{"id":27138230,"url":"https://github.com/r1b/dicom-fuzz","last_synced_at":"2026-02-08T11:35:05.912Z","repository":{"id":76002886,"uuid":"222339343","full_name":"r1b/dicom-fuzz","owner":"r1b","description":"Fuzzing the DICOM format \u0026 network protocol","archived":false,"fork":false,"pushed_at":"2019-11-20T07:01:24.000Z","size":7,"stargazers_count":4,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-06-10T19:25:23.453Z","etag":null,"topics":["afl-fuzz","dcmtk","dicom","research","security-audit"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/r1b.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2019-11-18T01:32:46.000Z","updated_at":"2024-03-03T11:29:31.000Z","dependencies_parsed_at":"2023-07-03T21:26:25.776Z","dependency_job_id":null,"html_url":"https://github.com/r1b/dicom-fuzz","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/r1b/dicom-fuzz","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/r1b%2Fdicom-fuzz","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/r1b%2Fdicom-fuzz/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/r1b%2Fdicom-fuzz/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/r1b%2Fdicom-fuzz/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/r1b","download_url":"https://codeload.github.co
m/r1b/dicom-fuzz/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/r1b%2Fdicom-fuzz/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":267707148,"owners_count":24131337,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-07-29T02:00:12.549Z","response_time":2574,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["afl-fuzz","dcmtk","dicom","research","security-audit"],"created_at":"2025-04-08T04:46:01.967Z","updated_at":"2026-02-08T11:35:05.882Z","avatar_url":"https://github.com/r1b.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# dicom-fuzz\n\nFuzzing [DCMTK](https://dicom.offis.de/dcmtk.php.en) with [afl-fuzz](http://lcamtuf.coredump.cx/afl/).\n\nThe high level procedure is as follows:\n\n1. Select a target binary\n2. Select or generate a small set of testcases\n3. Run afl-fuzz for a day or so on $(($(nproc) - 1)) cores\n4. Run afl-cov\n5. Review coverage output for gaps\n6. Goto 2\n\n## File Format\n\nTargeting `dcmdump`.\n\n### Corpus\n\nI'm starting out with a small set of testcases from [go-dicom](https://github.com/grailbio/go-dicom/tree/master/examples). I plan to try out some files from [TCIA](https://www.cancerimagingarchive.net/). 
I also plan to write some tools to generate my own files that include particular Value Representations and encoding schemes (explicit and implicit VR, little and big endian), so that each VR's header layout - the 2-byte versus 4-byte length field in explicit VR, and the VR-less implicit form - is present in the corpus rather than left for the fuzzer to discover.\n\n### Method\n\n1. Remove `PixelData` and `OverlayData` tags. We don't care about how third-party libraries parse imaging data - we just want to hit the parser. This also significantly reduces the size of the testcases. `-nb` keeps `dcmodify` from leaving a `.bak` copy of each file next to the original, which would otherwise end up in the corpus as well.\n\n```bash\ndcmodify -nb -ea PixelData -ea OverlayData $INPUT_TESTCASES/*.dcm\n```\n\n2. Minimize\n\n```bash\nafl-cmin -i $INPUT_TESTCASES -o $OUTPUT_TESTCASES -- /usr/local/bin/dcmdump @@\n```\n\nThis step and the next both expect `/usr/local/bin/dcmdump` to be an afl-instrumented build of DCMTK (compiled with `afl-gcc`/`afl-g++` or `afl-clang-fast`): afl-cmin relies on the instrumentation (via afl-showmap) to tell which inputs add coverage, and afl-fuzz refuses to start on an uninstrumented binary unless given `-n`.\n\nTODO: Use `afl-tmin` to further reduce the size of the testcases.\n\n3. Fuzz\n\n```bash\nafl-fuzz -i $TESTCASES_DIR -o $FINDINGS_DIR -x dicom.dict /usr/local/bin/dcmdump @@\n```\n\n`dicom.dict` is included in this repository - it includes the definitions of all known Value Representations, so the fuzzer can splice valid VR tokens into element headers instead of having to guess them byte by byte. I could include a tag dictionary as well, but I'm not sure it would be all that useful.\n\n### Findings\n\no.O\n\n#### Infinite loop when parsing a malformed DICOMDIR\n\nStill triaging this one - there is some hardcoded autocorrection that causes DCMTK to repeatedly remove bytes from a Directory Record. It's not clear yet whether this has memory-safety implications; at minimum, an unbounded loop on attacker-controlled input is a denial-of-service concern for anything that parses files from untrusted sources.\n\n#### Suspicious hang when removing spaces from UI tags\n\n## Network Protocol\n\nTargeting several binaries - probably `storescp` and `storescu` to start.\n\nTBD - afl-fuzz delivers input through a file or stdin, so the network side needs a harness that feeds the fuzzer's bytes in place of the socket reads (or a persistent-mode wrapper around the PDU parser) rather than the stock binaries.\n\n## Using afl-cov\n\nMake a copy of the `dcmtk` sources and compile with profiling enabled. 
After the\n`project` entry in CMakeLists.txt add the following:\n\n```cmake\nset(CMAKE_C_FLAGS \"${CMAKE_C_FLAGS} -fprofile-arcs -ftest-coverage\")\nset(CMAKE_CXX_FLAGS \"${CMAKE_CXX_FLAGS} -fprofile-arcs -ftest-coverage\")\nset(CMAKE_EXE_LINKER_FLAGS \"${CMAKE_EXE_LINKER_FLAGS} -fprofile-arcs\")\n```\n\n`-ftest-coverage` is a compile-time option (it writes the `.gcno` notes files) and does nothing at link time; `-fprofile-arcs` is what pulls `libgcov` into the link. GCC's `--coverage` is shorthand for both flags when compiling and for `-lgcov` when linking. Keep this gcov build separate from the afl-instrumented binary used for fuzzing; afl-cov only replays the queue against it.\n\nRun afl-cov as follows (the coverage command is a single argument, so it has to be quoted to keep the `AFL_FILE` placeholder inside it):\n\n```bash\npython2 $AFL_COV_BIN -d $FINDINGS_DIR --code-dir $DCMTK_SRC --coverage-cmd \"$DCMTK_SRC/$BUILDDIR/bin/dcmdump AFL_FILE\" --lcov-web-all --overwrite\n```\n\nFIXME: This takes a very long time: afl-cov replays every queue entry serially and runs `lcov` after each one to attribute new coverage (`--coverage-at-exit` skips the per-entry runs if only the final totals matter). Multiprocessing support? Python 3?\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fr1b%2Fdicom-fuzz","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fr1b%2Fdicom-fuzz","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fr1b%2Fdicom-fuzz/lists"}
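The seed-generation tool that the Corpus section of the README only plans, and the VR dictionary the Fuzz step hands to afl-fuzz with `-x`, as one added example. This is code written for this page, not code from the r1b/dicom-fuzz repository or from DCMTK. The VR tables, the Part 10 layout (128-byte preamble, `DICM`, explicit-VR-LE group 2 header, then the dataset in the declared transfer syntax) and the transfer syntax UIDs follow the DICOM standard; the SOP instance and implementation UIDs, the patient values, the `seed_*.dcm` file names and the `dicom-generated.dict` output name are constructed placeholders. `walk_explicit_le` is a minimal reader used only to sanity-check the generated seeds.

```python
"""Seed and dictionary generator for fuzzing a DICOM parser with afl-fuzz: minimal Part 10
files under the three uncompressed transfer syntaxes, plus an AFL dictionary of VR tokens."""
import struct
from pathlib import Path

# Explicit-VR encodings that use a 2-byte reserved field and a 4-byte length field.
LONG_LENGTH_VRS = {"OB", "OD", "OF", "OL", "OV", "OW", "SQ", "SV", "UC", "UN", "UR", "UT", "UV"}
SHORT_LENGTH_VRS = {"AE", "AS", "AT", "CS", "DA", "DS", "DT", "FL", "FD", "IS", "LO",
                    "LT", "PN", "SH", "SL", "SS", "ST", "TM", "UI", "UL", "US"}
NUMERIC_FMT = {"US": "H", "SS": "h", "UL": "I", "SL": "i", "FL": "f", "FD": "d"}
EXPLICIT_LE = "1.2.840.10008.1.2.1"
IMPLICIT_LE = "1.2.840.10008.1.2"
EXPLICIT_BE = "1.2.840.10008.1.2.2"   # retired, but a distinct byte-swapping path in readers

def encode_element(group, elem, vr, value, explicit=True, little=True):
    """Encode one data element; numeric VRs are packed in the dataset's byte order."""
    end = "<" if little else ">"
    if vr in NUMERIC_FMT:
        value = struct.pack(end + NUMERIC_FMT[vr], value)
    elif vr == "AT":
        value = struct.pack(end + "HH", *value)
    elif vr != "SQ" and len(value) % 2:             # string values must be even-length
        value += b"\x00" if vr in ("UI", "OB", "UN") else b" "
    hdr = struct.pack(end + "HH", group, elem)
    if not explicit:                                # implicit VR: tag + 4-byte length
        return hdr + struct.pack(end + "I", len(value)) + value
    if vr in LONG_LENGTH_VRS:                       # tag + VR + reserved + 4-byte length
        return hdr + vr.encode() + b"\x00\x00" + struct.pack(end + "I", len(value)) + value
    return hdr + vr.encode() + struct.pack(end + "H", len(value)) + value

def encode_item(elements, little=True):
    """Wrap encoded elements in a defined-length sequence item (FFFE,E000)."""
    return struct.pack(("<" if little else ">") + "HHI", 0xFFFE, 0xE000, len(elements)) + elements

def file_meta(transfer_syntax):
    """128-byte preamble, 'DICM', then the group 2 header, which is always explicit VR LE."""
    body = b"".join([
        encode_element(0x0002, 0x0001, "OB", b"\x00\x01"),
        encode_element(0x0002, 0x0002, "UI", b"1.2.840.10008.5.1.4.1.1.7"),  # Secondary Capture
        encode_element(0x0002, 0x0003, "UI", b"1.2.3.4.5.6.7.8"),             # constructed instance UID
        encode_element(0x0002, 0x0010, "UI", transfer_syntax.encode("ascii")),
        encode_element(0x0002, 0x0012, "UI", b"1.2.3.4.5.6"),                 # constructed implementation UID
    ])
    return b"\x00" * 128 + b"DICM" + encode_element(0x0002, 0x0000, "UL", len(body)) + body

def build_dataset(transfer_syntax):
    """A small dataset covering string, numeric, AT and SQ VRs, in ascending tag order."""
    explicit, little = transfer_syntax != IMPLICIT_LE, transfer_syntax != EXPLICIT_BE
    enc = lambda g, e, vr, v: encode_element(g, e, vr, v, explicit, little)
    item = encode_item(enc(0x0008, 0x1150, "UI", b"1.2.840.10008.5.1.4.1.1.7")
                       + enc(0x0008, 0x1155, "UI", b"1.2.3.4.5.6.7.9"), little)
    return b"".join([
        enc(0x0008, 0x0016, "UI", b"1.2.840.10008.5.1.4.1.1.7"),
        enc(0x0008, 0x0018, "UI", b"1.2.3.4.5.6.7.8"),              # constructed instance UID
        enc(0x0008, 0x0020, "DA", b"20191118"),
        enc(0x0008, 0x0060, "CS", b"OT"),
        enc(0x0008, 0x1140, "SQ", item),                             # one defined-length item
        enc(0x0010, 0x0010, "PN", b"Fuzz^Seed"),                     # odd length: exercises the pad byte
        enc(0x0018, 0x0050, "DS", b"1.5"),
        enc(0x0020, 0x0013, "IS", b"1"),
        enc(0x0028, 0x0009, "AT", (0x0018, 0x1063)),                 # FrameIncrementPointer -> FrameTime
        enc(0x0028, 0x0010, "US", 1),                                # Rows
        enc(0x0028, 0x0011, "US", 1),                                # Columns
    ])

def walk_explicit_le(data):
    """Walk a top-level explicit-VR-LE dataset into [(tag, vr, value)]; a sanity check for seeds."""
    pos, out = 0, []
    while pos < len(data):
        tag = struct.unpack_from("<HH", data, pos)
        vr = data[pos + 4:pos + 6].decode("ascii")
        if vr in LONG_LENGTH_VRS:
            (length,), pos = struct.unpack_from("<I", data, pos + 8), pos + 12
        else:
            (length,), pos = struct.unpack_from("<H", data, pos + 6), pos + 8
        out.append((tag, vr, data[pos:pos + length]))
        pos += length
    return out

def afl_dictionary():
    """AFL dictionary text: every VR token plus the little-endian structural markers."""
    lines = [f'vr_{vr}="{vr}"' for vr in sorted(LONG_LENGTH_VRS | SHORT_LENGTH_VRS)]
    lines += ['magic="DICM"', 'item_start="\\xfe\\xff\\x00\\xe0"', 'item_end="\\xfe\\xff\\x0d\\xe0"',
              'seq_end="\\xfe\\xff\\xdd\\xe0"', 'undefined_length="\\xff\\xff\\xff\\xff"']
    return "\n".join(lines) + "\n"

def write_seeds(out_dir):
    """Write one seed per transfer syntax plus the dictionary; returns the seed paths."""
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    (out_dir / "dicom-generated.dict").write_text(afl_dictionary())
    paths = []
    for name, ts in {"explicit_le": EXPLICIT_LE, "implicit_le": IMPLICIT_LE, "explicit_be": EXPLICIT_BE}.items():
        paths.append(out_dir / f"seed_{name}.dcm")
        paths[-1].write_bytes(file_meta(ts) + build_dataset(ts))
    return paths

if __name__ == "__main__":
    for p in write_seeds("seeds"):
        print(p, p.stat().st_size, "bytes")
```

Point `afl-cmin -i` at the output directory and pass the generated dictionary with `-x`. The retired big-endian syntax is included on purpose: a reader that still accepts it has a separate byte-swapping code path for every numeric VR, which the little-endian seeds never reach. `PixelData` is omitted entirely, matching step 1 of the Method above.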