Bug #1184

closed

Odd-length attribute values with text VR are not always properly null terminated.

Added by Marco Eichelberg 10 minutes ago. Updated 7 minutes ago.

Status: Closed
Priority: High
Category: Library and Apps
Target version:
Start date: 2025-12-02
Due date:
% Done: 100%
Estimated time: 2:00 h
Module: dcmdata
Operating System:
Compiler:

Description

When a dataset containing an illegal odd-length attribute with a text VR is read from file or received over a network connection, accessing the attribute value may cause the terminating null byte to be overwritten by a space character (pad byte), causing the string to not be null terminated anymore.
Specifically, this happens in DcmByteString::makeDicomByteString(), which is called by getLength() and write(), for example.

When user code then accesses the attribute value using DcmElement::getString() and passes the char pointer to a C string function such as strlen() or strcpy(), these functions will read past the end of the string and may cause a segmentation fault.

Reported 2025-11-30 by Zou Dikai, who also provided a proof of concept.
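
A simplified model of the failure mode described above, added here as an illustration; it is not DCMTK source code, the reporter's proof of concept, or the change made in the closing commit. The buffer layout (value bytes plus a single terminating byte) and all names (`Value`, `readValue`, `padInPlace`, `padWithTerminator`, `isTerminated`, `boundedLength`) are assumptions.

```cpp
#include <cstddef>
#include <cstring>
#include <vector>

const char PAD = ' ';  // space pad byte for text VRs, as named in the report

// Assumed model of an element value after reading: 'len' value bytes
// followed by exactly one terminating NUL (capacity = len + 1).
struct Value {
    std::vector<char> buf;  // allocated storage
    std::size_t len;        // value length in bytes
};

Value readValue(const char *bytes, std::size_t n) {
    Value v{std::vector<char>(bytes, bytes + n), n};
    v.buf.push_back('\0');
    return v;
}

// Defective padding: for an odd length the pad byte is written into the
// slot that held the only terminator, so no NUL remains in the buffer.
void padInPlace(Value &v) {
    if (v.len % 2 != 0) {
        v.buf[v.len] = PAD;
        v.len += 1;
    }
}

// One way to keep both bytes: grow the storage so that the pad byte and
// the terminator each have their own slot.
void padWithTerminator(Value &v) {
    if (v.len % 2 != 0) {
        v.buf.resize(v.len + 2);
        v.buf[v.len] = PAD;
        v.buf[v.len + 1] = '\0';
        v.len += 1;
    }
}

// Bounded check for tests: is there a NUL inside the allocation?
bool isTerminated(const Value &v) {
    return std::memchr(v.buf.data(), '\0', v.buf.size()) != nullptr;
}

// Caller-side defence: take the length without scanning past the capacity,
// instead of calling strlen() on a pointer that may lack a terminator.
std::size_t boundedLength(const Value &v) {
    const void *nul = std::memchr(v.buf.data(), '\0', v.buf.size());
    return nul ? static_cast<std::size_t>(static_cast<const char *>(nul) - v.buf.data())
               : v.buf.size();
}
```

`isTerminated()` never reads outside the allocation, so it can serve as a regression check for odd-length text values without relying on a crash to reveal the problem.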

Actions #1

Updated by Marco Eichelberg 8 minutes ago

  • % Done changed from 0 to 100
  • Estimated time set to 2:00 h

Closed by commit #4c0e5c100.

Actions #2

Updated by Marco Eichelberg 7 minutes ago

  • Status changed from New to Closed