Bug #1189
Updated by Jörg Riesmeier about 5 hours ago
Received by email from the IN-CYPHER OSS Security Team IG Singapore (2026-03-09): > *Subject:* IC-DCMTK-0002: Double-Free in DcmJSONReader via decodeBase64() > > This report details a double-free vulnerability in > the JSON DICOM reader's inlineBinary processing path. When > OFStandard::decodeBase64() receives invalid base64 input containing > fewer than 4 valid characters, it internally frees the allocated output > buffer at ofstd.cc:1892 but does not nullify the pointer. The calling > code in parseElement() at dcjsonrd.cc:752 then unconditionally executes > delete[] data, freeing the same memory a second time. A 43-byte JSON > input with a single-character base64 value triggers this heap > corruption. > > Please find the detailed report, proof-of-concept, and sanitizer output > in the attachments.