Bug #1222
Out-of-bounds read in CharLS JPEG-LS EndScan() (closed)
Description
DCMTK's bundled CharLS JPEG-LS library (dcmjpls/libcharls) performs an out-of-bounds heap read when it finishes decoding a crafted JPEG-LS bitstream.
DecoderStrategy::EndScan() in decodstr.h calls current_value() unconditionally after the compressed bitstream has been fully consumed, and current_value() reads (*_position)[_current_offset] with no bounds check. When a fragment is constructed so that decoding exhausts the buffer exactly, _current_offset equals the buffer length and the read goes one byte past the end of the heap allocation (CWE-125). In ASan builds this crashes the process; in production builds the adjacent heap byte is read silently and used in a branch before CharLS raises TooMuchCompressedData, so the out-of-bounds read occurs regardless. The issue is reachable from untrusted input via dcmdjpls, dcm2img, dcmj2pnm, and any application using DJLSDecoderRegistration or DicomImage.
Full analysis and proof-of-concept are in the attached report.
Thanks to Yiyi Wang for reporting this issue.
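The boundary condition described above, as an added illustration that is not DCMTK or CharLS code: a hypothetical, simplified byte reader whose members `position`, `current_offset` and `length` model the `_position` / `_current_offset` pair from the report. It places the reader exactly at end-of-buffer, the state left behind when decoding has consumed every byte, and shows an accessor in the unchecked shape the report describes next to one that bounds-checks the offset and raises an error instead of reading the adjacent heap byte. The check shown is one way to close the gap; the change in the referenced fix commit may differ.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <stdexcept>

// Hypothetical, simplified model of a bitstream reader's "current byte" accessor.
// Written to illustrate the off-by-one boundary the report describes and one way
// to bounds-check it; not CharLS or DCMTK source.
struct ByteReader {
    const std::uint8_t* position;   // start of the compressed buffer (models _position)
    std::size_t current_offset;     // index of the next byte to read (models _current_offset)
    std::size_t length;             // number of bytes in the buffer

    // Unchecked accessor in the shape the report describes: no bounds check, so
    // current_offset == length indexes one byte past the allocation. Shown only
    // as the "before" form; it is never called with an out-of-range offset here.
    std::uint8_t current_value_unchecked() const {
        return position[current_offset];
    }

    // Hardened accessor: once the buffer is exhausted, refuse the read and raise
    // the error the decoder should report instead of touching adjacent heap memory.
    std::uint8_t current_value_checked() const {
        if (current_offset >= length)
            throw std::out_of_range("compressed data exhausted");
        return position[current_offset];
    }
};

// Constructed sample buffer (not a real JPEG-LS stream).
static const std::uint8_t kSample[] = {0xFF, 0xD8, 0x00, 0x01};
static const std::size_t kSampleLen = sizeof(kSample);

// Place the reader exactly at end-of-buffer, as after decoding consumed every
// byte, and report whether the checked accessor rejects the read.
bool end_of_buffer_read_is_rejected() {
    ByteReader r{kSample, kSampleLen, kSampleLen};
    try {
        (void)r.current_value_checked();
        return false;   // would have been an out-of-bounds read
    } catch (const std::out_of_range&) {
        return true;    // the boundary condition was caught
    }
}

// In-range reads still return the byte at the requested offset.
int checked_value_at(std::size_t offset) {
    ByteReader r{kSample, offset, kSampleLen};
    return r.current_value_checked();
}

int main() {
    std::cout << "end-of-buffer read rejected: "
              << (end_of_buffer_read_is_rejected() ? "yes" : "no") << '\n';
    std::cout << "byte at offset 0: " << checked_value_at(0) << '\n';
    return 0;
}
```

The same condition is what an ASan build flags at `current_value_unchecked()` when `current_offset == length`; in a non-instrumented build that read silently returns whatever byte follows the allocation, which is why the check belongs at the accessor (or at the call site in `EndScan()`) rather than relying on the later `TooMuchCompressedData` error.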
Updated by Michael Onken 22 days ago
Fixed with commit b818c19720bd3c5c273f7c0578fef3990333af22
Updated by Michael Onken 21 days ago
- Status changed from New to Closed
- Private changed from Yes to No