Bug #1223
Out-of-bounds read in CharLS JPEG-LS QuantizeGratient()
Status: Closed
Description
DCMTK's bundled CharLS JPEG-LS library (dcmjpls/libcharls) performs an out-of-bounds heap read in its near-lossless decoder (NEAR > 0) when decoding a crafted image. The gradient bounds check in DoLine() (scan.h) uses a strict > instead of >= when comparing a gradient difference against RANGE_UPPER = 1 << bpp. A gradient difference exactly equal to RANGE_UPPER therefore passes the check and reaches QuantizeGratient(), which indexes _pquant[RANGE_UPPER] — one element past the end of the dynamically-allocated quantization table, which is valid only for indices [-RANGE, RANGE-1] (CWE-125). The read is reachable from untrusted input through any tool or application that decodes near-lossless JPEG-LS, including dcmdjpls, dcm2img, dcmj2pnm, and anything using DJLSDecoderRegistration or DicomImage.
Full analysis and proof-of-concept are in the attached report.
Thanks to Yiyi Wang for reporting this issue.
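The off-by-one in the guard, as an added illustration that is not CharLS or DCMTK code: a simplified model of a quantization table valid for indexes [-RANGE, RANGE-1], the strict > guard the report describes next to the >= form, and a sweep that counts how many admitted gradient differences fall outside the table. The names (GradientTable, guardVulnerable, guardFixed, countUnsafeIndexes), the symmetric lower bound, and the assumption that RANGE_UPPER and RANGE are both 1 << bpp are the example's own, not taken from the library.

```cpp
#include <cstdio>
#include <vector>

// Constructed model of the gradient quantization lookup described in the report.
// Not CharLS/DCMTK code. Assumption for this model: the table covers signed
// indexes [-RANGE, RANGE-1] and RANGE_UPPER == RANGE == 1 << bpp.
struct GradientTable {
    int range;                 // RANGE: legal indexes are [-RANGE, RANGE-1]
    std::vector<int> storage;  // 2*RANGE entries; index di lives at storage[di + RANGE]

    explicit GradientTable(int bpp)
        : range(1 << bpp), storage(2 * (1 << bpp), 0) {}

    // True iff di is a legal index into the table (the interval the report gives).
    bool indexIsValid(int di) const { return di >= -range && di < range; }
};

// Guard as the report describes the vulnerable version: a difference is rejected
// only when strictly greater than RANGE_UPPER, so di == RANGE_UPPER is accepted
// and would index one element past the table. (Lower bound assumed symmetric.)
bool guardVulnerable(int di, int rangeUpper) {
    return !(di > rangeUpper || di < -rangeUpper);
}

// Corrected guard: reject when di >= RANGE_UPPER, so RANGE_UPPER itself is out.
bool guardFixed(int di, int rangeUpper) {
    return !(di >= rangeUpper || di < -rangeUpper);
}

// Sweep a generous interval of gradient differences and count the values the
// guard admits that are not legal table indexes. A non-zero count means the
// guard lets an out-of-bounds table read through.
int countUnsafeIndexes(int bpp, bool (*guard)(int, int)) {
    GradientTable table(bpp);
    const int rangeUpper = 1 << bpp;  // RANGE_UPPER per the report
    int unsafe = 0;
    for (int di = -2 * rangeUpper; di <= 2 * rangeUpper; ++di) {
        if (guard(di, rangeUpper) && !table.indexIsValid(di)) ++unsafe;
    }
    return unsafe;
}

int main() {
    for (int bpp : {8, 12, 16}) {
        std::printf("bpp=%2d  vulnerable guard admits %d out-of-table index(es), "
                    "fixed guard admits %d\n",
                    bpp, countUnsafeIndexes(bpp, guardVulnerable),
                    countUnsafeIndexes(bpp, guardFixed));
    }
    return 0;
}
```

For every bit depth the vulnerable guard admits exactly one illegal index, RANGE_UPPER, which is the `_pquant[RANGE_UPPER]` read the report describes; the `>=` form admits none. A guard that is meant to protect a table lookup should be written against the table's own valid interval rather than a separately defined constant, and a bounds-checked accessor (or an assertion in debug builds) on the table itself catches the mismatch even if the guard regresses.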
Updated by Michael Onken 22 days ago
Fixed with commit b6691c7a0fdfd261c20c2509c2ac16966bd37763
Updated by Michael Onken 21 days ago
- Status changed from New to Closed
- Private changed from Yes to No