From ea62753f11ff79ed001b79b218681af8f7f8fb8e Mon Sep 17 00:00:00 2001 From: Joerg Riesmeier Date: Wed, 19 Feb 2025 22:30:57 +0100 Subject: [PATCH] Added check to make sure: HighBit < BitsAllocated. MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Forwarded: https://git.dcmtk.org/?p=dcmtk.git;a=commit;h=03e851b0586d05057c3268988e180ffb426b2e03 Bug-Debian: https://bugs.debian.org/1093047 Reviewed-By: Étienne Mollier Last-Update: 2025-01-18 Added check to the image preprocessing to make sure that the value of HighBit is always less than the value of BitsAllocated. Before, this missing check could lead to memory corruption if an invalid combination of values was retrieved from a malformed DICOM dataset. Thanks to Emmanuel Tacheau from the Cisco Talos team for the report, sample file (PoC) and detailed analysis. See TALOS-2024-2121 and CVE-2024-52333. Gbp-Pq: Name 0008-CVE-2024-52333.patch --- dcmimgle/libsrc/diimage.cc | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/dcmimgle/libsrc/diimage.cc b/dcmimgle/libsrc/diimage.cc index 480235e3..1827ac68 100644 --- a/dcmimgle/libsrc/diimage.cc +++ b/dcmimgle/libsrc/diimage.cc @@ -1,6 +1,6 @@ /* * - * Copyright (C) 1996-2024, OFFIS e.V. + * Copyright (C) 1996-2025, OFFIS e.V. * All rights reserved. See COPYRIGHT file for details. * * This software and supporting documentation were developed by @@ -549,12 +549,18 @@ void DiImage::convertPixelData() { const unsigned long fsize = OFstatic_cast(unsigned long, Rows) * OFstatic_cast(unsigned long, Columns) * OFstatic_cast(unsigned long, SamplesPerPixel); - if ((BitsAllocated < 1) || (BitsStored < 1) || (BitsAllocated < BitsStored) || - (BitsStored > OFstatic_cast(Uint16, HighBit + 1))) + if ((BitsAllocated < 1) || (BitsStored < 1)) { ImageStatus = EIS_InvalidValue; - DCMIMGLE_ERROR("invalid values for 'BitsAllocated' (" << BitsAllocated << "), " - << "'BitsStored' (" << BitsStored << ") and/or 'HighBit' (" << HighBit << ")"); + DCMIMGLE_ERROR("invalid value(s) for 'BitsAllocated' (" << BitsAllocated << "), " + << "and/or 'BitsStored' (" << BitsStored << ")"); + return; + } + else if ((BitsAllocated < BitsStored) || (BitsAllocated <= HighBit) || ((BitsStored - 1) > HighBit)) + { + ImageStatus = EIS_InvalidValue; + DCMIMGLE_ERROR("invalid combination of values for 'BitsAllocated' (" << BitsAllocated << "), " + << "'BitsStored' (" << BitsStored << ") and 'HighBit' (" << HighBit << ")"); return; } else if ((evr == EVR_OB) && (BitsStored <= 8)) -- 2.30.2