Bug - Double free on `dcm_dataset_insert` · Issue #82 · ImagingDataCommons/libdicom

We discussed this vulnerability during Episode 244 on 20 February 2024

A common pattern behind double frees (and related bugs) is incorrect lifetime management along error paths. Often this surfaces as a use-after-free; in this case it is a double free. The parse_meta_element_create function creates an element object for what was just parsed and then tries to insert it into the relevant dataset with dcm_dataset_insert. That is reasonable, and the code checks whether dcm_dataset_insert succeeded; if it did not, it destroys (frees) the newly created element, believing it still owns that pointer because the insertion did not complete.

However, dcm_dataset_insert also believes it owns that pointer. The insertion function first checks whether the dataset already contains an element with the same tag; if so, it returns failure, but not before destroying the element. So along this error path the insert frees the element and then the caller frees the same element, each believing it holds ownership.
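The ownership mix-up above, as an added example that is not libdicom's code: the element and dataset types, the insert functions and the caller below are a simplified hypothetical model of the pattern the issue describes, not the project's real API. The buggy insert destroys the element on its duplicate-tag error path and still returns failure, so the caller, following the same logic as parse_meta_element_create, frees it a second time. The fixed insert leaves the element untouched on failure, so ownership stays with the caller until the function returns success. A small quarantine inside element_destroy lets the demo count the second free of a dead pointer and survive it; under a real allocator (or ASan) that same call is the crash.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified element/dataset types: a model of the ownership
 * pattern described in the issue, NOT libdicom's real structures or API. */
#define MAX_ELEMENTS 8
#define QUARANTINE   64

typedef struct { uint32_t tag; char *value; } Element;
typedef struct { Element *elements[MAX_ELEMENTS]; size_t count; } Dataset;

/* Tiny quarantine: lets the demo detect a second destroy of the same pointer
 * and survive it rather than corrupt the heap (ASan would abort instead). */
static void *freed_ptrs[QUARANTINE];
static size_t freed_count;
static int double_frees_detected;

static Element *element_create(uint32_t tag, const char *value) {
    Element *e = malloc(sizeof *e);
    if (!e) return NULL;
    size_t n = strlen(value) + 1;
    if (!(e->value = malloc(n))) { free(e); return NULL; }
    memcpy(e->value, value, n);
    e->tag = tag;
    for (size_t i = 0; i < freed_count; i++)   /* malloc may reuse an address */
        if (freed_ptrs[i] == e) freed_ptrs[i] = NULL;
    return e;
}

static void element_destroy(Element *e) {
    if (!e) return;
    for (size_t i = 0; i < freed_count; i++)
        if (freed_ptrs[i] == e) { double_frees_detected++; return; } /* already dead */
    if (freed_count < QUARANTINE) freed_ptrs[freed_count++] = e;
    free(e->value);
    free(e);
}

static bool dataset_contains(const Dataset *ds, uint32_t tag) {
    for (size_t i = 0; i < ds->count; i++)
        if (ds->elements[i]->tag == tag) return true;
    return false;
}

/* Buggy insert, modelled on the report: on the duplicate-tag error path it
 * destroys e AND returns false, so the caller still believes it owns e. */
static bool dataset_insert_buggy(Dataset *ds, Element *e) {
    if (ds->count == MAX_ELEMENTS || dataset_contains(ds, e->tag)) {
        element_destroy(e);
        return false;
    }
    ds->elements[ds->count++] = e;
    return true;
}

/* Fixed insert: on failure e is left untouched and stays with the caller;
 * ownership moves to the dataset only when true is returned. */
static bool dataset_insert_fixed(Dataset *ds, Element *e) {
    if (ds->count == MAX_ELEMENTS || dataset_contains(ds, e->tag)) return false;
    ds->elements[ds->count++] = e;
    return true;
}

static void dataset_destroy(Dataset *ds) {
    for (size_t i = 0; i < ds->count; i++) element_destroy(ds->elements[i]);
}

/* Caller written the way parse_meta_element_create is described: create the
 * element, try to insert it, destroy it if the insert reports failure. */
static bool parse_element_into(Dataset *ds, uint32_t tag, const char *value,
                               bool (*insert)(Dataset *, Element *)) {
    Element *e = element_create(tag, value);
    if (!e) return false;
    if (!insert(ds, e)) {
        element_destroy(e);   /* safe only if insert did not already free e */
        return false;
    }
    return true;
}

/* Pushes two elements with the same tag (constructed input: (0002,0010)
 * Transfer Syntax UID) through one insert variant; returns double frees seen. */
static int run_duplicate_tag_scenario(bool (*insert)(Dataset *, Element *)) {
    Dataset ds = { {0}, 0 };
    freed_count = 0;
    double_frees_detected = 0;
    parse_element_into(&ds, 0x00020010u, "1.2.840.10008.1.2.1", insert);
    parse_element_into(&ds, 0x00020010u, "1.2.840.10008.1.2", insert); /* dup */
    dataset_destroy(&ds);
    return double_frees_detected;
}

int main(void) {
    printf("buggy insert: %d double free(s)\n", run_duplicate_tag_scenario(dataset_insert_buggy));
    printf("fixed insert: %d double free(s)\n", run_duplicate_tag_scenario(dataset_insert_fixed));
    return 0;
}
```

The rule that the fixed variant follows is the one worth auditing for in any C API that accepts a heap object: a function that takes ownership must do so on every path, or on none; if it frees the argument only on some failure paths, every caller written with the natural "I still own it if the call failed" assumption becomes a double free. Building and running the block under `-fsanitize=address` with the quarantine removed reproduces the crash directly.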