Bug #1193: Heap OOB Read in DcmJSONReader getTokenContent - DCMTK - OFFIS DCMTK and DICOM Projects

Actions

Copy link

Bug #1193

closed

Heap OOB Read in DcmJSONReader getTokenContent

Added by Jörg Riesmeier 21 days ago. Updated about 19 hours ago.

Status:

Closed

Priority:

Normal

Assignee:

Marco Eichelberg

Category:

Library

Target version:

3.7.1

Start date:

2026-03-10

Due date:

% Done:

100%

Estimated time:

1:00 h

Module:

dcmdata

Operating System:

Compiler:

Description

Received by email from the IN-CYPHER OSS Security Team (2026-03-09):

Subject: IC-DCMTK-0006 Heap OOB Read in DcmJSONReader getTokenContent
Version: DCMTK master 418274445 (DCMTK-3.7.0+64)
CWE: CWE-122 (Heap-based Buffer Overflow)

This report details a heap buffer overflow in `DcmJSONReader::getTokenContent()` at `dcjsonrd.cc:221`.
The JSMN tokenizer's two-pass parsing mechanism can produce a sentinel token (with `start=INT_MAX, end=INT_MAX`)
when the code reads past the allocated token array. The `getTokenContent()` function uses these unvalidated
position fields to index into the JSON input buffer, causing out-of-bounds heap reads and writes. A malformed
JSON input as small as 8 bytes triggers this vulnerability without requiring any special flags — the default
`json2dcm` invocation crashes immediately.

Please find the detailed report, proof-of-concept, and sanitizer output in the attachments.

Files

Download all files

IC-DCMTK-0006_crash_output.txt (1.65 KB) IC-DCMTK-0006_crash_output.txt		Jörg Riesmeier, 2026-03-10 23:46
IC-DCMTK-0006_poc.json (19 Bytes) IC-DCMTK-0006_poc.json		Jörg Riesmeier, 2026-03-10 23:46
IC-DCMTK-0006_REPORT.md (3.65 KB) IC-DCMTK-0006_REPORT.md		Jörg Riesmeier, 2026-03-10 23:46