dcmtk/SOURCES/0021-CVE-2022-2119-CVE-2022...

From 6aca095491009d88c4e2ea6be153ed1c5ee8e9c3 Mon Sep 17 00:00:00 2001
From: Marco Eichelberg <dicom@offis.de>
Date: Wed, 30 Mar 2022 18:46:02 +0200
Subject: [PATCH 21/22] [CVE-2022-2119, CVE-2022-2120, CVE-2022-2121] Fixed
 possible NULL pointer dereference.

Fixed a possible NULL pointer dereference that could occur when reading an
invalid DICOM file from stdin. Loading a file from the file system
and receiving data over a network connection were not affected by this bug.

Thanks to Sharon Brizinov and Noam Moshe from Claroty Research for the
bug report and sample file.

(cherry picked from commit 3e996a2749a9355c9b680fa464ecfd9ab9ff567f)
---
 dcmdata/libsrc/dcfilefo.cc | 3 +++
 dcmdata/libsrc/dcitem.cc   | 6 +++++-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/dcmdata/libsrc/dcfilefo.cc b/dcmdata/libsrc/dcfilefo.cc
index 4b6b64899..ede677efd 100644
--- a/dcmdata/libsrc/dcfilefo.cc
+++ b/dcmdata/libsrc/dcfilefo.cc
@@ -736,6 +736,9 @@ OFCondition DcmFileFormat::readUntilTag(DcmInputStream &inStream,
                 errorFlag = metaInfo->read(inStream, EXS_Unknown, glenc, maxReadLength);
             }
 
+            // bail out if the meta-header is still incomplete or an error occured
+            if (errorFlag.bad()) return errorFlag;
+
             // determine xfer from tag (0002,0010) in the meta header
             newxfer = lookForXfer(metaInfo);
             if ((FileReadMode == ERM_fileOnly) || (FileReadMode == ERM_metaOnly))
diff --git a/dcmdata/libsrc/dcitem.cc b/dcmdata/libsrc/dcitem.cc
index 045f3c93f..a866b9845 100644
--- a/dcmdata/libsrc/dcitem.cc
+++ b/dcmdata/libsrc/dcitem.cc
@@ -1463,7 +1463,11 @@ OFCondition DcmItem::readUntilTag(DcmInputStream & inStream,
                 /* tag and length (and possibly VR) information as well as maybe some data */
                 /* data value information. We need to continue reading the data value */
                 /* information for this particular element. */
-                errorFlag = elementList->get()->read(inStream, xfer, glenc, maxReadLength);
+                DcmObject *dO = elementList->get();
+                if (dO)
+                  errorFlag = dO->read(inStream, xfer, glenc, maxReadLength);
+                  else errorFlag = EC_InternalError; // should never happen
+
                 /* if reading was successful, we read the entire information */
                 /* for this element; hence lastElementComplete is true */
                 if (errorFlag.good())
-- 
2.39.2
import dcmtk-3.6.6-12.el9 9 months ago			`From 6aca095491009d88c4e2ea6be153ed1c5ee8e9c3 Mon Sep 17 00:00:00 2001`
			`From: Marco Eichelberg <dicom@offis.de>`
			`Date: Wed, 30 Mar 2022 18:46:02 +0200`
			`Subject: [PATCH 21/22] [CVE-2022-2119, CVE-2022-2120, CVE-2022-2121] Fixed`
			`possible NULL pointer dereference.`

			`Fixed a possible NULL pointer dereference that could occur when reading an`
			`invalid DICOM file from stdin. Loading a file from the file system`
			`and receiving data over a network connection were not affected by this bug.`

			`Thanks to Sharon Brizinov and Noam Moshe from Claroty Research for the`
			`bug report and sample file.`

			`(cherry picked from commit 3e996a2749a9355c9b680fa464ecfd9ab9ff567f)`
			`---`
			`dcmdata/libsrc/dcfilefo.cc \| 3 +++`
			`dcmdata/libsrc/dcitem.cc \| 6 +++++-`
			`2 files changed, 8 insertions(+), 1 deletion(-)`

			`diff --git a/dcmdata/libsrc/dcfilefo.cc b/dcmdata/libsrc/dcfilefo.cc`
			`index 4b6b64899..ede677efd 100644`
			`--- a/dcmdata/libsrc/dcfilefo.cc`
			`+++ b/dcmdata/libsrc/dcfilefo.cc`
			`@@ -736,6 +736,9 @@ OFCondition DcmFileFormat::readUntilTag(DcmInputStream &inStream,`
			`errorFlag = metaInfo->read(inStream, EXS_Unknown, glenc, maxReadLength);`
			`}`

			`+ // bail out if the meta-header is still incomplete or an error occured`
			`+ if (errorFlag.bad()) return errorFlag;`
			`+`
			`// determine xfer from tag (0002,0010) in the meta header`
			`newxfer = lookForXfer(metaInfo);`
			`if ((FileReadMode == ERM_fileOnly) \|\| (FileReadMode == ERM_metaOnly))`
			`diff --git a/dcmdata/libsrc/dcitem.cc b/dcmdata/libsrc/dcitem.cc`
			`index 045f3c93f..a866b9845 100644`
			`--- a/dcmdata/libsrc/dcitem.cc`
			`+++ b/dcmdata/libsrc/dcitem.cc`
			`@@ -1463,7 +1463,11 @@ OFCondition DcmItem::readUntilTag(DcmInputStream & inStream,`
			`/* tag and length (and possibly VR) information as well as maybe some data */`
			`/* data value information. We need to continue reading the data value */`
			`/* information for this particular element. */`
			`- errorFlag = elementList->get()->read(inStream, xfer, glenc, maxReadLength);`
			`+ DcmObject *dO = elementList->get();`
			`+ if (dO)`
			`+ errorFlag = dO->read(inStream, xfer, glenc, maxReadLength);`
			`+ else errorFlag = EC_InternalError; // should never happen`
			`+`
			`/* if reading was successful, we read the entire information */`
			`/* for this element; hence lastElementComplete is true */`
			`if (errorFlag.good())`
			`--`
			`2.39.2`