From 5c704a1944cb0ce9d8ef563d6c0b37ebf02fab0b Mon Sep 17 00:00:00 2001
From: dirk <dirk@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74>
Date: Sat, 25 Oct 2014 12:30:45 +0000
Subject: [PATCH] Fix last value in dicom_info and added missing != NULL check.

Fix a buffer overflow in dcm reader by checking the dcm file.
This problem was discovered by fuzzing some dcm file.

This is fix for the dcm format for TEMP-0000000-77B6EF aka CVE-2014-8562.

forwarded: yes
Bug-debian: http://bugs.debian.org/767240
Applied-Upstream: 6.8.9.9
git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@16794 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
---
 coders/dcm.c | 23 +++++++++++++----------
 1 file changed, 13 insertions(+), 10 deletions(-)

diff --git a/coders/dcm.c b/coders/dcm.c
index 450cdbe..5c1cde7 100644
--- a/coders/dcm.c
+++ b/coders/dcm.c
@@ -2608,7 +2608,7 @@ static const DicomInfo
     { 0xfffe, 0xe000, "!!", "Item" },
     { 0xfffe, 0xe00d, "!!", "Item Delimitation Item" },
     { 0xfffe, 0xe0dd, "!!", "Sequence Delimitation Item" },
-    { 0xffff, 0xffff, "xs", "" }
+    { 0xffff, 0xffff, "xs", (char *) NULL }
   };
 
 /*
@@ -3342,17 +3342,20 @@ static Image *ReadDCMImage(const ImageInfo *image_info,ExceptionInfo *exception)
           if ((group == (long) dicom_info[i].group) &&
               (element == (long) dicom_info[i].element))
             break;
-        attribute=AcquireString("dcm:");
-        (void) ConcatenateString(&attribute,dicom_info[i].description);
-        for (i=0; i < (long) MagickMax(length,4); i++)
-          if (isprint((int) data[i]) == MagickFalse)
-            break;
-        if ((i == (long) length) || (length > 4))
+        if (dicom_info[i].description != (char *) NULL)
           {
-            (void) SubstituteString(&attribute," ","");
-            (void) SetImageProperty(image,attribute,(char *) data);
+            attribute=AcquireString("dcm:");
+            (void) ConcatenateString(&attribute,dicom_info[i].description);
+            for (i=0; i < (ssize_t) MagickMax(length,4); i++)
+              if (isprint((int) data[i]) == MagickFalse)
+                break;
+            if ((i == (ssize_t) length) || (length > 4))
+              {
+                (void) SubstituteString(&attribute," ","");
+                (void) SetImageProperty(image,attribute,(char *) data);
+              }
+            attribute=DestroyString(attribute);
           }
-        attribute=DestroyString(attribute);
         data=(unsigned char *) RelinquishMagickMemory(data);
       }
     if (image_info->verbose != MagickFalse)
-- 
2.1.4