Bug #1189: Double-Free in DcmJSONReader via decodeBase64() - DCMTK - OFFIS DCMTK and DICOM Projects

Actions

Copy link

Bug #1189

closed

Double-Free in DcmJSONReader via decodeBase64()

Added by Jörg Riesmeier 1 day ago. Updated about 5 hours ago.

Status:

Closed

Priority:

Normal

Assignee:

Category:

Library

Target version:

3.7.1

Start date:

2026-03-09

Due date:

% Done:

100%

Estimated time:

2:00 h

Module:

ofstd, dcmdata

Operating System:

Compiler:

Description

Received by email from the IN-CYPHER OSS Security Team (2026-03-09):

Subject: IC-DCMTK-0002: Double-Free in DcmJSONReader via decodeBase64()
Version: DCMTK master 418274445 (DCMTK-3.7.0+64)
CWE: CWE-415 (Double Free)

This report details a double-free vulnerability in
the JSON DICOM reader's inlineBinary processing path. When
OFStandard::decodeBase64() receives invalid base64 input containing
fewer than 4 valid characters, it internally frees the allocated output
buffer at ofstd.cc:1892 but does not nullify the pointer. The calling
code in parseElement() at dcjsonrd.cc:752 then unconditionally executes
delete[] data, freeing the same memory a second time. A 43-byte JSON
input with a single-character base64 value triggers this heap
corruption.

Please find the detailed report, proof-of-concept, and sanitizer output
in the attachments.

Files

Download all files

IC-DCMTK-0002_poc.json (43 Bytes) IC-DCMTK-0002_poc.json		Jörg Riesmeier, 2026-03-09 16:54
IC-DCMTK-0002_crash_output.txt (2.77 KB) IC-DCMTK-0002_crash_output.txt		Jörg Riesmeier, 2026-03-09 16:54
IC-DCMTK-0002_REPORT.md (3.54 KB) IC-DCMTK-0002_REPORT.md		Jörg Riesmeier, 2026-03-09 16:54

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

DCMTK

Bug #1189

Double-Free in DcmJSONReader via decodeBase64()

Updated by Jörg Riesmeier 1 day ago

Updated by Jörg Riesmeier about 18 hours ago

Updated by Jörg Riesmeier about 5 hours ago

Updated by Jörg Riesmeier about 5 hours ago