fix divide by zero from crafted file (#99)

see #98

Author: jcupitt

CHANGELOG.md

@@ -10,6 +10,7 @@
 * add `dcm_filehandle_get_frame_number()` [jcupitt]
 * add DICOM catenation support [jcupitt]
 * fix GCC compiler warning [bgilbert]
+- fix /0 from crafted file [xz0x]
 
 ## 1.1.0, 28/3/24
 

src/dicom-data.c

@@ -939,7 +939,8 @@ bool dcm_element_set_value(DcmError **error,
         case DCM_VR_CLASS_NUMERIC_DECIMAL:
         case DCM_VR_CLASS_NUMERIC_INTEGER:
             size = dcm_dict_vr_size(element->vr);
-            if (length % size != 0) {
+            if (size > 0 &&
+                length % size != 0) {
                 dcm_error_set(error, DCM_ERROR_CODE_PARSE,
                               "reading of data element failed",
                               "bad byte length for numeric type");
@@ -1249,7 +1250,8 @@ char *dcm_element_value_to_string(const DcmElement *element)
                 for (i = 0; i < n; i++) {
                     result = dcm_printf_append(result, "%02x",
                                                ((unsigned char *) val)[i]);
-                    if (i % size == size - 1) {
+                    if (size > 0 &&
+                        i % size == size - 1) {
                         result = dcm_printf_append(result, " ");
                     }
                 }

src/dicom-file.c

@@ -383,6 +383,13 @@ static bool get_tiles(DcmError **error,
     height = frame_width;
     (void) get_tag_int(NULL, metadata, "TotalPixelMatrixRows", &height);
 
+    if (width <= 0 || height <= 0) {
+        dcm_error_set(error, DCM_ERROR_CODE_PARSE,
+                      "frame read failed",
+                      "value of TotalPixelMatrixColumns or TotalPixelMatrixRows is out of range");
+        return false;
+    }
+
     *tiles_across = (uint32_t) width / frame_width + !!(width % frame_width);
     *tiles_down = (uint32_t) height / frame_height + !!(height % frame_height);
 
@@ -1643,7 +1650,8 @@ static bool print_pixeldata_create(DcmError **error,
     for (uint32_t i = 0; i < n; i++) {
         printf("%02x", value[i] & 0xff);
 
-        if (i % size == size - 1) {
+        if (size > 0 &&
+            i % size == size - 1) {
             printf(" ");
         }
     }

src/dicom-parse.c

@@ -154,7 +154,9 @@ static bool is_big_endian(void)
 static void byteswap(char *data, size_t length, size_t size)
 {
     // only swap if the data is "swappable"
-    if (size > 0 && length >= size && length % size == 0) {
+    if (size > 0 &&
+        length >= size &&
+        length % size == 0) {
         size_t n_elements = length / size;
 
         switch (size) {
@@ -460,7 +462,8 @@ static bool parse_pixeldata_item(DcmParseState *state,
 
     // native (not encapsulated) pixeldata is always little-endian and needs
     // byteswapping on big-endian machines
-    if (length != 0xffffffff && state->big_endian) {
+    if (length != 0xffffffff &&
+        state->big_endian) {
         byteswap(value, item_length, dcm_dict_vr_size(vr));
     }
 
@@ -588,7 +591,8 @@ static bool parse_element_body(DcmParseState *state,
             if (vr_class == DCM_VR_CLASS_NUMERIC_DECIMAL ||
                 vr_class == DCM_VR_CLASS_NUMERIC_INTEGER) {
                 // all numeric classes have a size
-                if (length % size != 0) {
+                if (size > 0 &&
+                    length % size != 0) {
                     dcm_error_set(state->error, DCM_ERROR_CODE_PARSE,
                                   "reading of data element failed",
                                   "bad length for tag '%08x'",