Fix/ts heap overflow #1953
Fix/ts heap overflow #1953
Conversation
cfsmp3
left a comment
cfsmp3
left a comment
There was a problem hiding this comment.
Thanks for working on these security fixes! The overflow checks are a good approach. However, I found an issue that needs to be fixed:
Bug in ts_functions.c
The casts to (int) are incorrect:
cinfo->capbufsize = (int)newcapbuflen; // Note: capbufsize is int in struct cap_info
cinfo->capbuflen = (int)newcapbuflen; // Note: capbuflen is int in struct cap_infoThe struct definition in ccx_demuxer.h shows these fields are actually int64_t:
int64_t capbufsize; // line 59
int64_t capbuflen; // line 61The (int) casts will truncate 64-bit values to 32-bit, which could cause bugs. Please remove the casts:
cinfo->capbufsize = newcapbuflen;
cinfo->capbuflen = newcapbuflen;Missing CHANGES.TXT entry
Please add an entry to docs/CHANGES.TXT documenting these security fixes.
Note about related PRs
Since this PR includes all the commits from #1951 and #1949, I'll close those as superseded once this is merged.
The EIA-608 and ISDB-CC fixes look good! Just need the TS fix corrected.
|
Thanks for the detailed review! I’ve addressed all the requested changes: Removed the incorrect (int) casts and now assign newcapbuflen directly to capbufsize and capbuflen (both int64_t as defined in ccx_demuxer.h). Added the security fix entries to docs/CHANGES.TXT documenting the Teletext and Transport Stream overflow fixes. The remaining checks are currently running. Please let me know if you’d like any further adjustments once CI completes. |
CCExtractor CI platform finished running the test files on linux. Below is a summary of the test results, when compared to test for commit 3529bb2...:
Your PR breaks these cases:
Congratulations: Merging this PR would fix the following tests:
It seems that not all tests were passed completely. This is an indication that the output of some files is not as expected (but might be according to you). Check the result page for more info. |
CCExtractor CI platform finished running the test files on windows. Below is a summary of the test results, when compared to test for commit 3529bb2...:
Your PR breaks these cases:
It seems that not all tests were passed completely. This is an indication that the output of some files is not as expected (but might be according to you). Check the result page for more info. |
cfsmp3
left a comment
cfsmp3
left a comment
There was a problem hiding this comment.
Thanks for the quick fix! The casts are removed and CHANGES.TXT is updated.
Build passes, tests show no regression.
Minor note: The comments still say "capbufsize is int" but the struct uses int64_t - not a blocker, just FYI.
Approving and merging.
|
@THE-Amrit-mahto-05 I've merged this, but TBH, since we're migrating to Rust, I don't think it's worth spending time on these things, particularly if they are purely theoretical problems... |
3 participants
[FIX]
In raising this pull request, I confirm the following (please check boxes):
My familiarity with the project is as follows (check one):
Description
Component: Transport Stream (TS) handling
File: src/lib_ccx/ts_functions.c
Function: copy_payload_to_capbuf
The Problem
The function
copy_payload_to_capbufgrows a capture buffer using:However, there was no check for integer overflow before this addition.
If a very large payload->length is combined with capbuflen, the sum can wrap around, resulting in a very small allocation passed to realloc.
This can cause a heap buffer overflow, potentially crashing the program or corrupting memory.
The Proposed Fix
Impact