Bug #1197: Uninitialized Memory Read in JSMN Token Array - DCMTK - OFFIS DCMTK and DICOM Projects

Actions

Copy link

Bug #1197

closed

Uninitialized Memory Read in JSMN Token Array

Added by Jörg Riesmeier 6 days ago. Updated about 19 hours ago.

Status:

Closed

Priority:

Normal

Assignee:

Marco Eichelberg

Category:

Library

Target version:

3.7.1

Start date:

2026-03-25

Due date:

% Done:

100%

Estimated time:

0:00 h

Module:

dcmdata

Operating System:

Compiler:

Description

Received by email from the IN-CYPHER OSS Security Team (2026-03-24):

Subject: IC-DCMTK-0009 Uninitialized Memory Read in JSMN Token Array
Version: DCMTK master 418274445 (DCMTK-3.7.0+64)
CWE: CWE-908 (Use of Uninitialized Resource)

This report describes a uninitialized memory read in the JSON DICOM reader.
The reserveTokens() function allocates tokenNum+1 JSMN tokens but the memset
at dcjsonrd.cc:200 only initializes the first tokenNum elements. While the
sentinel token's start, end, and size fields are explicitly set, the type
field is left containing heap garbage. When malformed JSON causes the token
pointer to advance into the sentinel position, the uninitialized type field
is read in a switch statement, causing undefined behavior. UBSan confirms
the issue, reporting invalid enum values. A 40-byte PoC triggers this bug.

Please find the detailed report, proof-of-concept, and sanitizer output
in the attachments.

Files

Download all files

IC-DCMTK-0009_crash_output.txt (1.39 KB) IC-DCMTK-0009_crash_output.txt		Jörg Riesmeier, 2026-03-25 10:09
IC-DCMTK-0009_poc.json (40 Bytes) IC-DCMTK-0009_poc.json		Jörg Riesmeier, 2026-03-25 10:09
IC-DCMTK-0009_REPORT.md (2.61 KB) IC-DCMTK-0009_REPORT.md		Jörg Riesmeier, 2026-03-25 10:09

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

DCMTK

Bug #1197

Uninitialized Memory Read in JSMN Token Array

Updated by Jörg Riesmeier 6 days ago

Updated by Marco Eichelberg 2 days ago

Updated by Marco Eichelberg about 19 hours ago