Stack smashing bug when invalid patient name parsing


Kentaro Hayashi

I found an unexpected SEGV bug. This bug is caused by invalid patient name
parsing.

# Environment

Debian unstable
aeskulap 0.2.2-beta2+git20180219.8787e95-1

# How to reproduce it

2. Run aeskulap CR_LEE_IR87a.dcm

It just crashes.

** (aeskulap:12216): WARNING **: 22:42:16.808: invalid source position for vertical gradient
prescan: 1
W: DcmItem: Element (0008,1090) found twice in one data set or item, ignoring second entry
W: DcmItem: Element (0008,1090) found twice in one data set or item, ignoring second entry
opened file:CR_LEE_IR87a.dcm
*** stack smashing detected ***: <unknown> terminated

# Details about this bug

This crash is caused by an array overrun in std::string Instance::convert_string,
which is implemented in imagepool/poolinstance.cpp.

This function assumes that the string is separated by only two '='.
So, if three or more '=' are contained in the given string, the stack array will be smashed because the array part is declared as
char part[3][500]. It means that part[4][...] or part[5][...] will be accessed without any guard.

   std::string Instance::convert_string(const char* dicom_string) {
           std::string result = "";
           char part[3][500];


--
Kentaro Hayashi <[hidden email]>

_______________________________________________
Aeskulap-users mailing list
[hidden email]
https://lists.nongnu.org/mailman/listinfo/aeskulap-users
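As an added illustration of the fix the report calls for (not aeskulap's own code), here is a hypothetical bounded re-implementation of the splitting step: a DICOM PN value holds at most three '='-separated component groups, so the parser keeps the same char[3][500] layout but refuses to index past the third group or past the end of a 500-byte buffer, reporting truncation instead of writing off the stack. The names convert_string_safe, ParsedName and the constants are assumptions for this example.

```cpp
#include <array>
#include <cstddef>
#include <string>
#include <vector>

// Hypothetical hardened splitter (example code, not the project's convert_string).
constexpr std::size_t kMaxGroups = 3;   // alphabetic, ideographic, phonetic groups
constexpr std::size_t kPartSize  = 500; // same fixed buffer size as in the bug report

struct ParsedName {
    std::vector<std::string> groups; // component groups actually kept (1..3)
    bool truncated = false;          // input had >3 groups or an over-long group
};

ParsedName convert_string_safe(const char* dicom_string) {
    ParsedName out;
    if (dicom_string == nullptr) return out;

    // Same shape as the report's char part[3][500], but zero-initialised and
    // only ever written through bounds-checked indices below.
    std::array<std::array<char, kPartSize>, kMaxGroups> part{};
    std::size_t group = 0, len = 0;

    for (const char* p = dicom_string; *p != '\0'; ++p) {
        if (*p == '=') {
            if (group + 1 >= kMaxGroups) { // a third '=' would select part[3]: stop here
                out.truncated = true;
                break;
            }
            part[group][len] = '\0';
            ++group;
            len = 0;
            continue;
        }
        if (len + 1 >= kPartSize) {        // keep one byte for the terminator
            out.truncated = true;
            continue;                      // drop excess bytes, keep scanning for '='
        }
        part[group][len++] = *p;
    }
    part[group][len] = '\0';

    for (std::size_t i = 0; i <= group; ++i)
        out.groups.emplace_back(part[i].data());
    return out;
}
```

The constructed input "a=b=c=d=e" is the report's failure case: the original code would write into part[3] and beyond, whereas this version returns three groups and sets truncated.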