This description is extracted from https://talosintelligence.com/vulnerability_reports/TALOS-2025-2214
126. class RLEHeader
127. {
128. public:
129.     uint32_t NumSegments;
130.     uint32_t Offset[15];
131.
132.     void Print(std::ostream &os)
133.     {
134.         os << "NumSegments:" << NumSegments << "\n";
135.         for(int i=0; i<15; ++i)
136.         {
137.             os << i << ":" << Offset[i] << "\n";
138.         }
139.     }
140. };
We can observe that Offset is a fixed-size array of uint32_t with a length of 15. If the NumSegments variable, sourced from frame.Header.NumSegments at LINE 11, is set to a value larger than the maximum number of entries in the Offset array (LINE 130), this leads to an out-of-bounds access and causes the crash. A malformed DICOM file can manipulate the value of NumSegments to control the behavior of the for-loop, potentially resulting in the exposure of sensitive information.
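One way to close this gap is to reject the header before any loop trusts NumSegments. The following is an added example, not code from the advisory or the affected project: ReadRLEHeader, SegmentOffsets, MakeFrame and kMaxSegments are hypothetical names, and the header is assumed to be read on a little-endian host.

```cpp
#include <cstdint>
#include <cstring>
#include <iostream>
#include <vector>

// Same layout as the RLEHeader class above: 16 x uint32_t = 64 bytes.
struct RLEHeader {
    uint32_t NumSegments;
    uint32_t Offset[15];
};
constexpr uint32_t kMaxSegments = sizeof(RLEHeader::Offset) / sizeof(uint32_t);

// Hypothetical helper: copy the header out of untrusted bytes and reject
// any NumSegments that would index past Offset[14].
bool ReadRLEHeader(const std::vector<uint8_t> &buf, RLEHeader &out) {
    if (buf.size() < sizeof(RLEHeader)) return false;   // truncated header
    std::memcpy(&out, buf.data(), sizeof(RLEHeader));   // host byte order (assumed LE)
    return out.NumSegments <= kMaxSegments;             // the missing bound check
}

// Hypothetical helper: walk the offsets only after validation, and require
// each one to point past the header and inside the frame buffer.
bool SegmentOffsets(const std::vector<uint8_t> &buf, std::vector<uint32_t> &offs) {
    RLEHeader h;
    if (!ReadRLEHeader(buf, h)) return false;
    offs.clear();
    for (uint32_t i = 0; i < h.NumSegments; ++i) {
        if (h.Offset[i] < sizeof(RLEHeader) || h.Offset[i] >= buf.size()) return false;
        offs.push_back(h.Offset[i]);
    }
    return true;
}

// Constructed sample input: a 128-byte frame whose header claims n segments.
std::vector<uint8_t> MakeFrame(uint32_t n) {
    std::vector<uint8_t> buf(128, 0);
    RLEHeader h{};
    h.NumSegments = n;
    for (uint32_t i = 0; i < kMaxSegments; ++i) h.Offset[i] = 64 + i;
    std::memcpy(buf.data(), &h, sizeof h);
    return buf;
}

int main() {
    std::vector<uint32_t> offs;
    std::cout << SegmentOffsets(MakeFrame(3), offs) << "\n";   // 1
    std::cout << SegmentOffsets(MakeFrame(16), offs) << "\n";  // 0
}
```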