CVE-2025-25474

commit 1d205bcd307164c99e0d4bbf412110372658d847
Author: Joerg Riesmeier <dicom@jriesmeier.com>
Date:   Tue Jan 21 11:12:28 2025 +0100

    Fixed another issue with invalid DICOM images.

    Fixed issue when processing an invalid DICOM image where the number of
    pixels stored does not match the expected number of pixels (too less)
    and the combination of BitsAllocated and BitsStored is really unusual
    (e.g. 1 bit stored, but 52 bits allocated). In cases where the last
    pixel (e.g. a single bit) does not fit into the buffer of the input
    pixel data, a buffer overflow occurred on the heap. Now, the last entry
    of the buffer is filled with the smallest possible value (e.g. 0 in case
    of unsigned data).

    Thanks to Ding zhengzheng <xiaozheng.ding399@gmail.com> for the report
    and the sample file (PoC).

Gbp-Pq: Name 0010-CVE-2025-25474.patch

diff --git a/dcmimgle/include/dcmtk/dcmimgle/diinpxt.h b/dcmimgle/include/dcmtk/dcmimgle/diinpxt.h
index 6a37c2d7fefcf0e3a1193adc60a777417b38655a..420e73cb88d71bfe1f201672d7cf5cbfd4bc2f5c 100644 (file)
--- a/dcmimgle/include/dcmtk/dcmimgle/diinpxt.h
+++ b/dcmimgle/include/dcmtk/dcmimgle/diinpxt.h
@@ -643,6 +643,13 @@ class DiInputPixelTemplate
                             skip -= times * bitsof_T1;
                         }
                     }
+                    /* fill the remaining entry (if any) with the smallest value that is possible */
+                    if (q < Data + Count)
+                    {
+                        DCMIMGLE_TRACE("not enough data, filling last entry of input buffer with value = " << getAbsMinimum());
+                        *q = OFstatic_cast(T2, getAbsMinimum());
+                    }
+
                 }
             } else
                 DCMIMGLE_DEBUG("cannot allocate memory buffer for 'Data' in DiInputPixelTemplate::convert()");