Bug #1221
Out-of-bounds read in bundled IJG JPEG Huffman decoder
Status: Closed (100% done)
Description
DCMTK's bundled IJG JPEG library (dcmjpeg/libijg8, and the identical libijg12/libijg16 copies) contains a Huffman-table validation bug that leads to an out-of-bounds read when decoding a crafted JPEG-compressed DICOM image.
The DC Huffman table validation in jdhuff.c accepts a symbol value of 16, but the extend_test[] lookup array used during coefficient decoding only has 16 valid entries (indices 0–15). A JPEG containing a DC Huffman code mapped to symbol 16 therefore causes the decoder to read one element past the end of extend_test[], a global-buffer-overflow (CWE-125). The same validation flaw triggers crashes in all three decoder variants — sequential, lossless, and progressive — and is reachable from untrusted input through any tool or application that decodes JPEG, including dcmdjpeg, dcm2img, dcmj2pnm, and anything using DJDecoderRegistration or DicomImage.
Full analysis, proof-of-concept, and a patch proposed by the original sender are in the attached report.
Thanks to Yiyi Wang for reporting this issue.
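As an added illustration of the mismatch described above (not DCMTK's code and not the reporter's patch), the following C models a DC-table validator that admits symbol 16 next to one whose bound is derived from the extension table it protects, plus a bounds-checked EXTEND step. The extend_test[] contents follow the IJG layout (entry n is 2**(n-1)); the exact check in DCMTK's jdhuff.c is not quoted here, and the sample huffval lists are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Modeled on the IJG extend_test[] layout: entry n is 2**(n-1), and there
 * are exactly 16 entries, so the only valid index range is 0..15. */
static const int extend_test[16] = {
    0,      0x0001, 0x0002, 0x0004, 0x0008, 0x0010, 0x0020, 0x0040,
    0x0080, 0x0100, 0x0200, 0x0400, 0x0800, 0x1000, 0x2000, 0x4000 };
#define EXTEND_TEST_LEN (sizeof(extend_test) / sizeof(extend_test[0]))

/* Permissive DC-table validation of the kind the report describes: symbol 16
 * passes although it is one past the end of extend_test[]. (Illustrative; the
 * exact check in DCMTK's jdhuff.c is not reproduced here.) */
bool dc_table_ok_permissive(const uint8_t *huffval, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (huffval[i] > 16) return false;
    return true;
}

/* Hardened validation: the bound is derived from the table the decoder will
 * later index, so validator and lookup table can no longer drift apart. */
bool dc_table_ok_hardened(const uint8_t *huffval, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (huffval[i] >= EXTEND_TEST_LEN) return false;
    return true;
}

/* Bounds-checked equivalent of HUFF_EXTEND (the EXTEND procedure of ITU T.81):
 * sign-extends the s-bit received value r, refusing out-of-range s. */
bool huff_extend_checked(int r, int s, int *out) {
    if (s < 0 || (size_t)s >= EXTEND_TEST_LEN) return false;
    /* IJG's extend_offset[s] is (-1 << s) + 1, i.e. 1 - 2**s. */
    *out = (r < extend_test[s]) ? r + (1 - (1 << s)) : r;
    return true;
}
/* Same, returning INT32_MAX as a sentinel when s is out of range. */
int huff_extend_or_sentinel(int r, int s) {
    int v; return huff_extend_checked(r, s, &v) ? v : INT32_MAX;
}

/* Constructed sample huffval lists: an ordinary 8-bit baseline DC table
 * (categories 0..11) and one that additionally carries symbol 16. */
static const uint8_t benign_dc[]  = { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11 };
static const uint8_t crafted_dc[] = { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 16 };
#define LEN(a) (sizeof(a) / sizeof((a)[0]))
bool permissive_accepts_crafted(void) { return dc_table_ok_permissive(crafted_dc, LEN(crafted_dc)); }
bool hardened_accepts_crafted(void)   { return dc_table_ok_hardened(crafted_dc, LEN(crafted_dc)); }
bool hardened_accepts_benign(void)    { return dc_table_ok_hardened(benign_dc, LEN(benign_dc)); }
```

The hardened validator rejects the crafted table at DHT-parsing time, before any coefficient decoding indexes extend_test[].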
Updated by Michael Onken 22 days ago
Fixed with commit d6ae1bc8d5b9ae9c7300013c8c85cc2ea0fd8cf5.
Updated by Michael Onken 21 days ago
- Status changed from New to Closed
- Private changed from Yes to No
Updated by Marco Eichelberg 16 days ago
- % Done changed from 0 to 100
This issue was also reported on 2026-05-19 by Arjun Basnet, Senior Security Researcher, Securin. It has been registered as CVE-2026-44038.