Bug #1229

closed

Heap Overflow in DB_DuplicateElement (dcmqrdb)

Added by Michael Onken 14 days ago. Updated 7 days ago.

Status: Closed
Priority: High
Category: -
Target version: -
Start date: 2026-06-19
% Done: 0%
Module: dcmqrdb

Description

Using an int instead of size_t for computing the size of a buffer can make the int overflow and therefore create a much smaller buffer than actually needed.

Fix: Use a size_t cast (not int) for the malloc size so large ValueLength values can no longer truncate/sign-flip into an undersized buffer. Also run memset/memcpy only after the NULL check, avoiding a crash when the allocation fails.

Thanks to Dominik Blain for the report.
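
An added example, not DCMTK's code or the content of the fixing commit: it contrasts the int-sized allocation described above with a size_t computation and a NULL check placed before memset/memcpy. The `Element` struct, the function names and the length-plus-one allocation are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical element; names are illustrative, not DCMTK's definitions. */
typedef struct {
    uint32_t ValueLength;      /* length field taken from untrusted data */
    const void *Value;         /* ValueLength bytes */
} Element;

/* Flawed pattern: size computed as int, then converted to size_t by malloc.
 * uint32_t -> int above INT_MAX is implementation-defined; GCC and Clang
 * wrap, so 0xFFFFFFFF becomes -1 and the requested size becomes 0. */
size_t flawed_alloc_size(uint32_t value_length)
{
    int n = (int)value_length + 1;
    return (size_t)n;
}

/* Corrected pattern: all arithmetic in size_t; 0 means "not representable". */
size_t safe_alloc_size(uint32_t value_length)
{
    size_t len = (size_t)value_length;
    return (len > SIZE_MAX - 1) ? 0 : len + 1;
}

/* Duplicate the value with a trailing zero byte; NULL on any failure. */
void *dup_value(const Element *src)
{
    size_t n = safe_alloc_size(src->ValueLength);
    if (n == 0) return NULL;
    unsigned char *buf = malloc(n);
    if (buf == NULL) return NULL;          /* check before memset/memcpy */
    memset(buf, 0, n);
    memcpy(buf, src->Value, n - 1);
    return buf;
}

int main(void)
{
    uint32_t lens[] = { 16u, 0x80000000u, 0xFFFFFFFFu };   /* constructed inputs */
    for (size_t i = 0; i < 3; i++)
        printf("ValueLength=%#x flawed=%zu safe=%zu\n", (unsigned)lens[i],
               flawed_alloc_size(lens[i]), safe_alloc_size(lens[i]));
    return 0;
}
```

With a 64-bit size_t, the 0x80000000 case shows the second half of the fix: the int-based size converts to an enormous request, malloc returns NULL, and only the early NULL check keeps memset from writing through it.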

Actions #1

Updated by Michael Onken 14 days ago

Fixed with commit b2d33e.

Actions #2

Updated by Michael Onken 7 days ago

  • Status changed from New to Closed
  • Private changed from Yes to No