OFFIS DCMTK Memory Corruption Vulnerability in DcmByteString Function

Vulnerability

A memory corruption vulnerability has been identified in OFFIS DCMTK versions through 3.6.9. The issue arises in the DcmByteString::makeDicomByteString function in dcmdata/libsrc/dcbytstr.cc. When a dataset containing an illegal odd-length attribute with a text Value Representation (VR) is processed, the function may overwrite the string's terminating null byte with a padding character, leaving the string incorrectly null-terminated. As a result, remote attackers could exploit this vulnerability by crafting specific datasets that cause the application to read beyond the intended memory boundaries, potentially leading to application crashes or other undefined behavior.

Impact

Exploitation of this vulnerability causes memory corruption, which can disrupt normal application operation and potentially be exploited to execute arbitrary code.

Reproduction

To reproduce this vulnerability, create a DICOM dataset that includes an illegal odd-length attribute with a text VR. When this dataset is read by the application, the DcmByteString::makeDicomByteString function will be invoked. Due to the odd-length attribute, the string value will not be properly null-terminated. If the application then processes this string using standard C string functions, such as strlen() or strcpy(), it will inadvertently read past the end of the string, leading to a segmentation fault.
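
A simplified model of the flaw described above, added here as an illustration: it is not DCMTK source code, and text_value, load_value, pad_flawed, pad_hardened and is_terminated are hypothetical names. It assumes the value buffer is sized for exactly the received length plus a terminator, and shows the flawed padding beside a hardened form and a bounded termination check.

```c
#include <stdlib.h>
#include <string.h>

/* Simplified model, not DCMTK source: a text value in a heap buffer of
 * `cap` bytes, of which `len` are value bytes. All names are hypothetical. */
typedef struct { char *buf; size_t len; size_t cap; } text_value;

/* Assumed loader: buffer sized for exactly n value bytes plus a terminator. */
static text_value load_value(const char *raw, size_t n) {
    text_value v = { malloc(n + 1), n, n + 1 };
    if (v.buf == NULL) abort();
    memcpy(v.buf, raw, n);
    v.buf[n] = '\0';
    return v;
}

/* Flawed padding: for an odd len the pad byte lands on the terminator
 * and nothing re-terminates the string. */
static void pad_flawed(text_value *v) {
    if (v->len % 2 != 0)
        v->buf[v->len++] = ' ';
}

/* Hardened padding: grow first so pad byte and terminator both fit. */
static int pad_hardened(text_value *v) {
    if (v->len % 2 != 0) {
        char *p = realloc(v->buf, v->len + 2);
        if (p == NULL) return -1;
        v->buf = p;
        v->cap = v->len + 2;
        v->buf[v->len++] = ' ';
        v->buf[v->len] = '\0';
    }
    return 0;
}

/* Bounded check a consumer can run instead of trusting strlen(). */
static int is_terminated(const text_value *v) {
    return memchr(v->buf, '\0', v->cap) != NULL;
}

/* Returns 1 when the flawed path loses the terminator and the hardened keeps it. */
static int demo(void) {
    const char raw[] = { 'D', 'O', 'E', '^', 'J' }; /* constructed odd-length value */
    text_value a = load_value(raw, sizeof raw), b = load_value(raw, sizeof raw);
    pad_flawed(&a);
    int ok = !is_terminated(&a) && pad_hardened(&b) == 0 && strlen(b.buf) == 6;
    free(a.buf); free(b.buf);
    return ok;
}
int main(void) { return demo() ? 0 : 1; }
```

The flawed path never writes outside its allocation; the damage appears later, when a consumer calls strlen() or strcpy() on a buffer that no longer contains a terminator.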

Remediation

Users are advised to upgrade OFFIS DCMTK to version 3.7.0, which addresses this vulnerability. The patch is available on the DCMTK GitHub repository.

Added: Dec 13, 2025, 4:41 PM
Updated: Dec 13, 2025, 4:41 PM

Vulnerability Rating

Custom Algorithm
spread: 2.6
impact: 2.5
exploitability: 6.2
remediation: 7.7
relevance: 1.5
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.