Bug #1184: Odd-length attribute values with text VR are not always properly null terminated. - DCMTK - OFFIS DCMTK and DICOM Projects

Actions

Copy link

Bug #1184

closed

Odd-length attribute values with text VR are not always properly null terminated.

Added by Marco Eichelberg 15 minutes ago. Updated 13 minutes ago.

Status:

Closed

Priority:

High

Assignee:

Marco Eichelberg

Category:

Library and Apps

Target version:

3.7.0

Start date:

2025-12-02

Due date:

% Done:

100%

Estimated time:

2:00 h

Module:

dcmdata

Operating System:

Compiler:

Description

When a dataset containing an illegal odd-length attribute with a text VR is read from file or received over a network connection,
accessing the attribute value may cause the terminating null byte to be overwritten by a space character (pad byte), causing the string to not be null terminated anymore.
Specifically, this happens in DcmByteString::makeDicomByteString(), which is called by getLength() and write(), for example.

When user code then accesses the attribute value using DcmElement::getString() and passes the char pointer to a C string function such as strlen() or strcpy(), these functions will read past the end of the string and may cause a segmentation fault.

Reported 2025-11-30 by Zou Dikai <zoudikai@outlook.com>, who also provided a proof of concept.

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

DCMTK

Bug #1184

Odd-length attribute values with text VR are not always properly null terminated.

Updated by Marco Eichelberg 13 minutes ago

Updated by Marco Eichelberg 13 minutes ago