From: Marco Eichelberg Date: Wed, 13 Mar 2024 16:15:58 +0000 (+0100) Subject: [PATCH] Fixed two segmentation faults. X-Git-Tag: archive/raspbian/3.6.8-6+rpi1^2~3 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=cf9fb71d97f779dcf1f7b70b297e73097ee0b376;p=dcmtk.git [PATCH] Fixed two segmentation faults. Fixed two segmentations faults that could occur while processing an invalid incoming DIMSE message due to insufficient error handling causing a de-referenced NULL pointer. Thanks to Nils Bars for the bug report and sample files. This closes DCMTK issue #1114. Gbp-Pq: Name 0004-Fixed-two-segmentation-faults.patch
---
diff --git a/dcmdata/libsrc/dcelem.cc b/dcmdata/libsrc/dcelem.cc
index 1524904b..3b9cc2bf 100644
--- a/dcmdata/libsrc/dcelem.cc
+++ b/dcmdata/libsrc/dcelem.cc
@@ -1,6 +1,6 @@
 /*
 *
- * Copyright (C) 1994-2023, OFFIS e.V.
+ * Copyright (C) 1994-2024, OFFIS e.V.
 * All rights reserved. See COPYRIGHT file for details.
 *
 * This software and supporting documentation were developed by
@@ -717,6 +717,13 @@ OFCondition DcmElement::loadValue(DcmInputStream *inStream)
 if (isStreamNew)
 delete readStream;
 }
+ else
+ {
+ errorFlag = EC_InvalidStream; // incomplete dataset read from stream
+ DCMDATA_ERROR("DcmElement: " << getTagName() << " " << getTag()
+ << " larger (" << getLengthField() << ") than remaining bytes ("
+ << getTransferredBytes() << ") in file, premature end of stream");
+ }
 }
 /* return result value */
 return errorFlag;
diff --git a/dcmnet/libsrc/dimcmd.cc b/dcmnet/libsrc/dimcmd.cc
index a3d8d52d..3bcfae5e 100644
--- a/dcmnet/libsrc/dimcmd.cc
+++ b/dcmnet/libsrc/dimcmd.cc
@@ -1,6 +1,6 @@
 /*
 *
- * Copyright (C) 1994-2022, OFFIS e.V.
+ * Copyright (C) 1994-2024, OFFIS e.V.
 * All rights reserved. See COPYRIGHT file for details.
 *
 * This software and supporting documentation were partly developed by
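Review bot: The log text in the added `else` branch of `DcmElement::loadValue` labels `getTransferredBytes()` as "remaining bytes ... in file", although the accessor's name suggests bytes already transferred, and the commit message says this path is reached from an incoming DIMSE message rather than a file. Someone triaging a malformed-message event from this line would read the wrong quantity and the wrong source. The `if` that this `else` pairs with begins outside the hunk, so the exact condition cannot be confirmed here. If it is the null-stream check, wording such as `<< " has length " << getLengthField() << " but no input stream is available, premature end of stream"` would describe what was actually observed.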
@@ -207,22 +207,25 @@ getString(DcmDataset *obj, DcmTagKey t, char *s, int maxlen, OFBool *spacePadded
 return parseErrorWithMsg("dimcmd:getString: string too small", t);
 } else {
 ec = elem->getString(aString);
- strncpy(s, aString, maxlen);
- if (spacePadded)
+ if (ec.good())
 {
- /* before we remove leading and tailing spaces we want to know
- * whether the string is actually space padded. Required to communicate
- * with dumb peers which send space padded UIDs and fail if they
- * receive correct UIDs back.
- *
- * This test can only detect space padded strings if
- * dcmEnableAutomaticInputDataCorrection is false; otherwise the padding
- * has already been removed by dcmdata at this stage.
- */
- size_t s_len = strlen(s);
- if ((s_len > 0)&&(s[s_len-1] == ' ')) *spacePadded = OFTrue; else *spacePadded = OFFalse;
+ strncpy(s, aString, maxlen);
+ if (spacePadded)
+ {
+ /* before we remove leading and tailing spaces we want to know
+ * whether the string is actually space padded. Required to communicate
+ * with dumb peers which send space padded UIDs and fail if they
+ * receive correct UIDs back.
+ *
+ * This test can only detect space padded strings if
+ * dcmEnableAutomaticInputDataCorrection is false; otherwise the padding
+ * has already been removed by dcmdata at this stage.
+ */
+ size_t s_len = strlen(s);
+ if ((s_len > 0)&&(s[s_len-1] == ' ')) *spacePadded = OFTrue; else *spacePadded = OFFalse;
+ }
+ DU_stripLeadingAndTrailingSpaces(s);
 }
- DU_stripLeadingAndTrailingSpaces(s);
 }
 }
 return (ec.good())? ec : DIMSE_PARSEFAILED;
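Review bot: The new guard in `getString` tests only `ec.good()` before `strncpy(s, aString, maxlen)`, so the copy still relies on `elem->getString()` never returning a good status together with a null `aString`; `if (ec.good() && aString != NULL)` would close that case for the cost of one comparison. `strncpy` also leaves `s` unterminated when the value fills all `maxlen` bytes, and `strlen(s)` and `DU_stripLeadingAndTrailingSpaces(s)` would then read past the copied bytes unless the caller's buffer holds `maxlen + 1` bytes with a terminator already in place. The length check and the buffer sizes are outside the hunk, so a one-line comment stating that contract next to the copy would help the next reader. On the failure path `s` and `*spacePadded` are left unwritten, which is safe only as long as every caller checks the returned condition.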