Project

General

Profile

Actions
Copy link

Bug #1099

closed

Decoders for compressed images may segfault with very large images

Added by Marco Eichelberg over 1 year ago. Updated over 1 year ago.

Status:
Closed
Priority:
Normal
Assignee:
Marco Eichelberg
Category:
Library and Apps
Target version:
3.7.1+
Start date:
2023-12-28
Due date:
% Done:

100%

Estimated time:
Module:
Operating System:
Compiler:

Description

The decoders for compressed images in DCMTK apparently do not properly check if the size of a decompressed frame, or, in the case of a multi-frame image, the size of the entire decompressed image is smaller than the maximum possible size for the PixelData attribute (2^32-2 bytes, ~ 4 GBytes). An integer overflow may occur in the calculation of the required element size that leads to an allocation of a small buffer, and in turn to a buffer overflow causing a segfault during the decompression process.

All decompression decoders in DCMTK are affected at least on some platforms:
  • dcmdjpeg (for JPEG)
  • dcmdrle (for RLE)
  • dcmdjpls (for JPEG-LS)
  • dcmdjp2k (for JPEG 2000, in the private DCMJP2K module).

The RLE and JPEG decoder are only affected when compiled as 32-bit code.

This issue is tracked as issue #1090 for the private DCMJP2K module.

Actions
Copy link
 #2

Updated by Marco Eichelberg over 1 year ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100

Fixed by commit #31ff413f9 for the public DCMTK, and by commit #f3446c907 for the private modules.

Actions
Copy link

Also available in: Atom PDF