Project

General

Profile

Actions
Copy link

Bug #1190

closed

Infinite Loop in JPEG Segment Parser TEM Marker

Added by Jörg Riesmeier 4 days ago. Updated 2 days ago.

Status:
Closed
Priority:
Normal
Assignee:
Jörg Riesmeier
Category:
Library
Target version:
3.7.1
Start date:
2026-03-10
Due date:
% Done:

100%

Estimated time:
1:00 h
Module:
dcmjpeg
Operating System:
Compiler:

Description

Received by email from the IN-CYPHER OSS Security Team (2026-03-09):

Subject: IC-DCMTK-0004 Infinite Loop in JPEG Segment Parser TEM Marker
Version: DCMTK master 418274445 (DCMTK-3.7.0+64)
CWE: CWE-835 (Loop with Unreachable Exit Condition)

This report describes a infinite loop in
DJCodecDecoder::scanJpegDataForBitDepth() at djcodecd.cc:852. The
function's JPEG marker parsing loop handles over 30 marker types, with
each case advancing the parsing offset -- except the TEM marker
(0xFF01), whose case contains only a break without incrementing the
offset. This causes the parser to re-read the same TEM marker
indefinitely, consuming 100% CPU with no timeout or iteration limit. A
526-byte DICOM file with a JPEG stream containing a TEM marker triggers
this hang. The fix is a single line: adding offset += 2; before the
break.

Please find the detailed report, proof-of-concept, and sanitizer output
in the attachments.

Files

Download all files
IC-DCMTK-0004_poc.dcm (526 Bytes) IC-DCMTK-0004_poc.dcm Jörg Riesmeier, 2026-03-10 19:21
IC-DCMTK-0004_crash_output.txt (913 Bytes) IC-DCMTK-0004_crash_output.txt Jörg Riesmeier, 2026-03-10 19:21
IC-DCMTK-0004_REPORT.md (2.86 KB) IC-DCMTK-0004_REPORT.md Jörg Riesmeier, 2026-03-10 19:21
Actions
Copy link

Also available in: Atom PDF