  • ccextractor --startcreditsnotafter 2 --startcreditstext "CCextractor Start crdit Testing" c4dd893cb9..., Last passed: Never
  • ccextractor --startcreditsforatleast 1 --startcreditstext "CCextractor Start crdit Testing" c4dd893cb9..., Last passed: Never
  • ccextractor --startcreditsforatmost 2 --startcreditstext "CCextractor Start crdit Testing" c4dd893cb9..., Last passed: Never

All tests passed completely.

Check the result page for more info.

@THE-Amrit-mahto-05
Contributor Author

@cfsmp3 please review this PR

@cfsmp3 cfsmp3 merged commit dc94616 into CCExtractor:master Jan 5, 2026
22 of 23 checks passed