Bug #1193

closed

Heap OOB Read in DcmJSONReader getTokenContent

Added by Jörg Riesmeier 21 days ago. Updated about 19 hours ago.

Status: Closed
Priority: Normal
Category: Library
Target version:
Start date: 2026-03-10
Due date:
% Done: 100%
Estimated time: 1:00 h
Module: dcmdata
Operating System:
Compiler:

Description

Received by email from the IN-CYPHER OSS Security Team (2026-03-09):

Subject: IC-DCMTK-0006 Heap OOB Read in DcmJSONReader getTokenContent
Version: DCMTK master 418274445 (DCMTK-3.7.0+64)
CWE: CWE-122 (Heap-based Buffer Overflow)

This report details a heap buffer overflow in `DcmJSONReader::getTokenContent()` at `dcjsonrd.cc:221`.
The JSMN tokenizer's two-pass parsing mechanism can produce a sentinel token (with `start=INT_MAX, end=INT_MAX`)
when the code reads past the allocated token array. The `getTokenContent()` function uses these unvalidated
position fields to index into the JSON input buffer, causing out-of-bounds heap reads and writes. A malformed
JSON input as small as 8 bytes triggers this vulnerability without requiring any special flags — the default
`json2dcm` invocation crashes immediately.

Please find the detailed report, proof-of-concept, and sanitizer output in the attachments.
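
The report describes two missing checks: a token index that runs past the allocated token array, and token `start`/`end` offsets used to index the JSON buffer without validation. The following C sketch is an added example, not part of the report and not DCMTK's code or its fix; the `tok_t` layout (modelled on jsmn's start/end offsets), the function names and the sample data are assumptions made for illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical token layout modelled on jsmn's start/end offsets; not DCMTK code. */
typedef struct { int start; int end; } tok_t;

/* Returns 1 only if [start, end) lies inside a buffer of json_len bytes. */
static int token_in_bounds(const tok_t *t, size_t json_len)
{
    if (t == NULL || t->start < 0 || t->end < t->start) return 0;
    return (size_t)t->end <= json_len;
}

/* Copies the token text into a fresh NUL-terminated string, or returns NULL
   when the index is outside the token array or the offsets are invalid. */
static char *token_content(const char *json, size_t json_len,
                           const tok_t *toks, size_t ntoks, size_t idx)
{
    if (json == NULL || toks == NULL || idx >= ntoks) return NULL;
    const tok_t *t = &toks[idx];
    if (!token_in_bounds(t, json_len)) return NULL;
    size_t n = (size_t)(t->end - t->start);
    char *out = malloc(n + 1);
    if (out == NULL) return NULL;
    memcpy(out, json + t->start, n);
    out[n] = '\0';
    return out;
}

/* Constructed sample: one valid token and one sentinel-style token. */
static const char sample_json[] = "{\"a\":1}";
static const tok_t sample_toks[] = { {2, 3}, {INT_MAX, INT_MAX} };

int main(void)
{
    size_t len = sizeof sample_json - 1;
    char *ok = token_content(sample_json, len, sample_toks, 2, 0);
    char *bad = token_content(sample_json, len, sample_toks, 2, 1);
    int rc = (ok != NULL && strcmp(ok, "a") == 0 && bad == NULL) ? 0 : 1;
    free(ok);
    return rc;
}
```

Both the index check and the offset check are needed: the first stops a read beyond the token array, the second rejects a sentinel-style token even when it is reached through a valid index.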


Files

IC-DCMTK-0006_crash_output.txt (1.65 KB), Jörg Riesmeier, 2026-03-10 23:46
IC-DCMTK-0006_poc.json (19 Bytes), Jörg Riesmeier, 2026-03-10 23:46
IC-DCMTK-0006_REPORT.md (3.65 KB), Jörg Riesmeier, 2026-03-10 23:46

Related issues 2 (0 open, 2 closed)

Related to DCMTK - Bug #1195: Heap OOB Read via PersonName Path in DcmJSONReader (Closed, Marco Eichelberg, 2026-03-25)
Related to DCMTK - Bug #1196: SEGV via OOB Read in DcmJSONReader getTokenContent (Closed, Marco Eichelberg, 2026-03-25)
