Commit 4e1f5381d for imagemagick.org
commit 4e1f5381d4ccbb6b71927e94c5d257fa883b3af7
Author: Dirk Lemstra <dirk@lemstra.org>
Date: Tue Feb 3 21:53:39 2026 +0100
Added checks to prevent an out of bounds read (GHSA-pmq6-8289-hx3v)
diff --git a/coders/dcm.c b/coders/dcm.c
index f9090667d..f4fa2cb6e 100644
--- a/coders/dcm.c
+++ b/coders/dcm.c
@@ -2705,6 +2705,7 @@ typedef struct _DCMInfo
size_t
bits_allocated,
+ bits_per_entry,
bytes_per_pixel,
depth,
mask,
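Review bot: The new member `bits_per_entry` is named for bits, but the rest of the commit uses it as a byte count: it is the pointer stride in `p+=(ptrdiff_t) info.bits_per_entry`, and the comment on its parser case reads "Bytes per entry". Renaming it `bytes_per_entry`, or adding `/* palette entry size in bytes (1 or 2) */` beside the declaration, would keep a later reader from comparing it against bit depths such as `bits_allocated`. The struct declaration continues outside this hunk.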
@@ -3159,6 +3160,7 @@ static Image *ReadDCMImage(const ImageInfo *image_info,ExceptionInfo *exception)
*/
(void) CopyMagickString(photometric,"MONOCHROME1 ",MagickPathExtent);
info.bits_allocated=8;
+ info.bits_per_entry=1;
info.bytes_per_pixel=1;
info.depth=8;
info.mask=0xffff;
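Review bot: The initial value `info.bits_per_entry=1` changes the palette stride for every file in which the new `case 0x3002` has not run before the palette data is read: the three map loops used to advance by a fixed 2 and now advance by 1. If one byte per entry is the intended default, a comment at this assignment should say so, for example `/* default palette stride in bytes until element 0x3002 overrides it */`. If it is not, the default should stay at 2 so existing files decode as before. ReadDCMImage starts and ends outside this hunk, so the order in which the elements are parsed cannot be confirmed from here.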
@@ -3700,7 +3702,7 @@ static Image *ReadDCMImage(const ImageInfo *image_info,ExceptionInfo *exception)
else
index=(unsigned short) (*p | (*(p+1) << 8));
map.red[i]=(int) index;
- p+=(ptrdiff_t) 2;
+ p+=(ptrdiff_t) info.bits_per_entry;
}
break;
}
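Review bot: With a stride of 1 the entry is still built from two bytes, `*p | (*(p+1) << 8)`, so neighbouring entries overlap and the last iteration reads one byte beyond the final entry. Whether that byte lies inside the buffer depends on the allocation and the loop bound, both outside this hunk. Nothing visible here checks that the entry count times `info.bits_per_entry` fits the element's data length when the stride is 2. A guard such as `if (info.bits_per_entry == 1) index=(unsigned short) *p;` ahead of the two-byte branches, plus a length check before the loop, would make the read width match the stride. The same applies to the `map.green` and `map.blue` loops in the next two hunks.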
@@ -3732,7 +3734,7 @@ static Image *ReadDCMImage(const ImageInfo *image_info,ExceptionInfo *exception)
else
index=(unsigned short) (*p | (*(p+1) << 8));
map.green[i]=(int) index;
- p+=(ptrdiff_t) 2;
+ p+=(ptrdiff_t) info.bits_per_entry;
}
break;
}
@@ -3764,10 +3766,20 @@ static Image *ReadDCMImage(const ImageInfo *image_info,ExceptionInfo *exception)
else
index=(unsigned short) (*p | (*(p+1) << 8));
map.blue[i]=(int) index;
- p+=(ptrdiff_t) 2;
+ p+=(ptrdiff_t) info.bits_per_entry;
}
break;
}
+ case 0x3002:
+ {
+ /*
+ Bytes per entry.
+ */
+ info.bits_per_entry=(size_t) datum;
+ if ((info.bits_per_entry == 0) || (info.bits_per_entry > 2))
+ ThrowDCMException(CorruptImageError,"ImproperImageHeader")
+ break;
+ }
default:
break;
}
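Review bot: The range check in `case 0x3002` accepts only 1 and 2, so it assumes `datum` is already a byte count. `datum` is assigned outside this hunk; if it can hold a bit depth (8 or 16), or stays 0 for a multi-valued element, well-formed files would now fail with `ImproperImageHeader`. Please confirm the unit and state it in the comment, e.g. `/* Bytes per palette entry, 1 or 2; used as the stride of the red, green and blue map loops. */`. The value is validated only when this element is present, so the default set at initialisation remains the stride otherwise.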