Bug - Floating point exception

[voidz0r]

Introduction

The issue comes whenever a zero value is passed to one of the width,height parameter of the tile.

libdicom/src/dicom-file.c

Lines 335 to 363 in 345eda5

	static bool get_tiles(DcmError **error,
	const DcmDataSet *metadata,
	uint32_t *tiles_across,
	uint32_t *tiles_down)
	{
	int64_t width;
	int64_t height;
	uint32_t frame_width;
	uint32_t frame_height;
	if (!get_frame_size(error, metadata, &frame_width, &frame_height)) {
	return false;
	}
	// TotalPixelMatrixColumns is optional and defaults to Columns, ie. one
	// frame across
	width = frame_width;
	(void) get_tag_int(NULL, metadata, "TotalPixelMatrixColumns", &width);
	// TotalPixelMatrixColumns is optional and defaults to Columns, ie. one
	// frame across
	height = frame_width;
	(void) get_tag_int(NULL, metadata, "TotalPixelMatrixRows", &height);
	*tiles_across = (uint32_t) width / frame_width + !!(width % frame_width);
	*tiles_down = (uint32_t) height / frame_height + !!(height % frame_height);
	return true;
	}

Debugging it with gdb shows the following:

With the value of width and frame_width set to 0.

This is possible by crafting a DCM file with the following byte sequences:

Impact

The application just crashes with no further consequence. This issue does not seem to affect related products such as openslide.

Solution

The solution would be to check if the provided values are different from zero, and returns an error whenever this happens.

Attached the payload:

floatpe.zip

[jcupitt]

I fixed this with 17d7e75 and credited you in the changelog (I hope that's OK).

Thank you for the very clear bug report!

[jcupitt]

I did a little quick grepping and I couldn't see any similar /0 issues.

[voidz0r]

Looks good to me. Thanks for the mention in the changelog :)