From 97c391e2b9cbb746a8ae719056e7fe09f3706936 Mon Sep 17 00:00:00 2001
From: Debian Med Packaging Team
Date: Wed, 19 Feb 2025 22:30:57 +0100
Subject: [PATCH] CVE-2025-25475

commit bffa3e9116abb7038b432443f16b1bd390e80245
Author: Marco Eichelberg
Date: Thu Jan 23 15:51:21 2025 +0100

Fixed issue with invalid RLE compressed DICOM images.

Fixed issue when processing an RLE compressed image where the RLE header contains an invalid stripe size.

Thanks to Ding zhengzheng for the report and the sample file (PoC).

Gbp-Pq: Name 0009-CVE-2025-25475.patch
---
 dcmdata/libsrc/dcrleccd.cc | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/dcmdata/libsrc/dcrleccd.cc b/dcmdata/libsrc/dcrleccd.cc
index fd01b63b..e45ef0c1 100644
--- a/dcmdata/libsrc/dcrleccd.cc
+++ b/dcmdata/libsrc/dcrleccd.cc
@@ -1,6 +1,6 @@
 /*
 *
- * Copyright (C) 2002-2024, OFFIS e.V.
+ * Copyright (C) 2002-2025, OFFIS e.V.
 * All rights reserved. See COPYRIGHT file for details.
 *
 * This software and supporting documentation were developed by
@@ -348,6 +348,12 @@ OFCondition DcmRLECodecDecoder::decode(
 } /* while */
 
 // last fragment for this RLE stripe
+ if (inputBytes + byteOffset > fragmentLength)
+ {
+ DCMDATA_ERROR("stream size in RLE header is wrong");
+ inputBytes = fragmentLength-byteOffset;
+ }
+
 result = rledecoder.decompress(rleData + byteOffset, OFstatic_cast(size_t, inputBytes));
 
 // special handling for zero pad byte at the end of the RLE stream
-- 
2.30.2
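Review bot: The new guard in the second hunk (`@@ -348,6 +348,12 @@`) is written as a sum, `inputBytes + byteOffset > fragmentLength`, and the clamp as `fragmentLength-byteOffset`, so neither is safe if the operands are fixed-width unsigned integers, which the `OFstatic_cast(size_t, inputBytes)` on the next line suggests but the hunk does not show. In that case the addition can wrap for a large header value and skip the check, and the subtraction yields a huge length whenever `byteOffset` already exceeds `fragmentLength`. Both offsets come from the RLE header of an untrusted file, so the comparison is safer in subtraction form with the offset checked first: `if (byteOffset > fragmentLength || inputBytes > fragmentLength - byteOffset)`. When `byteOffset` itself is out of range, the branch should set `inputBytes = 0` or fail the decode with an error condition rather than compute the difference. The declarations of these variables and the rest of `DcmRLECodecDecoder::decode` lie outside the hunk, so the types should be confirmed there.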