Critical DTVCC (CEA-708) Structural Type Confusion / OOB Write #1961

@THE-Amrit-mahto-05

Description

While parsing DTVCC (CEA-708) streams, the decoder can encounter a structural type confusion due to mismatched constants for rows/columns. This leads to:

  • Out-of-bounds writes to window->rows and window->pen_attribs
  • Heap buffer over-reads
  • Potential information leak or remote code execution primitive on malformed streams

Affected Code

src/lib_ccx/ccx_decoders_708.c

Functions:

  • dtvcc_window_copy_to_screen()
  • dtvcc_process_character()
  • dtvcc_handle_DFx_DefineWindow()
  • dtvcc_handle_SPL_SetPenLocation()

Steps to Reproduce

  • Create a DTVCC stream with a window definition exceeding 15 rows or 64 columns (or maliciously set pen positions).
  • Pass it to CCExtractor.
  • Observe OOB access / crashes in memory tools (like AddressSanitizer).

Impact

  • Deterministic crash on malformed streams
  • Heap/stack corruption
  • Potential information leaks

Suggested Fix

  • Clamp window sizes to CCX_DTVCC_MAX_ROWS and CCX_DTVCC_MAX_COLUMNS
  • Validate pen positions before writing
  • Log invalid dimensions instead of writing
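
A sketch of the three suggested checks, added here as an illustration and not taken from the CCExtractor source. The `ex_` names and the simplified window struct are hypothetical, and the limits 15 and 64 are assumed from the reproduction step above as stand-ins for CCX_DTVCC_MAX_ROWS and CCX_DTVCC_MAX_COLUMNS.

```c
#include <stdio.h>
#include <string.h>

/* Assumed limits from the issue text, standing in for
 * CCX_DTVCC_MAX_ROWS / CCX_DTVCC_MAX_COLUMNS. */
#define EX_MAX_ROWS 15
#define EX_MAX_COLS 64

typedef struct { /* hypothetical, simplified window */
    int row_count, col_count, pen_row, pen_col;
    unsigned char rows[EX_MAX_ROWS][EX_MAX_COLS];
} ex_window;

/* Clamp stream-supplied dimensions to the backing array; returns 1 if clamped. */
int ex_define_window(ex_window *w, int rows, int cols)
{
    int r = rows < 1 ? 1 : (rows > EX_MAX_ROWS ? EX_MAX_ROWS : rows);
    int c = cols < 1 ? 1 : (cols > EX_MAX_COLS ? EX_MAX_COLS : cols);
    int clamped = (r != rows || c != cols);
    if (clamped)
        fprintf(stderr, "invalid window %dx%d, clamped to %dx%d\n", rows, cols, r, c);
    memset(w, 0, sizeof *w);
    w->row_count = r;
    w->col_count = c;
    return clamped;
}

/* Reject pen positions outside the defined window; the pen is left unchanged. */
int ex_set_pen_location(ex_window *w, int row, int col)
{
    if (row < 0 || col < 0 || row >= w->row_count || col >= w->col_count) {
        fprintf(stderr, "invalid pen position %d,%d ignored\n", row, col);
        return -1;
    }
    w->pen_row = row;
    w->pen_col = col;
    return 0;
}

/* Re-check at the write site, so an advancing pen cannot run past the row. */
int ex_process_character(ex_window *w, unsigned char ch)
{
    if (w->pen_row < 0 || w->pen_row >= w->row_count ||
        w->pen_col < 0 || w->pen_col >= w->col_count)
        return -1; /* drop the character instead of writing */
    w->rows[w->pen_row][w->pen_col++] = ch;
    return 0;
}
```

The write-site check matters even with the other two in place, because the pen column advances on every character and reaches the row boundary on its own.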
