Bug #1195 » IC-DCMTK-0007_REPORT.md
# IC-DCMTK-0007: Heap OOB Read via PersonName Path in DcmJSONReader
Version: DCMTK master 418274445 (DCMTK-3.7.0+64)
CWE: CWE-125 (Out-of-bounds Read)
## Description
A heap buffer overflow (out-of-bounds read) exists in DcmJSONReader::getTokenContent() (dcmdata/libsrc/dcjsonrd.cc:221), reached through the PersonName ("PN") processing path in parseElementValueArray() at line 1022. This is a distinct call site from IC-DCMTK-0006 -- a fix that only addresses the parseElement() call sites (lines 604, 642) would miss this independently reachable path.
The bug is triggered when stopOnErrorPolicy_ is OFFalse (i.e., json2dcm --ignore-errors). JSMN's two-pass tokenizer counts tokens in pass 1 without bracket-match validation, then fails in pass 2 when it detects a bracket mismatch, returning JSMN_ERROR_INVAL. The already-allocated token array contains partially-initialized tokens with end=-1. When --ignore-errors swallows this error at line 1204, parsing continues with corrupted tokens.
When parseElementValueArray() processes a PersonName value array entry using one of these corrupted tokens, getTokenContent() computes size = end - start = -1 - 37 = -38 and accesses jsonDataset_[-1], reading 1 byte before the heap allocation:
```cpp
// dcjsonrd.cc:1018-1025
if (newElem->ident() == EVR_PN)
{
    OFString tokenValue;
    getTokenContent(tokenValue, current); // LINE 1022: corrupted token
    // t->end == -1, so size = -1 - start → negative
    // → accesses jsonDataset_[start + size] → heap-buffer-overflow
}
```
## Reproduction
```sh
echo -n '{"00100010":{"vr":"PN","Value":[null,{[}]}}}' > poc.json
export DCMDICTPATH=/path/to/dcmtk/dcmdata/data/dicom.dic
./bin/json2dcm --ignore-errors poc.json /dev/null
```
Actual output:
```text
E: parse error in JSON file
=================================================================
==2185611==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7c3ff6f54d4f at pc 0x55555578760c bp 0x7fffffffbd60 sp 0x7fffffffbd58
READ of size 1 at 0x7c3ff6f54d4f thread T0
    #0 0x55555578760b in DcmJSONReader::getTokenContent(OFString&, jsmntok*) dcmdata/libsrc/dcjsonrd.cc:221:14
    #1 0x55555579aafd in DcmJSONReader::parseElementValueArray(DcmElement*&, jsmntok*&) dcmdata/libsrc/dcjsonrd.cc:1022:13
    #2 0x55555579405b in DcmJSONReader::parseElement(DcmItem*, DcmItem*, jsmntok*&) dcmdata/libsrc/dcjsonrd.cc:784:22
    #3 0x555555797e03 in DcmJSONReader::parseDataSet(DcmItem*, DcmItem*, jsmntok*&) dcmdata/libsrc/dcjsonrd.cc:923:18
    #4 0x5555557a19c7 in DcmJSONReader::readAndConvertJSONFile(DcmFileFormat&, char const*) dcmdata/libsrc/dcjsonrd.cc:1279:18
    #5 0x55555571339b in main dcmdata/apps/json2dcm.cc:435:25

0x7c3ff6f54d4f is located 1 bytes before 45-byte region [0x7c3ff6f54d50,0x7c3ff6f54d7d)
allocated by thread T0 here:
    #0 0x55555570c4dd in operator new[](unsigned long, std::nothrow_t const&) (build-asan/bin/json2dcm+0x1b84dd)
    #1 0x5555557859ed in DcmJSONReader::readJSONFile(char const*) dcmdata/libsrc/dcjsonrd.cc:95:24
    #2 0x55555579f4c5 in DcmJSONReader::readAndConvertJSONFile(DcmFileFormat&, char const*) dcmdata/libsrc/dcjsonrd.cc:1195:23
    #3 0x55555571339b in main dcmdata/apps/json2dcm.cc:435:25

SUMMARY: AddressSanitizer: heap-buffer-overflow dcmdata/libsrc/dcjsonrd.cc:221:14 in DcmJSONReader::getTokenContent(OFString&, jsmntok*)
==2185611==ABORTING
```
## Fix
Add bounds validation in getTokenContent() to reject tokens whose boundaries extend beyond the JSON input buffer:
```cpp
void DcmJSONReader::getTokenContent(OFString& value, OFJsmnTokenPtr t)
{
    int size = t->end - t->start;
    // Reject tokens the failed second jsmn pass left unfinalised (end == -1),
    // inverted ranges (end < start), and boundaries at or past the end of the
    // JSON input buffer. Without this, size goes negative and start + size
    // indexes in front of the heap allocation.
    if (t->start < 0 || t->end < 0 || size < 0 || t->start + size < 0 ||
        static_cast<size_t>(t->start + size) >= jsonDatasetLen_)
    {
        value = "";
        return;
    }
    // Temporarily NUL-terminate the token in place, copy it out, then restore
    // the original byte so the buffer is unchanged for later tokens.
    char c = jsonDataset_[t->start+size];
    jsonDataset_[t->start+size] = '\0';
    value = jsonDataset_ + t->start;
    jsonDataset_[t->start+size] = c;
}
```
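As an added stand-alone model of the check above (example code, not DCMTK's own), the following reproduces the token shape that the `--ignore-errors` path leaves behind (`end == -1`) against the PoC bytes from the Reproduction section, and shows the bounds-checked extraction returning an empty value instead of indexing in front of the buffer. `Tok`, `tokenInBounds()` and `tokenContent()` are hypothetical names standing in for `jsmntok` and `getTokenContent()`.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <string>

// Minimal stand-in for jsmntok: only the fields the bounds check looks at.
struct Tok { int start; int end; };

// True when [start, end) lies inside a buffer of 'len' bytes and the token
// was actually finalised (jsmn's failed second pass leaves end == -1).
bool tokenInBounds(const Tok& t, std::size_t len)
{
    if (t.start < 0 || t.end < 0) return false;               // unfinalised
    if (t.end < t.start) return false;                        // inverted range
    if (static_cast<std::size_t>(t.end) >= len) return false; // past the buffer
    return true;
}

// Bounds-checked extraction mirroring the fixed getTokenContent(); it copies
// the slice rather than NUL-terminating the buffer in place.
std::string tokenContent(const char* buf, std::size_t len, const Tok& t)
{
    if (!tokenInBounds(t, len)) return std::string();
    return std::string(buf + t.start, buf + t.end);
}

// The PoC input from the report, constructed here as a literal. strlen() is 44;
// the 45-byte region in the ASan report is that plus the terminator.
const char* const kPoc = "{\"00100010\":{\"vr\":\"PN\",\"Value\":[null,{[}]}}}";

// Token as left by the aborted second jsmn pass: start written, end never set.
// Unchecked, size = -1 - 37 = -38 and start + size = -1, one byte before the heap block.
const Tok kCorrupted = { 37, -1 };
// A properly finalised string token: "PN" with the quotes excluded.
const Tok kValid = { 19, 21 };

int main()
{
    const std::size_t len = std::strlen(kPoc);
    std::printf("corrupted token in bounds: %s\n", tokenInBounds(kCorrupted, len) ? "yes" : "no");
    std::printf("corrupted token content:   \"%s\"\n", tokenContent(kPoc, len, kCorrupted).c_str());
    std::printf("valid token content:       \"%s\"\n", tokenContent(kPoc, len, kValid).c_str());
    return 0;
}
```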