Description
Summary
There is a heap buffer overflow vulnerability in the Teletext demux path
in src/lib_ccx/ts_functions.c, function copy_capbuf_demux_data.
Details
When processing Teletext data (CCX_CODEC_TELETEXT), the code copies
cinfo->capbuf into ptr->buffer without verifying that there is enough
space remaining in the destination buffer (BUFSIZE):
    memcpy(ptr->buffer + ptr->len, cinfo->capbuf, cinfo->capbuflen);

If capbuflen exceeds the remaining buffer space, this results in a write
past the end of the heap buffer.
The generic PES/DVB path in the same function performs a bounds check,
but the Teletext path was missing this validation.
Impact
- Heap buffer overflow
- Memory corruption
- Crash on malformed or oversized Teletext input
Proposed Fix
Add a bounds check before copying Teletext data, similar to the generic path:
    if (cinfo->capbuflen > BUFSIZE - ptr->len) {
        fatal(...);
    }

I have prepared a PR that adds this check.
Environment
Affected file: src/lib_ccx/ts_functions.c
Function: copy_capbuf_demux_data
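
The check proposed above, as a standalone added example (not code from the issue or from the project). The struct, the return codes, the 64-byte DEMO_BUFSIZE and the use of size_t for the lengths are assumptions made for illustration; the sample data is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DEMO_BUFSIZE 64u /* constructed; the real BUFSIZE is defined by the project */

/* Hypothetical stand-in for the demux destination (ptr->buffer / ptr->len). */
struct demo_dst {
    unsigned char buffer[DEMO_BUFSIZE];
    size_t len; /* bytes already stored */
};

enum append_rc { APPEND_OK = 0, APPEND_BAD_STATE = -1, APPEND_TOO_BIG = -2 };

/*
 * Append srclen bytes, refusing any copy that would pass the end of buffer.
 * The comparison is written as srclen > SIZE - len (the form in the proposed
 * fix) rather than len + srclen > SIZE, because with unsigned lengths the sum
 * can wrap for a huge srclen and then pass the check.
 */
static enum append_rc checked_append(struct demo_dst *dst,
                                     const unsigned char *src, size_t srclen)
{
    if (dst->len > DEMO_BUFSIZE)          /* invariant already broken */
        return APPEND_BAD_STATE;
    if (srclen > DEMO_BUFSIZE - dst->len) /* not enough room left */
        return APPEND_TOO_BIG;
    if (srclen != 0)
        memcpy(dst->buffer + dst->len, src, srclen);
    dst->len += srclen;
    return APPEND_OK;
}

/* Constructed scenario: store 48 of 64 bytes, then offer 16, 1 and SIZE_MAX. */
static int demo_run(void)
{
    struct demo_dst d = { {0}, 0 };
    unsigned char chunk[48];
    memset(chunk, 0xAA, sizeof chunk);

    if (checked_append(&d, chunk, 48) != APPEND_OK) return 1;
    if (checked_append(&d, chunk, 16) != APPEND_OK) return 2;      /* exactly fills */
    if (checked_append(&d, chunk, 1) != APPEND_TOO_BIG) return 3;  /* one byte over */
    if (checked_append(&d, chunk, SIZE_MAX) != APPEND_TOO_BIG) return 4; /* sum would wrap */
    d.len = DEMO_BUFSIZE + 1;                                      /* corrupted state */
    if (checked_append(&d, chunk, 0) != APPEND_BAD_STATE) return 5;
    return 0;
}
```

Returning an error code instead of calling fatal() is a choice made for this example so the rejected cases can be tested; a rejected append leaves both the buffer and the stored length unchanged.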