Bug #1215: Unbounded recursion in DcmDicomDir::moveRecordToTree() - DCMTK - OFFIS DCMTK and DICOM Projects

Actions

Copy link

Bug #1215

closed

Unbounded recursion in DcmDicomDir::moveRecordToTree()

Added by Marco Eichelberg 26 days ago. Updated about 4 hours ago.

Status:

Closed

Priority:

Normal

Assignee:

Marco Eichelberg

Category:

Library and Apps

Target version:

Start date:

2026-05-24

Due date:

% Done:

100%

Estimated time:

2:00 h

Module:

dcmdata

Operating System:

Compiler:

Description

The method DcmDicomDir::moveRecordToTree() (dcmdata/libsrc/dcdicdir.cc) recurses on each child directory record without a depth limit. A maliciously crafted DICOMDIR with 10,000+ chained records exhausts the stack.

The issue can be demonstrated by compiling DCMTK with -fsanitize=address and then running the following command in a directory where the two PoC files are present: dcmmkdir --append IMAGE

Reported 2026-05-19 by Arjun Basnet, Senior Security Researcher, Securin.

Files

Download all files

IMAGE (1.05 KB) IMAGE	image file	Marco Eichelberg, 2026-05-24 19:38
DICOMDIR (742 KB) DICOMDIR	crafted DICOMDIR PoC file	Marco Eichelberg, 2026-05-24 19:38

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

DCMTK

Bug #1215

Unbounded recursion in DcmDicomDir::moveRecordToTree()

Updated by Marco Eichelberg 25 days ago

Updated by Marco Eichelberg about 4 hours ago