0011-CVE-2025-25472.patch: new: fix CVE-2025-25472.

diff --git a/debian/patches/0011-CVE-2025-25472.patch b/debian/patches/0011-CVE-2025-25472.patch
new file mode 100644 (file)
index 0000000..90d710a
--- /dev/null
+++ b/debian/patches/0011-CVE-2025-25472.patch
@@ -0,0 +1,49 @@
+commit 410ffe2019b9db6a8f4036daac742a6f5e4d36c2
+Author: Joerg Riesmeier <dicom@jriesmeier.com>
+Date:   Fri Jan 17 17:53:50 2025 +0100
+
+    Fixed another issue with invalid mono images.
+    
+    Fixed issue when rendering an invalid monochrome DICOM image where the
+    number of pixels stored does not match the expected number of pixels.
+    In this case, only a single pixel is processed, but the pixel matrix is
+    much larger. Filling the rest of the pixel matrix with the smallest
+    possible value for the image is not working because of an optimized
+    memory usage (value would be out of range). Now, the pixel value to be
+    used is double-checked before it is actually filled into the "background"
+    of the image.
+    
+    Thanks to Ding zhengzheng <xiaozheng.ding399@gmail.com> for the report
+    and the sample file (PoC).
+
+diff --git a/dcmimgle/include/dcmtk/dcmimgle/dimoipxt.h b/dcmimgle/include/dcmtk/dcmimgle/dimoipxt.h
+index 50389a540..f67967310 100644
+--- a/dcmimgle/include/dcmtk/dcmimgle/dimoipxt.h
++++ b/dcmimgle/include/dcmtk/dcmimgle/dimoipxt.h
+@@ -28,6 +28,7 @@
+ #include "dcmtk/ofstd/ofbmanip.h"
+ #include "dcmtk/ofstd/ofcast.h"
+ #include "dcmtk/ofstd/ofdiag.h"      /* for DCMTK_DIAGNOSTIC macros */
++#include "dcmtk/ofstd/oflimits.h"    /* for OFnumeric_limits<> */
+ 
+ #include "dcmtk/dcmimgle/dimopxt.h"
+ #include "dcmtk/dcmimgle/diinpx.h"
+@@ -72,9 +73,16 @@ class DiMonoInputPixelTemplate
+                 rescale(pixel);                     // "copy" or reference pixel data
+                 this->determineMinMax(OFstatic_cast(T3, this->Modality->getMinValue()), OFstatic_cast(T3, this->Modality->getMaxValue()));
+             }
+-            /* erase empty part of the buffer (= fill the background with the smallest possible value) */
++            /* erase empty part of the buffer */
+             if ((this->Data != NULL) && (this->InputCount < this->Count))
+-                OFBitmanipTemplate<T3>::setMem(this->Data + this->InputCount, OFstatic_cast(T3, this->Modality->getAbsMinimum()), this->Count - this->InputCount);
++            {
++                /* that means, fill the background with the smallest value that is possible */
++                const T3 minOut = OFnumeric_limits<T3>::min();
++                const T3 background = (this->Modality->getAbsMinimum() < OFstatic_cast(double, minOut)) ? minOut : OFstatic_cast(T3, this->Modality->getAbsMinimum());
++                const size_t count = (this->Count - this->InputCount);
++                DCMIMGLE_DEBUG("filing empty part of the intermediate pixel data (" << count << " pixels) with value = " << OFstatic_cast(double, background));
++                OFBitmanipTemplate<T3>::setMem(this->Data + this->InputCount, background, count);
++            }
+         }
+     }
+ 

diff --git a/debian/patches/series b/debian/patches/series
index 23203a973973b1beddb32b58d348a775e0152be1..c7d4926a45683129ad5342f761fe63a7648a91d4 100644 (file)
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -6,3 +6,4 @@ remove_version.patch
 0008-CVE-2024-52333.patch
 0009-CVE-2025-25475.patch
 0010-CVE-2025-25474.patch
+0011-CVE-2025-25472.patch