Bug #1197
Updated by Jörg Riesmeier 6 days ago
Received by email from the IN-CYPHER OSS Security Team (2026-03-24):

> *Subject:* IC-DCMTK-0009 Uninitialized Memory Read in JSMN Token Array
> *Version:* DCMTK master 418274445 (DCMTK-3.7.0+64)
> *CWE:* CWE-908 (Use of Uninitialized Resource)
>
> This report describes an uninitialized memory read in the JSON DICOM reader.
> The reserveTokens() function allocates tokenNum+1 JSMN tokens but the memset
> at dcjsonrd.cc:200 only initializes the first tokenNum elements. While the
> sentinel token's start, end, and size fields are explicitly set, the type
> field is left containing heap garbage. When malformed JSON causes the token
> pointer to advance into the sentinel position, the uninitialized type field
> is read in a switch statement, causing undefined behavior. UBSan confirms
> the issue, reporting invalid enum values. A 40-byte PoC triggers this bug.
>
> Please find the detailed report, proof-of-concept, and sanitizer output
> in the attachments.
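The allocation/initialisation mismatch the report describes, reconstructed as a stand-alone C example. This is an added illustration, not DCMTK's reserveTokens() and not the reporter's proof of concept: the token struct, enum members and function names are assumptions modelled on jsmn's jsmntok_t, and the 0xA5 fill stands in for stale heap contents so the demonstration is deterministic rather than depending on what malloc() happens to return.

```c
/* Added example (not DCMTK's or the reporter's code). The types and
 * function names are assumptions modelled on jsmn's jsmntok_t. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for jsmn's token type enum. */
typedef enum {
    TOK_UNDEFINED = 0,
    TOK_OBJECT    = 1,
    TOK_ARRAY     = 2,
    TOK_STRING    = 4,
    TOK_PRIMITIVE = 8
} tok_type_t;

/* Minimal stand-in for jsmntok_t. */
typedef struct {
    tok_type_t type;
    int start;
    int end;
    int size;
} tok_t;

/* Simulated "dirty" heap: fill the block with 0xA5 so that anything the
 * initialisation code misses is visibly garbage (constructed, not real
 * malloc() behaviour). */
static tok_t *alloc_with_garbage(size_t count)
{
    tok_t *toks = malloc(count * sizeof *toks);
    if (toks) memset(toks, 0xA5, count * sizeof *toks);
    return toks;
}

/* Buggy pattern from the report: tokenNum+1 tokens are allocated but the
 * memset covers only tokenNum of them; the sentinel then gets start, end
 * and size, but its type keeps whatever was in memory. */
tok_t *reserve_tokens_buggy(size_t tokenNum)
{
    tok_t *toks = alloc_with_garbage(tokenNum + 1);
    if (!toks) return NULL;
    memset(toks, 0, tokenNum * sizeof *toks);     /* one element short */
    toks[tokenNum].start = -1;
    toks[tokenNum].end   = -1;
    toks[tokenNum].size  = 0;
    return toks;
}

/* Hardened version: the memset covers the whole allocation, and the
 * sentinel's type is set explicitly so the intent is visible. */
tok_t *reserve_tokens_fixed(size_t tokenNum)
{
    tok_t *toks = alloc_with_garbage(tokenNum + 1);
    if (!toks) return NULL;
    memset(toks, 0, (tokenNum + 1) * sizeof *toks);
    toks[tokenNum].type  = TOK_UNDEFINED;
    toks[tokenNum].start = -1;
    toks[tokenNum].end   = -1;
    toks[tokenNum].size  = 0;
    return toks;
}

/* The check a consumer should make before switching on a token's type:
 * is the stored value one of the enum's defined members? A real parser
 * would put this in the switch's default case and bail out. */
int token_type_is_valid(const tok_t *t)
{
    switch (t->type) {
    case TOK_UNDEFINED: case TOK_OBJECT: case TOK_ARRAY:
    case TOK_STRING: case TOK_PRIMITIVE:
        return 1;
    default:
        return 0;
    }
}

/* Reserve n tokens with either variant and report whether the sentinel at
 * index n carries a defined type. Returns -1 on allocation failure. */
int sentinel_type_ok(int use_fixed, size_t n)
{
    tok_t *toks = use_fixed ? reserve_tokens_fixed(n) : reserve_tokens_buggy(n);
    if (!toks) return -1;
    int ok = token_type_is_valid(&toks[n]);
    free(toks);
    return ok;
}

int main(void)
{
    printf("buggy: sentinel type valid = %d\n", sentinel_type_ok(0, 4));
    printf("fixed: sentinel type valid = %d\n", sentinel_type_ok(1, 4));
    return 0;
}
```

The buggy variant reports the sentinel's type as invalid (the 0xA5A5A5A5 bit pattern is not an enum member), the fixed variant as valid. The root fix is sizing the memset to match the allocation; the defined-member check is defence in depth for any code path that can walk past the last real token, which is exactly the path the report says malformed JSON takes. The page does not say how DCMTK resolved the report, so neither variant should be read as the project's actual patch.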