From 39576639b2bdfa77e5e444587e3c615f651e9183 Mon Sep 17 00:00:00 2001
From: Marco Eichelberg <dicom@offis.de>
Date: Wed, 13 Mar 2024 17:15:58 +0100
Subject: Fixed two segmentation faults.
Bug-Debian: https://bugs.debian.org/1070207
Forwarded: not-needed
Fixed two segmentations faults that could occur while processing an invalid incoming DIMSE message due to insufficient error handling causing a de-referenced NULL pointer. Thanks to Nils Bars <nils.bars@rub.de> for the bug report and sample files. This closes DCMTK issue #1114.
---
dcmdata/libsrc/dcelem.cc | 7 +++++++
dcmnet/libsrc/dimcmd.cc | 31 +++++++++++++++++--------------
2 files changed, 24 insertions(+), 14 deletions(-)
--- a/dcmdata/libsrc/dcelem.cc
+++ b/dcmdata/libsrc/dcelem.cc
@@ -717,6 +717,13 @@
 if (isStreamNew)
 delete readStream;
 }
+ else
+ {
+ errorFlag = EC_InvalidStream; // incomplete dataset read from stream
+ DCMDATA_ERROR("DcmElement: " << getTagName() << " " << getTag()
+ << " larger (" << getLengthField() << ") than remaining bytes ("
+ << getTransferredBytes() << ") in file, premature end of stream");
+ }
 }
 /* return result value */
 return errorFlag;
--- a/dcmnet/libsrc/dimcmd.cc
+++ b/dcmnet/libsrc/dimcmd.cc
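Review bot: The new error text in the dcelem.cc hunk labels `getTransferredBytes()` as "remaining bytes", but going by its name that accessor reports bytes already transferred, so the logged figure may not be the remaining stream length. Either log the real remaining count or reword the message, for example `<< " larger (" << getLengthField() << ") than the data available (" << getTransferredBytes() << " bytes transferred), premature end of stream"`. The text also says "in file" although the commit describes this path being reached from an incoming DIMSE message, so "in stream" would be less misleading for whoever triages the log. The `if` that this `else` pairs with starts outside the hunk, so a one-line comment on the `else` naming the condition it covers would help readers confirm the branch is only taken for a truncated value.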
@@ -207,22 +207,25 @@
 return parseErrorWithMsg("dimcmd:getString: string too small", t);
 } else {
 ec = elem->getString(aString);
- strncpy(s, aString, maxlen);
- if (spacePadded)
+ if (ec.good())
 {
- /* before we remove leading and tailing spaces we want to know
- * whether the string is actually space padded. Required to communicate
- * with dumb peers which send space padded UIDs and fail if they
- * receive correct UIDs back.
- *
- * This test can only detect space padded strings if
- * dcmEnableAutomaticInputDataCorrection is false; otherwise the padding
- * has already been removed by dcmdata at this stage.
- */
- size_t s_len = strlen(s);
- if ((s_len > 0)&&(s[s_len-1] == ' ')) *spacePadded = OFTrue; else *spacePadded = OFFalse;
+ strncpy(s, aString, maxlen);
+ if (spacePadded)
+ {
+ /* before we remove leading and tailing spaces we want to know
+ * whether the string is actually space padded. Required to communicate
+ * with dumb peers which send space padded UIDs and fail if they
+ * receive correct UIDs back.
+ *
+ * This test can only detect space padded strings if
+ * dcmEnableAutomaticInputDataCorrection is false; otherwise the padding
+ * has already been removed by dcmdata at this stage.
+ */
+ size_t s_len = strlen(s);
+ if ((s_len > 0)&&(s[s_len-1] == ' ')) *spacePadded = OFTrue; else *spacePadded = OFFalse;
+ }
+ DU_stripLeadingAndTrailingSpaces(s);
 }
- DU_stripLeadingAndTrailingSpaces(s);
 }
 }
 return (ec.good())? ec : DIMSE_PARSEFAILED;
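Review bot: `strncpy(s, aString, maxlen)` inside the new `ec.good()` branch does not NUL-terminate `s` when the source is `maxlen` bytes or longer, yet the following `strlen(s)` and `DU_stripLeadingAndTrailingSpaces(s)` both need a terminated string. The "string too small" check above begins outside the hunk, so it is not visible whether it rejects a length equal to `maxlen` or whether every caller passes a buffer of `maxlen + 1` bytes. Because the value comes from a peer-supplied DIMSE message, that contract should be written down at the function, e.g. `/* s must provide room for maxlen + 1 bytes, pre-zeroed by the caller */`, or enforced by a stricter length comparison. When `getString()` fails, `s` and `*spacePadded` are now left untouched, so callers have to check the returned condition before reading either.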