Bug #1099

closed

Decoders for compressed images may segfault with very large images

Added by Marco Eichelberg over 1 year ago. Updated over 1 year ago.

Status: Closed
Priority: Normal
Category: Library and Apps
Target version:
Start date: 2023-12-28
Due date:
% Done: 100%
Estimated time:
Module:
Operating System:
Compiler:

Description

The decoders for compressed images in DCMTK apparently do not properly check if the size of a decompressed frame, or, in the case of a multi-frame image, the size of the entire decompressed image is smaller than the maximum possible size for the PixelData attribute (2^32-2 bytes, ~ 4 GBytes). An integer overflow may occur in the calculation of the required element size that leads to an allocation of a small buffer, and in turn to a buffer overflow causing a segfault during the decompression process.

All decompression decoders in DCMTK are affected at least on some platforms:
  • dcmdjpeg (for JPEG)
  • dcmdrle (for RLE)
  • dcmdjpls (for JPEG-LS)
  • dcmdjp2k (for JPEG 2000, in the private DCMJP2K module).

The RLE and JPEG decoders are only affected when compiled as 32-bit code.

This issue is tracked as issue #1090 for the private DCMJP2K module.
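The size calculation described in this report, as an added illustration that is not DCMTK code: a 32-bit product that wraps to a small value, next to a bounded calculation that rejects anything above the 2^32-2 byte PixelData limit. The function names and the sample image dimensions are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Largest PixelData length named in the report: 2^32 - 2 bytes. */
#define MAX_PIXEL_DATA_LEN UINT64_C(0xFFFFFFFE)

/* Unchecked pattern: products are truncated to 32 bits, so a very large
 * image can produce a small "required size". */
uint32_t unchecked_size(uint16_t rows, uint16_t cols, uint16_t samples,
                        uint16_t bytes_per_sample, uint32_t frames)
{
    uint32_t frame = (uint32_t)rows * cols * samples * bytes_per_sample;
    return frame * frames;
}

/* n = n * factor, or false if the product would exceed the limit. */
static bool mul_bounded(uint64_t *n, uint64_t factor)
{
    if (factor != 0 && *n > MAX_PIXEL_DATA_LEN / factor)
        return false;
    *n *= factor;
    return true;
}

/* Checked pattern: widen to 64 bits and test the bound before each multiply. */
bool checked_size(uint16_t rows, uint16_t cols, uint16_t samples,
                  uint16_t bytes_per_sample, uint32_t frames, uint32_t *out)
{
    uint64_t n = rows;
    if (!mul_bounded(&n, cols) || !mul_bounded(&n, samples) ||
        !mul_bounded(&n, bytes_per_sample) || !mul_bounded(&n, frames))
        return false;   /* caller must refuse to decode */
    *out = (uint32_t)n;
    return true;
}

int main(void)
{
    /* Constructed input: 8193 frames of 512 x 512, one 16-bit sample each. */
    uint32_t size = 0;
    printf("unchecked: %u bytes\n", (unsigned)unchecked_size(512, 512, 1, 2, 8193));
    printf("checked:   %s\n",
           checked_size(512, 512, 1, 2, 8193, &size) ? "accepted" : "rejected");
    return 0;
}
```

With the constructed input the true size is 2^32 + 524288 bytes, so the unchecked result equals the size of a single frame while the decoder would write 8193 of them.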
