From cbf27cffd86b3ee6070f2adcfba69c610837fe53 Mon Sep 17 00:00:00 2001 From: Joerg Riesmeier Date: Sat, 18 Jan 2025 16:30:29 +0100 Subject: [PATCH] Fixed issue rendering invalid monochrome image. MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Forwarded: https://git.dcmtk.org/?p=dcmtk.git;a=commit;h=89a6e399f1e17d08a8bc8cdaa05b2ac9a50cd4f6 Bug-Debian: https://bugs.debian.org/1093043 Reviewed-By: Étienne Mollier Last-Update: 2025-01-18 Fixed issue when rendering an invalid monochrome DICOM image where the number of pixels stored does not match the expected number of pixels. If the stored number is less than the expected number, the rest of the pixel matrix for the intermediate representation was always filled with the value 0. Under certain, very rare conditions, this could result in memory problems reported by an Address Sanitizer (ASAN). Now, the rest of the matrix is filled with the smallest possible value for the image. Thanks to Emmanuel Tacheau from the Cisco Talos team for the original report, the sample file (PoC) and further details. See TALOS-2024-2122 and CVE-2024-47796. Gbp-Pq: Name 0007-CVE-2024-47796.patch --- dcmimgle/include/dcmtk/dcmimgle/dimoipxt.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dcmimgle/include/dcmtk/dcmimgle/dimoipxt.h b/dcmimgle/include/dcmtk/dcmimgle/dimoipxt.h index e746a68b..1bcea088 100644 --- a/dcmimgle/include/dcmtk/dcmimgle/dimoipxt.h +++ b/dcmimgle/include/dcmtk/dcmimgle/dimoipxt.h @@ -72,9 +72,9 @@ class DiMonoInputPixelTemplate rescale(pixel); // "copy" or reference pixel data this->determineMinMax(OFstatic_cast(T3, this->Modality->getMinValue()), OFstatic_cast(T3, this->Modality->getMaxValue())); } - /* erase empty part of the buffer (= blacken the background) */ + /* erase empty part of the buffer (= fill the background with the smallest possible value) */ if ((this->Data != NULL) && (this->InputCount < this->Count)) - OFBitmanipTemplate::zeroMem(this->Data + this->InputCount, this->Count - this->InputCount); + OFBitmanipTemplate::setMem(this->Data + this->InputCount, OFstatic_cast(T3, this->Modality->getAbsMinimum()), this->Count - this->InputCount); } } -- 2.30.2