From 7526da884c42b1877f7186eaaca87b30a51b5672 Mon Sep 17 00:00:00 2001
From: Amrit kumar Mahto
Date: Thu, 1 Jan 2026 23:20:25 +0530
Subject: [PATCH] Prevent integer overflow in EIA-608 screen buffer reallocation
---
 src/lib_ccx/ccx_decoders_608.c | 28 ++++++++++++++++++++++++----
 1 file changed, 24 insertions(+), 4 deletions(-)
diff --git a/src/lib_ccx/ccx_decoders_608.c b/src/lib_ccx/ccx_decoders_608.c
index 37a057e83..c2b0a0aea 100644
--- a/src/lib_ccx/ccx_decoders_608.c
+++ b/src/lib_ccx/ccx_decoders_608.c
@@ -316,10 +316,20 @@ int write_cc_buffer(ccx_decoder_608_context *context, struct cc_subtitle *sub)
 
 if (!data->empty && context->output_format != CCX_OF_NULL)
 {
- struct eia608_screen *new_data = (struct eia608_screen *)realloc(sub->data, (sub->nb_data + 1) * sizeof(*data));
+ size_t new_size;
+
+ if (sub->nb_data + 1 > SIZE_MAX / sizeof(struct eia608_screen))
+ {
+ ccx_common_logging.log_ftn("Too many screens, cannot allocate more memory.\n");
+ return 0;
+ }
+
+ new_size = (sub->nb_data + 1) * sizeof(struct eia608_screen);
+
+ struct eia608_screen *new_data = (struct eia608_screen *)realloc(sub->data, new_size);
 if (!new_data)
 {
- ccx_common_logging.log_ftn("No Memory left");
+ ccx_common_logging.log_ftn("Out of memory while reallocating screen buffer\n");
 return 0;
 }
 sub->data = new_data;
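Review bot: The new guard `sub->nb_data + 1 > SIZE_MAX / sizeof(struct eia608_screen)` performs the `+ 1` in the type of `nb_data`, which is declared outside this hunk. If that type is narrower than `size_t` (an `int` or `unsigned int`), the addition can overflow or wrap before the comparison, and on a 64-bit build the test could then never be true. Comparing the count itself avoids the addition: `if (sub->nb_data >= SIZE_MAX / sizeof(struct eia608_screen))`, followed by `new_size = ((size_t)sub->nb_data + 1) * sizeof(struct eia608_screen);`. The same two lines appear in the write_cc_line hunk at -386. The patch also uses `SIZE_MAX` without adding `#include <stdint.h>`, so confirm that header is already reachable from this file; write_cc_buffer's body starts and ends outside the hunk.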
@@ -386,10 +396,20 @@ int write_cc_line(ccx_decoder_608_context *context, struct cc_subtitle *sub)
 
 if (!data->empty)
 {
- struct eia608_screen *new_data = (struct eia608_screen *)realloc(sub->data, (sub->nb_data + 1) * sizeof(*data));
+ size_t new_size;
+
+ if (sub->nb_data + 1 > SIZE_MAX / sizeof(struct eia608_screen))
+ {
+ ccx_common_logging.log_ftn("Too many screens, cannot allocate more memory.\n");
+ return 0;
+ }
+
+ new_size = (sub->nb_data + 1) * sizeof(struct eia608_screen);
+
+ struct eia608_screen *new_data = (struct eia608_screen *)realloc(sub->data, new_size);
 if (!new_data)
 {
- ccx_common_logging.log_ftn("No Memory left");
+ ccx_common_logging.log_ftn("Out of memory while reallocating screen buffer\n");
 return 0;
 }
 sub->data = new_data;
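Review bot: The bounds check, the `realloc` call and both log messages are now duplicated line for line in write_cc_buffer and write_cc_line, so a later correction to one copy can leave the other with the old size arithmetic. A small `static` helper that owns the check and the reallocation keeps the allocation-size guard in one place, and each call site shrinks to the helper call plus the existing `if (!new_data) return 0;`. The helper name below is only a suggestion. write_cc_line's body starts and ends outside the hunk.

```c
/* Grow sub->data by one eia608_screen; returns NULL (sub->data untouched) on failure. */
static struct eia608_screen *grow_screen_array(struct cc_subtitle *sub)
{
	/* Compare the count itself so that no addition can wrap before the test. */
	if (sub->nb_data >= SIZE_MAX / sizeof(struct eia608_screen))
	{
		ccx_common_logging.log_ftn("Too many screens, cannot allocate more memory.\n");
		return NULL;
	}

	struct eia608_screen *new_data = realloc(sub->data, ((size_t)sub->nb_data + 1) * sizeof(*new_data));
	if (!new_data)
		ccx_common_logging.log_ftn("Out of memory while reallocating screen buffer\n");
	return new_data;
}

/* … unchanged: write_cc_line up to the !data->empty branch … */
		struct eia608_screen *new_data = grow_screen_array(sub);
		if (!new_data)
			return 0;
		sub->data = new_data;
```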