From 105afb0049446f66b3cb6376c0642abefca2db24 Mon Sep 17 00:00:00 2001 From: Debian Med Packaging Team Date: Fri, 21 Mar 2025 12:45:44 +0100 Subject: [PATCH] CVE-2025-25474 commit 1d205bcd307164c99e0d4bbf412110372658d847 Author: Joerg Riesmeier Date: Tue Jan 21 11:12:28 2025 +0100 Fixed another issue with invalid DICOM images. Fixed issue when processing an invalid DICOM image where the number of pixels stored does not match the expected number of pixels (too less) and the combination of BitsAllocated and BitsStored is really unusual (e.g. 1 bit stored, but 52 bits allocated). In cases where the last pixel (e.g. a single bit) does not fit into the buffer of the input pixel data, a buffer overflow occurred on the heap. Now, the last entry of the buffer is filled with the smallest possible value (e.g. 0 in case of unsigned data). Thanks to Ding zhengzheng for the report and the sample file (PoC). Gbp-Pq: Name 0010-CVE-2025-25474.patch --- dcmimgle/include/dcmtk/dcmimgle/diinpxt.h | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/dcmimgle/include/dcmtk/dcmimgle/diinpxt.h b/dcmimgle/include/dcmtk/dcmimgle/diinpxt.h index 6a37c2d7..420e73cb 100644 --- a/dcmimgle/include/dcmtk/dcmimgle/diinpxt.h +++ b/dcmimgle/include/dcmtk/dcmimgle/diinpxt.h @@ -643,6 +643,13 @@ class DiInputPixelTemplate skip -= times * bitsof_T1; } } + /* fill the remaining entry (if any) with the smallest value that is possible */ + if (q < Data + Count) + { + DCMIMGLE_TRACE("not enough data, filling last entry of input buffer with value = " << getAbsMinimum()); + *q = OFstatic_cast(T2, getAbsMinimum()); + } + } } else DCMIMGLE_DEBUG("cannot allocate memory buffer for 'Data' in DiInputPixelTemplate::convert()"); -- 2.30.2