Bug #1195
closed
Heap OOB Read via PersonName Path in DcmJSONReader
100%
Description
Received by email from the IN-CYPHER OSS Security Team (2026-03-24):
Subject: IC-DCMTK-0007 Heap OOB Read via PersonName Path in DcmJSONReader
Version: DCMTK master 418274445 (DCMTK-3.7.0+64)
CWE: CWE-125 (Out-of-bounds Read)

This report describes a heap buffer overflow in
getTokenContent() reached through the PersonName (PN VR) processing path
in parseElementValueArray() at dcjsonrd.cc:1022. While this shares the same
JSMN two-pass root cause as IC-DCMTK-0006, it is reached through a third,
independent call site that a fix addressing only the parseElement() call
sites would miss. This variant requires the --ignore-errors flag (setting
stopOnErrorPolicy_ to OFFalse), which is why we rate it as high rather than
critical. A 44-byte JSON input triggers the out-of-bounds read.

Please find the detailed report, proof-of-concept, and sanitizer output
in the attachments.
Follow-up message:
This bug shares the JSMN two-pass root cause with IC-DCMTK-0006 but is
reached through a third independent call site that a targeted fix would
miss. Our PoC currently requires --ignore-errors; we report it preemptively
since the code path lacks bounds validation regardless of error policy.
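
The report's two points, that a fix applied per call site can miss another path and that bounds validation is needed regardless of error policy, shown as an added C++ example (not DCMTK code and not the reporter's PoC). `Token`, `Result`, `checkedTokenContent`, `collectValues` and `sampleRun` are hypothetical names, `Token` is a stand-in for a JSMN token's start/end offsets, and the JSON string and token offsets are constructed sample data.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Stand-in for a JSMN token: byte offsets into the JSON text. JSMN sets
// start/end to -1 when it allocates a token and fills them in later.
struct Token { int start; int end; };

struct Result {
    std::vector<std::string> values;
    std::size_t rejected = 0;
    bool aborted = false;
};

// The one place token bytes are read: offsets are validated here, so no
// caller can reach the buffer with an unchecked token.
bool checkedTokenContent(const std::string& json, const Token& t, std::string& out) {
    if (t.start < 0 || t.end < t.start) return false;                 // unset or inverted
    if (static_cast<std::size_t>(t.end) > json.size()) return false;  // past the buffer
    out.assign(json, static_cast<std::size_t>(t.start),
               static_cast<std::size_t>(t.end - t.start));
    return true;
}

// stopOnError only decides whether parsing continues after a bad token;
// in neither mode are the bad offsets dereferenced.
Result collectValues(const std::string& json, const std::vector<Token>& toks, bool stopOnError) {
    Result r;
    for (const Token& t : toks) {
        std::string content;
        if (!checkedTokenContent(json, t, content)) {
            ++r.rejected;
            if (stopOnError) { r.aborted = true; break; }
            continue;
        }
        r.values.push_back(content);
    }
    return r;
}

// Constructed input: two valid tokens mixed with three malformed ones.
Result sampleRun(bool stopOnError) {
    const std::string json = "{\"Alphabetic\":\"Doe^John\"}";
    const std::vector<Token> toks = {{2, 12}, {-1, -1}, {15, 23}, {15, 4096}, {23, 15}};
    return collectValues(json, toks, stopOnError);
}

int main() { return sampleRun(false).rejected == 3 ? 0 : 1; }
```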