Stack Buffer Overflow in ISDB-CC decoder parse_csi (ccx_decoders_isdb.c)

### Description

A stack buffer overflow exists in the ISDB-CC decoder.

**Component:** ISDB-CC decoder  
**File:** src/lib_ccx/ccx_decoders_isdb.c  
**Function:** parse_csi  

### Problem

The function `parse_csi` uses a small stack buffer `uint8_t arg[10]` to store CSI command arguments.  
The original code had a dangerous off-by-one error:

```c
if (i >= (sizeof(arg)) + 1)
```
This allows writing 11 bytes into a 10-byte buffer, causing a stack buffer overflow.
An attacker or malformed subtitle could crash the program or corrupt memory.

### Proposed Fix

- Corrected the loop boundary:
```c
if (i >= sizeof(arg) - 1)
```
- Added a final bounds check:
```c
if (i < sizeof(arg))
    arg[i] = *buf++;
```
- Improved logging for malformed CSI commands.

### Impact

- Prevents stack memory corruption
- Prevents program crashes
- Keeps normal functionality intact

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Stack Buffer Overflow in ISDB-CC decoder parse_csi (ccx_decoders_isdb.c) #1950

Description

Problem

Proposed Fix

Impact

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Stack Buffer Overflow in ISDB-CC decoder parse_csi (ccx_decoders_isdb.c) #1950

Description

Description

Problem

Proposed Fix

Impact

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions