Bug #1223
Out-of-bounds read in CharLS JPEG-LS QuantizeGratient()
Status: Closed
Description
DCMTK's bundled CharLS JPEG-LS library (dcmjpls/libcharls) performs an out-of-bounds heap read in its near-lossless decoder (NEAR > 0) when decoding a crafted image. The gradient bounds check in DoLine() (scan.h) uses a strict > instead of >= when comparing a gradient difference against RANGE_UPPER = 1 << bpp. A gradient difference exactly equal to RANGE_UPPER therefore passes the check and reaches QuantizeGratient(), which indexes _pquant[RANGE_UPPER] — one element past the end of the dynamically-allocated quantization table, which is valid only for indices [-RANGE, RANGE-1] (CWE-125). The read is reachable from untrusted input through any tool or application that decodes near-lossless JPEG-LS, including dcmdjpls, dcm2img, dcmj2pnm, and anything using DJLSDecoderRegistration or DicomImage.
Full analysis and proof-of-concept are in the attached report.
Thanks to Yiyi Wang for reporting this issue.
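The following is an added, constructed model of the bounds check the description refers to; it is not CharLS or DCMTK code, and the names (quant_table_t, gradient_in_range_weak, gradient_in_range_fixed, quantize_checked) are assumptions. It lays out a quantization table the way the report describes it (valid indices [-RANGE, RANGE-1], with RANGE_UPPER one past the end) and shows that a strict > check accepts exactly one gradient value that indexes outside the table, while the >= form accepts none. The lower-bound comparison is also an assumption of this model.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed example: names such as quant_table_t, range_upper and
 * gradient_in_range_* are assumptions, not CharLS or DCMTK identifiers. */

/* Quantization table laid out as the report describes: storage of 2*range
 * entries, with pquant pointing at the middle so that pquant[d] is valid
 * only for d in [-range, range-1]. */
typedef struct {
    int range;
    int *storage;
    int *pquant;
} quant_table_t;

static bool quant_table_init(quant_table_t *t, int range) {
    t->range = range;
    t->storage = calloc((size_t)range * 2, sizeof *t->storage);
    if (t->storage == NULL)
        return false;
    t->pquant = t->storage + range;
    /* Toy contents: the sign of the gradient (a real table holds context ids). */
    for (int d = -range; d < range; d++)
        t->pquant[d] = (d > 0) - (d < 0);
    return true;
}

static void quant_table_free(quant_table_t *t) {
    free(t->storage);
    t->storage = NULL;
    t->pquant = NULL;
}

/* Is pquant[d] inside the allocation? */
static bool index_valid(const quant_table_t *t, int d) {
    return d >= -t->range && d < t->range;
}

/* Weak check (strict >): accepts d == range_upper, which is one element past
 * the end of the table when range == range_upper, as modelled here.
 * The lower bound (d < -range_upper) is an assumption of this model. */
static bool gradient_in_range_weak(int d, int range_upper) {
    return !(d > range_upper || d < -range_upper);
}

/* Corrected check (>=): d == range_upper is rejected. */
static bool gradient_in_range_fixed(int d, int range_upper) {
    return !(d >= range_upper || d < -range_upper);
}

/* For every gradient a predicate accepts, verify the table index is valid.
 * Returns how many accepted gradients would read outside the table
 * (the index is only checked, never dereferenced). */
static int oob_accepted_count(int range, bool (*accept)(int, int)) {
    quant_table_t t;
    int oob = 0;
    if (!quant_table_init(&t, range))
        return -1;
    for (int d = -2 * range; d <= 2 * range; d++)
        if (accept(d, range) && !index_valid(&t, d))
            oob++;
    quant_table_free(&t);
    return oob;
}

/* Safe lookup: apply the corrected check before touching the table.
 * -99 marks a rejected gradient (constructed sentinel). */
static int quantize_checked(int range, int d) {
    quant_table_t t;
    int q = -99;
    if (!quant_table_init(&t, range))
        return -99;
    if (gradient_in_range_fixed(d, range) && index_valid(&t, d))
        q = t.pquant[d];
    quant_table_free(&t);
    return q;
}

int main(void) {
    int bpp = 3;
    int range = 1 << bpp; /* RANGE_UPPER = 1 << bpp; table valid for [-range, range-1] */
    printf("weak  check: %d accepted gradient(s) would read out of bounds\n",
           oob_accepted_count(range, gradient_in_range_weak));
    printf("fixed check: %d accepted gradient(s) would read out of bounds\n",
           oob_accepted_count(range, gradient_in_range_fixed));
    printf("quantize_checked(%d, %d) = %d (rejected)\n", range, range,
           quantize_checked(range, range));
    return 0;
}
```

The single out-of-bounds index the weak predicate lets through is d == range, i.e. pquant[RANGE_UPPER], matching the off-by-one in the description; a regression test for the fix can assert that oob_accepted_count with the corrected predicate is zero for every bpp the decoder supports.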
Updated by Michael Onken 1 day ago
Fixed with commit b6691c7a0fdfd261c20c2509c2ac16966bd37763
Updated by Michael Onken about 3 hours ago
- Status changed from New to Closed
- Private changed from Yes to No