Grassroot DICOM Out-of-Bounds Read Vulnerability in RLECodec

Vulnerability

An out-of-bounds read vulnerability has been identified in Grassroot DICOM version 3.024, specifically within the RLECodec::DecodeByStreams function. It arises from improper size checks: a specially crafted DICOM file can cause the decoder to read beyond the end of its source buffer and leak heap data. The function fails to verify that its memory accesses stay within the bounds of the source buffer, which can expose sensitive information.

Impact

Exploitation of this vulnerability causes a segmentation fault, indicating a crash due to invalid memory access. However, the out-of-bounds read could be leveraged to read sensitive heap data, which may include private information or could be used in conjunction with other vulnerabilities to execute arbitrary code.

Reproduction

The vulnerability can be reproduced with a DICOM file whose RLE frame header carries a manipulated 'NumSegments' value. When that value exceeds the expected segment count, the RLECodec::DecodeByStreams function reads memory beyond the source buffer, ultimately leading to a crash and potential leakage of heap data.
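The check that is missing here is a bounds validation of the RLE frame header before any segment is decoded. The following is an added illustration written for this advisory, not GDCM's own code; it assumes the DICOM RLE frame header layout of 16 little-endian uint32 words (segment count first, at most 15 segments, then segment offsets) and rejects a frame whose NumSegments or offsets would drive reads outside the buffer. The sample frame and the helper names are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Assumed DICOM RLE frame header: 16 little-endian uint32 words (64 bytes).
 * Word 0 = segment count (at most 15); words 1..15 = segment byte offsets. */
#define RLE_HEADER_BYTES 64
#define RLE_MAX_SEGMENTS 15
enum rle_status { RLE_OK = 0, RLE_ERR_SHORT_FRAME, RLE_ERR_SEGMENT_COUNT,
                  RLE_ERR_OFFSET_RANGE, RLE_ERR_OFFSET_ORDER };
struct rle_header {
    uint32_t num_segments;
    uint32_t offset[RLE_MAX_SEGMENTS]; /* validated to lie inside the frame */
};
static uint32_t read_u32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Validate every header field that later drives a memory access before any
 * segment is decoded, so NumSegments alone can never push reads past the
 * source buffer. Segment i spans offset[i] .. offset[i+1] (or frame_len). */
enum rle_status parse_rle_header(const uint8_t *frame, size_t frame_len,
                                 struct rle_header *out) {
    if (frame_len < RLE_HEADER_BYTES) return RLE_ERR_SHORT_FRAME;
    memset(out, 0, sizeof *out);
    out->num_segments = read_u32le(frame);
    if (out->num_segments == 0 || out->num_segments > RLE_MAX_SEGMENTS)
        return RLE_ERR_SEGMENT_COUNT; /* would index past offset[] and the buffer */
    for (uint32_t i = 0; i < out->num_segments; i++) {
        uint32_t off = read_u32le(frame + 4 * (i + 1));
        if (off < RLE_HEADER_BYTES || off >= frame_len) return RLE_ERR_OFFSET_RANGE;
        if (i > 0 && off <= out->offset[i - 1]) return RLE_ERR_OFFSET_ORDER;
        out->offset[i] = off;
    }
    return RLE_OK;
}

/* Constructed 128-byte sample frame with two segments expected at offsets 64
 * and 96; the caller chooses the segment count and the second offset. */
enum rle_status check_constructed_frame(uint32_t num_segments, uint32_t second_offset) {
    uint8_t frame[128] = {0};
    struct rle_header hdr;
    for (int b = 0; b < 4; b++) {
        frame[b]     = (uint8_t)(num_segments  >> (8 * b));
        frame[8 + b] = (uint8_t)(second_offset >> (8 * b));
    }
    frame[4] = RLE_HEADER_BYTES; /* first segment starts right after the header */
    return parse_rle_header(frame, sizeof frame, &hdr);
}
```

A decoder that only proceeds on RLE_OK, and bounds each segment by the next validated offset or the frame length, cannot be steered past the source buffer by the header alone.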

Added: Dec 16, 2025, 10:20 PM
Updated: Dec 16, 2025, 11:19 PM

Vulnerability Rating

Custom Algorithm
spread: 2.4
impact: 0.6
exploitability: 6.0
remediation: 0.0
relevance: 1.4
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.