Bug #1120
closed
Segmentation faults due to incorrect typecast of DcmItem::search() result
Start date: 2024-04-12
Due date:
% Done: 100%
Estimated time: 6:00 h
Module:
Operating System:
Compiler:
Description
DcmItem::search() returns the search result in the form of a stack of pointers to DcmObject instances.
In most cases, the code that performs a search performs a typecast after a successful search.
Apparently, in some places the code does not check the type of the search result before performing the typecast.
This can lead to a segmentation fault if a DICOM object containing elements with incorrect VR is processed.
For example, the attached sample file will cause a segmentation fault when the following command is executed:
dcmpsmk sample.dcm output.dcm
The reason for the segfault is this element in the dataset:
(0028,3010) CS [00] # 2, 1 VOILUTSequence
Code in module dcmpstat will cast the DcmObject * returned by DcmItem::search(), which in fact points to an instance of DcmCodeString, to DcmSequenceOfItems and then call a method of class DcmSequenceOfItems, causing the segfault.
All instances in the toolkit where the result of DcmItem::search() is typecast must perform a check of the class to be cast to, e.g. using DcmObject::ident(). This should be checked in all cases.
Reported 2024-04-08 by Cisco Talos as Security Advisory TALOS-2024-1957.
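The checked downcast the report calls for, as an added example that is not DCMTK code: the classes below are simplified stand-ins named after the ones in the report so the block compiles without the toolkit, and asSequence() and voiLutItemCount() are hypothetical helpers.

```cpp
// Simplified stand-ins for the toolkit classes named in the report
// (assumption: only ident() and card() are modelled; these are not DCMTK headers).
enum DcmEVR { EVR_CS, EVR_SQ };

class DcmObject {
public:
    virtual ~DcmObject() {}
    virtual DcmEVR ident() const = 0;   // reports the concrete element class
};

class DcmCodeString : public DcmObject {
public:
    DcmEVR ident() const override { return EVR_CS; }
};

class DcmSequenceOfItems : public DcmObject {
public:
    explicit DcmSequenceOfItems(unsigned long n) : items_(n) {}
    DcmEVR ident() const override { return EVR_SQ; }
    unsigned long card() const { return items_; }   // number of items
private:
    unsigned long items_;
};

// Hypothetical helper: downcast a search result only after checking its class.
// Returns nullptr for a null pointer or for any element that is not a sequence.
DcmSequenceOfItems *asSequence(DcmObject *obj) {
    if (obj == nullptr || obj->ident() != EVR_SQ) return nullptr;
    return static_cast<DcmSequenceOfItems *>(obj);
}

// Hypothetical caller: a wrong-VR element is handled as malformed input
// instead of being dereferenced as a sequence. Returns -1 in that case.
long voiLutItemCount(DcmObject *searchResult) {
    DcmSequenceOfItems *seq = asSequence(searchResult);
    if (seq == nullptr) return -1;   // e.g. (0028,3010) encoded with VR CS
    return static_cast<long>(seq->card());
}

int main() {
    DcmCodeString bad;            // constructed: VOILUTSequence stored as CS
    DcmSequenceOfItems good(2);   // constructed: well-formed sequence, 2 items
    return (voiLutItemCount(&bad) == -1 && voiLutItemCount(&good) == 2) ? 0 : 1;
}
```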