Bug #1213

closed

RLE decodeFrame() Heap-OOB Read

Added by Marco Eichelberg 2 days ago. Updated about 16 hours ago.

Status: Closed
Priority: Normal
Category: Library and Apps
Target version: -
Start date: 2026-05-23
Due date:
% Done: 100%
Estimated time:
Module: dcmdata
Operating System:
Compiler:

Description

DcmRLECodecDecoder::decodeFrame() (dcmdata/libsrc/dcrleccd.cc:583) calls memcpy(rleHeader, rleData, 64) without validating that the pixel fragment is at least 64 bytes long. The sibling decode() function has this guard at line 193, but decodeFrame() does not. With a crafted 8-byte RLE fragment, ASan confirms a heap-buffer-overflow READ of size 64, leaking up to 56 bytes of adjacent heap memory. This affects all third-party consumers of DcmPixelData::getUncompressedFrame().

The issue can be demonstrated with the attached PoC file: dcm2img -d rle_crash.dcm rle_crash.bmp

Reported 2026-05-19 by Arjun Basnet, Senior Security Researcher, Securin.


Files

rle_crash.dcm (682 Bytes) - PoC file, Marco Eichelberg, 2026-05-23 18:02
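
The missing length check described above, written as a stand-alone header reader; this is an added example, not DCMTK code and not the fix in the referenced commit. readRleHeader, the status enum and the sample fragment are hypothetical, and the segment-count and offset checks go beyond the guard the ticket describes (they follow the DICOM RLE header layout of sixteen little-endian 32-bit words).

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

// DICOM RLE header: 16 little-endian uint32 values = 64 bytes.
// Word 0 is the segment count (1..15), words 1..15 are segment offsets.
static const size_t RLE_HEADER_SIZE = 64;
static const uint32_t RLE_MAX_SEGMENTS = 15;
enum RleHeaderStatus { RLE_OK, RLE_TOO_SHORT, RLE_BAD_SEGMENT_COUNT, RLE_BAD_OFFSET };

// Hypothetical helper (not a DCMTK function): copy and validate the header
// of one RLE fragment. 'fragment' may be shorter than 64 bytes.
RleHeaderStatus readRleHeader(const uint8_t *fragment, size_t fragmentLength,
                              uint32_t header[16])
{
    // The guard the ticket says is missing: never read 64 bytes from a shorter fragment.
    if (fragment == nullptr || fragmentLength < RLE_HEADER_SIZE)
        return RLE_TOO_SHORT;

    uint8_t raw[RLE_HEADER_SIZE];
    std::memcpy(raw, fragment, RLE_HEADER_SIZE);

    // Decode the little-endian words independently of host byte order.
    for (size_t i = 0; i < 16; ++i)
        header[i] = uint32_t(raw[4 * i]) | uint32_t(raw[4 * i + 1]) << 8 |
                    uint32_t(raw[4 * i + 2]) << 16 | uint32_t(raw[4 * i + 3]) << 24;

    if (header[0] == 0 || header[0] > RLE_MAX_SEGMENTS)
        return RLE_BAD_SEGMENT_COUNT;

    // Every used offset must lie past the header, inside the fragment, and increase.
    uint32_t previous = 0;
    for (uint32_t s = 1; s <= header[0]; ++s) {
        if (header[s] < RLE_HEADER_SIZE || header[s] >= fragmentLength || header[s] <= previous)
            return RLE_BAD_OFFSET;
        previous = header[s];
    }
    return RLE_OK;
}

int main()
{
    // Constructed 8-byte fragment (sample input, not the attached PoC file).
    const uint8_t tiny[8] = {1, 0, 0, 0, 64, 0, 0, 0};
    uint32_t header[16];
    return readRleHeader(tiny, sizeof(tiny), header) == RLE_TOO_SHORT ? 0 : 1;
}
```
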
Actions #1

Updated by Marco Eichelberg 2 days ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100

Closed by commit #45469f3c3.

Actions #2

Updated by Marco Eichelberg about 16 hours ago

This issue has been registered as CVE-2026-44034.

Actions #3

Updated by Marco Eichelberg about 16 hours ago

  • Private changed from Yes to No