0010-CVE-2025-25474.patch: new: fix CVE-2025-25474.
author Étienne Mollier <emollier@debian.org>
Wed, 19 Feb 2025 20:54:45 +0000 (21:54 +0100)
committer Étienne Mollier <emollier@debian.org>
Wed, 19 Feb 2025 20:54:45 +0000 (21:54 +0100)
Closes: #1098374
debian/patches/0010-CVE-2025-25474.patch [new file with mode: 0644]
debian/patches/series

diff --git a/debian/patches/0010-CVE-2025-25474.patch b/debian/patches/0010-CVE-2025-25474.patch
new file mode 100644 (file)
index 0000000..b58b520
--- /dev/null
@@ -0,0 +1,34 @@
+commit 1d205bcd307164c99e0d4bbf412110372658d847
+Author: Joerg Riesmeier <dicom@jriesmeier.com>
+Date:   Tue Jan 21 11:12:28 2025 +0100
+
+    Fixed another issue with invalid DICOM images.
+    
+    Fixed issue when processing an invalid DICOM image where the number of
+    pixels stored does not match the expected number of pixels (too less)
+    and the combination of BitsAllocated and BitsStored is really unusual
+    (e.g. 1 bit stored, but 52 bits allocated). In cases where the last
+    pixel (e.g. a single bit) does not fit into the buffer of the input
+    pixel data, a buffer overflow occurred on the heap. Now, the last entry
+    of the buffer is filled with the smallest possible value (e.g. 0 in case
+    of unsigned data).
+    
+    Thanks to Ding zhengzheng <xiaozheng.ding399@gmail.com> for the report
+    and the sample file (PoC).
+
+--- dcmtk.orig/dcmimgle/include/dcmtk/dcmimgle/diinpxt.h
++++ dcmtk/dcmimgle/include/dcmtk/dcmimgle/diinpxt.h
+@@ -643,6 +643,13 @@
+                             skip -= times * bitsof_T1;
+                         }
+                     }
++                    /* fill the remaining entry (if any) with the smallest value that is possible */
++                    if (q < Data + Count)
++                    {
++                        DCMIMGLE_TRACE("not enough data, filling last entry of input buffer with value = " << getAbsMinimum());
++                        *q = OFstatic_cast(T2, getAbsMinimum());
++                    }
++
+                 }
+             } else
+                 DCMIMGLE_DEBUG("cannot allocate memory buffer for 'Data' in DiInputPixelTemplate::convert()");
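Review bot: The guard `if (q < Data + Count)` in the embedded diinpxt.h hunk is true whenever any number of entries is still unwritten, yet the body stores to `*q` only once, so if the loop above can stop with `q` more than one element short of `Data + Count`, the remaining entries are left unset. Either document next to the new comment (or assert) that at most one entry can remain at this point, or fill through the end of the buffer, for example `while (q < Data + Count) *q++ = OFstatic_cast(T2, getAbsMinimum());`. Separately, the patch file opens with the raw upstream commit header only; adding DEP-3 fields (an `Origin:` line naming upstream commit 1d205bcd307164c99e0d4bbf412110372658d847 and a `Bug-Debian:` line for #1098374) would record its provenance in the form Debian tooling reads.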
index 4f2b824393b2426357ee5f7f79ec77975d5c014c..23203a973973b1beddb32b58d348a775e0152be1 100644 (file)
@@ -5,3 +5,4 @@ remove_version.patch
 0007-CVE-2024-47796.patch
 0008-CVE-2024-52333.patch
 0009-CVE-2025-25475.patch
+0010-CVE-2025-25474.patch