From: Étienne Mollier
Date: Sat, 18 Jan 2025 10:55:22 +0000 (+0100)
Subject: 0007-CVE-2024-47796.patch: new.
X-Git-Tag: archive/raspbian/3.6.9-4+rpi1^2~23^2~2
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=751fc511ec81cd1d432d9bba1993bffeb4ee6ae9;p=dcmtk.git
0007-CVE-2024-47796.patch: new.
This patch addresses CVE-2024-47796. Closes: #1093043
---
diff --git a/debian/patches/0007-CVE-2024-47796.patch b/debian/patches/0007-CVE-2024-47796.patch
new file mode 100644
index 00000000..eda61292
--- /dev/null
+++ b/debian/patches/0007-CVE-2024-47796.patch
@@ -0,0 +1,32 @@
+Author: Joerg Riesmeier
+Forwarded: https://git.dcmtk.org/?p=dcmtk.git;a=commit;h=89a6e399f1e17d08a8bc8cdaa05b2ac9a50cd4f6
+Bug-Debian: https://bugs.debian.org/1093043
+Reviewed-By: Étienne Mollier
+Last-Update: 2025-01-18
+Description: Fixed issue rendering invalid monochrome image.
+ Fixed issue when rendering an invalid monochrome DICOM image where the
+ number of pixels stored does not match the expected number of pixels.
+ If the stored number is less than the expected number, the rest of the
+ pixel matrix for the intermediate representation was always filled with
+ the value 0. Under certain, very rare conditions, this could result in
+ memory problems reported by an Address Sanitizer (ASAN). Now, the rest
+ of the matrix is filled with the smallest possible value for the image.
+ .
+ Thanks to Emmanuel Tacheau from the Cisco Talos team
+ for the original report, the sample
+ file (PoC) and further details. See TALOS-2024-2122 and CVE-2024-47796.
+
+--- dcmtk.orig/dcmimgle/include/dcmtk/dcmimgle/dimoipxt.h
++++ dcmtk/dcmimgle/include/dcmtk/dcmimgle/dimoipxt.h
+@@ -72,9 +72,9 @@
+ rescale(pixel); // "copy" or reference pixel data
+ this->determineMinMax(OFstatic_cast(T3, this->Modality->getMinValue()), OFstatic_cast(T3, this->Modality->getMaxValue()));
+ }
+- /* erase empty part of the buffer (= blacken the background) */
++ /* erase empty part of the buffer (= fill the background with the smallest possible value) */
+ if ((this->Data != NULL) && (this->InputCount < this->Count))
+- OFBitmanipTemplate::zeroMem(this->Data + this->InputCount, this->Count - this->InputCount);
++ OFBitmanipTemplate::setMem(this->Data + this->InputCount, OFstatic_cast(T3, this->Modality->getAbsMinimum()), this->Count - this->InputCount);
+ }
+ }
+
diff --git a/debian/patches/series b/debian/patches/series
index de3bf78b..5f44bf76 100644
--- a/debian/patches/series
+++ b/debian/patches/series
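Review bot: The new fill value `OFstatic_cast(T3, this->Modality->getAbsMinimum())` in the `setMem` call assumes the modality's absolute minimum is representable in `T3`, and nothing visible in this hunk establishes that. If the intermediate type was chosen from the actual value range rather than the absolute range (not shown here), the cast would truncate and the padded pixels could again fall outside the range that later stages expect, which is the condition this patch is meant to remove. `this->Modality` is also dereferenced on that line without a null check; the context line above does the same, but the guards of the enclosing function start outside the hunk. I would either document the invariant next to the call, e.g. `/* requires: Modality != NULL and getAbsMinimum() fits into T3 */`, or treat `InputCount < Count` as an invalid image and stop processing it instead of padding.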
@@ -17,3 +17,4 @@ da5370947226783ce3548bf1e5b7112fac70de46.patch
 0004-Fixed-two-segmentation-faults.patch
 0005-Fixed-DcmDecimalString-unit-tests.patch
 0006-Fixed-possible-overflows-when-allocating-memory.patch
+0007-CVE-2024-47796.patch