From: Debian Med Packaging Team Date: Fri, 21 Mar 2025 11:45:44 +0000 (+0100) Subject: CVE-2025-25475 X-Git-Tag: archive/raspbian/3.6.9-5+rpi1^2~4 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=f6a092f21d33631e3b1e1f614298ee4aa5fdd868;p=dcmtk.git CVE-2025-25475 commit bffa3e9116abb7038b432443f16b1bd390e80245 Author: Marco Eichelberg Date: Thu Jan 23 15:51:21 2025 +0100 Fixed issue with invalid RLE compressed DICOM images. Fixed issue when processing an RLE compressed image where the RLE header contains an invalid stripe size. Thanks to Ding zhengzheng for the report and the sample file (PoC). Gbp-Pq: Name 0009-CVE-2025-25475.patch --- diff --git a/dcmdata/libsrc/dcrleccd.cc b/dcmdata/libsrc/dcrleccd.cc index fd01b63b..e45ef0c1 100644 --- a/dcmdata/libsrc/dcrleccd.cc +++ b/dcmdata/libsrc/dcrleccd.cc @@ -1,6 +1,6 @@ /* * - * Copyright (C) 2002-2024, OFFIS e.V. + * Copyright (C) 2002-2025, OFFIS e.V. * All rights reserved. See COPYRIGHT file for details. * * This software and supporting documentation were developed by @@ -348,6 +348,12 @@ OFCondition DcmRLECodecDecoder::decode( } /* while */ // last fragment for this RLE stripe + if (inputBytes + byteOffset > fragmentLength) + { + DCMDATA_ERROR("stream size in RLE header is wrong"); + inputBytes = fragmentLength-byteOffset; + } + result = rledecoder.decompress(rleData + byteOffset, OFstatic_cast(size_t, inputBytes)); // special handling for zero pad byte at the end of the RLE stream
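Review bot: In the dcrleccd.cc hunk at "last fragment for this RLE stripe", the clamp `inputBytes = fragmentLength-byteOffset` is only safe if byteOffset is already known to be no larger than fragmentLength, and nothing in the visible lines establishes that. If these are unsigned quantities and byteOffset exceeds fragmentLength, the subtraction wraps and the length passed to `rledecoder.decompress(rleData + byteOffset, ...)` becomes larger rather than smaller. The sum in `inputBytes + byteOffset > fragmentLength` can wrap in the same way when inputBytes comes from an untrusted RLE header. Consider writing the test without the addition, for example checking `byteOffset > fragmentLength` first and returning an error condition in that case, then comparing `inputBytes > fragmentLength - byteOffset`. A second point: the code logs through DCMDATA_ERROR but then continues decoding with the truncated length, so the caller cannot distinguish a repaired stream from a valid one. If continuing is intended, a one-line comment saying so would help, as would including the header value and the fragment length in the message so that the log entry is actionable.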