Bug #1193
Updated by Jörg Riesmeier 21 days ago
Received by email from the IN-CYPHER OSS Security Team (2026-03-09):
> *Subject:* IC-DCMTK-0006 Heap OOB Read in DcmJSONReader getTokenContent
> *Version:* DCMTK master 418274445 (DCMTK-3.7.0+64)
> *CWE:* CWE-122 (Heap-based Buffer Overflow)
>
> This report details a heap buffer overflow in `DcmJSONReader::getTokenContent()` at `dcjsonrd.cc:221`.
> The JSMN tokenizer's two-pass parsing mechanism can produce a sentinel token (with `start=INT_MAX, end=INT_MAX`)
> when the code reads past the allocated token array. The `getTokenContent()` function uses these unvalidated
> position fields to index into the JSON input buffer, causing out-of-bounds heap reads and writes. A malformed
> JSON input as small as 8 bytes triggers this vulnerability without requiring any special flags — the default
> `json2dcm` invocation crashes immediately.
>
> Please find the detailed report, proof-of-concept, and sanitizer output in the attachments.
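The unvalidated-position problem the report describes, as an added illustration that is not DCMTK's code: a hypothetical token layout modelled on JSMN (start/end byte offsets, with `INT_MAX` standing in for the sentinel the report mentions) and a bounds-checked accessor that rejects a token before its offsets are used to index the input buffer. The struct, function names and the 8-byte sample input are assumptions constructed for this example.

```cpp
#include <climits>
#include <cstddef>
#include <string>
#include <vector>

// Hypothetical token layout modelled on JSMN: byte offsets into the input.
// The report describes a sentinel token (start == end == INT_MAX) appearing
// when the tokenizer's second pass runs past the allocated token array.
struct JsonToken {
    int start;
    int end;
};

// Copies the token's text into `out` and returns true only when the token
// index and both offsets are provably inside the input buffer; otherwise
// returns false without touching the buffer.
bool getTokenContentChecked(const std::string &json,
                            const std::vector<JsonToken> &tokens,
                            size_t index, std::string &out)
{
    out.clear();
    // 1. The token index must lie inside the allocated token array.
    if (index >= tokens.size())
        return false;
    const JsonToken &tok = tokens[index];
    // 2. Negative offsets mean "unset" in JSMN; the sentinel uses INT_MAX.
    //    start > end also covers the INT_MAX/INT_MAX case once compared to size.
    if (tok.start < 0 || tok.end < 0 || tok.start > tok.end)
        return false;
    // 3. Both offsets must stay within the input length (end is exclusive).
    if (static_cast<size_t>(tok.end) > json.size())
        return false;
    out = json.substr(static_cast<size_t>(tok.start),
                      static_cast<size_t>(tok.end - tok.start));
    return true;
}

// Constructed sample: an 8-byte document, two real tokens and one sentinel
// such as the report describes (JSMN string tokens exclude the quotes).
const std::string kSampleJson = "{\"ab\":1}";
const std::vector<JsonToken> kSampleTokens = {
    {2, 4},             // key "ab"
    {6, 7},             // value 1
    {INT_MAX, INT_MAX}  // sentinel produced by reading past the token array
};

// Convenience wrapper over the sample: token text, or "<rejected>" when the
// checks refuse to dereference it.
std::string describeSampleToken(size_t index)
{
    std::string text;
    return getTokenContentChecked(kSampleJson, kSampleTokens, index, text)
               ? text : "<rejected>";
}
```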