Bug #793
closedoverflow error in calculation of decompressed image size
0%
Description
DcmPolymorphOBOW::createUint16Array() can create an array of incorrect size when a parameter is passed that would cause the creation of a buffer larger than 4 GBytes. The first parameter to this method is numWords, the number of 16-bit words to be allocated, as a Uint32 parameter. This means that it is possible to pass a value > 2^31, which would correspond to a buffer size > 4 GByte, which is not permitted in DICOM.
This is not properly checked in the call to createEmptyValue() in dcmdata/libsrc/dcvrpobw.cc:185, and in that case a buffer that is too small is silently allocated.
The problem can be demonstrated by running dcmj2pnm +Fa +op -O <infile> <outfile> on the sample file provided in /share/dicom/contrib/20170928_large_multiframe_confidential/A000