Bug #1221


Out-of-bounds read in bundled IJG JPEG Huffman decoder

Added by Michael Onken 2 days ago. Updated about 3 hours ago.

Status: Closed
Priority: Normal
Assignee:
Category: Library
Target version: -
Start date: 2026-06-10
Due date:
% Done: 0%
Estimated time:
Module: dcmjpeg
Operating System:
Compiler:

Description

DCMTK's bundled IJG JPEG library (dcmjpeg/libijg8, and the identical libijg12/libijg16 copies) contains a Huffman-table validation bug that leads to an out-of-bounds read when decoding a crafted JPEG-compressed DICOM image.

The DC Huffman table validation in jdhuff.c accepts a symbol value of 16, but the extend_test[] lookup array used during coefficient decoding only has 16 valid entries (indices 0–15). A JPEG containing a DC Huffman code mapped to symbol 16 therefore causes the decoder to read one element past the end of extend_test[], a global-buffer-overflow (CWE-125). The same validation flaw triggers crashes in all three decoder variants — sequential, lossless, and progressive — and is reachable from untrusted input through any tool or application that decodes JPEG, including dcmdjpeg, dcm2img, dcmj2pnm, and anything using DJDecoderRegistration or DicomImage.

Full analysis, proof-of-concept, and a patch proposed by the original sender are in the attached report.

Thanks to Yiyi Wang for reporting this issue.
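Added illustration of the mismatch the report describes, not DCMTK's or IJG's own code: a C model in which the DC symbol check accepts 16 while the lookup tables end at index 15, beside a check whose bound is derived from the table size and a guarded HUFF_EXTEND. The extend_test[]/extend_offset[] contents follow the IJG layout; the function names and the sample symbol lists are assumptions made for this example.

```c
/* Illustrative model only (not DCMTK/IJG source). Tables follow the IJG layout. */
#include <stddef.h>
#include <stdio.h>

/* Indexed by the DC symbol s (bit length SSSS); valid indices are 0..15. */
static const int extend_test[16] = {
  0, 0x0001, 0x0002, 0x0004, 0x0008, 0x0010, 0x0020, 0x0040,
  0x0080, 0x0100, 0x0200, 0x0400, 0x0800, 0x1000, 0x2000, 0x4000 };
static const int extend_offset[16] = {   /* ((-1) << s) + 1 */
  0, -1, -3, -7, -15, -31, -63, -127, -255, -511, -1023, -2047,
  -4095, -8191, -16383, -32767 };
#define EXTEND_ENTRIES (sizeof(extend_test) / sizeof(extend_test[0]))

/* Buggy validation: bound is one larger than the last valid index. */
int dc_table_ok_buggy(const unsigned char *huffval, int numsymbols) {
  for (int i = 0; i < numsymbols; i++)
    if (huffval[i] > 16) return 0;
  return 1;
}

/* Fixed validation: bound is tied to the table that will actually be indexed. */
int dc_table_ok_fixed(const unsigned char *huffval, int numsymbols) {
  for (int i = 0; i < numsymbols; i++)
    if ((size_t)huffval[i] >= EXTEND_ENTRIES) return 0;
  return 1;
}

/* HUFF_EXTEND with a bounds guard: sign-extends the s-bit value x.
 * Sets *ok to 0 and returns 0 if s would index past the tables. */
int huff_extend(int x, int s, int *ok) {
  if (s < 0 || (size_t)s >= EXTEND_ENTRIES) { *ok = 0; return 0; }
  *ok = 1;
  return x < extend_test[s] ? x + extend_offset[s] : x;
}

int main(void) {
  const unsigned char crafted[] = { 0, 1, 2, 16 };   /* constructed sample */
  int ok;
  printf("buggy check accepts symbol 16: %d\n", dc_table_ok_buggy(crafted, 4));
  printf("fixed check accepts symbol 16: %d\n", dc_table_ok_fixed(crafted, 4));
  printf("extend(010b, s=3) = %d\n", huff_extend(2, 3, &ok));
  return 0;
}
```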



#1

Updated by Michael Onken 1 day ago

Fixed with commit d6ae1bc8d5b9ae9c7300013c8c85cc2ea0fd8cf5.

#2

Updated by Michael Onken about 3 hours ago

  • Status changed from New to Closed
  • Private changed from Yes to No