File: 0009-CVE-2025-25475.patch

Package: dcmtk 3.6.9-6 (area: main; in suites: forky, sid)
commit bffa3e9116abb7038b432443f16b1bd390e80245
Author: Marco Eichelberg <eichelberg@offis.de>
Date:   Thu Jan 23 15:51:21 2025 +0100

    Fixed issue with invalid RLE compressed DICOM images.
    
    Fixed issue when processing an RLE compressed image where the RLE header
    contains an invalid stripe size.
    
    Thanks to Ding zhengzheng <xiaozheng.ding399@gmail.com> for the report
    and the sample file (PoC).

--- dcmtk.orig/dcmdata/libsrc/dcrleccd.cc
+++ dcmtk/dcmdata/libsrc/dcrleccd.cc
@@ -1,6 +1,6 @@
 /*
  *
- *  Copyright (C) 2002-2024, OFFIS e.V.
+ *  Copyright (C) 2002-2025, OFFIS e.V.
  *  All rights reserved.  See COPYRIGHT file for details.
  *
  *  This software and supporting documentation were developed by
@@ -348,6 +348,12 @@
                     } /* while */
 
                     // last fragment for this RLE stripe
+                    if (inputBytes + byteOffset > fragmentLength)
+                    {
+                        DCMDATA_ERROR("stream size in RLE header is wrong");
+                        inputBytes = fragmentLength-byteOffset;
+                    }
+
                     result = rledecoder.decompress(rleData + byteOffset, OFstatic_cast(size_t, inputBytes));
 
                     // special handling for zero pad byte at the end of the RLE stream
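Review bot: The clamp `inputBytes = fragmentLength-byteOffset;` is only safe if byteOffset is known to be no larger than fragmentLength, and nothing in this hunk shows that. If no earlier check guarantees it, the subtraction goes negative or wraps, and the following `OFstatic_cast(size_t, inputBytes)` hands rledecoder.decompress() a length that extends far past the fragment. Consider testing `byteOffset > fragmentLength` first and failing the decode in that case, then writing the comparison as `inputBytes > fragmentLength - byteOffset` so that the addition in the condition cannot overflow either. Two smaller points: the log text says "stream size" while the commit message speaks of the stripe size, and the code logs at error level yet carries on decoding with the truncated length, so either a warning level or setting result to an error condition would make the intended behaviour explicit.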