Bug #1195

Updated by Jörg Riesmeier 6 days ago

Received by email from the IN-CYPHER OSS Security Team (2026-03-24): 

 > *Subject:* IC-DCMTK-0007 Heap OOB Read via PersonName Path in DcmJSONReader 
 > *Version:* DCMTK master `418274445` (DCMTK-3.7.0+64) 
 > *CWE:* CWE-125 (Out-of-bounds Read) 
 > 
 > This report describes a heap buffer overflow in 
 > getTokenContent() reached through the PersonName (PN VR) processing path 
 > in parseElementValueArray() at dcjsonrd.cc:1022. While this shares the same 
 > JSMN two-pass root cause as IC-DCMTK-0006, it is reached through a third, 
 > independent call site that a fix addressing only the parseElement() call 
 > sites would miss. This variant requires the --ignore-errors flag (setting 
 > stopOnErrorPolicy_ to OFFalse), which is why we rate it as high rather than 
 > critical. A 44-byte JSON input triggers the out-of-bounds read. 
 >  
 > Please find the detailed report, proof-of-concept, and sanitizer output 
 > in the attachments. 

 Follow-up message: 

 > This bug shares the JSMN two-pass root cause with IC-DCMTK-0006 but is 
 > reached through a third independent call site that a targeted fix would 
 > miss. Our PoC currently requires --ignore-errors; we report it preemptively 
 > since the code path lacks bounds validation regardless of error policy. 
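
The follow-up message notes that the code path lacks bounds validation regardless of error policy. As an added example (not DCMTK's code and not taken from the report's attachments), the C code below copies a token's content only after validating its offsets against the buffer length, on every call and independent of any error policy. `json_tok`, `token_content_checked` and `count_rejected` are hypothetical names, and the token layout is an assumption modelled on jsmn's start/end byte offsets.

```c
#include <stddef.h>
#include <string.h>

/* Stand-in for a JSMN-style token (assumption): byte offsets into the JSON
 * text, end exclusive, both -1 while the token is unset. */
typedef struct { int start; int end; } json_tok;

/* Copy one token's text into out, NUL-terminated. Returns the length, or -1
 * when the token does not lie inside json[0..json_len) or out is too small. */
static int token_content_checked(const char *json, size_t json_len,
                                 const json_tok *tok, char *out, size_t out_cap)
{
    if (!json || !tok || !out || out_cap == 0)
        return -1;
    /* Unset or inverted offsets: reject before any unsigned conversion. */
    if (tok->start < 0 || tok->end < tok->start)
        return -1;
    /* Token reaches past the bytes actually held in the buffer. */
    if ((size_t)tok->end > json_len)
        return -1;
    size_t len = (size_t)(tok->end - tok->start);
    if (len >= out_cap)
        return -1;
    memcpy(out, json + tok->start, len);
    out[len] = '\0';
    return (int)len;
}

/* Walk a token array the way a caller that continues after errors would:
 * every token is checked, and the refused ones are counted, not read. */
static int count_rejected(const char *json, size_t json_len,
                          const json_tok *toks, size_t ntoks)
{
    char scratch[64];
    int rejected = 0;
    for (size_t i = 0; i < ntoks; i++)
        if (token_content_checked(json, json_len, &toks[i], scratch, sizeof scratch) < 0)
            rejected++;
    return rejected;
}

int main(void)
{
    /* Constructed sample: one valid token, one past the end, one unset. */
    const char json[] = "{\"a\":\"Doe^John\"}";
    const json_tok toks[] = { {6, 14}, {6, 40}, {-1, -1} };
    return count_rejected(json, sizeof json - 1, toks, 3) == 2 ? 0 : 1;
}
```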
