From 4e1f5381d4ccbb6b71927e94c5d257fa883b3af7 Mon Sep 17 00:00:00 2001 From: Dirk Lemstra Date: Tue, 3 Feb 2026 21:53:39 +0100 Subject: [PATCH] Added checks to prevent an out of bounds read (GHSA-pmq6-8289-hx3v) --- coders/dcm.c | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) Index: ImageMagick-7.1.1-43/coders/dcm.c =================================================================== --- ImageMagick-7.1.1-43.orig/coders/dcm.c +++ ImageMagick-7.1.1-43/coders/dcm.c @@ -2704,6 +2704,7 @@ typedef struct _DCMInfo size_t bits_allocated, + bits_per_entry, bytes_per_pixel, depth, mask, @@ -3158,6 +3159,7 @@ static Image *ReadDCMImage(const ImageIn */ (void) CopyMagickString(photometric,"MONOCHROME1 ",MagickPathExtent); info.bits_allocated=8; + info.bits_per_entry=1; info.bytes_per_pixel=1; info.depth=8; info.mask=0xffff; @@ -3695,7 +3697,7 @@ static Image *ReadDCMImage(const ImageIn else index=(unsigned short) (*p | (*(p+1) << 8)); map.red[i]=(int) index; - p+=(ptrdiff_t) 2; + p+=(ptrdiff_t) info.bits_per_entry; } break; } @@ -3727,7 +3729,7 @@ static Image *ReadDCMImage(const ImageIn else index=(unsigned short) (*p | (*(p+1) << 8)); map.green[i]=(int) index; - p+=(ptrdiff_t) 2; + p+=(ptrdiff_t) info.bits_per_entry; } break; } @@ -3759,10 +3761,20 @@ static Image *ReadDCMImage(const ImageIn else index=(unsigned short) (*p | (*(p+1) << 8)); map.blue[i]=(int) index; - p+=(ptrdiff_t) 2; + p+=(ptrdiff_t) info.bits_per_entry; } break; } + case 0x3002: + { + /* + Bytes per entry. + */ + info.bits_per_entry=(size_t) datum; + if ((info.bits_per_entry == 0) || (info.bits_per_entry > 2)) + ThrowDCMException(CorruptImageError,"ImproperImageHeader") + break; + } default: break; }