From 12b60829e0e7e6640dde6dce66ff528e50b6a41e Mon Sep 17 00:00:00 2001
From: =?utf8?q?=C3=89tienne=20Mollier?=
Date: Wed, 19 Feb 2025 21:54:45 +0100
Subject: [PATCH] 0010-CVE-2025-25474.patch: new: fix CVE-2025-25474. Closes: #1098374
---
 debian/patches/0010-CVE-2025-25474.patch | 34 ++++++++++++++++++++++++
 debian/patches/series | 1 +
 2 files changed, 35 insertions(+)
 create mode 100644 debian/patches/0010-CVE-2025-25474.patch
diff --git a/debian/patches/0010-CVE-2025-25474.patch b/debian/patches/0010-CVE-2025-25474.patch
new file mode 100644
index 00000000..b58b520b
--- /dev/null
+++ b/debian/patches/0010-CVE-2025-25474.patch
@@ -0,0 +1,34 @@
+commit 1d205bcd307164c99e0d4bbf412110372658d847
+Author: Joerg Riesmeier
+Date: Tue Jan 21 11:12:28 2025 +0100
+
+ Fixed another issue with invalid DICOM images.
+
+ Fixed issue when processing an invalid DICOM image where the number of
+ pixels stored does not match the expected number of pixels (too less)
+ and the combination of BitsAllocated and BitsStored is really unusual
+ (e.g. 1 bit stored, but 52 bits allocated). In cases where the last
+ pixel (e.g. a single bit) does not fit into the buffer of the input
+ pixel data, a buffer overflow occurred on the heap. Now, the last entry
+ of the buffer is filled with the smallest possible value (e.g. 0 in case
+ of unsigned data).
+
+ Thanks to Ding zhengzheng for the report
+ and the sample file (PoC).
+
+--- dcmtk.orig/dcmimgle/include/dcmtk/dcmimgle/diinpxt.h
++++ dcmtk/dcmimgle/include/dcmtk/dcmimgle/diinpxt.h
+@@ -643,6 +643,13 @@
+ skip -= times * bitsof_T1;
+ }
+ }
++ /* fill the remaining entry (if any) with the smallest value that is possible */
++ if (q < Data + Count)
++ {
++ DCMIMGLE_TRACE("not enough data, filling last entry of input buffer with value = " << getAbsMinimum());
++ *q = OFstatic_cast(T2, getAbsMinimum());
++ }
++
+ }
+ } else
+ DCMIMGLE_DEBUG("cannot allocate memory buffer for 'Data' in DiInputPixelTemplate::convert()");
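Review bot: The added guard `if (q < Data + Count)` writes exactly one element, so the fix depends on the preceding loop leaving at most one entry of `Data` unwritten; if malformed input can leave `q` more than one entry short, the remaining entries keep whatever the allocation left there and would presumably be consumed as pixel values later. That invariant cannot be checked from this hunk, since the loop and the allocation of `Data` sit in `DiInputPixelTemplate::convert()` outside it, so it may well already hold. Either state it in the comment, e.g. `/* the loop above leaves at most one entry unwritten (final pixel truncated by short input) */`, or make the fill independent of it with `while (q < Data + Count) *(q++) = OFstatic_cast(T2, getAbsMinimum());`. The patch header would also be easier to track with a DEP-3 `Bug-Debian: https://bugs.debian.org/1098374` field next to the upstream commit id.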
diff --git a/debian/patches/series b/debian/patches/series
index 4f2b8243..23203a97 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -5,3 +5,4 @@ remove_version.patch
 0007-CVE-2024-47796.patch
 0008-CVE-2024-52333.patch
 0009-CVE-2025-25475.patch
+0010-CVE-2025-25474.patch
--
2.30.2