Skip to content

Prevent integer overflow in EIA-608 screen buffer reallocation #1949

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
THE-Amrit-mahto-05 wants to merge 1 commit into from
Closed

Prevent integer overflow in EIA-608 screen buffer reallocation #1949

THE-Amrit-mahto-05 wants to merge 1 commit into from

Conversation

@THE-Amrit-mahto-05
Copy link
Contributor

@THE-Amrit-mahto-05 THE-Amrit-mahto-05 commented Jan 1, 2026
edited
Loading

In raising this pull request, I confirm the following (please check boxes):

  • I have read and understood the contributors guide.
  • I have checked that another pull request for this purpose does not exist.
  • I have considered, and confirmed that this submission will be valuable to others.
  • I accept that this submission may not be used, and the pull request closed at the will of the maintainer.
  • I give this submission freely, and claim no ownership to its content.
  • I have mentioned this change in the changelog.

My familiarity with the project is as follows (check one):

  • I absolutely love CCExtractor, but have not contributed previously.
  • I am an active contributor to CCExtractor.

[FIX] Prevent integer overflow in EIA-608 screen buffer allocation

Description

This PR fixes a potential integer overflow in the EIA-608 decoder, which could lead to a heap buffer overflow when processing malformed subtitle input.

Component: EIA-608 decoder
File: src/lib_ccx/ccx_decoders_608.c
Functions: write_cc_buffer, write_cc_line

Problem

The screen buffer was being reallocated using:

(sub->nb_data + 1) * sizeof(struct eia608_screen)

without checking for integer overflow. If sub->nb_data is extremely large (due to a malformed or crafted subtitle), this multiplication could wrap around, causing a tiny buffer allocation and heap overflow on subsequent writes.

Fix

  • Added an overflow guard before allocation:
if (sub->nb_data + 1 > SIZE_MAX / sizeof(struct eia608_screen))
  • Calculated allocation size explicitly using size_t new_size
  • Ensured safe handling of realloc() failure (log error and return safely)

Impact

  • Prevents heap memory corruption
  • Prevents program crashes
  • Keeps normal behavior unchanged

Fixes #1948

@ccextractor-bot
Copy link
Collaborator

ccextractor-bot commented Jan 1, 2026

CCExtractor CI platform finished running the test files on linux. Below is a summary of the test results, when compared to test for commit 3529bb2...:
Report Name Tests Passed
Broken 13/13
CEA-708 14/14
DVB 7/7
DVD 3/3
DVR-MS 2/2
General 25/27
Hardsubx 1/1
Hauppage 3/3
MP4 3/3
NoCC 10/10
Options 81/86
Teletext 21/21
WTV 13/13
XDS 34/34

Your PR breaks these cases:

  • ccextractor --autoprogram --out=ttxt --latin1 --ucla dab1c1bd65...
  • ccextractor --out=srt --latin1 --autoprogram 29e5ffd34b...
  • ccextractor --startcreditstext "CCextractor Start crdit Testing" c4dd893cb9...
  • ccextractor --startcreditsnotbefore 1 --startcreditstext "CCextractor Start crdit Testing" c4dd893cb9...
  • ccextractor --startcreditsnotafter 2 --startcreditstext "CCextractor Start crdit Testing" c4dd893cb9...
  • ccextractor --startcreditsforatleast 1 --startcreditstext "CCextractor Start crdit Testing" c4dd893cb9...
  • ccextractor --startcreditsforatmost 2 --startcreditstext "CCextractor Start crdit Testing" c4dd893cb9...

Congratulations: Merging this PR would fix the following tests:

  • ccextractor --autoprogram --out=srt --latin1 --quant 0 85271be4d2..., Last passed: Never

It seems that not all tests were passed completely. This is an indication that the output of some files is not as expected (but might be according to you).

Check the result page for more info.

@ccextractor-bot
Copy link
Collaborator

ccextractor-bot commented Jan 1, 2026

CCExtractor CI platform finished running the test files on windows. Below is a summary of the test results, when compared to test for commit 3529bb2...:
Report Name Tests Passed
Broken 13/13
CEA-708 14/14
DVB 6/7
DVD 3/3
DVR-MS 2/2
General 25/27
Hardsubx 1/1
Hauppage 3/3
MP4 3/3
NoCC 10/10
Options 80/86
Teletext 21/21
WTV 13/13
XDS 34/34

Your PR breaks these cases:

  • ccextractor --autoprogram --out=srt --latin1 --quant 0 85271be4d2...
  • ccextractor --autoprogram --out=ttxt --latin1 --ucla dab1c1bd65...
  • ccextractor --out=srt --latin1 --autoprogram 29e5ffd34b...
  • ccextractor --out=spupng c83f765c66...
  • ccextractor --startcreditstext "CCextractor Start crdit Testing" c4dd893cb9...
  • ccextractor --startcreditsnotbefore 1 --startcreditstext "CCextractor Start crdit Testing" c4dd893cb9...
  • ccextractor --startcreditsnotafter 2 --startcreditstext "CCextractor Start crdit Testing" c4dd893cb9...
  • ccextractor --startcreditsforatleast 1 --startcreditstext "CCextractor Start crdit Testing" c4dd893cb9...
  • ccextractor --startcreditsforatmost 2 --startcreditstext "CCextractor Start crdit Testing" c4dd893cb9...

It seems that not all tests were passed completely. This is an indication that the output of some files is not as expected (but might be according to you).

Check the result page for more info.

@cfsmp3 cfsmp3 mentioned this pull request Jan 1, 2026
Open
8 tasks
@cfsmp3
Copy link
Contributor

cfsmp3 commented Jan 1, 2026

Closing as superseded by #1953, which includes all the commits from this PR.

@cfsmp3 cfsmp3 closed this Jan 1, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Integer overflow in EIA-608 screen buffer allocation may lead to heap buffer overflow

3 participants

@THE-Amrit-mahto-05 @ccextractor-bot @cfsmp3