dcmtk/SOURCES/0021-CVE-2022-2119-CVE-2022...


From 6aca095491009d88c4e2ea6be153ed1c5ee8e9c3 Mon Sep 17 00:00:00 2001
From: Marco Eichelberg <dicom@offis.de>
Date: Wed, 30 Mar 2022 18:46:02 +0200
Subject: [PATCH 21/22] [CVE-2022-2119, CVE-2022-2120, CVE-2022-2121] Fixed
possible NULL pointer dereference.
Fixed a possible NULL pointer dereference that could occur when reading an
invalid DICOM file from stdin. Loading a file from the file system
and receiving data over a network connection were not affected by this bug.
Thanks to Sharon Brizinov and Noam Moshe from Claroty Research for the
bug report and sample file.
(cherry picked from commit 3e996a2749a9355c9b680fa464ecfd9ab9ff567f)
---
dcmdata/libsrc/dcfilefo.cc | 3 +++
dcmdata/libsrc/dcitem.cc | 6 +++++-
2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/dcmdata/libsrc/dcfilefo.cc b/dcmdata/libsrc/dcfilefo.cc
index 4b6b64899..ede677efd 100644
--- a/dcmdata/libsrc/dcfilefo.cc
+++ b/dcmdata/libsrc/dcfilefo.cc
@@ -736,6 +736,9 @@ OFCondition DcmFileFormat::readUntilTag(DcmInputStream &inStream,
errorFlag = metaInfo->read(inStream, EXS_Unknown, glenc, maxReadLength);
}
+ // bail out if the meta-header is still incomplete or an error occured
+ if (errorFlag.bad()) return errorFlag;
+
// determine xfer from tag (0002,0010) in the meta header
newxfer = lookForXfer(metaInfo);
if ((FileReadMode == ERM_fileOnly) || (FileReadMode == ERM_metaOnly))
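Review bot: The comment on the new early return does not say what the guard protects, and it misspells "occurred". From the hunk, the code that follows is `lookForXfer(metaInfo)` and the read-mode handling, which presumably rely on a completely read meta-header; a comment such as `// bail out if the meta-header is still incomplete or an error occurred; the transfer syntax lookup below needs a complete meta-header` would record that dependency. The return also leaves DcmFileFormat::readUntilTag before whatever end-of-function handling exists outside the hunk, so it is worth confirming that no transfer-state update is expected on this path, in particular for the incomplete-header case the comment mentions.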
diff --git a/dcmdata/libsrc/dcitem.cc b/dcmdata/libsrc/dcitem.cc
index 045f3c93f..a866b9845 100644
--- a/dcmdata/libsrc/dcitem.cc
+++ b/dcmdata/libsrc/dcitem.cc
@@ -1463,7 +1463,11 @@ OFCondition DcmItem::readUntilTag(DcmInputStream & inStream,
/* tag and length (and possibly VR) information as well as maybe some data */
/* data value information. We need to continue reading the data value */
/* information for this particular element. */
- errorFlag = elementList->get()->read(inStream, xfer, glenc, maxReadLength);
+ DcmObject *dO = elementList->get();
+ if (dO)
+ errorFlag = dO->read(inStream, xfer, glenc, maxReadLength);
+ else errorFlag = EC_InternalError; // should never happen
+
/* if reading was successful, we read the entire information */
/* for this element; hence lastElementComplete is true */
if (errorFlag.good())
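Review bot: The `// should never happen` comment on the else branch sits oddly with the commit message, which says an invalid file read from stdin could lead to a NULL pointer dereference. If a NULL result from `elementList->get()` is the state that report reached, the branch is reachable from malformed input and the comment should say so, for example `// no current element; was reachable with an invalid file read from stdin`. If it is instead defence in depth behind the dcfilefo.cc guard, stating that helps whoever later triages an `EC_InternalError` coming from a parser. As a style point, the `if`/`else` pair mixes a two-line branch with a one-line branch; putting `errorFlag = EC_InternalError;` on its own line under `else` would match the branch above. The enclosing block of DcmItem::readUntilTag starts and ends outside the hunk.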
--
2.39.2