Bug #858
Buffer overflow in DcmRLEDecoder::decompress()
Status: Closed
% Done: 100
Description
As a part of medical infrastructure security research, the DeteAct Team started to perform fuzzing of various open source medical data processing libraries.
During fuzzing of the dcm2pnm utility, a memory corruption (buffer overflow) bug was found, which occurs in DcmRLEDecoder::decompress() (file dcrledec.h, line 122). Attached are three sample files that trigger the (same) bug when processed with either dcm2pnm or dcmdrle.
Reported 2018-11-27 by Omar Ganiev <beched@deteact.com>, DeteAct Team, Open Medical Infrastructure Security Project.
Files
Updated by Marco Eichelberg almost 7 years ago
- File dcm2pnm_case_1 added
- File dcm2pnm_case_2 added
- File dcm2pnm_case_3 added
Updated by Marco Eichelberg almost 7 years ago
- Status changed from New to Closed
- Assignee set to Marco Eichelberg
- % Done changed from 0 to 100
Closed by commit #40917614e.
Updated by Marco Eichelberg 11 months ago
- Status changed from Closed to Reopened
According to a report, the bug is still present if pixel data is accessed frame-by-frame:
The DcmRLEDecoder::decompress() function is fixed when called from the DcmRLECodeDecoder::decode() function, but not when called from the DcmRLECodeDecoder::decompress() function. When I try to load an image using the DcmPixelData::getUncompressedFrameSize() function, a buffer overflow occurs in the DcmRLEDecoder::decompress() function.
Reported 2024-10-15 by Kosuke Yoshinaga <kosuke.yoshinaga@goodmankk.com>.
Updated by Marco Eichelberg 10 months ago
- Status changed from Reopened to Closed
Closed by commit #f93cf77f1.
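Added example, not DCMTK code and not the change made in either commit: a PackBits-style RLE segment decoder (the scheme DICOM RLE is based on) with the output-capacity check inside the decoder itself, so a whole-image caller and a frame-by-frame caller are both covered, which is the gap the reopening report describes. The names RleStatus, rleDecodeSegment and decodeFrame are hypothetical.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

enum class RleStatus { Ok, TruncatedInput, OutputOverflow };

// Decode one PackBits-style RLE segment into out[0..outCap).
// Hypothetical helper, not DCMTK's DcmRLEDecoder. Every write is checked
// against the remaining capacity here, so no caller can skip the check.
RleStatus rleDecodeSegment(const uint8_t* in, size_t inLen,
                           uint8_t* out, size_t outCap, size_t& written)
{
    size_t i = 0;
    written = 0;
    while (i < inLen) {
        const uint8_t ctrl = in[i++];
        if (ctrl == 0x80) continue;              // -128: no-op control byte
        if (ctrl < 0x80) {                       // 0..127: copy ctrl+1 literal bytes
            const size_t n = static_cast<size_t>(ctrl) + 1;
            if (n > inLen - i) return RleStatus::TruncatedInput;
            if (n > outCap - written) return RleStatus::OutputOverflow;
            std::memcpy(out + written, in + i, n);
            i += n;
            written += n;
        } else {                                 // -1..-127: repeat next byte 257-ctrl times
            const size_t n = 257u - ctrl;
            if (i >= inLen) return RleStatus::TruncatedInput;
            if (n > outCap - written) return RleStatus::OutputOverflow;
            std::memset(out + written, in[i++], n);
            written += n;
        }
    }
    return RleStatus::Ok;
}

// Hypothetical frame-by-frame caller: the destination size is the caller's
// own buffer size, and a frame that decodes short or long is rejected.
bool decodeFrame(const uint8_t* seg, size_t segLen,
                 uint8_t* frame, size_t frameSize)
{
    size_t written = 0;
    return rleDecodeSegment(seg, segLen, frame, frameSize, written) == RleStatus::Ok
        && written == frameSize;
}
```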