From: Étienne Mollier Date: Wed, 19 Feb 2025 21:30:36 +0000 (+0100) Subject: 0011-CVE-2025-25472.patch: new: fix CVE-2025-25472. X-Git-Tag: archive/raspbian/3.6.9-4+rpi1^2~10 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=abf4e0618d0c0d30b61ed0cde7bc7e4601d50c19;p=dcmtk.git 0011-CVE-2025-25472.patch: new: fix CVE-2025-25472. --- diff --git a/debian/patches/0011-CVE-2025-25472.patch b/debian/patches/0011-CVE-2025-25472.patch new file mode 100644 index 00000000..90d710ab --- /dev/null +++ b/debian/patches/0011-CVE-2025-25472.patch @@ -0,0 +1,49 @@ +commit 410ffe2019b9db6a8f4036daac742a6f5e4d36c2 +Author: Joerg Riesmeier +Date: Fri Jan 17 17:53:50 2025 +0100 + + Fixed another issue with invalid mono images. + + Fixed issue when rendering an invalid monochrome DICOM image where the + number of pixels stored does not match the expected number of pixels. + In this case, only a single pixel is processed, but the pixel matrix is + much larger. Filling the rest of the pixel matrix with the smallest + possible value for the image is not working because of an optimized + memory usage (value would be out of range). Now, the pixel value to be + used is double-checked before it is actually filled into the "background" + of the image. + + Thanks to Ding zhengzheng for the report + and the sample file (PoC). + +diff --git a/dcmimgle/include/dcmtk/dcmimgle/dimoipxt.h b/dcmimgle/include/dcmtk/dcmimgle/dimoipxt.h +index 50389a540..f67967310 100644 +--- a/dcmimgle/include/dcmtk/dcmimgle/dimoipxt.h ++++ b/dcmimgle/include/dcmtk/dcmimgle/dimoipxt.h +@@ -28,6 +28,7 @@ + #include "dcmtk/ofstd/ofbmanip.h" + #include "dcmtk/ofstd/ofcast.h" + #include "dcmtk/ofstd/ofdiag.h" /* for DCMTK_DIAGNOSTIC macros */ ++#include "dcmtk/ofstd/oflimits.h" /* for OFnumeric_limits<> */ + + #include "dcmtk/dcmimgle/dimopxt.h" + #include "dcmtk/dcmimgle/diinpx.h" +@@ -72,9 +73,16 @@ class DiMonoInputPixelTemplate + rescale(pixel); // "copy" or reference pixel data + this->determineMinMax(OFstatic_cast(T3, this->Modality->getMinValue()), OFstatic_cast(T3, this->Modality->getMaxValue())); + } +- /* erase empty part of the buffer (= fill the background with the smallest possible value) */ ++ /* erase empty part of the buffer */ + if ((this->Data != NULL) && (this->InputCount < this->Count)) +- OFBitmanipTemplate::setMem(this->Data + this->InputCount, OFstatic_cast(T3, this->Modality->getAbsMinimum()), this->Count - this->InputCount); ++ { ++ /* that means, fill the background with the smallest value that is possible */ ++ const T3 minOut = OFnumeric_limits::min(); ++ const T3 background = (this->Modality->getAbsMinimum() < OFstatic_cast(double, minOut)) ? minOut : OFstatic_cast(T3, this->Modality->getAbsMinimum()); ++ const size_t count = (this->Count - this->InputCount); ++ DCMIMGLE_DEBUG("filing empty part of the intermediate pixel data (" << count << " pixels) with value = " << OFstatic_cast(double, background)); ++ OFBitmanipTemplate::setMem(this->Data + this->InputCount, background, count); ++ } + } + } + diff --git a/debian/patches/series b/debian/patches/series index 23203a97..c7d4926a 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -6,3 +6,4 @@ remove_version.patch 0008-CVE-2024-52333.patch 0009-CVE-2025-25475.patch 0010-CVE-2025-25474.patch +0011-CVE-2025-25472.patch