DCMTK

DcmPolymorphOBOW::createUint16Array() can create an array of incorrect size when a parameter is passed that would cause the creation of a buffer larger than 4 GBytes. The first parameter to this method is numWords, the number of 16-bit words to be allocated, as a Uint32 parameter. This means that it is possible to pass a value > 2^31, which would correspond to a buffer size > 4 GByte, which is not permitted in DICOM.

This is not properly checked in the call to createEmptyValue() in dcmdata/libsrc/dcvrpobw.cc:185, and in that case a buffer that is too small is silently allocated.

The problem can be demonstrated by running dcmj2pnm +Fa +op -O <infile> <outfile> on the sample file provided in /share/dicom/contrib/20170928_large_multiframe_confidential/A000