
Commit c78e434

author
Marco Eichelberg
committed
Fixed two segmentation faults.
Fixed two segmentation faults that could occur while processing an invalid incoming DIMSE message due to insufficient error handling causing a de-referenced NULL pointer. Thanks to Nils Bars <nils.bars@rub.de> for the bug report and sample files. This closes DCMTK issue #1114.
1 parent d831366 commit c78e434


2 files changed

+26
-16
lines changed


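--- a/dcmdata/libsrc/dcelem.cc
+++ b/dcmdata/libsrc/dcelem.cc
@@ -1,6 +1,6 @@
 /*
 *
-* Copyright (C) 1994-2023, OFFIS e.V.
+* Copyright (C) 1994-2024, OFFIS e.V.
 * All rights reserved. See COPYRIGHT file for details.
 *
 * This software and supporting documentation were developed by
@@ -717,6 +717,13 @@ OFCondition DcmElement::loadValue(DcmInputStream *inStream)
 if (isStreamNew)
 delete readStream;
 }
+else
+{
+errorFlag = EC_InvalidStream; // incomplete dataset read from stream
+DCMDATA_ERROR("DcmElement: " << getTagName() << " " << getTag()
+<< " larger (" << getLengthField() << ") than remaining bytes ("
+<< getTransferredBytes() << ") in file, premature end of stream");
+}
 }
 /* return result value */
 return errorFlag;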
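Review bot: The log text in the new `else` branch of `DcmElement::loadValue` prints `getTransferredBytes()` under the label "remaining bytes", and by its name that accessor is the count already transferred, not what is left in the stream, so the message can mislead whoever triages a malformed-dataset report. The `if` that this `else` pairs with lies outside the hunk; if it tests whether a read stream is available at all, the branch is also reached when no stream exists, and "premature end of stream" would then state a cause the code has not established. I would label the value as what it is, e.g. `<< ") but only " << getTransferredBytes() << " bytes transferred, value not loaded");`, and leave `errorFlag = EC_InvalidStream;` unchanged. No regression test built from the reported sample files is visible in this commit; adding one would keep the NULL-pointer path covered.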

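--- a/dcmnet/libsrc/dimcmd.cc
+++ b/dcmnet/libsrc/dimcmd.cc
@@ -1,6 +1,6 @@
 /*
 *
-* Copyright (C) 1994-2022, OFFIS e.V.
+* Copyright (C) 1994-2024, OFFIS e.V.
 * All rights reserved. See COPYRIGHT file for details.
 *
 * This software and supporting documentation were partly developed by
@@ -205,22 +205,25 @@ getString(DcmDataset *obj, DcmTagKey t, char *s, int maxlen, OFBool *spacePadded
 return parseErrorWithMsg("dimcmd:getString: string too small", t);
 } else {
 ec = elem->getString(aString);
-strncpy(s, aString, maxlen);
-if (spacePadded)
+if (ec.good())
 {
-/* before we remove leading and tailing spaces we want to know
-* whether the string is actually space padded. Required to communicate
-* with dumb peers which send space padded UIDs and fail if they
-* receive correct UIDs back.
-*
-* This test can only detect space padded strings if
-* dcmEnableAutomaticInputDataCorrection is false; otherwise the padding
-* has already been removed by dcmdata at this stage.
-*/
-size_t s_len = strlen(s);
-if ((s_len > 0)&&(s[s_len-1] == ' ')) *spacePadded = OFTrue; else *spacePadded = OFFalse;
+strncpy(s, aString, maxlen);
+if (spacePadded)
+{
+/* before we remove leading and tailing spaces we want to know
+* whether the string is actually space padded. Required to communicate
+* with dumb peers which send space padded UIDs and fail if they
+* receive correct UIDs back.
+*
+* This test can only detect space padded strings if
+* dcmEnableAutomaticInputDataCorrection is false; otherwise the padding
+* has already been removed by dcmdata at this stage.
+*/
+size_t s_len = strlen(s);
+if ((s_len > 0)&&(s[s_len-1] == ' ')) *spacePadded = OFTrue; else *spacePadded = OFFalse;
+}
+DU_stripLeadingAndTrailingSpaces(s);
 }
-DU_stripLeadingAndTrailingSpaces(s);
 }
 }
 return (ec.good())? ec : DIMSE_PARSEFAILED;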
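Review bot: The new guard in front of `strncpy(s, aString, maxlen)` relies on `ec.good()` alone, so the fix holds only if every `getString()` implementation reports failure whenever it leaves `aString` NULL or unset. Because this path parses peer-supplied DIMSE data, I would test the pointer as well: `if (ec.good() && aString != NULL)` followed by `else if (ec.good()) ec = DIMSE_PARSEFAILED;`. Separately, `strncpy` does not NUL-terminate when the source fills all `maxlen` bytes, and `strlen(s)` runs directly after it. The length check that precedes this branch is outside the hunk, so please confirm it rejects a value of exactly `maxlen` bytes or that callers pass a buffer of `maxlen + 1`. On the failure path `*spacePadded` is now left unwritten, which is safe only if callers check the returned condition before reading it.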
