0009-CVE-2025-25475.patch: new: fix CVE-2025-25475.
author Étienne Mollier <emollier@debian.org>
Wed, 19 Feb 2025 20:54:09 +0000 (21:54 +0100)
committer Étienne Mollier <emollier@debian.org>
Wed, 19 Feb 2025 20:54:09 +0000 (21:54 +0100)
Closes: #1098373
debian/patches/0009-CVE-2025-25475.patch [new file with mode: 0644]
debian/patches/series

diff --git a/debian/patches/0009-CVE-2025-25475.patch b/debian/patches/0009-CVE-2025-25475.patch
new file mode 100644 (file)
index 0000000..8f2ff86
--- /dev/null
@@ -0,0 +1,35 @@
+commit bffa3e9116abb7038b432443f16b1bd390e80245
+Author: Marco Eichelberg <eichelberg@offis.de>
+Date:   Thu Jan 23 15:51:21 2025 +0100
+
+    Fixed issue with invalid RLE compressed DICOM images.
+    
+    Fixed issue when processing an RLE compressed image where the RLE header
+    contains an invalid stripe size.
+    
+    Thanks to Ding zhengzheng <xiaozheng.ding399@gmail.com> for the report
+    and the sample file (PoC).
+
+--- dcmtk.orig/dcmdata/libsrc/dcrleccd.cc
++++ dcmtk/dcmdata/libsrc/dcrleccd.cc
+@@ -1,6 +1,6 @@
+ /*
+  *
+- *  Copyright (C) 2002-2024, OFFIS e.V.
++ *  Copyright (C) 2002-2025, OFFIS e.V.
+  *  All rights reserved.  See COPYRIGHT file for details.
+  *
+  *  This software and supporting documentation were developed by
+@@ -348,6 +348,12 @@
+                     } /* while */
+                     // last fragment for this RLE stripe
++                    if (inputBytes + byteOffset > fragmentLength)
++                    {
++                        DCMDATA_ERROR("stream size in RLE header is wrong");
++                        inputBytes = fragmentLength-byteOffset;
++                    }
++
+                     result = rledecoder.decompress(rleData + byteOffset, OFstatic_cast(size_t, inputBytes));
+                     // special handling for zero pad byte at the end of the RLE stream
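Review bot: The clamp `inputBytes = fragmentLength-byteOffset` in the new check in dcrleccd.cc is only correct when `byteOffset <= fragmentLength`, and the visible lines do not show that being guaranteed. If the RLE header can also supply an offset past the end of the fragment, the subtraction goes negative or wraps (depending on the variable types, which are not visible here), and `OFstatic_cast(size_t, inputBytes)` would then pass `rledecoder.decompress` a very large length with a pointer beyond the buffer. The comparison `inputBytes + byteOffset > fragmentLength` can likewise wrap if both operands are fixed-width unsigned values. Suggest checking `byteOffset <= fragmentLength` first and failing the decode otherwise, then testing `inputBytes > fragmentLength - byteOffset`, which cannot overflow. Minor: the comment `// last fragment for this RLE stripe` now sits above the new check rather than the `decompress` call it describes. On the packaging side, the patch file carries the upstream commit header but no DEP-3 fields such as `Origin:` or `Bug-Debian:`; adding them would tie it to the upstream commit and to #1098373.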
index 1a228ac807eb6bd0460559d30f6ff56de13426e1..4f2b824393b2426357ee5f7f79ec77975d5c014c 100644 (file)
@@ -4,3 +4,4 @@
 remove_version.patch
 0007-CVE-2024-47796.patch
 0008-CVE-2024-52333.patch
+0009-CVE-2025-25475.patch