Bug #1189
Updated by Jörg Riesmeier about 5 hours ago
Received by email from the IN-CYPHER OSS Security Team (2026-03-09):
> *Subject:* IC-DCMTK-0002: Double-Free in DcmJSONReader via decodeBase64()
> *Version:* DCMTK master 418274445 (DCMTK-3.7.0+64)
> *CWE:* CWE-415 (Double Free)
>
> This report details a double-free vulnerability in
> the JSON DICOM reader's inlineBinary processing path. When
> OFStandard::decodeBase64() receives invalid base64 input containing
> fewer than 4 valid characters, it internally frees the allocated output
> buffer at ofstd.cc:1892 but does not nullify the pointer. The calling
> code in parseElement() at dcjsonrd.cc:752 then unconditionally executes
> delete[] data, freeing the same memory a second time. A 43-byte JSON
> input with a single-character base64 value triggers this heap
> corruption.
>
> Please find the detailed report, proof-of-concept, and sanitizer output
> in the attachments.
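
The ownership problem described in the report, as an added C++ example that is not DCMTK code and not part of the report: `decode_b64` and `parse_inline_binary` are hypothetical stand-ins for a decoder that allocates an output buffer and a caller that releases it. The decoder clears the out-pointer on its error path and the caller holds the buffer through a single owner, so a failed decode ends in a no-op release instead of a second free.

```cpp
#include <cstddef>
#include <cstdint>
#include <memory>
#include <string>

// Map one base64 character to its 6-bit value, or -1 if it is not in the alphabet.
static int b64val(char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

// Hypothetical decoder (assumed contract): allocates `out` with new[], returns
// the decoded length, and returns 0 when fewer than 4 valid characters are seen.
std::size_t decode_b64(const std::string& in, unsigned char*& out) {
    out = new unsigned char[(in.size() / 4 + 1) * 3];
    std::size_t n = 0, valid = 0;
    std::uint32_t acc = 0;
    for (char c : in) {
        int v = b64val(c);
        if (v < 0) continue;                       // padding and invalid characters are skipped
        acc = (acc << 6) | static_cast<std::uint32_t>(v);
        if (++valid % 4 == 0) {                    // a full group yields 3 bytes
            out[n++] = acc >> 16; out[n++] = acc >> 8; out[n++] = acc;
            acc = 0;
        }
    }
    if (valid < 4) {                               // error path: the callee releases the buffer...
        delete[] out;
        out = nullptr;                             // ...and clears the pointer the caller still holds
        return 0;
    }
    if (valid % 4 == 2) out[n++] = acc >> 4;       // trailing partial group
    if (valid % 4 == 3) { out[n++] = acc >> 10; out[n++] = acc >> 2; }
    return n;
}

// Hypothetical caller: one owner releases the buffer exactly once on every path.
std::size_t parse_inline_binary(const std::string& b64, std::string& payload) {
    unsigned char* data = nullptr;
    std::size_t len = decode_b64(b64, data);
    std::unique_ptr<unsigned char[]> owner(data);  // delete[] on nullptr is a no-op
    if (len == 0) return 0;
    payload.assign(reinterpret_cast<const char*>(data), len);
    return len;
}
```

Building this with AddressSanitizer (`-fsanitize=address`) and removing the `out = nullptr;` line makes the single-character input report a double free in the caller's release.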