Bug #1190
Updated by Jörg Riesmeier 4 days ago
Received by email from the IN-CYPHER OSS Security Team (2026-03-09):
> *Subject:* IC-DCMTK-0004 Infinite Loop in JPEG Segment Parser TEM Marker
> *Version:* DCMTK master 418274445 (DCMTK-3.7.0+64)
> *CWE:* CWE-835 (Loop with Unreachable Exit Condition)
>
> This report describes an infinite loop in
> DJCodecDecoder::scanJpegDataForBitDepth() at djcodecd.cc:852. The
> function's JPEG marker parsing loop handles over 30 marker types, with
> each case advancing the parsing offset -- except the TEM marker
> (0xFF01), whose case contains only a break without incrementing the
> offset. This causes the parser to re-read the same TEM marker
> indefinitely, consuming 100% CPU with no timeout or iteration limit. A
> 526-byte DICOM file with a JPEG stream containing a TEM marker triggers
> this hang. The fix is a single line: adding offset += 2; before the
> break.
>
> Please find the detailed report, proof-of-concept, and sanitizer output
> in the attachments.
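
The defect class described in the report, as an added C++ example that is neither DCMTK's code nor part of the original report: a simplified marker scan in which the TEM case either leaves the offset unchanged or advances it by 2. The function name, the `advanceOnTem` switch, the iteration budget and the sample bytes are assumptions constructed for illustration.

```cpp
#include <cstddef>
#include <cstdint>

// Simplified model of a JPEG marker scan that looks for the sample precision
// in an SOF0 segment. Hypothetical code, not DCMTK's.
enum ScanStatus { SCAN_FOUND, SCAN_NOT_FOUND, SCAN_BUDGET_EXHAUSTED };

struct ScanResult {
    ScanStatus status;
    int bitDepth;        // valid only for SCAN_FOUND
    size_t iterations;   // loop passes actually executed
};

// advanceOnTem=false models the reported defect (TEM case only breaks);
// advanceOnTem=true models the fix (offset += 2 before the break).
// maxIterations is an added guard so the defective variant terminates here.
ScanResult scanForBitDepth(const uint8_t *data, size_t len,
                           bool advanceOnTem, size_t maxIterations)
{
    size_t offset = 0;
    size_t iterations = 0;
    while (offset + 4 < len) {
        if (++iterations > maxIterations)
            return { SCAN_BUDGET_EXHAUSTED, 0, iterations - 1 };
        const unsigned marker = (data[offset] << 8) | data[offset + 1];
        switch (marker) {
            case 0xFFC0: // SOF0: marker, 2-byte length, then precision byte
                return { SCAN_FOUND, data[offset + 4], iterations };
            case 0xFFD8: // SOI: standalone marker, no length field
                offset += 2;
                break;
            case 0xFF01: // TEM: standalone marker, no length field
                if (advanceOnTem)
                    offset += 2;
                break;
            default:     // segment with 2-byte big-endian length
                offset += 2 + ((data[offset + 2] << 8) | data[offset + 3]);
                break;
        }
    }
    return { SCAN_NOT_FOUND, 0, iterations };
}

// Constructed sample stream: SOI, TEM, APP0 (length 4), SOF0 with precision 12.
static const uint8_t kSample[] = {
    0xFF, 0xD8, 0xFF, 0x01, 0xFF, 0xE0, 0x00, 0x04, 0x00, 0x00,
    0xFF, 0xC0, 0x00, 0x0B, 0x0C, 0x00, 0x10, 0x00, 0x10, 0x01
};
```

With the advance in place the scan reaches SOF0 in four passes; without it, every pass after SOI re-reads the same TEM marker until the budget is spent.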