CVE-2025-25475

commit bffa3e9116abb7038b432443f16b1bd390e80245
Author: Marco Eichelberg <eichelberg@offis.de>
Date:   Thu Jan 23 15:51:21 2025 +0100

    Fixed issue with invalid RLE compressed DICOM images.

    Fixed issue when processing an RLE compressed image where the RLE header
    contains an invalid stripe size.

    Thanks to Ding zhengzheng <xiaozheng.ding399@gmail.com> for the report
    and the sample file (PoC).

Gbp-Pq: Name 0009-CVE-2025-25475.patch

diff --git a/dcmdata/libsrc/dcrleccd.cc b/dcmdata/libsrc/dcrleccd.cc
index fd01b63ba22704ece0d1228c238ca1b8220bca78..e45ef0c1d00ff1ac2a6a97af4aba443021aa867e 100644 (file)
--- a/dcmdata/libsrc/dcrleccd.cc
+++ b/dcmdata/libsrc/dcrleccd.cc
@@ -1,6 +1,6 @@
 /*
  *
- *  Copyright (C) 2002-2024, OFFIS e.V.
+ *  Copyright (C) 2002-2025, OFFIS e.V.
  *  All rights reserved.  See COPYRIGHT file for details.
  *
  *  This software and supporting documentation were developed by
@@ -348,6 +348,12 @@ OFCondition DcmRLECodecDecoder::decode(
                     } /* while */
 
                     // last fragment for this RLE stripe
+                    if (inputBytes + byteOffset > fragmentLength)
+                    {
+                        DCMDATA_ERROR("stream size in RLE header is wrong");
+                        inputBytes = fragmentLength-byteOffset;
+                    }
+
                     result = rledecoder.decompress(rleData + byteOffset, OFstatic_cast(size_t, inputBytes));
 
                     // special handling for zero pad byte at the end of the RLE stream