From 6aca095491009d88c4e2ea6be153ed1c5ee8e9c3 Mon Sep 17 00:00:00 2001
From: Marco Eichelberg
Date: Wed, 30 Mar 2022 18:46:02 +0200
Subject: [PATCH 21/22] [CVE-2022-2119, CVE-2022-2120, CVE-2022-2121] Fixed possible NULL pointer dereference.

Fixed a possible NULL pointer dereference that could occur when reading an invalid DICOM file from stdin. Loading a file from the file system and receiving data over a network connection were not affected by this bug.

Thanks to Sharon Brizinov and Noam Moshe from Claroty Research for the bug report and sample file.

(cherry picked from commit 3e996a2749a9355c9b680fa464ecfd9ab9ff567f)
---
 dcmdata/libsrc/dcfilefo.cc | 3 +++
 dcmdata/libsrc/dcitem.cc   | 6 +++++-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/dcmdata/libsrc/dcfilefo.cc b/dcmdata/libsrc/dcfilefo.cc
index 4b6b64899..ede677efd 100644
--- a/dcmdata/libsrc/dcfilefo.cc
+++ b/dcmdata/libsrc/dcfilefo.cc
@@ -736,6 +736,9 @@ OFCondition DcmFileFormat::readUntilTag(DcmInputStream &inStream,
             errorFlag = metaInfo->read(inStream, EXS_Unknown, glenc, maxReadLength);
         }
 
+        // bail out if the meta-header is still incomplete or an error occured
+        if (errorFlag.bad()) return errorFlag;
+
         // determine xfer from tag (0002,0010) in the meta header
         newxfer = lookForXfer(metaInfo);
         if ((FileReadMode == ERM_fileOnly) || (FileReadMode == ERM_metaOnly))
diff --git a/dcmdata/libsrc/dcitem.cc b/dcmdata/libsrc/dcitem.cc
index 045f3c93f..a866b9845 100644
--- a/dcmdata/libsrc/dcitem.cc
+++ b/dcmdata/libsrc/dcitem.cc
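Review bot: The new guard `if (errorFlag.bad()) return errorFlag;` only reflects the result of `metaInfo->read()` on the path where that call actually ran; the call sits inside a conditional whose head is outside the hunk, so on the path that skips it the check tests whatever value errorFlag already held, which is only correct if errorFlag is reset earlier in readUntilTag — worth confirming, since errorFlag appears to be state that outlives this call. The new comment also has a typo; I would write `// bail out if the meta-header is still incomplete or an error occurred`. DcmFileFormat::readUntilTag starts before and continues after this hunk.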
@@ -1463,7 +1463,11 @@ OFCondition DcmItem::readUntilTag(DcmInputStream & inStream,
                 /* tag and length (and possibly VR) information as well as maybe some data */
                 /* data value information. We need to continue reading the data value */
                 /* information for this particular element. */
-                errorFlag = elementList->get()->read(inStream, xfer, glenc, maxReadLength);
+                DcmObject *dO = elementList->get();
+                if (dO)
+                    errorFlag = dO->read(inStream, xfer, glenc, maxReadLength);
+                else errorFlag = EC_InternalError; // should never happen
+
                 /* if reading was successful, we read the entire information */
                 /* for this element; hence lastElementComplete is true */
                 if (errorFlag.good())
-- 
2.39.2
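Review bot: The else branch annotates the NULL element as `EC_InternalError; // should never happen`, yet the commit message says exactly this state is reached by a malformed DICOM file read from stdin, so the comment misdescribes a reachable, attacker-triggerable condition and the error code reports it as a library bug rather than as bad input. I would document the real trigger, e.g. `else errorFlag = EC_InternalError; // elementList->get() can be NULL on malformed input read from stdin (CVE-2022-2119..2121); treat as a read error`, and if dcmdata has a dedicated stream/corruption condition code, return that instead of EC_InternalError so callers and logs classify it as a parse failure. Style-wise the `else` placed on the same line as its statement is inconsistent with the `if (dO)` layout directly above; bracing both branches would make the two paths read the same. DcmItem::readUntilTag starts before and continues after this hunk.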