Bug #1222
Out-of-bounds read in CharLS JPEG-LS EndScan()
Status: closed
Description
DCMTK's bundled CharLS JPEG-LS library (dcmjpls/libcharls) performs an out-of-bounds heap read when finishing decode of a crafted JPEG-LS bitstream.
DecoderStrategy::EndScan() in decodstr.h calls current_value() unconditionally after the compressed bitstream has been fully consumed, and current_value() reads (*_position)[_current_offset] with no bounds check. When a fragment is constructed so that decoding exhausts the buffer exactly, _current_offset equals the buffer length and the read goes one byte past the end of the heap allocation (CWE-125). In ASan builds this crashes the process; in production builds the adjacent heap byte is read silently and used in a branch before CharLS raises TooMuchCompressedData, so the out-of-bounds read occurs regardless. The issue is reachable from untrusted input via dcmdjpls, dcm2img, dcmj2pnm, and any application using DJLSDecoderRegistration or DicomImage.
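As an added illustration (hypothetical names, not CharLS's or DCMTK's own code), the unchecked cursor read described above beside a bounds-checked form that refuses the read once a constructed fragment has been consumed exactly:

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>
// Hypothetical stand-in (not CharLS code) for the decoder's `_position` and
// `_current_offset` pair, with the report's unchecked read beside a checked one.
struct TooMuchCompressedData : std::runtime_error {
    TooMuchCompressedData() : std::runtime_error("too much compressed data") {}
};
class ScanCursor {
public:
    explicit ScanCursor(const std::vector<uint8_t>& fragment)
        : position_(fragment.data()), size_(fragment.size()), offset_(0) {}
    // Stand-in for decode consuming bytes; exact exhaustion leaves offset_ == size_.
    void consume(size_t n) { offset_ = (n > size_ - offset_) ? size_ : offset_ + n; }
    bool exhausted() const { return offset_ == size_; }
    // Shape of the defect: no check, so offset_ == size_ reads one byte past the
    // allocation (CWE-125). Never call it once exhausted() is true.
    uint8_t current_value_unchecked() const { return position_[offset_]; }
    // Hardened form: validate against the allocation length before dereferencing
    // and report over-consumed input instead of touching the neighbouring byte.
    uint8_t current_value_checked() const {
        if (offset_ >= size_) throw TooMuchCompressedData();
        return position_[offset_];
    }
private:
    const uint8_t* position_;
    size_t size_;
    size_t offset_;
};

// Constructed 4-byte sample fragment used by both helpers below.
static const std::vector<uint8_t> kFragment = {0x10, 0x20, 0x30, 0x40};
// Consumes the sample exactly, as in the report; true when the checked read refuses.
bool end_scan_rejects_exhausted_fragment() {
    ScanCursor cursor(kFragment);
    cursor.consume(kFragment.size());
    try {
        (void)cursor.current_value_checked();
    } catch (const TooMuchCompressedData&) {
        return cursor.exhausted();
    }
    return false;
}
// In-bounds control: after `consumed` bytes the checked read still serves data.
uint8_t checked_read_after(size_t consumed) {
    ScanCursor cursor(kFragment);
    cursor.consume(consumed);
    return cursor.current_value_checked();
}
```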
Full analysis and proof-of-concept are in the attached report.
Thanks to Yiyi Wang for reporting this issue.