Bug #1193

Updated by Jörg Riesmeier 21 days ago

Received by email from the IN-CYPHER OSS Security Team IG Singapore (2026-03-09): 

 > *Subject:* IC-DCMTK-0006 Heap OOB Read in DcmJSONReader getTokenContent 
 > 
 > This report details a heap buffer overflow in `DcmJSONReader::getTokenContent()` at `dcjsonrd.cc:221`. 
 > The JSMN tokenizer's two-pass parsing mechanism can produce a sentinel token (with `start=INT_MAX, end=INT_MAX`) 
 > when the code reads past the allocated token array. The `getTokenContent()` function uses these unvalidated 
 > position fields to index into the JSON input buffer, causing out-of-bounds heap reads and writes. A malformed 
 > JSON input as small as 8 bytes triggers this vulnerability without requiring any special flags — the default 
 > `json2dcm` invocation crashes immediately. 
 >  
 > Please find the detailed report, proof-of-concept, and sanitizer output in the attachments.
