Bug #1196
SEGV via OOB Read in DcmJSONReader getTokenContent
Status: closed
Description
Received by email from the IN-CYPHER OSS Security Team (2026-03-24):
Subject: IC-DCMTK-0008 SEGV via OOB Read in DcmJSONReader getTokenContent
Version: DCMTK master 418274445 (DCMTK-3.7.0+64)
CWE: CWE-125 (Out-of-bounds Read)

This report describes a SEGV crash in `DcmJSONReader::getTokenContent()`, sharing
the same JSMN two-pass token mismatch root cause as IC-DCMTK-0006 but manifesting
differently. In this variant, the corrupted token offsets compute to addresses that
fall in unmapped virtual memory pages, causing a hard SIGSEGV regardless of sanitizer
instrumentation.

Note: Like IC-DCMTK-0007, our current PoC requires the `--ignore-errors` flag to
reproduce. We have not yet constructed a PoC that bypasses this requirement, but we
report this issue out of caution because the underlying `getTokenContent()` function
lacks bounds validation regardless of the error policy setting. We report this
separately from IC-DCMTK-0006 because without ASan, IC-DCMTK-0006's heap OOB may
silently succeed, while this variant always crashes. A 25-byte malformed JSON input
triggers immediate process termination.
Please find the detailed report, proof-of-concept, and sanitizer output in the
attachments.
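An added defensive illustration, not DCMTK's code and not taken from the reporters' attachments: a bounds check on jsmn-style token offsets before any token content is read, plus a consistency check between the two parse passes so a token count mismatch is rejected up front. The `Token` struct, the function names and the sample JSON are constructed for this example.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Constructed mirror of the two jsmn token fields that matter for bounds
// checking. jsmn initialises start and end to -1 and only fills them in once a
// token is complete, so a parse that stopped early leaves -1 behind.
struct Token {
    int start;  // byte offset of the token's first character
    int end;    // byte offset one past the token's last character
};

// Hypothetical helper: true only if the token addresses bytes inside `json`.
bool tokenInBounds(const std::string& json, const Token& tok)
{
    if (tok.start < 0 || tok.end < 0) return false;            // never completed
    if (tok.start > tok.end) return false;                      // inverted range
    return static_cast<std::size_t>(tok.end) <= json.size();   // would read past buffer
}

// Hardened accessor in the spirit of a getTokenContent()-style function: the
// token text is copied into `out` only after the offsets were validated, so a
// corrupted token cannot steer the read outside the buffer.
bool safeTokenContent(const std::string& json, const Token& tok, std::string& out)
{
    if (!tokenInBounds(json, tok)) return false;
    out.assign(json, static_cast<std::size_t>(tok.start),
               static_cast<std::size_t>(tok.end - tok.start));
    return true;
}

// After a two-pass parse (first pass counts tokens, second pass fills them),
// reject the whole array if the two counts disagree, a count is a negative jsmn
// error code, or any token fails the bounds check. This catches the mismatch
// before any token content is read, whatever the caller's error policy.
bool validateTokenArray(const std::string& json, const std::vector<Token>& tokens,
                        int countFromFirstPass, int countFromSecondPass)
{
    if (countFromFirstPass < 0 || countFromSecondPass < 0) return false;
    if (countFromFirstPass != countFromSecondPass) return false;
    if (static_cast<std::size_t>(countFromSecondPass) > tokens.size()) return false;
    for (int i = 0; i < countFromSecondPass; ++i)
        if (!tokenInBounds(json, tokens[static_cast<std::size_t>(i)])) return false;
    return true;
}
```

A caller that gets `false` from either check should abandon the parse rather than fall back to reading the token, since an `--ignore-errors` style policy is exactly what lets the inconsistent tokens reach the accessor.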
Files