Bug #1242

closed

Out-of-bounds read decoding 3-component JPEG-LS images

Added by Michael Onken about 7 hours ago. Updated about 6 hours ago.

Status: Closed
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date: 2026-07-03
Due date: -
% Done: 0%
Estimated time: -
Module: dcmjpls
Operating System: -
Compiler: -

Description

As reported by quellsec.dev:

Summary

Heap out-of-bounds read in CharLS TransformLine: the SOS scan uses the SOF-declared _rect.Width as the per-line transform pixel count without bounding it against the allocated scanline buffer

Affected version

  • Target: dcmtk @ 7246c5a9ca64c2d4312774bf40d046e255c00a41

Root cause

On the JPEG-LS decode output path, the per-line color/sample transform is driven with the SOF-declared image width (_rect.Width) as the pixel count, but the source scanline buffer it reads from was allocated for the codec's internal width. A stream whose declared width is larger than the scanline buffer makes the transform read past the end of that buffer, an attacker-controlled heap over-read whose over-read bytes become decoded output pixels.

dcmjpls/libcharls/scan.h:767

bc(c). STRATEGY::OnLineEnd(_rect.Width, _currentLine + _rect.X - (components * pixelstride), pixelstride);

dcmjpls/libcharls/decodstr.h:63

bc(c). _processLine->NewLineDecoded(ptypeBuffer, pixelCount, pixelStride);

dcmjpls/libcharls/procline.h:191

bc(c). void NewLineDecoded(const void* pSrc, int pixelCount, int byteStride)

dcmjpls/libcharls/procline.h:197

bc(c). TransformLine((Triplet<SAMPLE>*)_pbyteOutput, (const Triplet<SAMPLE>*)pSrc, pixelCount, _inverseTransform);

dcmjpls/libcharls/procline.h:108

bc(c). pDest[i] = transform(pSrc[i].v1, pSrc[i].v2, pSrc[i].v3);

Proof of Concept

Self-contained. docker build clones the target at the pinned commit and builds it under AddressSanitizer + UndefinedBehaviorSanitizer; docker run feeds the crafted input and reproduces the fault. Save the files below into a poc/ directory and:

bc. docker build -t poc . && docker run --rm poc

Sanitizer output

.dockerignore (crafted input)

poc_transformline.jls (590-byte binary input)

build.sh

run.sh

Dockerfile

harness.cc

Severity

medium -- CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
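The root cause above, as an added illustration that is not CharLS or DCMTK code: a C++ sketch of the per-line output stage in which the header-declared pixel count is bounded against the scanline buffer it reads from before the transform loop runs. The colour transform is an HP1-style reversible pair modelled on, not copied from, CharLS; `NewLineDecodedChecked`, `DecodeLine`, the `LineResult` type and the sample pixel values are constructed for this example and do not exist in the project.

```cpp
// Added example (not CharLS/DCMTK code): bound a header-derived pixel count
// against the scanline buffer before running the per-line transform.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Three samples per pixel, as in CharLS's Triplet<SAMPLE> (8-bit here).
struct Triplet { uint8_t v1, v2, v3; };

// Reversible HP1-style colour transform pair (modelled on TransformHp1, simplified).
// Forward:  RGB -> (R - G + 128, G, B - G + 128), each sample wrapped mod 256.
static Triplet Hp1Forward(Triplet rgb) {
    return { static_cast<uint8_t>(rgb.v1 - rgb.v2 + 128), rgb.v2,
             static_cast<uint8_t>(rgb.v3 - rgb.v2 + 128) };
}
// Inverse: (v1, v2, v3) -> (v1 + v2 - 128, v2, v3 + v2 - 128).
static Triplet Hp1Inverse(Triplet t) {
    return { static_cast<uint8_t>(t.v1 + t.v2 - 128), t.v2,
             static_cast<uint8_t>(t.v3 + t.v2 - 128) };
}

// Same loop shape as procline.h:108: pDest[i] = transform(pSrc[i]) for i < pixelCount.
// The loop itself has no way to know how large pSrc is; the caller must guarantee it.
static void TransformLine(Triplet* pDest, const Triplet* pSrc, size_t pixelCount,
                          Triplet (*transform)(Triplet)) {
    for (size_t i = 0; i < pixelCount; ++i) pDest[i] = transform(pSrc[i]);
}

// Constructed result type: ok == false means the line was rejected, not decoded.
struct LineResult { bool ok; std::vector<Triplet> pixels; };

// Stand-in for the decoder's per-line output stage (cf. NewLineDecoded).
// `scanline.size()` is the width the buffer was actually allocated for;
// `declaredWidth` is what the SOF header claims (the _rect.Width of the report).
static LineResult NewLineDecodedChecked(const std::vector<Triplet>& scanline,
                                        size_t declaredWidth) {
    LineResult r{false, {}};
    // The fix: a header-derived count must never exceed the source buffer's extent.
    if (declaredWidth > scanline.size()) return r;
    r.pixels.resize(declaredWidth);
    TransformLine(r.pixels.data(), scanline.data(), declaredWidth, Hp1Inverse);
    r.ok = true;
    return r;
}

// Demonstration helper (constructed): fill a scanline buffer of `bufferPixels`
// forward-transformed pixels, then run the output stage with `declaredWidth`.
static LineResult DecodeLine(size_t bufferPixels, size_t declaredWidth) {
    std::vector<Triplet> scanline(bufferPixels);
    for (size_t i = 0; i < bufferPixels; ++i) {
        Triplet rgb{ static_cast<uint8_t>(10 * i), static_cast<uint8_t>(200 - i),
                     static_cast<uint8_t>(i * i) };
        scanline[i] = Hp1Forward(rgb);
    }
    return NewLineDecodedChecked(scanline, declaredWidth);
}

int main() {
    LineResult good = DecodeLine(8, 8);       // widths agree: decoded
    LineResult bad  = DecodeLine(8, 4096);    // header claims more than the buffer holds: rejected
    std::printf("matching width: ok=%d pixels=%zu\n", good.ok, good.pixels.size());
    std::printf("oversized width: ok=%d pixels=%zu\n", bad.ok, bad.pixels.size());
    return 0;
}
```

The point of the check is where it sits: the transform loop at procline.h:108 cannot see the buffer size, so the only place the comparison can be made is the stage that holds both the declared width and the buffer, before the loop is entered.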

Actions #1

Updated by Michael Onken about 6 hours ago

  • Status changed from New to Closed

Fixed with commit 4c84db4702249593d2fb7f9bc3c90bc7185ababb.
