Bug #1213: RLE decodeFrame() Heap-OOB Read - DCMTK - OFFIS DCMTK and DICOM Projects

Actions

Copy link

Bug #1213

closed

RLE decodeFrame() Heap-OOB Read

Added by Marco Eichelberg 2 days ago. Updated about 16 hours ago.

Status:

Closed

Priority:

Normal

Assignee:

Marco Eichelberg

Category:

Library and Apps

Target version:

Start date:

2026-05-23

Due date:

% Done:

100%

Estimated time:

Module:

dcmdata

Operating System:

Compiler:

Description

DcmRLECodecDecoder::decodeFrame() (dcmdata/libsrc/dcrleccd.cc:583) calls memcpy(rleHeader, rleData, 64) without validating that the pixel fragment is at least 64 bytes. The sibling decode() function has this guard at line 193 but decodeFrame() does not. An 8-byte crafted RLE fragment causes ASan to confirm a heap-buffer-overflow READ of size 64, leaking up to 56 bytes of adjacent heap memory. Affects all third-party consumers of DcmPixelData::getUncompressedFrame().

The issue can be demonstrated with the attached PoC file: dcm2img -d rle_crash.dcm rle_crash.bmp

Reported 2026-05-19 by Arjun Basnet, Senior Security Researcher, Securin.

Files

rle_crash.dcm (682 Bytes) rle_crash.dcm

PoC file

Marco Eichelberg, 2026-05-23 18:02

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

DCMTK

Bug #1213

RLE decodeFrame() Heap-OOB Read

Updated by Marco Eichelberg 2 days ago

Updated by Marco Eichelberg about 16 hours ago

Updated by Marco Eichelberg about 16 hours ago