Bug #1206
closed
Remote Heap Buffer Overflow in dcmqrscp
100%
Description
In the function deleteOldestImages() , an array named StudyArray is allocated on the heap with a fixed size of MAX_NUMBER_OF_IMAGES (defined as 10000 in dcmqridx.h ).
The code then enters an unbounded loop to populate this array by iterating through the index database. There is no bounds check on the counter ( nbimages ) before writing to the array.
If a study contains more than 10000 images and the storage quota ( maxBytesPerStudy , defined in dcmqrscp's configuration file) is exceeded, the function writes past the end of the StudyArray buffer, leading to a buffer overflow on the heap.
Reported 2026-03-29 by DCMTK user 'elp3pinill0'.
Updated by Marco Eichelberg 18 days ago
- Status changed from New to Closed
- % Done changed from 0 to 100
- Estimated time set to 1:00 h
Updated by Marco Eichelberg 16 days ago
This issue was apparently logged twice. See issue 1199: http://support.dcmtk.org/redmine/issues/1199
Updated by Jörg Riesmeier 16 days ago
- Is duplicate of Bug #1199: Security Vulnerability Report: Remote Heap Buffer Overflow in dcmqrscp (deleteOldestImages) added